4 files changed, 11 insertions, 0 deletions

diff --git a/common/xrdp_client_info.h b/common/xrdp_client_info.h
index aefc7119..43ff3f82 100644
--- a/common/xrdp_client_info.h
+++ b/common/xrdp_client_info.h
@@ -92,6 +92,7 @@ struct xrdp_client_info
   int use_bulk_comp;
   int pointer_flags; /* 0 color, 1 new, 2 no new */
   int use_fast_path;
+  int require_credentials; /* when true, credentials *must* be passed on cmd line */
 };
 
 #endif
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 82ccdea0..93219968 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -135,6 +135,10 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
         {
             client_info->pointer_flags = text2bool(value) == 0 ? 2 : 0;
         }
+        else if (g_strcasecmp(item, "require_credentials") == 0)
+        {
+            client_info->require_credentials = text2bool(value);
+        }
     }
 
     list_delete(items);
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 54d5d0de..726fcde4 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -451,6 +451,8 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
     else
     {
         in_uint8s(s, len_password + 2);
+        if (self->rdp_layer->client_info.require_credentials)
+            return 1; /* credentials on cmd line is mandatory */
     }
 
     unicode_in(s, len_program, self->rdp_layer->client_info.program, 255);
diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini
index ea6576cb..8d97c0d3 100644
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@@ -24,6 +24,10 @@ tcp_keepalive=yes
 #background=626c72
 #autorun=xrdp1
 #hidelogwindow=yes
+
+# when true, userid/password *must* be passed on cmd line
+# require_credentials=yes
+
 #bulk_compression=yes
 # You can set the PAM error text in a gateway setup (MAX 256 chars)
 #pamerrortxt=change your password according to policy at http://url