Xrdp/Troubleshooting
Unable to make xRDP connection using TLS certificate #2297
greped commented Jun 29, 2022
I'm a novice to much of this, so I decided to use this github guide suggested to me by a nice person on this subreddit: https://github.com/neutrinolabs/xrdp/wiki/TLS-security-layer
I followed the github instructions as described, but I'm now no longer able to xRDP in with or without an SSH tunnel.
To provide some perspective, I'm using an Ubuntu 20.04.4 client to access a Debian 11 remote server. Both machines are updated and placed on the same VLAN.
Here were the exact steps I took in my Debian server as root:

# Security changes made to xrdp.ini and xRDP was restarted
tls_cipher=high
security_layer=tls

The system was restarted, there were no issues yet

# Generate a private key and self-signed certificate
$ openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650

# Move key.pem (private key) and cert.pem (self-signed certificate) to /etc/xrdp/
- The path to the key.pem and cert.pem was specified in xrdp.ini (global)
certificate=/etc/xrdp/cert.pem
key_file=/etc/xrdp/key.pem

# Users were added to ssl-cert group
# xRDP service was restarted, server was restarted
# Was not able to log into xRDP, but SSH worked just fine
For reference, here is my xrdp.ini file: https://pastebin.com/Su2igSwn
Here were the outputs I received when I switched security_layer from rdp to tls: https://imgur.com/a/cgRqL7D
I was able to temporarily fix the issue by going into xrdp.ini (global) and changing security_layer from tls to rdp. When I did that, xRDP worked again.
Any suggestions?
matt335672 commented Jun 29, 2022
File permissions?
On Debian (unless you're building from source), xrdp runs as the xrdp user.
You only need to worry about the ssl-cert group if you're using the standard Debian 'snakeoil' certificates. If you're setting up your own certificates you don't need to do this.
What do you get for ls -l /etc/xrdp/key.pem /etc/xrdp/cert.pem?
Certificate should be owned by root:root, permissions 644. Key should be owned by root:xrdp and should have permissions 640.
greped commented Jun 30, 2022
@matt335672 Thank you, when I run the command I see the below permissions:

-rw-r--r-- 1 root root 1558 Jun 26 22:57 /etc/xrdp/cert.pem
-rw------- 1 root root 1704 Jun 26 22:55 /etc/xrdp/key.pem
It sounds to me like I should try "$ chmod 644 /etc/xrdp/cert.pem" and "$ chmod 640 /etc/xrdp/key.pem", correct?
metalefty commented Jul 1, 2022
In addition to that,
chown :xrdp /etc/xrdp/key.pem
matt335672 commented Jul 1, 2022
The cert is fine. It's world-readable, as it should be as it contains no secrets.
The key does contain a secret and so it needs to be readable by xrdp. If you do the chmod 640 ... and the chown :xrdp as @metalefty suggests, you should end up with:-
-rw-r----- 1 root xrdp 1704 Jun 26 22:55 /etc/xrdp/key.pem
Does that make sense?
matt335672 commented Aug 11, 2022
No further input - closing.
AvabAlexander commented Aug 31, 2022
For those googling and finding this. I had the exact same error and it worked for me after I executed these suggested commands:
chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem
eliassal commented Nov 12, 2023
Fantastic, this helped me access my kalilinux 2023 purple with xrdp. I followed instructions https://www.kali.org/docs/general-use/xfce-with-rdp but it stops at starting the service and when I tried to RDP to the kali box my login was rejected. After issuing the 3 commands, I was able to RDP like a charm, so many thanks. Thanks @matt335672 again for your help
metalefty commented Nov 12, 2023
I believe it's documented in /usr/share/doc/xrdp/README.Debian . I recommend you guys see distro-specific README when using the distro package.
https://salsa.debian.org/debian-remote-team/xrdp/-/blob/debian/0.9.21.1-1/debian/README.Debian?ref_type=tags
eliassal commented Nov 12, 2023
@metalefty Thanks, but in the link you provided it indicates only "Consider using TLS encryption instead of the default RDP encryption." but it does not say how (I am not a security expert), can you please tell me how this can be done? Thanks again
metalefty commented Nov 13, 2023
It is definitely there!
Don't forget that xrdp might have to be a member of the ssl-cert group to read your private key.
eliassal commented Nov 14, 2023
@metalefty xrdp is not a user, it is a group, what I understand is that we can't add a group to a group. So my comment is "How to make xrdp member of ssl-cert?" Thanks
metalefty commented Nov 14, 2023
I'm not familiar with Kali Linux however xrdp is a user and also a group at least on Debian/Ubuntu. So we CAN add xrdp user to ssl-cert group.
ubuntu@jammy:~$ id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp)
root@jammy:/etc/ssl/private# ls -l
total 4
-rw-r----- 1 root ssl-cert 1704 Nov 14 08:12 ssl-cert-snakeoil.key
The following command adds xrdp user to ssl-cert group.
root@jammy:/etc/ssl/private# usermod -G ssl-cert xrdp
root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp),122(ssl-cert)
There is also a guide added by Debian maintainers in xrdp.ini. I think the documents added by Debian team are very good. All Debian-specific SSL stuff is already explained in their documentation. So I recommend everyone to read Debian documentation first when using xrdp on Debian-based distro. https://salsa.debian.org/debian-remote-team/xrdp/-/blob/debian/0.9.21.1-1/debian/patches/document-certs.diff
adduser xrdp ssl-cert will give the same result as usermod -G ssl-cert xrdp.
root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp)
root@jammy:/etc/ssl/private# adduser xrdp ssl-cert
Adding user `xrdp' to group `ssl-cert' ...
Adding user xrdp to group ssl-cert
Done.
root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp),122(ssl-cert)
eliassal commented Nov 14, 2023
So many thanks @metalefty, OK, I did and will read the doc, but tell me I need also to execute the 3 mentioned commands as well:
chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem
metalefty commented Nov 14, 2023
Then it might be a Debian documentation issue. Report it to Debian team. We're not responsible for that.
Anyway, Debian does distro-specific customization on SSL certificates. Following Debian documentation is the most standard way that package maintainer expects. If their guide does not work, report it to them.
pharaonic-faery commented Dec 3, 2023
@eliassal
OK, I did and will read the doc, but tell me I need also to execute the 3 mentioned commands as well:
chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem

I don't know about Kali Linux, but on Debian, it's not necessary. The SSL private key is owned by the "ssl-cert" group. The "xrdp" user is the user that runs the "xrdp" binary, and has to have access to the key if you want a TLS connection. So either you add the "xrdp" user to the "ssl-cert" group ( sudo adduser xrdp ssl-cert ), or you change the group owning the key to the "xrdp" group ( chown :xrdp /etc/xrdp/key.pem ), which the "xrdp" user is part of.
The 2 other commands ( chmod 644 /etc/xrdp/cert.pem and chmod 640 /etc/xrdp/key.pem ) seem unnecessary, since the 2 files already have 644 (cert) and 640 (key) permissions (on Debian at least). If you want to make sure, you can run sudo stat -L -c %a /etc/xrdp/key.pem and sudo stat -L -c %a /etc/xrdp/cert.pem commands.
eliassal commented Mar 18, 2024
Hi @metalefty, it's me again. I downloaded the kali linux 2024, followed all steps but still I get "Connection Refused". I thought it was a firewall issue. I did
ufw allow 3389/tcp
but it seems that no firewall is installed.
Always getting "Could not open connection to the host, on port 3389". I tried to telnet to 3389 port from win machine, I get
Connecting To 192.168.10.240...Could not open connection to the host, on port 3389: Connect failed
When I run Port scanner, 3389 is not listening in spite of the fact that xrdp is up and running on the kali linux machine. Doing
netstat -tnlp | grep 3389
returns nothing, how can this be possible? Thanks for your help
eliassal commented Mar 18, 2024
After digging in the xrdp.ini file, I saw
port=vsock://-1:3389
I changed it to
port=tcp://:3389
and hop, it worked fine and was able to connect using RDP
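The checks the replies above describe (certificate world-readable, key mode 640 with a group the xrdp user belongs to, via either chown :xrdp or adduser xrdp ssl-cert) and the port= finding in the last comment, collected into one audit script. This is an added example, not code from the xrdp project or from anyone in this thread; it assumes GNU coreutils stat (Linux) and the Debian/Ubuntu service user name "xrdp".

```shell
#!/bin/sh
# Added example (not from xrdp or this thread): audit xrdp.ini and its TLS files.
# Assumptions: GNU stat, service user "xrdp", [Globals] is the first ini section.

# ini_value FILE KEY: print the first uncommented "KEY=value" in FILE (value only).
ini_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_cert PATH: the certificate holds no secret, so world-readable 644 is fine.
check_cert() {
    [ -f "$1" ] || { echo "missing cert: $1"; return 1; }
    [ "$(stat -c %a "$1")" = 644 ] || { echo "$1: expected mode 644"; return 1; }
}

# check_key PATH USER [OWNER]: key is mode 640, owned by OWNER (default root),
# and its group is one USER is a member of (xrdp after chown :xrdp, or ssl-cert
# after adduser xrdp ssl-cert). Either arrangement from the thread passes.
check_key() {
    [ -f "$1" ] || { echo "missing key: $1"; return 1; }
    owner=$(stat -c %U "$1"); group=$(stat -c %G "$1"); mode=$(stat -c %a "$1")
    [ "$owner" = "${3:-root}" ] && [ "$mode" = 640 ] ||
        { echo "$1: have $owner:$group $mode, want ${3:-root}:<group> 640"; return 1; }
    id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$group" && return 0
    echo "$1: user $2 is not in group $group (adduser $2 $group, or chown :$2 $1)"
    return 1
}

# check_port INI: the listener must be TCP; a vsock:// port is never reachable
# over the network, which is why nothing listened on 3389 in the last comment.
check_port() {
    case $(ini_value "$1" port) in
        tcp://*|[0-9]*) return 0 ;;
        *) echo "port= in $1 is not a TCP listener"; return 1 ;;
    esac
}

# audit_xrdp INI [USER]: run every check; returns 0 only if all of them pass.
audit_xrdp() {
    rc=0
    check_port "$1" || rc=1
    if [ "$(ini_value "$1" security_layer)" = tls ]; then
        check_cert "$(ini_value "$1" certificate)" || rc=1
        check_key "$(ini_value "$1" key_file)" "${2:-xrdp}" || rc=1
    fi
    return $rc
}
```

Run it as root against /etc/xrdp/xrdp.ini after switching security_layer to tls; each failing check prints the fix it wants.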