xrdp using sslv2....ugh

jpnilson

I was doing a packet capture for another purpose and noticed my rdp session was using sslv2. This was all happening behind a firewall so my moment of terror quickly passed. I poked around with my xrdp configuration and found where I could force TLS. I did that immediately and promptly broke RDP

(changed security_layer=negotiate to security_layer=tls in xrdp.ini).

This caused an error message on attempting to connect:

"The connection cannot proceed because authentication is not enabled and the remote computer requires that authentication be enabled to connect"

I resolved this by hacking my Windows registry... Long story.

My question is: any idea how to configure xrdp to use reasonable encryption without having to touch the registry of every Windows machine I touch? I did try using an SSH tunnel, which did secure the traffic, but again it's an extra step. Feels like there is another answer to this, but I just can't find it. Any ideas?
 


I never checked what encryption method xrdp uses by default. I will try and look into this when I have time later this weekend or next week.
 
From what I can see, it appears initiating an SSH tunnel first is the best route. Turns out the registry changes I made allowing me to connect did not resolve the encryption problem. SSH adds an extra step but seems like the best method to make a secure connection. I will do a bit of playing around with guacamole server to see if I get the same result. If I can do it with that, it would also solve the issue of any potential modification to Windows machines. It also adds other security measures in front of the RDP connection.
 
Update...
I think I found the actual problem. I'm out of steam for tonight; I will walk through configuring and generating appropriate certificates. Why I didn't look at the log in the first place is dumb. My bad.

[20230201-20:10:50] [DEBUG] TLSv1.3 enabled
[20230201-20:10:50] [DEBUG] TLSv1.2 enabled
[20230201-20:10:50] [DEBUG] Security layer: requested 11, selected 0
[20230201-20:10:50] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.2.113 port 3389)
[20230201-20:10:51] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.4.22 port 62247
[20230201-20:10:51] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.2.113 port 3389)
[20230201-20:10:51] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20230201-20:10:51] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20230201-20:10:51] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20230201-20:10:51] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
 
[20230201-20:10:51] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
Try adding the user or group that runs the xrdp process as owner or group with read permissions to that key file.
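An added POSIX sh check (not from this thread) for the two things the log above shows: a "selected 0" negotiation, which means the client fell back to legacy RDP security instead of TLS, and a private key the daemon cannot read. The layer numbers are decoded as the MS-RDPBCGR PROTOCOL_* flags xrdp logs (0 RDP, 1 TLS, 2 CredSSP, 4 RDSTLS, 8 CredSSP-EX); the group name to pass to xrdp_key_check is whatever account your xrdp service runs as.

```sh
# Decode an xrdp "Security layer" bitmask (e.g. 11) into protocol names.
xrdp_layer_names() {
    mask=$1 names=""
    [ "$mask" -eq 0 ] && { echo "RDP-standard(no TLS)"; return; }
    [ $((mask & 1)) -ne 0 ] && names="$names TLS"
    [ $((mask & 2)) -ne 0 ] && names="$names CredSSP"
    [ $((mask & 4)) -ne 0 ] && names="$names RDSTLS"
    [ $((mask & 8)) -ne 0 ] && names="$names CredSSP-EX"
    echo "${names# }"
}

# Audit an xrdp log: return 0 only if the last negotiation selected a TLS-class
# layer and no "Cannot read private key" error is present. Findings go to stdout.
xrdp_audit_log() {
    log=$1 rc=0
    sel=$(sed -n 's/.*Security layer: requested \([0-9]*\), selected \([0-9]*\).*/\2/p' "$log" | tail -n 1)
    if [ -z "$sel" ]; then
        echo "no negotiation line found in $log"; rc=1
    elif [ "$sel" -eq 0 ]; then
        echo "client fell back to $(xrdp_layer_names 0): session is not TLS-protected"; rc=1
    else
        echo "selected layer: $(xrdp_layer_names "$sel")"
    fi
    if grep -q 'Cannot read private key file' "$log"; then
        echo "private key unreadable by the xrdp daemon; fix owner/group/mode of key.pem"; rc=1
    fi
    return $rc
}

# Check a private key file: must exist, must not be world-readable, and, when a
# group is given, must be group-readable by that group (the xrdp service account).
xrdp_key_check() {
    key=$1 want_group=${2:-}
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    set -- $(ls -ld "$key")          # fields: perms links owner group ...
    perms=$1 owner=$3 group=$4
    case $perms in
        -??????r??*) echo "world-readable ($perms): $key"; return 1 ;;
    esac
    if [ -n "$want_group" ]; then
        case "$group:$perms" in
            "$want_group":????r?????*) ;;
            *) echo "$key is $owner:$group $perms; group $want_group has no read access"; return 1 ;;
        esac
    fi
    echo "ok $perms $owner:$group $key"
}
```

Typical use on the host: `xrdp_audit_log /var/log/xrdp.log; xrdp_key_check /etc/xrdp/key.pem <xrdp-group>`.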
 
I had actually done that. The problem was I just used the default snake-oil certificates that are generated on installation. I followed the steps from the following thread and I am now running TLS 1.2.


I was a bit deficient in my original troubleshooting but made my way to the answer eventually. Had a few beers before I started looking at this... :) It is interesting that most xrdp installation tutorials out there don't touch on configuring certificates and users. I will be documenting this one for myself so I don't repeat this in the future. Thanks for your help.
 
This is more of a networking issue, is it not? I can move it there.

Save me a beer.

Wizard
 