Unable to make xRDP connection using TLS certificate

[greped]

I'm a novice to much of this, so I decided to use this github guide suggested to me by a nice person on this subreddit: https://github.com/neutrinolabs/xrdp/wiki/TLS-security-layer

I followed the github instructions as described, but I'm now no longer able to xRDP in with or without an SSH tunnel.

To provide some perspective, I'm using an Ubuntu 20.04.4 client to access a Debian 11 remote server. Both machines are updated and placed on the same VLAN.

Here were the exact steps I took in my Debian server as root:

1. Security changes made to xrdp.ini and xRDP was restarted

tls_cipher=high

security_layer=tls

The system was restarted, there were no issues yet

2. Generate a private key and self-signed certificate

$ openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650

3. Move key.pem (private key) and cert.pem (self-signed certificate) to /etc/xrdp/

4. The path to the key.pem and cert.pem was specified in xrdp.ini (global)

certificate=/etc/xrdp/cert.pem

key_file=/etc/xrdp/key.pem

5. Users were added to ssl-cert group

6. xRDP service was restarted, server was restarted

7. Was not able to log into xRDP, but SSH worked just fine

For reference, here is my xrdp.ini file: https://pastebin.com/Su2igSwn

Here were the outputs I received when I switched security_layer from rdp to tls: https://imgur.com/a/cgRqL7D

I was able to temporarily fix the issue by going into xrdp.ini (global) and changing security_layer from tls to rdp. When I did that, xRDP worked again.

Any suggestions?

[matt335672]

File permissions?

On Debian (unless you're building from source), xrdp runs as the xrdp user.

You only need to worry about the ssl-cert group if you're using the standard Debian 'snakeoil' certificates. If you're setting up your own certificates you don't need to do this.

What do you get for ls -l /etc/xrdp/key.pem /etc/xrdp/cert.pem?

Certificate should be owned by root:root, permissions 644. Key should be owned by root:xrdp and should have permissions 640.

[greped]

@matt335672 Thank you, when I run the command I see the below permissions:
-rw-r--r-- 1 root root 1558 Jun 26 22:57 /etc/xrdp/cert.pem
-rw------- 1 root root 1704 Jun 26 22:55 /etc/xrdp/key.pem

It sounds to me like I should try "$ chmod 644 /etc/xrdp/cert.pem" and "$ chmod 640 /etc/xrdp/key.pem", correct?

[metalefty]

In addition to that,

chown :xrdp /etc/xrdp/key.pem

[matt335672]

The cert is fine. It's world-readable, as it should be as it contains no secrets.

The key does contain a secret and so it needs to be readable by xrdp. If you do the chmod 640 ... and the chown :xrdp as @metalefty suggests, you should end up with:-

-rw-r----- 1 root xrdp 1704 Jun 26 22:55 /etc/xrdp/key.pem

Does that make sense?

[matt335672]

No further input - closing.

[AvabAlexander]

For those googling and finding this. I had the exact same error and it worked for me after I executed these suggested commands:

chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem

[eliassal]

Fantatstic, this helped me acces my kalilinux 2023 purple with xrdp. I followed instructions /1
https://www.kali.org/docs/general-use/xfce-with-rdp
but it stops at starting the service and when I tried to RDP to the kali box my login was rejected. After issuing the 3 commands, I was able to RDP like a charm, so many thanks. Thanks @matt335672 again for your help

[metalefty]

I believe it's documented in /usr/share/doc/xrdp/README.Debian . I recommend you guys see distro-specific README when using the distro package.

https://salsa.debian.org/debian-remote-team/xrdp/-/blob/debian/0.9.21.1-1/debian/README.Debian?ref_type=tags

[eliassal]

@metalefty Thanks, but in the link you provided it indicates only
Consider using TLS encryption instead of the default RDP encryption.........
but it does not say how (I am not a security expert), can you please tell me how this can be done?
Thanks again

[metalefty]

It is definitely there!

Don't forget that xrdp might have to be a member of the ssl-cert group to read your private key.

[eliassal]

@metalefty xrdp is not a user it is a group, what I understand that we cant add a group to a group. So my comment is "How to make xrdp member of ssl-cert? Thanks

[metalefty]

I'm not familiar with Kali Linux however xrdp is a user and also a group at least on Debian/Ubuntu. So we CAN add xrdp user to ssl-cert group.

ubuntu@jammy:~$ id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp)

root@jammy:/etc/ssl/private# ls -l
total 4
-rw-r----- 1 root ssl-cert 1704 Nov 14 08:12 ssl-cert-snakeoil.key

The following command adds xrdp user to ssl-cert group.

root@jammy:/etc/ssl/private# usermod -G ssl-cert xrdp
root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp),122(ssl-cert)

There is also a guide added by Debian maintainers in xrdp.ini. I think the documents added by Debian team are very good. All Debian-specific SSL stuff is already explained in their documentation. So I recommend everyone to read Debian documentation first when using xrdp on Debian-based distro.
https://salsa.debian.org/debian-remote-team/xrdp/-/blob/debian/0.9.21.1-1/debian/patches/document-certs.diff

adduser xrdp ssl-cert will make the same result with usermod -G ssl-cert xrdp.

root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp)
root@jammy:/etc/ssl/private# adduser xrdp ssl-cert
Adding user `xrdp' to group `ssl-cert' ...
Adding user xrdp to group ssl-cert
Done.
root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp),122(ssl-cert)

[eliassal]

So many thanks @metalefty , OK, I did and will read the doc, but tell me I need also to execute the 3 mentioned commands as well
chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem

[metalefty]

Then it might be a Debian documentation issue. Report it to Debian team. We're not responsible on that.

Anyway, Debian does distro-specific customization on SSL certiticates. Following Debian documentation is the most standard way that package maintainer expects. If their guide will not working, report it them.