Expected Behavior
After starting a new linuxserver/rdesktop container, it should generate new SSL keys for secure communication and optimally store them somewhere in a configuration volume.
Current Behavior
This is what I find after starting:
# ls /etc/xrdp/*.pem -l
lrwxrwxrwx 1 root root 36 Oct 22 17:50 /etc/xrdp/cert.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root 38 Oct 22 17:50 /etc/xrdp/key.pem -> /etc/ssl/private/ssl-cert-snakeoil.key
# ls -l /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r--r-- 1 root root 1062 Oct 22 17:50 /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r----- 1 root ssl-cert 1704 Oct 22 17:50 /etc/ssl/private/ssl-cert-snakeoil.key
Oct 22 is the date when the image 35a5ec81a4d3 was built. The date when I started the container was Oct 29. The key is hardcoded inside the image, public for everyone who is able to record my/your internet traffic.
This is a security issue.
Steps to Reproduce
Start the container: docker run -d --name rdesktop -e PUID=1000 -e PGID=1000 -e TZ=Europe/London -p 3389:3389 linuxserver/rdesktop
Enter the container, using an RDP session or docker exec -ti rdesktop bash -i
Run the above ls commands
Environment
OS: Linux
CPU architecture: x86_64
How docker service was installed:
default package from ubuntu focal-updates/universe repo
Command used to create docker container (run/create/compose/screenshot)
see above
Docker logs
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
-------------------------------------
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 12-prep_xrdp: executing...
[cont-init.d] 12-prep_xrdp: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
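One way to get the behavior the report asks for, as an added example that is not part of the original issue and not linuxserver/rdesktop's own code: an init-time check that detects the snakeoil key baked into the image and switches xrdp to a key pair generated once per deployment and kept in a volume. The /etc/xrdp paths come from the listing above; the /config/ssl directory, the certificate subject and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not linuxserver/rdesktop code). /config/ssl and CN=rdesktop
# are assumptions; the snakeoil file name is taken from the issue's listing.

# Succeeds when the key xrdp would load resolves to the snakeoil key that
# was created at image build time and is therefore identical for every user.
key_is_image_baked() {
    target=$(readlink -f "$1") || return 1
    case "$target" in
        */ssl-cert-snakeoil.key) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a key pair on first start, reuse it on later starts (so clients see
# a stable certificate), and point xrdp's cert.pem/key.pem at it.
provision_xrdp_tls() {
    xrdp_dir=$1
    store=$2
    mkdir -p "$store" || return 1
    chmod 700 "$store"
    if [ ! -s "$store/key.pem" ] || [ ! -s "$store/cert.pem" ]; then
        ( umask 077   # private key must never be created world-readable
          openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
              -subj "/CN=rdesktop" \
              -keyout "$store/key.pem" -out "$store/cert.pem" ) || return 1
    fi
    # Assumes xrdp reads the key as the file owner; adjust ownership otherwise.
    chmod 600 "$store/key.pem"
    ln -sfn "$store/cert.pem" "$xrdp_dir/cert.pem" &&
    ln -sfn "$store/key.pem" "$xrdp_dir/key.pem"
}

# Intended call from a container init script, before xrdp starts:
#   key_is_image_baked /etc/xrdp/key.pem && provision_xrdp_tls /etc/xrdp /config/ssl
```

Running `key_is_image_baked /etc/xrdp/key.pem` on its own inside a running container also works as a quick audit of existing deployments.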
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.