xrdp unintendedly listen on 6/tcp when set to port=tcp6://:3389 #1450

Open
telmich opened this issue Dec 5, 2019 · 17 comments
Labels
confirmed confirmed reproduction waiting-feedback


@telmich

telmich commented Dec 5, 2019

Installed on alpine, default config, it starts. Changing the config to

;port=3389
port=tcp6://:3389

results in

[16:59] media.place10:~# /etc/init.d/xrdp restart
 * Starting xrdp ...
logging configuration:
	LogFile:       /var/log/xrdp.log
	LogLevel:      4
	EnableSyslog:  1
	SyslogLevel:   4
[20191205-16:59:18] [INFO ] address [::] port [3389] mode 6
[20191205-16:59:18] [INFO ] listening to port 3389 on ::
[20191205-16:59:18] [ERROR] trans_listen_address failed
[20191205-16:59:18] [ERROR] Failed to start xrdp daemon, possibly address already in use.
 * start-stop-daemon: failed to start `/usr/sbin/xrdp'
 * Failed to start xrdp                                                                                                  [ !! ]
 * ERROR: xrdp failed to start
[16:59] media.place10:~# netstat -anp | grep 3389
[16:59] media.place10:~# 
@telmich
Author

telmich commented Dec 5, 2019

Also fails with port=tcp6://.:3389:

[17:02] media.place10:~# /etc/init.d/xrdp restart
 * Starting xrdp ...
logging configuration:
	LogFile:       /var/log/xrdp.log
	LogLevel:      4
	EnableSyslog:  1
	SyslogLevel:   4
[20191205-17:02:14] [INFO ] address [::1] port [3389] mode 6
[20191205-17:02:14] [INFO ] listening to port 3389 on ::1
[20191205-17:02:14] [ERROR] trans_listen_address failed
[20191205-17:02:14] [ERROR] Failed to start xrdp daemon, possibly address already in use.
 * start-stop-daemon: failed to start `/usr/sbin/xrdp'
 * Failed to start xrdp                                                                                                  [ !! ]
 * ERROR: xrdp failed to start

@moobyfr
Contributor

moobyfr commented Dec 5, 2019

I'm not sure I understand the problem. Where does this syntax come from? If you are asking whether the service supports IPv6, yes, it's the default if compiled with --enable-ipv6

@metalefty
Member

@moobyfr The syntax was introduced in v0.9.11. xrdp.ini has examples in its comments.

@metalefty
Member

At least it's forking fine for me. With port=tcp6://3389,

Starting xrdp.
logging configuration:
        LogFile:       /var/log/xrdp.log
        LogLevel:      4
        EnableSyslog:  1
        SyslogLevel:   4
[20191206-18:24:56] [INFO ] address [0.0.0.0] port [6] mode 1
[20191206-18:24:56] [INFO ] listening to port 6 on 0.0.0.0
[20191206-18:24:56] [INFO ] address [0.0.0.0] port [3389] mode 1
[20191206-18:24:56] [INFO ] listening to port 3389 on 0.0.0.0
[20191206-18:24:56] [INFO ] xrdp_listen_pp done
[20191206-18:24:56] [DEBUG] Closed socket 7 (AF_INET6 :: port 6)
[20191206-18:24:56] [DEBUG] Closed socket 8 (AF_INET6 :: port 3389)
daemon process 34582 started ok

@metalefty
Member

metalefty commented Dec 6, 2019

Hmm, actually that's strange.

If port is set to port=tcp6://3389, xrdp tries to listen on 6/tcp, not only 3389/tcp. This might be an xrdp bug.

[20191206-18:24:56] [INFO ] address [0.0.0.0] port [6] mode 1
[20191206-18:24:56] [INFO ] listening to port 6 on 0.0.0.0

So in @telmich's case, it failed to listen on 6/tcp, not only 3389/tcp. It looks like this bug caused your failure to start.

@jsorg71 Jay, can you have a look at this?

@metalefty metalefty added the confirmed confirmed reproduction label Dec 6, 2019
@metalefty metalefty added this to the v0.9.12 milestone Dec 6, 2019
@metalefty metalefty changed the title xrdp fails to start with ipv6/tcp6 socket xrdp unintendedly listen on 6/tcp when set to port=tcp6://:3389 Dec 6, 2019
@moobyfr
Contributor

moobyfr commented Dec 6, 2019 via email

@metalefty
Member

Do you know if xrdp on alpine is compiled with the --enable-ipv6 flag?

Anyway, the issue that xrdp listens on the unnecessary port 6/tcp should be an xrdp bug.

@jsorg71 jsorg71 self-assigned this Dec 11, 2019
@jsorg71
Contributor

jsorg71 commented Dec 13, 2019

I get the same output as @telmich if I set port=tcp6://:3389 and I did not use --enable-ipv6 at configure time. Maybe that is what happened.
@metalefty I think port=tcp6://3389 should not work. For me it errors as it should. I do not see it waiting on tcp port 6.

@metalefty
Member

Oh, that was my mistake, sorry. I confirmed again and it doesn't listen on 6/tcp.
BTW, tcp6://:3389 listens on both IPv4 and IPv6. This is a little bit surprising for me. I expect this configuration to listen on 3389/tcp IPv6 only.

port=tcp6://:3389 tcp://443 results like this:

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.443                  *.*                    LISTEN
tcp46      0      0 *.3389                 *.*                    LISTEN

@telmich You should show the xrdp configure options.

@jsorg71
Contributor

jsorg71 commented Dec 13, 2019

If I remember right, Linux defaults to listening on both; the default ssh daemon does this too. netstat only shows listening on tcp6, but you can connect on both.
We have the --enable-ipv6only option that I think disables that behavior on Linux.

@metalefty metalefty removed this from the v0.9.12 milestone Dec 16, 2019
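
The dual-stack behaviour discussed in the comments above, as an added example that is not part of the original thread and is not xrdp's code: on Linux, an AF_INET6 listener bound to `::` also accepts IPv4 clients unless the `IPV6_V6ONLY` socket option is set, so a `tcp6` listener can be reachable from IPv4 networks. The function name `ipv4_reaches_v6_listener` and the use of an ephemeral port instead of 3389 are assumptions of the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on [::] (ephemeral port) with IPV6_V6ONLY = v6only, then try to
 * connect over IPv4 loopback. Returns 1 if the IPv4 client gets in, 0 if it
 * is refused, -1 if the host cannot run the check (no IPv6, no loopback). */
int ipv4_reaches_v6_listener(int v6only)
{
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;
    socklen_t len = sizeof(a6);
    int result = -1, c = -1;
    int s = socket(AF_INET6, SOCK_STREAM, 0);
    if (s < 0)
        return -1;                       /* e.g. kernel without IPv6 */

    memset(&a6, 0, sizeof(a6));
    a6.sin6_family = AF_INET6;
    a6.sin6_addr = in6addr_any;          /* "::", port 0 = ephemeral */
    if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) < 0 ||
        bind(s, (struct sockaddr *)&a6, sizeof(a6)) < 0 ||
        listen(s, 1) < 0 ||
        getsockname(s, (struct sockaddr *)&a6, &len) < 0)
        goto out;

    memset(&a4, 0, sizeof(a4));
    a4.sin_family = AF_INET;
    a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a4.sin_port = a6.sin6_port;          /* same port, network byte order */

    c = socket(AF_INET, SOCK_STREAM, 0);
    if (c >= 0 && connect(c, (struct sockaddr *)&a4, sizeof(a4)) == 0)
        result = 1;                      /* dual-stack: IPv4 reaches listener */
    else if (c >= 0 && errno == ECONNREFUSED)
        result = 0;                      /* IPv6-only: nothing on IPv4 */
out:
    if (c >= 0) close(c);
    close(s);
    return result;
}

int main(void)
{
    printf("V6ONLY=0: %d\n", ipv4_reaches_v6_listener(0));
    printf("V6ONLY=1: %d\n", ipv4_reaches_v6_listener(1));
    return 0;
}
```

When checking exposure of a listener shown only as tcp6 in netstat, test connectivity over IPv4 as well and make sure IPv4 firewall rules cover the port.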
@quang777

What's the syntax if you only want it to listen to ipv4? Our network doesn't have ipv6 enabled and so we disable ipv6 via GRUB per security hardening guidelines. If ipv6 is enabled, xrdp starts fine but will refuse to start if only ipv4 is enabled via GRUB options. I tried setting port=tcp://3389 (w/ ipv6 enabled), but it still only binds to ipv6. This is on Ubuntu 18.04 w/ v0.9.5-2.

@telmich
Author

telmich commented Aug 13, 2020

Just retested with xrdp-0.9.13.1-r0 on alpine Linux with port=tcp6://:3389 the result is:

bridge:~# /usr/sbin/xrdp 
logging configuration:
	LogFile:       /var/log/xrdp.log
	LogLevel:      4
	EnableSyslog:  1
	SyslogLevel:   4
[20200813-11:54:42] [INFO ] address [::] port [3389] mode 6
[20200813-11:54:42] [INFO ] listening to port 3389 on ::
[20200813-11:54:42] [ERROR] trans_listen_address failed
[20200813-11:54:42] [ERROR] Failed to start xrdp daemon, possibly address already in use.

with port=3389 I only get IPv4 listeners:

bridge:~# netstat -anp | grep xrdp
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN      6788/xrdp
unix  2      [ ]         DGRAM                    3496729 6788/xrdp           
bridge:~# 

with port=tcp6://.:3389 I get

bridge:~# /usr/sbin/xrdp 
logging configuration:
	LogFile:       /var/log/xrdp.log
	LogLevel:      4
	EnableSyslog:  1
	SyslogLevel:   4
[20200813-11:57:36] [INFO ] address [::1] port [3389] mode 6
[20200813-11:57:36] [INFO ] listening to port 3389 on ::1
[20200813-11:57:36] [ERROR] trans_listen_address failed
[20200813-11:57:36] [ERROR] Failed to start xrdp daemon, possibly address already in use.
bridge:~# 

so in a nutshell: for me IPv6 listeners do not work.

@matt335672
Member

@quang777 - 0.9.5 is pretty old, and uses the older syntax. You should be able to get xrdp listening with no IPv6 with the plain-and-simple port=3389 (I've just verified this). Feel free to open a separate issue if this isn't working for you. Also, please make a note in your migration strategy to a later LTS version that:-

@telmich - the alpine build may not have been done with IPv6 enabled. What is the output of xrdp -v? Do the configure options contain --enable-ipv6?

@telmich
Author

telmich commented Aug 13, 2020

@matt335672 you are so right!

bridge:~# xrdp -v
xrdp 0.9.13.1
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2018 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --prefix=/usr
      --disable-static
      --sysconfdir=/etc
      --localstatedir=/var
      --sbindir=/usr/sbin
      --enable-fuse
      --disable-pam
      --enable-tjpeg
      CC=gcc
      CFLAGS=-Os -fomit-frame-pointer
      LDFLAGS=-Wl,--as-needed
      CPPFLAGS=-Os -fomit-frame-pointer

  Compiled with OpenSSL 1.1.1g  21 Apr 2020
bridge:~# 

I'll create an MR on the alpine side.

@quang777

quang777 commented Aug 13, 2020

Yes, that was the first thing I tried, but it seems to only bind to the ipv6 (when enabled). When ipv6 is disabled via grub, it refuses to start per the other discussion. On Ubuntu 18.04, the latest version of xrdp is 0.9-5.2

root@lovage:/var/log# systemctl start xrdp
root@lovage:/var/log# ps -ef|grep xrdp
root      2772     1  0 11:57 ?        00:00:00 /usr/sbin/xrdp-sesman
xrdp      2783     1  0 11:57 ?        00:00:00 /usr/sbin/xrdp
root      2821  4726  0 11:58 pts/0    00:00:00 grep --color=auto xrdp

root@lovage:/var/log# netstat -nl|grep 3389
tcp6       0      0 ::1:3389                :::*                    LISTEN     

root@lovage:/var/log# head -10 /etc/xrdp/xrdp.ini
[Globals]
# xrdp.ini file version number
ini_version=1

bitmap_cache=yes
bitmap_compression=yes
address=127.0.0.1
port=3389
allow_channels=true
max_bpp=24

@matt335672
Member

@quang777 - I've had a play with this, and I'm optimistic we can find a solution for you.

Can I trouble you to open a separate issue for this? Your problem is completely separate from the original issue raised by @telmich. Also, the solution for you is likely to be specific to 18.04, and others may benefit from the discussion.

Thanks for bearing with me - speak soon.

@quang777

Thanks @matt335672, just created a separate issue for the ipv4 port problem.
