Unable to make xRDP connection using TLS certificate #2297

Closed
greped opened this issue Jun 29, 2022 · 17 comments

greped commented Jun 29, 2022

I'm a novice to much of this, so I decided to use this github guide suggested to me by a nice person on this subreddit: https://github.com/neutrinolabs/xrdp/wiki/TLS-security-layer

I followed the github instructions as described, but I'm now no longer able to xRDP in with or without an SSH tunnel.

To provide some perspective, I'm using an Ubuntu 20.04.4 client to access a Debian 11 remote server. Both machines are updated and placed on the same VLAN.

Here were the exact steps I took in my Debian server as root:

  1. Security changes made to xrdp.ini and xRDP was restarted

tls_cipher=high

security_layer=tls

The system was restarted, there were no issues yet

  2. Generate a private key and self-signed certificate

$ openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650

  3. Move key.pem (private key) and cert.pem (self-signed certificate) to /etc/xrdp/

  4. The path to the key.pem and cert.pem was specified in xrdp.ini (global)

certificate=/etc/xrdp/cert.pem

key_file=/etc/xrdp/key.pem

  5. Users were added to ssl-cert group

  6. xRDP service was restarted, server was restarted

  7. Was not able to log into xRDP, but SSH worked just fine

For reference, here is my xrdp.ini file: https://pastebin.com/Su2igSwn

Here were the outputs I received when I switched security_layer from rdp to tls: https://imgur.com/a/cgRqL7D

I was able to temporarily fix the issue by going into xrdp.ini (global) and changing security_layer from tls to rdp. When I did that, xRDP worked again.

Any suggestions?

@matt335672
Member

File permissions?

On Debian (unless you're building from source), xrdp runs as the xrdp user.

You only need to worry about the ssl-cert group if you're using the standard Debian 'snakeoil' certificates. If you're setting up your own certificates you don't need to do this.

What do you get for ls -l /etc/xrdp/key.pem /etc/xrdp/cert.pem?

Certificate should be owned by root:root, permissions 644. Key should be owned by root:xrdp and should have permissions 640.

@greped
Author

greped commented Jun 30, 2022

@matt335672 Thank you, when I run the command I see the below permissions:
-rw-r--r-- 1 root root 1558 Jun 26 22:57 /etc/xrdp/cert.pem
-rw------- 1 root root 1704 Jun 26 22:55 /etc/xrdp/key.pem

It sounds to me like I should try "$ chmod 644 /etc/xrdp/cert.pem" and "$ chmod 640 /etc/xrdp/key.pem", correct?

@metalefty
Member

In addition to that,

chown :xrdp /etc/xrdp/key.pem

@matt335672
Member

The cert is fine. It's world-readable, as it should be as it contains no secrets.

The key does contain a secret and so it needs to be readable by xrdp. If you do the chmod 640 ... and the chown :xrdp as @metalefty suggests, you should end up with:-

-rw-r----- 1 root xrdp 1704 Jun 26 22:55 /etc/xrdp/key.pem

Does that make sense?

@matt335672
Member

No further input - closing.

matt335672 closed this as not planned on Aug 11, 2022

@AvabAlexander

For those googling and finding this. I had the exact same error and it worked for me after I executed these suggested commands:

chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem

@eliassal

Fantastic, this helped me access my Kali Linux 2023 Purple with xrdp. I followed the instructions at
https://www.kali.org/docs/general-use/xfce-with-rdp
but it stops at starting the service, and when I tried to RDP to the Kali box my login was rejected. After issuing the 3 commands, I was able to RDP like a charm, so many thanks. Thanks @matt335672 again for your help

@metalefty
Member

I believe it's documented in /usr/share/doc/xrdp/README.Debian. I recommend you guys see the distro-specific README when using the distro package.

https://salsa.debian.org/debian-remote-team/xrdp/-/blob/debian/0.9.21.1-1/debian/README.Debian?ref_type=tags

@eliassal

@metalefty Thanks, but in the link you provided it indicates only
Consider using TLS encryption instead of the default RDP encryption.........
but it does not say how (I am not a security expert), can you please tell me how this can be done?
Thanks again

@metalefty
Member

It is definitely there!

Don't forget that xrdp might have to be a member of the ssl-cert group to read your private key.

@eliassal

@metalefty xrdp is not a user, it is a group; what I understand is that we can't add a group to a group. So my comment is "How to make xrdp a member of ssl-cert?" Thanks

@metalefty
Member

I'm not familiar with Kali Linux; however, xrdp is a user and also a group, at least on Debian/Ubuntu. So we CAN add the xrdp user to the ssl-cert group.

ubuntu@jammy:~$ id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp)
root@jammy:/etc/ssl/private# ls -l
total 4
-rw-r----- 1 root ssl-cert 1704 Nov 14 08:12 ssl-cert-snakeoil.key

The following command adds the xrdp user to the ssl-cert group.

root@jammy:/etc/ssl/private# usermod -G ssl-cert xrdp
root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp),122(ssl-cert)

There is also a guide added by the Debian maintainers in xrdp.ini. I think the documents added by the Debian team are very good. All Debian-specific SSL stuff is already explained in their documentation. So I recommend that everyone read the Debian documentation first when using xrdp on a Debian-based distro.
https://salsa.debian.org/debian-remote-team/xrdp/-/blob/debian/0.9.21.1-1/debian/patches/document-certs.diff

adduser xrdp ssl-cert gives the same result as usermod -G ssl-cert xrdp.

root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp)
root@jammy:/etc/ssl/private# adduser xrdp ssl-cert
Adding user `xrdp' to group `ssl-cert' ...
Adding user xrdp to group ssl-cert
Done.
root@jammy:/etc/ssl/private# id xrdp
uid=114(xrdp) gid=123(xrdp) groups=123(xrdp),122(ssl-cert)

@eliassal

So many thanks @metalefty. OK, I did and will read the doc, but tell me, do I also need to execute the 3 mentioned commands as well?
chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem

@metalefty
Member

Then it might be a Debian documentation issue. Report it to the Debian team. We're not responsible for that.

Anyway, Debian does distro-specific customization on SSL certificates. Following the Debian documentation is the most standard way that the package maintainer expects. If their guide does not work, report it to them.

@pharaonic-faery

@eliassal

OK, I did and will read the doc, but tell me I need also to execute the 3 mentioned commands as well
chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem

I don’t know about Kali Linux, but on Debian, it's not necessary. The SSL private key is owned by the "ssl-cert" group. The "xrdp" user is the user that runs the "xrdp" binary, and has to have access to the key if you want a TLS connexion. So either you add the "xrdp" user to the "ssl-cert" group ( sudo adduser xrdp ssl-cert ), or you change the group owning the key to the "xrdp" group ( chown :xrdp /etc/xrdp/key.pem ), which the "xrdp" user is part of.

The 2 other commands ( chmod 644 /etc/xrdp/cert.pem and chmod 640 /etc/xrdp/key.pem ) seem unnecessary, since the 2 files already have 644 (cert) and 640 (key) permissions (on Debian at least). If you want to make sure, you can run sudo stat -L -c %a /etc/xrdp/key.pem and sudo stat -L -c %a /etc/xrdp/cert.pem commands.
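The ownership and mode reasoning discussed in this thread, as an added example that is not part of the original comments: a POSIX shell check that reports whether a service account gets read access to a private key through the owner or group bits, and whether the key is exposed to other accounts. The function names and the `ok`/`unreadable`/`world` labels are assumptions made for this example; `stat -c` as used in the thread requires GNU or busybox `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): report why a service account can or
# cannot read a TLS private key, using only ownership and mode bits.

# applicable_bits USER FILE -> the single octal digit (owner, group or other)
# that the kernel applies to USER for FILE. Follows symlinks like `stat -L`.
applicable_bits() {
    ab_mode=$(stat -L -c %a "$2") || return 2
    ab_owner=$(stat -L -c %U "$2")
    ab_group=$(stat -L -c %G "$2")
    # Pad to at least 3 digits, then keep the last 3 (drops setuid/sticky).
    ab_mode=$(printf '%03d' "$ab_mode" | tail -c 3)
    ab_groups=$(id -Gn "$1" 2>/dev/null) || ab_groups=
    if [ "$ab_owner" = "$1" ]; then
        printf '%s\n' "${ab_mode%??}"
    else
        case " $ab_groups " in
            *" $ab_group "*) ab_g=${ab_mode#?}; printf '%s\n' "${ab_g%?}" ;;
            *)               printf '%s\n' "${ab_mode#??}" ;;
        esac
    fi
}

# check_key_access USER KEYFILE -> prints ok | unreadable | world
check_key_access() {
    cka_all=$(stat -L -c %a "$2") || return 2
    cka_other=$(printf '%03d' "$cka_all" | tail -c 1)
    if [ "$cka_other" -ne 0 ]; then
        echo world        # secret exposed to every local account
        return 1
    fi
    cka_bits=$(applicable_bits "$1" "$2") || return 2
    if [ "$cka_bits" -ge 4 ]; then
        echo ok
    else
        echo unreadable   # e.g. root:root 600 while the daemon runs as xrdp
        return 1
    fi
}

# Usage on a real host (paths and account name as given in the thread):
#   check_key_access xrdp /etc/xrdp/key.pem
```

Because the owner class takes precedence over the group class, a key owned by the service account itself with mode 040 is still reported as `unreadable`.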

@eliassal

Hi @metalefty, it's me again. I downloaded Kali Linux 2024 and followed all the steps, but I still get "Connection Refused". I thought it was a firewall issue. I did

ufw allow 3389/tcp but it seems that no firewall is installed

I always get "Could not open connection to the host, on port 3389".
I tried to telnet to port 3389 from a Windows machine and I get
Connecting To 192.168.10.240...Could not open connection to the host, on port 3389: Connect failed

When I run a port scanner, 3389 is not listening in spite of the fact that xrdp is up and running on the Kali Linux machine. Doing

netstat -tnlp | grep 3389

returns nothing, how can this be possible? Thanks for your help

@eliassal

After digging in the xrdp.ini file, I saw
port=vsock://-1:3389
I changed it to
port=tcp://:3389
and hop, it worked fine and I was able to connect using RDP
