New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to make xRDP connection using TLS certificate #2297
Comments
File permissions? On Debian (unless you're building from source), xrdp runs as the You only need to worry about the ssl-cert group if you're using the standard Debian 'snakeoil' certificates. If you're setting up your own certificates you don't need to do this. What do you get for Certificate should be owned by |
@matt335672 Thank you, when I run the command I see the below permissions: It sounds to me like I should try " |
In addition to that,
|
The cert is fine. It's world-readable, as it should be as it contains no secrets. The key does contain a secret and so it needs to be readable by xrdp. If you do the
Does that make sense? |
No further input - closing. |
For those googling and finding this. I had the exact same error and it worked for me after I executed these suggested commands:
|
Fantatstic, this helped me acces my kalilinux 2023 purple with xrdp. I followed instructions /1 |
I believe it's documented in |
@metalefty Thanks, but in the link you provided it indicates only |
It is definitely there!
|
@metalefty xrdp is not a user it is a group, what I understand that we cant add a group to a group. So my comment is "How to make xrdp member of ssl-cert? Thanks |
I'm not familiar with Kali Linux however xrdp is a user and also a group at least on Debian/Ubuntu. So we CAN add xrdp user to ssl-cert group.
The following command adds xrdp user to ssl-cert group.
There is also a guide added by Debian maintainers in
|
So many thanks @metalefty , OK, I did and will read the doc, but tell me I need also to execute the 3 mentioned commands as well |
Then it might be a Debian documentation issue. Report it to Debian team. We're not responsible on that. Anyway, Debian does distro-specific customization on SSL certiticates. Following Debian documentation is the most standard way that package maintainer expects. If their guide will not working, report it them. |
I don’t know about Kali Linux, but on Debian, it's not necessary. The SSL private key is owned by the "ssl-cert" group. The "xrdp" user is the user that runs the "xrdp" binary, and has to have access to the key if you want a TLS connexion. So either you add the "xrdp" user to the "ssl-cert" group ( The 2 other commands ( |
Hi @metalefty , its me again. I downloaded the kali linux 2024, followed all steps but still I get "Connection Refused". I thought it was a firewall issue. I did
Always getting "Could not open connection to the host, on port 3389" When I run Port scanner, 3389 is not listening in spite of the fact that xrdp is up and running on the kali linux machine. Doing
returns nothing, how can this be possible? Thanks for your help |
After digging in the xrdp.ini file, I saw |
I'm a novice to much of this, so I decided to use this github guide suggested to me by a nice person on this subreddit: https://github.com/neutrinolabs/xrdp/wiki/TLS-security-layer
I followed the github instructions as described, but I'm now no longer able to xRDP in with or without an SSH tunnel.
To provide some perspective, I'm using an Ubuntu 20.04.4 client to access a Debian 11 remote server. Both machines are updated and placed on the same VLAN.
Here were the exact steps I took in my Debian server as root:
$ openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650
Move key.pem (private key) and cert.pem (self-signed certificate) to /etc/xrdp/
The path to the key.pem and cert.pem was specified in xrdp.ini (global)
Users were added to ssl-cert group
xRDP service was restarted, server was restarted
Was not able to log into xRDP, but SSH worked just fine
For reference, here is my xrdp.ini file: https://pastebin.com/Su2igSwn
Here were the outputs I received when I switched security_layer from rdp to tls: https://imgur.com/a/cgRqL7D
I was able to temporarily fix the issue by going into xrdp.ini (global) and changing security_layer from tls to rdp. When I did that, xRDP worked again.
Any suggestions?
The text was updated successfully, but these errors were encountered: