    Scott Stirling
    @scottstirling
    can see even when they show how to proxy ssl they decipher on the frontend and re-crypt on the proxy call to rdp on ssl. So no advantage there for ssl termination.
    good for load balancing though. I don’t see any reason why that wouldn’t work as they document using an rdp cookie and stick table. I only tested proxying to one instance and that worked (tcp proxying from rdp client to xrdp).
    matt335672
    @matt335672

    Thanks for the update - it's good to hear when things get fixed. I don't have any ideas where your thinclie directory is coming from I'm afraid.

    I'm not surprised you're having problems with TLS termination. The same thing happens with protocols which use STARTTLS which is effectively what RDP is doing:-

    https://discourse.haproxy.org/t/terminating-opportunistic-tls-starttls/3681

    GG668
    @GG668
    Hi, can we enter this login interface?
    20201116200240.png
    Scott Stirling
    @scottstirling
    @GG668 what do you mean? You want to customize the Xorg login dialog to look like that?
    GG668
    @GG668
    Enter the Microsoft login interface
    Just enter the IP port number
    metalefty
    @metalefty
    i still don’t get you
    GG668
    @GG668
    I just asked if it was possible
    metalefty
    @metalefty
    i don’t get “it”
    GG668
    @GG668
    That is, I input IP and port number in xrdp login interface. I want to enter the interface of that picture
    metalefty
    @metalefty
    do you mean you want to RDP to Windows via xrdp?
    GG668
    @GG668
    You may ask why you don't use mstsc directly.
    I was just curious to ask if that would work
    yes
    metalefty
    @metalefty
    got it. it is possible.
    but please don't think it works fully functional like Windows to Windows remote desktop.
    GG668
    @GG668
    Never mind
    metalefty
    @metalefty
    mostly it will work.
    GG668
    @GG668
    If I don't input the account and password in the xrdp login interface. Can I get into that picture?
    sibelle-labs
    @sibelle-labs
    One rdp client (windows or linux) connects and logs in to xrdp server. How can I, with a script, read their username and IP address? On env vars no client IP visible...
    only on log files can i see for example ...
    [20201119-12:07:35] [INFO ] lib_mod_log_peer: xrdp_pid=77712 connected to X11rdp_pid=77720 X11rdp_uid=1000 X11rdp_gid=1001 client_ip=::ffff:172.31.0.30 client_port=55005
    matt335672
    @matt335672

    Don't understand this fully. Where is the script running? In the context of the logged-in user?

    This might be the same as #392 which is currently unresolved.

    Derek W
    @dmwarren

    Hi! Sorry if this is a dumb question, but setting sesman.ini:MaxLoginRetry=X and restarting xrdp doesn't do what I would expect; it just lets me retry logins endlessly.

    Am I missing something? I assumed xrdp-sesman would disconnect me after X failed login attempts. Observed with xrdp 0.9.12 as shipped with Ubuntu 20.04 LTS.

    scp_v0.c doesn't seem to have any concept of maximum retries. scp_v1 does, yet nothing happens.

    Derek Schrock
    @derekschrock
    When you restart xrdp sesman is restarting too?
    Derek W
    @dmwarren
    Yes!
    Derek Schrock
    @derekschrock
    umm I guess I don't know how the scp version is controlled. On FreeBSD it's using v0.
    Derek W
    @dmwarren

    That was going to be my next question ;) Seems to be using v0 on Debian/Ubuntu, too, judging by the absence of disconnects on failed logins.

    So it's not just me, and there's no compile-time flag to force one scp version or the other?

    Derek Schrock
    @derekschrock
    For some reason I was thinking that scp v1 was a WIP thing.
    Derek W
    @dmwarren
    Good to know, thanks. :)
    Derek Schrock
    @derekschrock
    Let that question brew for a couple hours. matt335672 or metalefty should know. I'm just doing a quick search over the code right now but also in the middle of getting something done that's needed by EOD.
    aquesnel
    @aquesnel

    @dmwarren
    I've recently looked through this code and as far as I can tell the scp version is hard coded to use v0

    Code that sends the login request to sesman: https://github.com/neutrinolabs/xrdp/blob/devel/xrdp/xrdp_mm.c#L275-L276
    Sesman code that parses the request and decides which version of scp to use: https://github.com/neutrinolabs/xrdp/blob/devel/sesman/libscp/libscp_vX.c#L44-L46

    matt335672
    @matt335672

    Hi all,

    The state of SCP is an interesting topic, and one I've been thinking about for a while. I've just posted a summary of where we are with SCP on the developer conversation.

    You're right in that SCP V0 doesn't have a dialog with the user regarding authentication. As a result, MaxLoginRetries is effectively 1. It looks like it's unlimited as the XRDP front end allows for a new attempt to be started if the last one fails authentication.

    A proper retry (to my mind) should just ask for a password and not a username and password. We're a long way from implementing that, but I think something could be added to sesman to improve the current situation.

    @dmwarren - please raise an issue on github about this. I think it needs to be tracked.

    Derek W
    @dmwarren

    Thanks for confirming. Yes, I saw the conversation on the developer Gitter but wanted to double-check that infinite login attempts are effectively allowed.

    I'll file an issue.

    Scott Stirling
    @scottstirling
    observed behavior in order of steps connecting from RDP client to XRDP:
    1. login credentials prompted for and sent
    2. SSL certificate presented by XRDP
    reading about the STARTTLS process in general - didn’t notice before but credentials are sent plain text by RDP client login. TLS encryption is only established after login?
    Scott Stirling
    @scottstirling
    If on XRDP, TLS1.2 enabled with highest security, will that ensure that even the login credentials are sent over TLS?
    metalefty
    @metalefty
    which part of the spec? point it.
    aquesnel
    @aquesnel
    @scottstirling which client are you using?
    if you are using the windows rdp client, then it will prompt for credentials using a windows dialog box before any connection to the server is made. the connection to the server is made second at which point if the certificate is invalid in some way then a warning dialog box will be shown.
    The credentials are sent over the encrypted TLS connection.
    Scott Stirling
    @scottstirling
    Ok, thanks, @aquesnel - I’ve mainly been using the OS X client from Microsoft. I noticed the SSL cert prompt always is after the login prompt. But makes sense not to send the login until SSL established.
    I’ve tried terminating SSL on a load balancer in front of XRDP but cannot because the initial request from the RDP client seems to require non-SSL followed by STARTTLS negotiation.
    Scott Stirling
    @scottstirling
    One more question, reading about MS RDP Gateways - some partner is doing HTTPS -> RDP proxied via HTML5 conversion, à la NoVNC with vnc it sounds like, but with RDP.
    Question is hmm I wonder how clipboard and drive redirection work and if they work in HTML 5 browser client.
    aquesnel
    @aquesnel
    I'm sorry I don't know about RDP gateways nor browser rdp clients.
    Scott Stirling
    @scottstirling
    one of my reasons for choosing xrdp over vnc was the client support - RDP clients are generally superior to (as far as I’ve seen) VNC rendered as HTML 5 in a browser.
    If one wants to log the xrdp traffic in verbose mode, particularly any text readable parts, Is there a way to do that easily on either the rdp client or xrdp server?
    Or just do tcpdump or wireshark ?