xrdp over ssh tunnel connection issue using putty

I always like to use a putty session to connect to my Linux systems remotely and also like to tunnel through using xrdp tunnel within putty/ssh.

I have this working fine on my xubunutu system that has xfce desktop. However, whenever I connect with the same setup in my new Leap 15.1 install it starts to connect and then disconnects when trying to pull up the desktop through windows terminal server.

Here’s what I use for this after connecting with putty via ssh and forwarding port 3301 to my local Windows box.

https://i.imgur.com/b1JuL7d.png

And then I get this connection like normal.
https://i.imgur.com/IfQN5l1.png

Everything looks like it’s going to connect (Leap Light Bulb starts to Glow) and then it just disconnects

I was thinking I might need to install another desktop like xfce or something to use for xrdp and then specify this under an xSession file somewhere?

I also might need to modify startwm.sh in /etc/xrdp to specify it uses KDE desktop if that’s possible?

I have this in some of my old notes but don’t recall how I got this working on my other ubuntu systems?

“The good news is you can define a different desktop session for xrdp by specifying this in the .xsession file”

I currently only have kde desktop installed because that’s the desktop environment I specified during the Leap 15.1 install process.

Maybe I should install xfce4-session and then specify xrdp to use xfce?

Also, I noticed if I create the tunnel in Remmina Remote Desktop Client on my ubunutu and try to connect to Leap 15.1 I get this error>

“You requested an H264 GFX mode for server 127.0.0.1 but your libfreerdp does not support H264. Please check Color Depth settings.”

Here’s my xrdp.ini file

[Globals]; xrdp.ini file version number
ini_version=1


; fork a new process for each incoming connection
fork=true
; tcp port to listen
port=3301
; 'port' above should be connected to with vsock instead of tcp
use_vsock=false
; regulate if the listening socket use socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true
; regulate if the listening socket use socket option keepalive
; if the network connection disappear without close messages the connection will be closed
tcp_keepalive=true
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768


; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate
; minimum security level allowed for client
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=
key_file=
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
; set TLS cipher suites
#tls_ciphers=HIGH


; Section name to use for automatic login if the client sends username
; and password. If empty, the domain name sent by the client is used.
; If empty and no domain name is given, the first suitable section in
; this file will be used.
autorun=


allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
#hidelogwindow=true
max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
#require_credentials=true
; You can set the PAM error text in a gateway setup (MAX 256 chars)
#pamerrortxt=change your password according to policy at http://url


;
; colors used by windows in RGB format
;
blue=009cb5
grey=dedede
#black=000000
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72


;
; configure login screen
;


; Login Screen Window Title
#ls_title=My Login Title


; top level window background color in RGB format
ls_top_window_bg_color=009cb5


; width and height of login screen
ls_width=350
ls_height=430


; login screen background color in RGB format
ls_bg_color=dedede


; optional background image filename (bmp format).
#ls_background_image=


; logo
; full path to bmp-file or file in shared folder
ls_logo_filename=
ls_logo_x_pos=55
ls_logo_y_pos=50


; for positioning labels such as username, password etc
ls_label_x_pos=30
ls_label_width=60


; for positioning text and combo boxes next to above labels
ls_input_x_pos=110
ls_input_width=210


; y pos for first label and combo box
ls_input_y_pos=220


; OK button
ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=370
ls_btn_ok_width=85
ls_btn_ok_height=30


; Cancel button
ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=370
ls_btn_cancel_width=85
ls_btn_cancel_height=30


[Logging]
LogFile=xrdp.log
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG
; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug


[Channels]
; Channel names not listed here will be blocked by XRDP.
; You can block any channel by setting its value to false.
; IMPORTANT! All channels are not supported in all use
; cases even if you set all values to true.
; You can override these settings on each session type
; These settings are only used if allow_channels=true
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true


; for debugging xrdp, in section xrdp1, change port=-1 to this:
#port=/tmp/.xrdp/xrdp_display_10


; for debugging xrdp, add following line to section xrdp1
#chansrvport=/tmp/.xrdp/xrdp_chansrv_socket_7210




;
; Session types
;


; Some session types such as Xorg, X11rdp and Xvnc start a display server.
; Startup command-line parameters for the display server are configured
; in sesman.ini. See and configure also sesman.ini.
[Xorg]
name=Xorg
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20


[X11rdp]
name=X11rdp
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
xserverbpp=24
code=10


[Xvnc]
name=Xvnc
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1
#xserverbpp=24
#delay_ms=2000


[console]
name=console
lib=libvnc.so
ip=127.0.0.1
port=5900
username=na
password=ask
#delay_ms=2000


[vnc-any]
name=vnc-any
lib=libvnc.so
ip=ask
port=ask5900
username=na
password=ask
#pamusername=asksame
#pampassword=asksame
#pamsessionmng=127.0.0.1
#delay_ms=2000


[sesman-any]
name=sesman-any
lib=libvnc.so
ip=ask
port=-1
username=ask
password=ask
#delay_ms=2000


[neutrinordp-any]
name=neutrinordp-any
lib=libxrdpneutrinordp.so
ip=ask
port=ask3389
username=ask
password=ask


; You can override the common channel settings for each session type
#channel.rdpdr=true
#channel.rdpsnd=true
#channel.drdynvc=true
#channel.cliprdr=true
#channel.rail=true
#channel.xrdpvr=true



Here’s some sample output from /var/log messages when I attempt the connection.


2020-06-16T21:29:27.030528-06:00 linux-1fn2 xrdp-sesman[14094]: rdpClientConDisconnect: clientCon removed from dev list
2020-06-16T21:29:27.030701-06:00 linux-1fn2 xrdp-sesman[14094]: rdpClientConDeinit: deleting file /tmp/.xrdp/xrdp_display_200
2020-06-16T21:29:27.030899-06:00 linux-1fn2 xrdp-sesman[14094]: rdpClientConDeinit: deleting file /tmp/.xrdp/xrdp_disconnect_display_200
2020-06-16T21:29:27.034895-06:00 linux-1fn2 xrdp[14118]: (14118)(139750566336320)[DEBUG] Closed socket 12 (AF_INET6 ::1 port 3301)
2020-06-16T21:29:27.035233-06:00 linux-1fn2 xrdp[14118]: (14118)(139750566336320)[DEBUG] xrdp_mm_module_cleanup
2020-06-16T21:29:27.036159-06:00 linux-1fn2 xrdp[14118]: (14118)(139750566336320)[DEBUG] Closed socket 17 (AF_UNIX)
2020-06-16T21:29:27.045619-06:00 linux-1fn2 xrdp-sesman[14094]: (II) Server terminated successfully (0). Closing log file.
2020-06-16T21:29:28.014638-06:00 linux-1fn2 kwin_x11[14230]: Qt: Session management error: Could not open network socket
2020-06-16T21:29:28.030537-06:00 linux-1fn2 kwin_x11[14230]: The X11 connection broke: I/O error (code 1)
2020-06-16T21:29:28.031193-06:00 linux-1fn2 xrdp-sesman[14094]: XIO:  fatal IO error 2 (No such file or directory) on X server ":200.0"
2020-06-16T21:29:28.031612-06:00 linux-1fn2 xrdp-sesman[14094]:       after 193 requests (193 known processed) with 0 events remaining.
Maybe I need to create an xSession file somewhere but have not tried this yet either. 

I also might need to create a custom xSession file or something?

Any thoughts or ideas are appreciated!

Also, appreciate any input on how secure this is? I’ve always used this for my remote connections to home from work assuming it’s impervious to MIM attacks and that my traffic is all encrypted via ssh and all the xrdp traffic being routed through the tunnel should mean it’s secured well?

I managed to get this working by installing xfce4-session. I tend to have better results with xfce on remote desktops and xrdp setups.

This was the guide I followed.

It’s for Ubuntu but basically the same thing. I didn’t have to disable or mess with light-locker.

Hope this helps someone else sometime.

BTW, Leap 15.1 rocks!!

Quick question, where are you trying to ssh/putty in to LEAP from? Windows 10 has bash feature that allows you to secure shell into linux machines with very little effort.

I’ve always used putty to SSH from my Window systems to Linux boxes. I should look into the Bash / WSL option in Windows 10 though. Seems pretty cool but I haven’t ever used it. Not sure if the bash shell would be as easy to create the tunnel with as it is in putty’s GUI.