With ssh-only access, how do you configure headless gnome-remote-desktop?

I’ve seen these threads so far:

But, folks enabling this feature already have a way of interacting with their gnome settings on the host machine.

My host machine has no display, but I do have SSH access (it’s an old laptop that I turned into a server and shoved in a 1U rack chassis).

Currently, I have:

❯ gnome-shell --version
GNOME Shell 46.0

❯ lsb_release -r
Release:	24.04

And I know this headless remote desktop feature is something in Gnome 47, so I’ll have to upgrade.

But how do I enable it via the Terminal? (on the machine I’m using now to type these questions, I see the settings for remote login have a few settings – hostname, port, username, password, (enabled or not, of course) – nothing too crazy)

How should I connect to the session from another computer? (looks like maybe any RDP client?)

Thanks!


It’s possible that I need to do some debugging of some sort, but am not sure (yet) where to look. This system I’m trying to connect to is > 10 years old, so I’m sure there are some old configs, and I’m not sure if they’d be a problem.


Troubleshooting

A running log of my discoveries (and help from others) here.

If others run into issues with remote-desktop, I think all of these are checks or something to look at.

Ports not open

To test

❯ netstat -an --program | grep gnome-remote
# no output

To fix:

❯ systemctl --user restart gnome-remote-desktop

To verify:

❯ netstat -an --program | grep gnome-remote

unix  3      [ ]         STREAM     CONNECTED     2015191  264705/gnome-remote  
unix  3      [ ]         STREAM     CONNECTED     2017118  264705/gnome-remote  
unix  2      [ ]         DGRAM                    2017740  264705/gnome-remote  
unix  3      [ ]         STREAM     CONNECTED     2016087  264705/gnome-remote  

(exact details not as important here as later)

Connection log shows login failed for user ___

To test: connect via rdp, see message here
To fix:

grdctl rdp clear-credentials

To verify: connect via rdp, see login screen

However, note that if you see that screen, this is because you have xrdp, and will need to uninstall that.

The actual fix is to

❯ grdctl rdp set-credentials my-username my-password

And to verify, you should be able to type the username and password into your RDP client to connect, and you will not be able to connect without these credentials set.

Remote control not enabled (view only)

To test:

❯ grdctl status

Overall:
	Unit status: active
RDP:
	Status: disabled
	Port: 3389
	TLS certificate: 
	TLS fingerprint: (null)
	TLS key: 
	View-only: yes         # <=== here
	Negotiate port: yes
	Username: (empty)
	Password: (empty)

To fix:

❯ grdctl rdp disable-view-only

To verify:

❯ grdctl status

Overall:
	Unit status: active
RDP:
	Status: disabled
	Port: 3389
	TLS certificate: 
	TLS fingerprint: (null)
	TLS key: 
	View-only: no          # <==== here
	Negotiate port: yes
	Username: (empty)
	Password: (empty)

grdctl reports that RDP is disabled

Note that this doesn’t solve the problem of RDP running on port 3389.

To test

❯ grdctl status

Overall:
	Unit status: active
RDP:
	Status: disabled           # <==== here
	Port: 3389
	TLS certificate: 
	TLS fingerprint: (null)
	TLS key: 
	View-only: no
	Negotiate port: yes
	Username: (empty)
	Password: (empty)

To fix

❯ grdctl rdp enable

To verify

❯ grdctl status

Overall:
	Unit status: active
RDP:
	Status: enabled           # <==== here
	Port: 3389
	TLS certificate: 
	TLS fingerprint: (null)
	TLS key: 
	View-only: no
	Negotiate port: yes
	Username: (empty)
	Password: (empty)

Verify that gnome-remote is running on port 3389

To test:

❯ sudo netstat -an --program | grep 3389
tcp6       0      0 :::3389                 :::*                    LISTEN      1980/xrdp           
tcp6       0      0 192.168.1.17:3389       192.168.1.146:52924     ESTABLISHED 282531/xrdp

To fix (in the case of having xrdp installed):

sudo apt remove xrdp

To verify

❯ sudo netstat -an --program | grep 3389
tcp6       0      0 :::3389                 :::*                    LISTEN      1572/gnome-remote-d 

Note that in order for netstat to show gnome-remote-desktop, you’ll also have to make sure that the certificate is valid.

To restart:

grdctl rdp disable
grdctl rdp enable

Message about invalid certificate

To test

❯ grdctl status
[ERROR][com.freerdp.crypto] - [x509_utils_from_pem]: BIO_new failed for certificate
RDP server certificate is invalid.
# ...

To fix:

export GRDCERTDIR=~/.rdp-certs
mkdir -p $GRDCERTDIR
openssl genrsa -out ${GRDCERTDIR}/grd-tls.key 4096
openssl req -new -key ${GRDCERTDIR}/grd-tls.key -out ${GRDCERTDIR}/grd-tls.csr -subj "/C=DE/ST=Private/L=Home/O=Family/OU=IT Department/CN=ubuntu-live"
openssl x509 -req -days 100000 -signkey ${GRDCERTDIR}/grd-tls.key -in ${GRDCERTDIR}/grd-tls.csr -out ${GRDCERTDIR}/grd-tls.crt

grdctl rdp disable

# These can't change while enabled
grdctl rdp set-tls-cert ${GRDCERTDIR}/grd-tls.crt
grdctl rdp set-tls-key ${GRDCERTDIR}/grd-tls.key

grdctl rdp enable

To verify:

# Server will now be allowed to listen
❯ sudo netstat -an --program | grep 3389
tcp6       0      0 :::3389                 :::*                    LISTEN      1572/gnome-remote-d

# This won't show an error
❯ grdctl status

Cannot create an item in a locked collection

This happens when you try to set credentials:

❯ grdctl rdp set-credentials my-username my-password
Cannot create an item in a locked collection

To fix (pending)
To verify (pending)

1 Like

https://discourse.gnome.org/t/using-the-ui-to-allow-rdp-connections/24914/2 might help.

That post does help! It told me that the daemon isn’t running.

Updated info:

❯ gnome-shell --version
GNOME Shell 47.0

❯ lsb_release -r
Release:	24.10

❯ netstat -an --program | grep gnome-remote
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

So now I need to figure out how to start the daemon.

I ran

❯ systemctl --user restart gnome-remote-desktop

Which now gives netstat something to show

❯ netstat -an --program | grep gnome-remote
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
unix  3      [ ]         STREAM     CONNECTED     2015191  264705/gnome-remote  
unix  3      [ ]         STREAM     CONNECTED     2017118  264705/gnome-remote  
unix  2      [ ]         DGRAM                    2017740  264705/gnome-remote  
unix  3      [ ]         STREAM     CONNECTED     2016087  264705/gnome-remote  

So now I can “connect” with RDP clients, but need to figure out my username / password.

A second problem I’ve run into is that the RDP appears to be running X instead of gdm3
[image]

Check out the grdctl command.

$ grdctl --help
Usage: grdctl [OPTIONS...] COMMAND [SUBCOMMAND]...
Commands:
  rdp                                            - RDP subcommands:
    set-port                                     - Set port the server binds to
    enable                                       - Enable the RDP backend
    disable                                      - Disable the RDP backend
    set-tls-cert <path-to-cert>                  - Set path to TLS certificate
    set-tls-key <path-to-key>                    - Set path to TLS key
    set-credentials [<username> [<password>]]    - Set username and password
                                                   credentials
    clear-credentials                            - Clear username and password
                                                   credentials
    enable-view-only                             - Disable remote control of input
                                                   devices
    disable-view-only                            - Enable remote control of input
                                                   devices
    enable-port-negotiation                      - If unavailable, listen to
                                                   a different port
    disable-port-negotiation                     - If unavailable, don't listen
                                                   to a different port

  status [--show-credentials]                - Show current status

Options:
  --headless                                 - Use headless credentials storage
  --system                                   - Configure system daemon
  --help                                     - Print this help text

thank you!

For now, for testing, I did

grdctl rdp clear-credentials

and now am presented with
[image]

which feels suspicious, but probably because my xinit stuff is wrong.

Here is what I have so far (on the server):

❯ cat ~/.xsessionrc 
export GNOME_SHELL_SESSION_MODE=ubuntu
export XDG_CURRENT_DESKTOP=ubuntu:GNOME
export XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/etc/xdg
startx

❯ cat ~/.xinitrc 
# if [ -d /etc/X11/xinit/xinitrc.d ]; then
#   for f in /etc/X11/xinit/xinitrc.d/*; do
#     [ -x "$f" ] && . "$f"
#   done
#   unset f
# fi

exec gnome-session

How the plot has thickened: even though I’ve rdp’d to the above login screen, grdctl shows that rdp is disabled.

❯ grdctl status
[11:26:28:981] [283848:000454c8] [ERROR][com.freerdp.crypto] - [x509_utils_from_pem]: BIO_new failed for certificate
RDP server certificate is invalid.
Overall:
	Unit status: active
RDP:
	Status: disabled
	Port: 3389
	TLS certificate: 
	TLS fingerprint: (null)
	TLS key: 
	View-only: yes
	Negotiate port: yes
	Username: (empty)
	Password: (empty)

  1. Run the following command as sudo / root to see which program is listening on the RDP port you’re connecting to (e.g. 3389).

    $ netstat -an --program | grep 3389
    
  2. Check the logs of the running RDP server.

Oh, none of them? O.o

❯ sudo netstat -an --program | grep gnome-remote

unix  3      [ ]         STREAM     CONNECTED     14195    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2015191  264705/gnome-remote  
unix  2      [ ]         DGRAM                    16463    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2017118  264705/gnome-remote  
unix  2      [ ]         DGRAM                    2017740  264705/gnome-remote  
unix  3      [ ]         STREAM     CONNECTED     15706    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2016087  264705/gnome-remote  

I used a slightly different command to find out what’s running on 3389

❯ sudo netstat -nlp \
  | grep -i "listen" \
  | grep tcp \
  | grep 3389
tcp6       0      0 :::3389                 :::*                    LISTEN      1980/xrdp           

So this tells me I have the wrong rdp server installed.
I will uninstall xrdp.

Ah, we should be grepping for the port. Updated above command.

ah, that’s much more concise than my command!

❯ sudo netstat -an --program | grep 3389
tcp6       0      0 :::3389                 :::*                    LISTEN      1980/xrdp           
tcp6       0      0 192.168.1.17:3389       192.168.1.146:52924     ESTABLISHED 282531/xrdp         

Uninstalling xrdp, and restarting remote-desktop did not re-expose a binding on the rdp port, 3389

❯ sudo apt remove xrdp
❯ systemctl --user restart gnome-remote-desktop
❯ sudo netstat -an --program | grep 3389
# no results

Gnome-remote-desktop is running though (albeit with an invalid/missing cert):

❯ systemctl --user status gnome-remote-desktop
● gnome-remote-desktop.service - GNOME Remote Desktop
     Loaded: loaded (/usr/lib/systemd/user/gnome-remote-desktop.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-11-10 12:10:41 EST; 1min 45s ago
 Invocation: 7a80e291c9084d669074ad8d2352cccc
   Main PID: 305205 (gnome-remote-de)
      Tasks: 5 (limit: 8634)
     Memory: 2.9M (peak: 3.7M)
        CPU: 30ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/gnome-remote-desktop.service
             └─305205 /usr/libexec/gnome-remote-desktop-daemon

Nov 10 12:10:41 Calypso systemd[4438]: Starting gnome-remote-desktop.service - GNOME Remote Desktop...
Nov 10 12:10:41 Calypso gnome-remote-desktop-daemon[305205]: [12:10:41:786] [305205:0004a835] [ERROR][com.freerdp.crypto] >
Nov 10 12:10:41 Calypso gnome-remote-de[305205]: RDP server certificate is invalid
Nov 10 12:10:41 Calypso systemd[4438]: Started gnome-remote-desktop.service - GNOME Remote Desktop.
lines 1-15/15 (END)

Try this command to see what port is used by gnome-remote-desktop.

gnome-remote-desktop can use a different port (e.g. 3390) if 3389 is in use etc.

❯ sudo netstat -an --program | grep gnome-remote

unix  3      [ ]         STREAM     CONNECTED     14195    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2323865  305205/gnome-remote  
unix  3      [ ]         STREAM     CONNECTED     2322383  305205/gnome-remote  
unix  2      [ ]         DGRAM                    2322385  305205/gnome-remote  
unix  2      [ ]         DGRAM                    16463    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     15706    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2323328  305205/gnome-remote  

Which of these is the port to connect to?
Though, I think maybe no ports are exposed? It’s supposed to be the 4th column (middle column, 4th from left and 4th from right)

I don’t think g-r-d is listening on RDP.

Those are unix sockets for communicating between g-r-d processes.

You can check and enable with grdctl.

1 Like

I’ve enabled rdp using grdctl like this:

❯ grdctl rdp enable

❯ grdctl status

Overall:
	Unit status: active
RDP:
	Status: enabled
	Port: 3389
	TLS certificate: 
	TLS fingerprint: (null)
	TLS key: 
	View-only: no
	Negotiate port: yes
	Username: (empty)
	Password: (empty)

Then restarted the service:

❯ systemctl --user restart gnome-remote-desktop

but there are no ports listed:

❯ sudo netstat -an --program | grep gnome-remote
unix  3      [ ]         STREAM     CONNECTED     14195    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2413562  317112/gnome-remote  
unix  2      [ ]         DGRAM                    16463    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2416795  317112/gnome-remote  
unix  2      [ ]         DGRAM                    2416794  317112/gnome-remote  
unix  3      [ ]         STREAM     CONNECTED     15706    1572/gnome-remote-d  
unix  3      [ ]         STREAM     CONNECTED     2416792  317112/gnome-remote  

The issue is because TLS keys and certs are not configured yet.

Need to check on how they’re generated.

Here’s the output on my system.

$ grdctl status 
Overall:
	Unit status: active
RDP:
	Status: enabled
	Port: 3389
	TLS certificate: /home/sid/.local/share/gnome-remote-desktop/certificates/rdp-tls.crt
	TLS fingerprint: 27:fb:5e:ad:cb:49:b8:25:0b:......:a1:56:7e:d7
	TLS key: /home/sid/.local/share/gnome-remote-desktop/certificates/rdp-tls.key
	View-only: yes
	Negotiate port: yes
	Username: (hidden)
	Password: (hidden)

1 Like

This seems to work: https://www.reddit.com/r/Ubuntu/comments/11f5cv5/how_to_enable_ubuntu_sharing_remote_desktop_from/

export GRDCERTDIR=~/.rdp-certs
mkdir -p $GRDCERTDIR
openssl genrsa -out ${GRDCERTDIR}/grd-tls.key 4096
openssl req -new -key ${GRDCERTDIR}/grd-tls.key -out ${GRDCERTDIR}/grd-tls.csr -subj "/C=DE/ST=Private/L=Home/O=Family/OU=IT Department/CN=ubuntu-live"
openssl x509 -req -days 100000 -signkey ${GRDCERTDIR}/grd-tls.key -in ${GRDCERTDIR}/grd-tls.csr -out ${GRDCERTDIR}/grd-tls.crt

grdctl rdp disable

# These can't change while enabled
grdctl rdp set-tls-cert ${GRDCERTDIR}/grd-tls.crt
grdctl rdp set-tls-key ${GRDCERTDIR}/grd-tls.key

grdctl rdp enable

So now,

❯ sudo netstat -an --program | grep 3389
tcp6       0      0 :::3389                 :::*                    LISTEN      1572/gnome-remote-d 

1 Like
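
An added example, not part of any post in this thread: the certificate step above, rewritten so the private key is created owner-only and the pair is checked before it is handed to `grdctl rdp set-tls-cert` and `set-tls-key`. The function names, the CN and the 365-day default are assumptions, and the fingerprint is SHA-256, which is assumed to be what `grdctl status` prints (the 32-byte value shown elsewhere in the thread is consistent with that).

```shell
# Added example, not from the thread. Function names, CN and defaults are illustrative.
# make_grd_cert DIR CN [BITS] [DAYS]: self-signed pair, private key readable by owner only.
make_grd_cert() (
  dir=$1; cn=$2; bits=${3:-4096}; days=${4:-365}   # 4096 as in the thread; days is a choice
  umask 077                                        # applies to the new directory and key file
  mkdir -p "$dir" &&
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days "$days" \
      -subj "/CN=$cn" -keyout "$dir/grd-tls.key" -out "$dir/grd-tls.crt" 2>/dev/null
)

# SHA-256 fingerprint of a certificate as lowercase colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# check_grd_pair CRT KEY: fail with a reason if the pair is unusable or the key is exposed.
check_grd_pair() (
  crt=$1; key=$2
  [ -s "$crt" ] && [ -s "$key" ] || { echo "missing or empty file"; exit 1; }
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
    { echo "certificate does not parse"; exit 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "private key does not parse"; exit 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not belong to certificate"; exit 1; }
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
    { echo "private key is accessible to group/others"; exit 1; }
  echo "ok"
)

# Demo in a throwaway directory (2048 bits only to keep the demo quick).
demo=$(mktemp -d)
make_grd_cert "$demo" "$(uname -n)" 2048 &&
  check_grd_pair "$demo/grd-tls.crt" "$demo/grd-tls.key" &&
  cert_fingerprint "$demo/grd-tls.crt"
rm -rf "$demo"
```

Compare the printed fingerprint with the `TLS fingerprint` line of `grdctl status` and with the certificate the RDP client shows on first connect.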

ok, so now I can’t connect for a new reason - authentication!

❯ grdctl rdp set-credentials nvp 12345678
Cannot create an item in a locked collection

On the client side, I can’t just grdctl rdp clear-credentials any more

clicking ok just brings the prompt up again.

GNOME Remote Desktop works for me just fine in system mode:
Headless Remote Desktop setup process - #2 by vgaetera

To apply config changes, be sure to restart the service:

sudo systemctl restart gnome-remote-desktop.service

If the problem persists, check the service status, sockets, key and cert, credentials, etc.:

systemctl status gnome-remote-desktop.service
sudo ss -lnpAinet | grep -e gnome-remote
sudo grdctl --system status --show-credentials

Some observations so far:

  • credentials are required
  • setting credentials doesn’t mean they’ll work
  • restarting the service doesn’t impact the error about Cannot create an item in a locked collection

Current state:

❯ sudo grdctl --system status --show-credentials
[sudo] password for lprestonsegoiii: 
Init TPM credentials failed because No TPM device found, using GKeyFile as fallback.
Overall:
	Unit status: active
RDP:
	Status: enabled
	Port: 3389
	TLS certificate: /var/lib/gnome-remote-desktop/rdp-tls.crt
	TLS fingerprint: f1:db:60:79:75:40:97:84:63:ef:5f:bc:43:6b:b9:5d:81:f8:df:bc:24:d6:e9:92:6c:b1:8d:1b:25:91:fa:b4
	TLS key: /var/lib/gnome-remote-desktop/rdp-tls.key
	Username: nvp
	Password: 12345678 # weak password for testing and sharing

❯ sudo ss -lnpAinet | grep -e gnome-remote
tcp   LISTEN 0      10                                               *:3389             *:*    users:(("gnome-remote-de",pid=453738,fd=9))    

❯ systemctl status gnome-remote-desktop.service
● gnome-remote-desktop.service - GNOME Remote Desktop
     Loaded: loaded (/usr/lib/systemd/system/gnome-remote-desktop.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-11-10 17:27:58 EST; 32s ago
 Invocation: 983e7b191b3f4471959d17cbc8f5efb2
   Main PID: 453738 (gnome-remote-de)
      Tasks: 4 (limit: 8634)
     Memory: 3.1M (peak: 3.8M)
        CPU: 29ms
     CGroup: /system.slice/gnome-remote-desktop.service
             └─453738 /usr/libexec/gnome-remote-desktop-daemon --system

Nov 10 17:27:58 Calypso systemd[1]: Starting gnome-remote-desktop.service - GNOME Remote Desktop...
Nov 10 17:27:58 Calypso gnome-remote-de[453738]: Init TPM credentials failed because No TPM device found, using GKeyFile as fallback
Nov 10 17:27:58 Calypso systemd[1]: Started gnome-remote-desktop.service - GNOME Remote Desktop.
Nov 10 17:27:58 Calypso gnome-remote-de[453738]: RDP server started

     

Of note, it looks like Init TPM credentials would be an issue but there is a fallback, GKeyFile, so this warning may be safe to ignore.

In any case, I am unable to connect from an RDP client.

I suspect because of the easy-to-forget message here:

❯ grdctl rdp set-credentials nvp 12345678
Cannot create an item in a locked collection

To be clear, GNOME Remote Desktop can work in 2 different modes:

  • Desktop Sharing - user service that allows sharing already running seat-based sessions.
  • Remote Login - system service that can start new headless sessions.

Each mode has its own separate configuration including separate credentials.


Your last command applied only to Desktop Sharing since you missed the --system flag.
In that case, the --user flag applies implicitly and requires a running GNOME keyring to store the credentials, unless you explicitly add the --headless flag.
BTW, the --headless flag applies implicitly when invoked with the --system flag.

1 Like
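
An added example, not part of any post in this thread: the individual checks from the troubleshooting log at the top (backend enabled, TLS cert and key set, credentials stored, view-only) combined into one pass over `grdctl status` text. The function names are illustrative, the first sample is abridged from output posted above, and the second is constructed.

```shell
# Added example, not from the thread: audit `grdctl status` text read on stdin.
# Prints one finding per line; returns non-zero if any would block an RDP login.
grd_audit() {
  awk '
    /^RDP:/   { in_rdp = 1; next }
    /^[^ \t]/ { in_rdp = 0 }        # any other unindented line ends the RDP section
    in_rdp && /:/ {
      line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      v[key] = val
    }
    END {
      bad = 0
      if (v["Status"] != "enabled") {
        print "BLOCKER: RDP backend disabled (grdctl rdp enable)"; bad = 1 }
      if (v["TLS certificate"] == "" || v["TLS key"] == "" || v["TLS fingerprint"] == "(null)") {
        print "BLOCKER: no TLS cert/key, port will not be opened (set-tls-cert, set-tls-key)"; bad = 1 }
      if (v["Username"] == "" || v["Username"] == "(empty)" ||
          v["Password"] == "" || v["Password"] == "(empty)") {
        print "BLOCKER: no credentials stored (grdctl rdp set-credentials)"; bad = 1 }
      if (v["View-only"] == "yes")
        print "NOTE: view-only, client input is ignored (grdctl rdp disable-view-only)"
      exit bad
    }'
}

# Abridged from the status output posted in the thread (user mode, before the fixes).
sample_user_status() {
  cat <<'EOF'
RDP server certificate is invalid.
Overall:
    Unit status: active
RDP:
    Status: disabled
    TLS certificate:
    TLS fingerprint: (null)
    TLS key:
    View-only: yes
    Username: (empty)
    Password: (empty)
EOF
}

# Constructed system-mode sample after the fixes (fingerprint is made up and shortened).
sample_system_status() {
  cat <<'EOF'
RDP:
    Status: enabled
    TLS certificate: /var/lib/gnome-remote-desktop/rdp-tls.crt
    TLS fingerprint: aa:bb:cc:dd
    TLS key: /var/lib/gnome-remote-desktop/rdp-tls.key
    Username: (hidden)
    Password: (hidden)
EOF
}

sample_user_status | grd_audit || true
sample_system_status | grd_audit && echo "no blockers"
```

Because Desktop Sharing and Remote Login keep separate settings, pipe `grdctl status` and `sudo grdctl --system status` into `grd_audit` separately.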