With ssh-only access, how do you configure headless gnome-remote-desktop?

oh interesting, how do you know which is active? or are they both always active? oh it is as simple as using or not using --system!

What I want is the system variant because I want to start a session, and then have it remain active when I disconnect (and then resume when I reconnect)

Current status, which I think is what I want:

# user mode (not what I want, and correctly disabled)
❯ sudo grdctl  status
[20:09:30:740] [38020:00009484] [ERROR][com.freerdp.crypto] - [x509_utils_from_pem]: BIO_new failed for certificate
RDP server certificate is invalid.
Failed to lookup legacy VNC password schema: Cannot autolaunch D-Bus without X11 $DISPLAY
RDP:
	Status: disabled
	Port: 3389
	TLS certificate: 
	TLS fingerprint: (null)
	TLS key: 
	View-only: yes
	Negotiate port: yes
Failed to read credentials: Cannot autolaunch D-Bus without X11 $DISPLAY.

and then system, which is enabled, has the cert, etc.

❯ sudo grdctl --system  status
Init TPM credentials failed because No TPM device found, using GKeyFile as fallback.
Overall:
	Unit status: active
RDP:
	Status: enabled
	Port: 3389
	TLS certificate: /var/lib/gnome-remote-desktop/rdp-tls.crt
	TLS fingerprint: f1:db:60:79:75:40:97:84:63:ef:5f:bc:43:6b:b9:5d:81:f8:df:bc:24:d6:e9:92:6c:b1:8d:1b:25:91:fa:b4
	TLS key: /var/lib/gnome-remote-desktop/rdp-tls.key
	Username: (hidden)
	Password: (hidden)

(however, I still cannot connect from an rdp client)

❯ systemctl --system status gnome-remote-desktop.service
Warning: The unit file, source configuration file or drop-ins of gnome-remote-desktop.service ch>
● gnome-remote-desktop.service - GNOME Remote Desktop
     Loaded: loaded (/usr/lib/systemd/system/gnome-remote-desktop.service; enabled; preset: enab>
     Active: active (running) since Sun 2024-11-10 20:08:15 EST; 4min 24s ago
 Invocation: 267ea8b02fba430f8eece4b1275b1b84
   Main PID: 37393 (gnome-remote-de)
      Tasks: 4 (limit: 8634)
     Memory: 3.1M (peak: 4M)
        CPU: 29ms
     CGroup: /system.slice/gnome-remote-desktop.service
             └─37393 /usr/libexec/gnome-remote-desktop-daemon --system

Nov 10 20:08:15 Calypso systemd[1]: Starting gnome-remote-desktop.service - GNOME Remote Desktop>
Nov 10 20:08:15 Calypso gnome-remote-de[37393]: Init TPM credentials failed because No TPM devic>
Nov 10 20:08:15 Calypso systemd[1]: Started gnome-remote-desktop.service - GNOME Remote Desktop.
Nov 10 20:08:15 Calypso gnome-remote-de[37393]: RDP server started

Verify the following using the diagnostic commands given above:

  • ss and systemctl status should return the same PID.
  • grdctl and the client app should show the same fingerprint.

Also check the credentials like this:

sudo -u gnome-remote-desktop cat \
~gnome-remote-desktop/.local/share/\
gnome-remote-desktop/credentials.ini

If everything is correct, but the problem persists:

  • Start monitoring the server side log and try connecting the client:
      journalctl -f -u gnome-remote-desktop.service
  • Capture the relevant traffic on the server:
      sudo tcpdump -nni any tcp port 3389
  • Try using a different client app.
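The two cross-checks from the post above (listener PID against the unit's main PID, server fingerprint against what the client shows), as an added example that is not part of the original posts. The `ss -ltnp` invocation, the function names and the `SAMPLE_*` values are assumptions; the samples are constructed from output shown in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_* values are constructed; on a
# real host feed the functions from the live command noted beside each sample.

# Assumed live source: sudo ss -ltnp
SAMPLE_SS='LISTEN 0 10 *:3389 *:* users:(("gnome-remote-de",pid=37393,fd=12))'
# Live source: systemctl --system status gnome-remote-desktop.service
SAMPLE_UNIT='   Main PID: 37393 (gnome-remote-de)'
# Live source: sudo grdctl --system status
SAMPLE_GRD='  TLS fingerprint: f1:db:60:79:75:40:97:84:63:ef:5f:bc:43:6b:b9:5d:81:f8:df:bc:24:d6:e9:92:6c:b1:8d:1b:25:91:fa:b4'
# Constructed: the same value as a client dialog might render it (upper case).
SAMPLE_CLIENT='F1:DB:60:79:75:40:97:84:63:EF:5F:BC:43:6B:B9:5D:81:F8:DF:BC:24:D6:E9:92:6C:B1:8D:1B:25:91:FA:B4'

# PID owning the listening socket on port $1; reads ss text on stdin.
listener_pid() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            if (match($0, /pid=[0-9]+/)) print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# Main PID from systemctl status text on stdin.
unit_pid() { sed -n 's/^ *Main PID: \([0-9][0-9]*\).*/\1/p'; }

# Fingerprint value from grdctl status text on stdin.
grd_fp() { sed -n 's/^[[:space:]]*TLS fingerprint:[[:space:]]*//p'; }

# Bare lower-case hex, so "F1:DB", "f1 db" and "f1db" compare equal.
norm_fp() { printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f'; }

# 0 if socket owner and unit main process are the same PID.
# $1 = ss text, $2 = systemctl status text, $3 = port
same_pid() {
    l=$(printf '%s\n' "$1" | listener_pid "$3")
    u=$(printf '%s\n' "$2" | unit_pid)
    [ -n "$l" ] && [ "$l" = "$u" ]
}

# 0 if both are 32-byte fingerprints and identical; "(null)" never matches.
fp_match() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

if same_pid "$SAMPLE_SS" "$SAMPLE_UNIT" 3389; then echo "PID: match"; else echo "PID: MISMATCH"; fi
if fp_match "$(printf '%s\n' "$SAMPLE_GRD" | grd_fp)" "$SAMPLE_CLIENT"; then
    echo "fingerprint: match"; else echo "fingerprint: MISMATCH"; fi
```

A PID mismatch means some other process holds port 3389; a fingerprint mismatch means the client reached a different endpoint or certificate than the one `grdctl --system status` reports.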

Also check the credentials like this:

Looks good.

Start monitoring the server side log and try connecting the client:

Ah, these logs are good stuff.

They reveal that I do have a problem:

Nov 10 21:07:21 Calypso gnome-remote-desktop-daemon[37393]: [21:07:21:767] [37393:0000fdd5] [ERROR][com.winpr.sspi.NTLM] - [ntlm_read_AuthenticateMessage]: Message Integrity Check (MIC) verification failed!
Nov 10 21:07:21 Calypso gnome-remote-desktop-daemon[37393]: [21:07:21:767] [37393:0000fdd5] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_MESSAGE_ALTERED [0x8009030F]
Nov 10 21:07:21 Calypso gnome-remote-desktop-daemon[37393]: [21:07:21:767] [37393:0000fdd5] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_MESSAGE_ALTERED [0x8009030F]
Nov 10 21:07:21 Calypso gnome-remote-desktop-daemon[37393]: [21:07:21:767] [37393:0000fdd5] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Nov 10 21:07:21 Calypso gnome-remote-desktop-daemon[37393]: [21:07:21:767] [37393:0000fdd5] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
Nov 10 21:07:21 Calypso gnome-remote-desktop-daemon[37393]: [21:07:21:767] [37393:0000fdd5] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
Nov 10 21:07:21 Calypso gnome-remote-de[37393]: [RDP] Network or intentional disconnect, stopping session

So, Message Integrity Check verification failed. That’s the first thing. :thinking:

This looks like a similar issue:

maybe. they’re pointing at a client issue…which I’d hope Remmina and Gnome Connections wouldn’t have such an issue :sweat_smile:

You can try with Gnome Connections and see how it goes.

omg it worked. thank you!!

I thought I’d already tried Gnome Connections…

OK, so my troubleshooting at the top / OP is a little all over the place – but I hope this thread serves as an aggregate of stuff to look at for future headless RDP folks <3
