Next xrdp - fixes to VNC wait condition?

Asked by mbck

Two annoying but not blocking probs with 0.6.0-1 xrdp. If there is a better workaround to (1), pray tell!

(1) Apparent race condition when starting Xvnc, prevents xrdp from completing startup, as Xvnc is not ready yet. This was apparently fixed by developers in xrdp#182 (https://github.com/neutrinolabs/xrdp/commit/6ddc43c4fc202b96ccff60afa66db81a3ee2f4b7).

(2) Default sesman.ini allows Xvnc to continue running when xrdp session terminates. This would be OK if sesman did reconnect to it, but in this setting it goes on and creates a new Xvnc session. No code change apparently required, advice is configuration change: adding "param8=-once" to sesman.ini.

While this is a mere annoyance to developers and other power users, these two limitations prevent deploying xrdp to nontechnical users.

Thanks,

Michel.
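The configuration change from item (2), as an added example that is not part of the original question and not xrdp project code: it checks whether the `[Xvnc]` section of a sesman.ini already passes `-once` and, if not, appends it as the next `paramN` line. The sample file content is constructed for illustration (seven existing params, so the new line becomes `param8`), and the function names are hypothetical.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*param(\d+)\s*=\s*(.*?)\s*$", re.IGNORECASE)

# Constructed sample for this example, not the packaged sesman.ini.
SAMPLE = """\
[X11rdp]
param1=-bs
param2=-ac

[Xvnc]
param1=-bs
param2=-ac
param3=-nolisten
param4=tcp
param5=-localhost
param6=-dpi
param7=96
"""

def section_params(ini_text, section="Xvnc"):
    """Return (line_index, N, value) for each paramN line of the section, in file order."""
    found, current = [], None
    for i, line in enumerate(ini_text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        param = PARAM_RE.match(line)
        if param and current == section:
            found.append((i, int(param.group(1)), param.group(2)))
    return found

def has_once(ini_text):
    """True when -once is among the paramN values of the [Xvnc] section."""
    return any(value == "-once" for _, _, value in section_params(ini_text))

def add_once(ini_text):
    """Append paramN=-once after the last [Xvnc] param; no change if present or no params."""
    params = section_params(ini_text)
    if not params or has_once(ini_text):
        return ini_text
    lines = ini_text.splitlines()
    next_n = max(n for _, n, _ in params) + 1
    lines.insert(params[-1][0] + 1, "param%d=-once" % next_n)
    return "\n".join(lines) + "\n"
```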

Question information

Language: English
Status: Expired
For: Ubuntu xrdp
Assignee: No assignee

actionparsnip (andrew-woodhead666) said :
#1

What is the remote connection to achieve?

mbck (michel-lodix) said :
#2

To answer the question "what is the connexion supposed to achieve?" ---
Mostly, provide users with a separate network access for high-risk transactions or such. The use case is:
* User has default desktop, any OS will do; connected to "default" network from which high-risk resources are inaccessible (e.g., in about any environment, financial activity subject to SOX).
* User also has the ability to connect to a local xrdp server, using the xrdp viewer his/her OS provides.
* xrdp server has connectivity to the "default" network above, but limited to incoming TCP over :3389. xrdp server also has outgoing connectivity with other networks for "higher risk" transactions. Examples: IPs of financial institutions whitelisted by external firewall.
* xrdp server has user profiles tailored to specific missions. This includes appropriate certificates for browsing, proper AppArmor settings, and iptables entries for additional controls per group membership.

Sure, you could do that by having several screens per user, or having several TerminalServer configurations. For low levels of traffic (which can be expected for high-risk traffic), it should be possible to work with a single xrdp server, possibly (if stateless) reinitialized from a static image every so often.

...

The fact that I am paranoid doesn't prove that they are not after me. Further, you don't need to implement the whole enchilada above, but a separate network/VM for banking makes sense in many, many circumstances.

Launchpad Janitor (janitor) said :
#3

This question was expired because it remained in the 'Needs information' state without activity for the last 15 days.