xrdp keeps allowing me to connect with username/password instead of only ssh tunnel after setting [globals] port to port=tcp://.:3389. What am I doing wrong?

[CrayCJ]

Hi, I've used xrdp a long time and am very greatful for it! Many thanks.

Now, I'm trying to make my devices a little more secure. That includes the connection type to them. With xrdp I read that I would only have to set the port in /etc/xrdp/xrdp.ini to port=tcp://.:XXXX instead of port=XXXX. I did that, restarted the service (and even the machine), but I am still able to log in just like before with username and passwort - no ssh tunnel required, contrary to my expectation.

xrdp version 0.9.9.

I am fairly sure, that this is not an issue on xrdp's side, but that I am overseeing something. I know that github is not the place for such help requests, but on other forums I've got no help so far.

Any help or suggestions is very much obliged.
Have a great and safe day!

[CrayCJ]

Solved:

See this guide, but: Instead of setting port=tcp//.:3389, I left it at port=3389 (or the one you like) and added address=127.0.0.1 to the line above. Then I sudo service xrdp restart to restart xrdp, which will of course terminate any remote desktop session. Upon re-establishing that, I'm let through - as intended. I then continued in the guide above to set puTTY accordingly. Joined with it (which opens the SSH tunnel) and then connected with Remote Desktop to localhost:5555 (or whatever you have set in puTTY). Then everything worked as before, but now through the SSH-tunnel.

To make my SSH (tunnel) safe, I used

• ssh-keygen -b 4096 (4096 is probably overkill) on the remote machine to generate an RSA keypair (with password).
• Then cd .ssh to get into the directory where those keys are. See the files with ls -la.
• cat id_rsa.pub >> authorized_keys2 will allow any device with id_rsa (non-.pub - the private key) to connect. See ls -la again (authorized_keys2 = id_rsa.pub = public key).
• Therefore we can now "export" id_rsa to the device I want to connect from: cp id_rsa /home/pi/ (I'm on a Raspberry Pi; choose what you like/need). id_rsa was copied for "export" from there. Now we make our original files unreadable for anyone except the now logged in user with chmod 600 *. See the permissions: ls -la.
• Export the /home/pi/id_rsa to the other machine by any means (SFPT, SCP, usb stick, etc., maybe not email).
• Back to the terminal to deny any ssh-connections without a keypair: sudo nano /etc/ssh/sshd_config, change:

• ChallengeResponseAuthentication no
• PasswordAuthentication no
• UsePAM no
• Save and exit (crtl-o, y, ctrl-x).

• sudo reboot to reboot the Pi. Maybe do the two steps below first to make sure your key is ok. If it's not, you will be effectively locked out from ssh on the remote machine. Without physical access, this would be quite painful...
• Opened puTTYgen on the other machine, "load"ed the previously exported private key and "save[d] private key" as .ppk-file, because puTTY cannot use that file without conversion.
• In puTTY, do as above, but add the .ppk-file under Connection > SSH > Auth > Authentication parameter > browse... - then back to session (maybe save that session). Open. Now you tunnel and "normal-ssh" with a ssh-keypair.

Tag for Google to find this: xRDP – How to secure Xrdp Connection using SSH Tunnels