Building on Debian (or Ubuntu, etc) - neutrinolabs/xrdp GitHub Wiki
Introduction
These are steps for building and configuring xrdp 0.10.x and xorgxrdp 0.10.x, on Debian and derivatives, including Ubuntu.
Security
These instructions assume you will want to configure the xrdp daemon to run as an unprivileged user. This feature is available for xrdp version v0.10.2 and later.
Backends
xrdp can use one of these backends:
xorgxrdp: use the existing Xorg installation and add a module xorgxrdp for providing modules for RDP support
Xvnc: a VNC server with X11 support
The preferred backend is xorgxrdp.
This configuration only activates the Xorg backend, so when connecting with an RDP client, be sure to use this session type.
You must install at least one of these backends!
Build & Install xrdp
Get the sources
Check https://github.com/neutrinolabs/xrdp/releases/latest to find the latest version
XRDP_SRC_DIR="${PWD}"/xrdp
wget https://github.com/neutrinolabs/xrdp/releases/download/v0.10.3/xrdp-0.10.3.tar.gz
tar xvzf xrdp-0.10.3.tar.gz
mv xrdp-0.10.3 "${XRDP_SRC_DIR}" ; # renaming to make the other steps clearer
cd "${XRDP_SRC_DIR}"
Alternatively, clone the git repository if you need the devel branch: git clone https://github.com/neutrinolabs/xrdp.git
Install dependencies
The following command uses the CI script built into xrdp to install all the dependencies used by xrdp:-
sudo ./scripts/install_xrdp_build_dependencies_with_apt.sh max
This script is only regularly tested on GitHub's latest x86_64 CI version of Ubuntu, but should work on other systems. If it doesn't, feel free to raise an issue and we can discuss it.
Build
Note: adapt the configure line below to activate your needed features:
./bootstrap
./configure --with-systemdsystemunitdir=/usr/lib/systemd/system \
--enable-ibus --enable-ipv6 --enable-jpeg --enable-fuse --enable-mp3lame \
--enable-fdkaac --enable-opus --enable-rfxcodec --enable-painter \
--enable-pixman --enable-utmp --with-imlib2 --with-freetype2 \
--enable-tests --enable-x264 --enable-openh264 --enable-vsock
make
If you are building on a Debian-based distro which does not use systemd (e.g. Devuan), please omit the --with-systemdsystemunitdir= option.
Install the xrdp server on your system
If you have xrdp installed from a Debian/Ubuntu package, remove it first with sudo apt purge xrdp.
sudo make install
sudo ln -s /usr/local/sbin/xrdp{,-sesman} /usr/sbin
Configure xrdp
Create a local user to run xrdp
sudo adduser --system --group --no-create-home --disabled-password --disabled-login --home /run/xrdp xrdp
Edit /etc/xrdp/xrdp.ini, and uncomment these lines:-
runtime_user=xrdp
runtime_group=xrdp
Edit /etc/xrdp/sesman.ini and uncomment this line:-
SessionSockdirGroup=xrdp
Then:-
sudo chmod 640 /etc/xrdp/rsakeys.ini
sudo chown root:xrdp /etc/xrdp/rsakeys.ini
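For provisioning scripts, the two ini edits above can be applied and verified non-interactively. This is an added example, not code from the xrdp project: the function names are hypothetical, and it assumes the shipped files carry each key as a '#' or ';' commented line.

```shell
#!/bin/sh
# Added example (not xrdp project code): enable the unprivileged-mode keys
# from this page and verify that xrdp.ini and sesman.ini agree on the group.
# Assumption: each key exists in the shipped file as "#KEY=..." or ";KEY=...".

# set_ini_key FILE KEY VALUE
# Uncomments (or rewrites) KEY so that an active "KEY=VALUE" line exists.
# Fails if KEY is not in FILE at all, instead of silently changing nothing.
set_ini_key() {
    file=$1; key=$2; value=$3
    sed -i -E "s|^[#;]?[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file"
    grep -qx "${key}=${value}" "$file"
}

# get_ini_key FILE KEY: print the active (uncommented) value of KEY.
get_ini_key() {
    sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)|\1|p" "$1" | tail -n 1
}

# configure_unprivileged XRDP_INI SESMAN_INI ACCOUNT
# Sets runtime_user/runtime_group and SessionSockdirGroup to ACCOUNT, then
# checks that both files name the same group.
configure_unprivileged() {
    xrdp_ini=$1; sesman_ini=$2; account=$3
    set_ini_key "$xrdp_ini" runtime_user "$account" &&
    set_ini_key "$xrdp_ini" runtime_group "$account" &&
    set_ini_key "$sesman_ini" SessionSockdirGroup "$account" || return 1
    [ "$(get_ini_key "$xrdp_ini" runtime_group)" = \
      "$(get_ini_key "$sesman_ini" SessionSockdirGroup)" ]
}

# Run as: sudo sh thisfile /etc/xrdp/xrdp.ini /etc/xrdp/sesman.ini
if [ "$#" -eq 2 ]; then
    configure_unprivileged "$1" "$2" xrdp || {
        echo "unprivileged settings could not be applied" >&2
        exit 1
    }
fi
```

Running it a second time leaves the files unchanged, so it is safe to keep in a re-runnable provisioning step.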
Certificate
If you know what you are doing, generate an X.509 certificate and private key in /etc/xrdp/cert.pem and /etc/xrdp/key.pem. Both the certificate and key must be readable by the xrdp group.
If you're happy to use the standard Debian self-signed snakeoil certificate:-
# Generate the certificate and key
sudo make-ssl-cert generate-default-snakeoil
# Link the certificate into the xrdp config
sudo ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/xrdp/cert.pem
# Link the private key into the xrdp config
sudo ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/xrdp/key.pem
# Make sure xrdp can read the private key
sudo usermod -a -G ssl-cert xrdp
Check file permissions
This command checks all the file permissions are correct to run xrdp without root privilege:-
sudo /usr/local/share/xrdp/xrdp-chkpriv
Example output:-
Settings
- [xrdp.ini] runtime_user : xrdp
- [xrdp.ini] runtime_group : xrdp
- [xrdp.ini] certificate : /etc/xrdp/cert.pem
- [xrdp.ini] key_file : /etc/xrdp/key.pem
- [sesman.ini] SessionSockdirGroup : xrdp
[ OK ] runtime_user 'xrdp' appears to exist
[ OK ] runtime_group 'xrdp' appears to exist
[ OK ] xrdp.ini and sesman.ini agree on group ownership
[ OK ] /etc/xrdp/rsakeys.ini has correct permissions
[ OK ] /etc/xrdp/cert.pem is read-only for xrdp:xrdp
[ OK ] /etc/xrdp/key.pem is read-only for xrdp:xrdp
[ OK ] -Summary- Permissions appear to be correct to run xrdp unprivileged
If any lines are tagged with [ NG ] rather than [ OK ], investigate and correct the errors.
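In an unattended install, the same check can block service start-up when any line is tagged [ NG ]. The gate below is an added example, not part of xrdp: it assumes the output format shown above, the function names are hypothetical, and the failing sample lines are constructed.

```shell
#!/bin/sh
# Added example (not xrdp project code): gate service start-up on xrdp-chkpriv.
# Assumes the "[ OK ]" / "[ NG ]" / "-Summary-" output format shown on this page.

# chkpriv_gate: read xrdp-chkpriv output on stdin.
#   returns 0  no [ NG ] lines and the -Summary- line is tagged [ OK ]
#   returns 1  at least one [ NG ] line (each is echoed to stderr)
#   returns 2  no [ OK ] summary seen (empty or truncated output)
chkpriv_gate() {
    awk '
        /^[ \t]*\[ NG \]/ { ng++; print "chkpriv: " $0 > "/dev/stderr" }
        /-Summary-/       { summary = $0 }
        END {
            if (ng > 0) exit 1
            if (summary !~ /^[ \t]*\[ OK \]/) exit 2
        }'
}

# Constructed sample: the page's example output with one check flipped to NG.
# The NG message text is made up for the demo, not copied from xrdp-chkpriv.
sample_failing_output() {
    cat <<'EOF'
[ OK ] runtime_user 'xrdp' appears to exist
[ OK ] runtime_group 'xrdp' appears to exist
[ OK ] /etc/xrdp/rsakeys.ini has correct permissions
[ NG ] /etc/xrdp/key.pem (constructed failure line)
[ NG ] -Summary- (constructed failure summary)
EOF
}

# Demo run on the constructed sample. On a real host, replace the producer with
#   sudo /usr/local/share/xrdp/xrdp-chkpriv
# and run "sudo systemctl enable --now xrdp xrdp-sesman" only in the clean branch.
if sample_failing_output | chkpriv_gate; then
    echo "permissions clean: safe to start xrdp"
else
    echo "not starting xrdp (gate returned $?)"
fi
```

Treating a missing summary as a failure means a crashed or truncated check cannot be mistaken for a clean one.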
Start xrdp
sudo systemctl enable --now xrdp xrdp-sesman
Build, install and configure xorgxrdp
Get the sources
Check https://github.com/neutrinolabs/xorgxrdp/releases/latest to find the version of xorgxrdp which works with your version of xrdp.
XORG_XRDP_SRC_DIR="${PWD}"/xorgxrdp
wget https://github.com/neutrinolabs/xorgxrdp/releases/download/v0.10.4/xorgxrdp-0.10.4.tar.gz
tar xvzf xorgxrdp-0.10.4.tar.gz
mv xorgxrdp-0.10.4 xorgxrdp # renaming to make the other steps clearer
Alternatively, clone the git repository if you need the devel branch: git clone https://github.com/neutrinolabs/xorgxrdp.git
Build & Install the sources:
cd "${XORG_XRDP_SRC_DIR}"
sudo scripts/install_xorgxrdp_build_dependencies_with_apt.sh
./bootstrap
./configure --enable-glamor
make
sudo make install
Configure xorgxrdp
Edit /etc/xrdp/sesman.ini. Look for the line param=Xorg and replace it with the line param=/usr/lib/xorg/Xorg. The comments in the file should hopefully make this clear.