Printed by Stephen Quinney Feb 05, 19 13:46 xrdp.log.txt Page 1/3

* Wednesday 31st January 2018 Stephen has imported the XRDP configuration from SEE. Most of it has been put into lcfg-level headers so that it can be shared. At the top level the service is configured using the dice/options/external-xrdp-server.h header. There is a test service accessible at xrdp.inf.ed.ac.uk which seems to work well. A quick survey of clients for Linux suggests that the best is . Stephen will be talking about the project at the next Development meeting so before then he will collect all his notes on a wiki page for the project.

* Wednesday 7th February 2018 Since SEE has already put together a remote desktop solution which works well and is freely available, there seemed little point in trying other possible solutions; so a small test version of SEE’s RDP-based remote desktop service has been set up here in Informatics. It uses HAProxy as a load-balancing front end. In the trial service at xrdp.inf.ed.ac.uk, the front end routes connection requests to the less loaded of the two backend machines, or to an existing session if there is one. The test service will be open to computing staff. It’s envisaged that the full service will use real hardware rather than virtual, and that there will be separate staff and student services. The next work on this project will be to add some Informatics identity to the login screen; to change access controls on the PAM stack for the backend machines, to permit differences between staff and student services; and to document the services on computing.help.

See XRDPService for more details.

* Wednesday 14th February 2018 The xrdp test service is now using a Quovadis certificate. The PAM configuration has been improved so that access to SSH and XRDP services can be controlled separately. The DICE headers are now close to being finished, including that for the staff server. A "no cookie" backend has been added to handle the MacOS client not always using one. The login screen has been improved but still needs an Informatics logo; Graham is going to see if he can come up with one for us. Since lightdm is not required, the config has been simplified by switching the screensaver back to that supplied with MATE. We would like to use fail2ban to block attackers, but it seems that xrdp does not log the IP address for login failures. An alternative approach would be to use haproxy to do rate limiting; Stephen will investigate that option. Chris and Stephen have been working on the computing.help documentation.

* Wednesday 21st February 2018 Stephen has been writing up his work on this at https://blog.inf.ed.ac.uk/squinney/tag/xrdp/. Chris has written user documentation for several platforms and will add a page for Windows 10 users once he gets Windows 10 up and running.

* Wednesday 28th March 2018 There are still issues with clients not accepting the SSL certificates on first connection. Stephen wonders if possibly he does not have the complete chain in the .pem file he generated. Currently waiting on George to offer some advice on how to add the RDP connection rate limiting into the standard dice iptables config (or whether we should just ignore that and just have something simpler). Stephen has decided to document the Gnome RDP client instead of Remmina since it works better on his machine at home.

* Tuesday 12th June 2018 Stephen has used the iptables component to set up rate-limiting for new connections. The Linux client documentation is finished. We recommend the Vinagre client. All of the Remote Desktop pages have now been published. Users are finding that keyboard mapping is wrong, particularly when connecting from Windows or Mac clients. Once we get that sorted we intend to ditch staff.nx and convert the host to the RDP service. This should free up metropolitan. 24 bit connections are pretty slow. 16 bit connections no longer work at all. 8 bit is fast and reliable though.

* Thursday 27th September 2018 NX has been retired. Both remote desktop servers now offer XRDP. Stephen has started writing the technical documentation for this service. Stephen has increased the permitted number of threads so that thread-heavy applications such as firefox can run successfully.

Some people are still getting a US keyboard layout on login.

* Wednesday 17th October 2018 We continued in our efforts to produce a stable service for undergraduates.

Stephen applied the polkit policy to block suspend/hibernate so that these options are not displayed for users (they didn’t work).

* Tuesday 30th October 2018 There have been problems with the new remote desktop service, at least on xrdp.inf.ed.ac.uk. It has often not been possible to start a new session. There’s a bug: when old sessions are expired, not all of their session files are deleted, and this stops the daemon from re-using the session slot for a new user. Stephen has made a script which deletes these neglected files, freeing up expired sessions for re-use.

Inexperienced students have been running very demanding practicals directly on xrdp.inf.ed.ac.uk instead of on a more appropriate machine such as student.compute.inf.ed.ac.uk. This has kept most of the machine’s CPU cores fully occupied and thus greatly slowed down its response time to interactive sessions. To counteract this we’re experimenting with applying resource control measures. We’ve had some success imposing maximum resource quotas on user sessions using systemd control groups. We’re going to look at how these might be imposed on all user sessions automatically, for example using PAM. We’ll also tackle the user education angle - for instance we’ll look into displaying motd-type messages to those starting or connecting to remote desktop sessions.

We hope to buy new hardware soon. Once we have new hardware, we may reserve the current machine for distance learning students and the new hardware for other students. Apart from these specific problems, the current xrdp.inf hardware is six years old and already retired from the role it was bought for, and while still reasonably specified, it’s not particularly powerful. It was always intended to be only a temporary xrdp.inf until more capable hardware was purchased.
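
Added example (not part of the original log, and not the project's own tooling): one way to test the suspicion in the 28th March 2018 entry that the .pem file lacks the complete chain. It assumes a combined HAProxy-style file (certificate, private key, then chain certificates) and a separate file of trusted roots; the function names and the throwaway certificates are constructed for illustration.

```shell
# Added example. Structural check only: it matches issuer and subject names;
# it does not verify signatures, validity dates or revocation.
TAB=$(printf '\t')
# Print "subject<TAB>issuer" for each certificate in a PEM file, in file
# order. Private-key blocks in a combined file are skipped.
bundle_names() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; on=1; f=sprintf("%s/%03d.pem", d, n)}
        on {print > f}
        /-----END CERTIFICATE-----/ {on=0; close(f)}' "$1"
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)
        i=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253)
        printf '%s\t%s\n' "${s#subject=}" "${i#issuer=}"
    done
    rm -rf "$tmp"
}

# check_chain BUNDLE ANCHORS -> 0: each certificate is issued by the next and the
# last issuer is an anchor; 1: empty or out of order; 2: stops short of an anchor.
check_chain() {
    names=$(bundle_names "$1")
    [ -n "$names" ] || return 1
    top=""
    while IFS="$TAB" read -r subj iss; do
        [ -z "$top" ] || [ "$top" = "$subj" ] || return 1
        top=$iss
    done <<EOF
$names
EOF
    bundle_names "$2" | cut -f1 | grep -Fxq -- "$top" && return 0
    return 2
}
# Constructed sample input: throwaway root, intermediate and leaf under "$1".
make_constructed_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for pair in intermediate:root leaf:intermediate; do
        n=${pair%%:*}; ca=${pair##*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
            -set_serial 2 -days 1 -out "$d/$n.pem" 2>/dev/null
    done
    cat "$d/leaf.pem" "$d/leaf.key" > "$d/leaf-only.pem"
    cat "$d/leaf.pem" "$d/leaf.key" "$d/intermediate.pem" > "$d/full.pem"
}
```

A return value of 2 from `check_chain` on the served file is the missing-intermediate case: clients that do not already hold the intermediate cannot build a path to a trusted root.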
