Configuring xrdp for FIPS compliance
This document (000020310) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
Situation
Remote desktop access is required.
VNC services do not provide FIPS encryption.
RDP through the xrdp service does provide FIPS encryption and is the proper choice for FIPS-enabled servers.
Resolution
Installation and configuration of xrdp with FIPS mode enabled
1. Register and update the server.
The SUSE server will need to be registered with the SUSE Customer Center (SCC) or with an appropriate update server such as SUSE Manager, SMT, or RMT. Repositories on update servers should be recently mirrored, and the SUSE server should be fully updated. There are known issues with FIPS on earlier releases of the 12 SP5 and 15 SP2 operating systems.
2. Install xrdp along with any dependencies.
# zypper install xrdp
If dependencies are required, allow the system to install all of them.
During the installation there may be a message about generating RSA keys with OpenSSL; it can be ignored.
3. Edit the appropriate entries in /etc/xrdp/xrdp.ini.
# vi /etc/xrdp/xrdp.ini
Locate the following entries and set them to these values:
security_layer=tls
ssl_protocols=TLSv1.2, TLSv1.3
tls_ciphers=FIPS:-eNULL:-aNULL
security_layer=tls makes xrdp require TLS instead of the legacy RDP security layer, ssl_protocols limits negotiation to TLS 1.2 and 1.3, and tls_ciphers is an OpenSSL cipher string that keeps only the FIPS-approved suites while removing null-encryption (eNULL) and unauthenticated (aNULL) ones.
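The following POSIX shell audit is an added example and not part of this TID: it reads the three settings above from an xrdp.ini (assumed to sit in the [Globals] section, as in the stock file), prints every deviation, and exercises itself on constructed sample files rather than a live server's configuration.

```shell
#!/bin/sh
# Added example, not from the SUSE TID: audit an xrdp.ini against the three
# FIPS settings from step 3. Assumes they live in [Globals], as in stock xrdp.ini.

# Print the effective value of key $2 in the [Globals] section of file $1.
# Last definition wins; lines commented with ';' or '#' never match.
ini_get() {
    sed -n '/^\[Globals\]/,/^\[/p' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed only if $1 is a non-empty comma-separated list whose every entry is
# TLSv1.2 or TLSv1.3 (so SSLv3, TLSv1 and TLSv1.1 are rejected).
protocols_ok() {
    [ -n "$1" ] || return 1
    echo "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
        grep -v -x -e 'TLSv1\.2' -e 'TLSv1\.3' | grep -q . && return 1
    return 0
}

# Check file $1; print one line per deviation and return 1 if any was found.
check_xrdp_fips() {
    file=$1; rc=0
    sl=$(ini_get "$file" security_layer)
    [ "$sl" = "tls" ] ||
        { echo "$file: security_layer='$sl' (expected tls)"; rc=1; }
    sp=$(ini_get "$file" ssl_protocols)
    protocols_ok "$sp" ||
        { echo "$file: ssl_protocols='$sp' (expected TLSv1.2, TLSv1.3)"; rc=1; }
    tc=$(ini_get "$file" tls_ciphers)
    [ "$tc" = "FIPS:-eNULL:-aNULL" ] ||
        { echo "$file: tls_ciphers='$tc' (expected FIPS:-eNULL:-aNULL)"; rc=1; }
    return $rc
}
# Write a constructed sample xrdp.ini (not a real server's file) to path $1
# with security_layer=$2, ssl_protocols=$3 and tls_ciphers=$4.
write_sample_ini() {
    printf '[Globals]\nini_version=1\n%s\n%s\n%s\n\n[Xorg]\nname=Xorg\n' \
        "security_layer=$2" "ssl_protocols=$3" "tls_ciphers=$4" > "$1"
}
# Demo: the step-3 values pass, the stock defaults (negotiate/HIGH) do not.
tmp=$(mktemp -d)
write_sample_ini "$tmp/fips.ini" tls "TLSv1.2, TLSv1.3" "FIPS:-eNULL:-aNULL"
write_sample_ini "$tmp/stock.ini" negotiate "TLSv1.2, TLSv1.3" HIGH
for f in "$tmp/fips.ini" "$tmp/stock.ini"; do
    if check_xrdp_fips "$f"; then echo "$f: all FIPS settings present"; fi
done
rm -rf "$tmp"
```

Run it as root against the real file with `check_xrdp_fips /etc/xrdp/xrdp.ini` after step 3 and again after any package update that may have replaced the file.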
4. Create a blank rsakeys.ini file.
# cp /dev/null /etc/xrdp/rsakeys.ini
5. Generate the certificate and key PEM files.
# openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -days 365
These paths are the defaults xrdp uses when the certificate= and key_file= entries in xrdp.ini are left empty. The certificate is self-signed, so clients will warn about it until it is replaced with one issued by a CA they trust.
6. Open firewall TCP ports 3389 (RDP) and 3350 (xrdp-sesman).
These ports can be opened for the public zone if needed by going into yast2-->Security and Users-->Firewall (or simply "yast2 firewall") and making the following changes:
SLES 12
Click on "Allowed Services".
From the "Service to Allow" drop down menu, select Remote Desktop Protocol.
Click the "Add" button and then Next and Finish.
SLES 15
Click on the "public" zone and then click on the "Ports" tab at the top.
In "TCP Ports" add the following entries, using a comma as the delimiter between them:
3389, 3350
Click Accept.
Alternatively, the changes can be made from the command-line in the following ways:
SLES 12
As the root user, edit /etc/sysconfig/SuSEfirewall2.
Locate the following line and add "xrdp" to the list of allowed services:
FW_CONFIGURATIONS_EXT="xrdp"
If there are other services listed, use a space as the delimiter, like this:
FW_CONFIGURATIONS_EXT="sshd xrdp"
After saving the file, restart the service:
# systemctl restart SuSEfirewall2.service
SLES 15
The following command-line tool will add the entries to the configuration:
# firewall-cmd --zone=public --permanent --add-port=3389/tcp
# firewall-cmd --zone=public --permanent --add-port=3350/tcp
# systemctl restart firewalld.service
7. Restart xrdp to apply the new configuration.
# systemctl restart xrdp
8. Connect using a FIPS-enabled RDP client from Windows, Mac, or Linux.
If connecting from SUSE Linux Enterprise, use the following commands according to the OS version, replacing 192.168.1.100 with the address of the xrdp server:
SLES 15 SP*
xfreerdp /v:192.168.1.100 /encryption-methods:FIPS +glyph-cache
SLES 12 SP*
xfreerdp /v:192.168.1.100 /encryption-methods:FIPS
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020310
- Creation Date: 28-Jun-2021
- Modified Date: 13-May-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com