Configuring xrdp for FIPS compliance

This document (000020310) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

Server has FIPS enabled following this article: TID000019432 - How to Enable FIPS on SLES

Remote desktop access is required.

VNC services do not provide FIPS encryption.

RDP using the xrdp service does provide FIPS encryption and is the proper choice for FIPS enabled servers.

Resolution

Installation and configuration of xrdp with FIPS mode enabled

1.  Register and update the server.

The SUSE server will need to be registered to the SUSE Customer Center (SCC), or to an appropriate update server such as SUSE Manager, SMT, or RMT. Repositories on update servers should be recently mirrored and the SUSE server should be fully updated before proceeding. There are known issues with FIPS on earlier releases of the 12 SP5 and 15 SP2 operating systems.

2.  Install xrdp along with any dependencies.

# zypper install xrdp

If additional dependencies are required, allow the system to install all of them.

During the installation there may be a message related to generating RSA keys using OpenSSL. It can be ignored, because the RSA key file is replaced by a blank one and a TLS certificate and key in step 4 and step 5.

3.  Edit appropriate entries in /etc/xrdp/xrdp.ini.

# vi /etc/xrdp/xrdp.ini

Locate the following entries in the [Globals] section and set them to these values:

security_layer=tls
ssl_protocols=TLSv1.1, TLSv1.2
tls_ciphers=FIPS:-eNULL:-aNULL

4.  Create a blank rsakeys.ini file.

cp /dev/null /etc/xrdp/rsakeys.ini

5.  Generate a self-signed certificate and private key in PEM format.

openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -days 365

6.  Open firewall TCP ports 3389 (RDP) and 3350 (xrdp-sesman).

These ports can be opened for the public zone if needed, by going into
yast2-->Security and Users-->Firewall (or simply "yast2 firewall") and making the following changes:

SLES 12
Click on "Allowed Services".
From the "Service to Allow" drop down menu, select Remote Desktop Protocol.
Click the "Add" button and then Next and Finish.

SLES 15
Click on the "public" zone and then click on the "Ports" tab at the top.
In "TCP Ports" add the following entries. Use a comma delimiter between entries:
3389, 3350
Click Accept

Alternatively, the changes can be made from the command-line in the following ways:

SLES 12
As the root user edit /etc/sysconfig/SuSEfirewall2
Locate the following line and add "xrdp" to the list of allowed services:

FW_CONFIGURATIONS_EXT="xrdp"

If there are other services listed, use a space as a delimiter like this:

FW_CONFIGURATIONS_EXT="sshd xrdp"

After saving the file restart the service:
# systemctl restart SuSEfirewall2.service

SLES 15
The following command-line tool will add the entries to the configuration:
# firewall-cmd --zone=public --permanent --add-port=3389/tcp
# firewall-cmd --zone=public --permanent --add-port=3350/tcp
# systemctl restart firewalld.service


7.  Restart xrdp to enable new configuration.

# systemctl restart xrdp

8.  Connect using a FIPS enabled RDP client from Windows, Mac, or Linux.

If connecting from SUSE Linux Enterprise, use the following commands based on the OS version:

SLES 15 SP*
xfreerdp /v:192.168.1.100 /encryption-methods:FIPS +glyph-cache

SLES 12 SP*
xfreerdp /v:192.168.1.100 /encryption-methods:FIPS
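The following shell script is added here as an example and is not part of the TID. It audits an xrdp.ini for the three values set in step 3 (security_layer, ssl_protocols, tls_ciphers), ignoring commented-out lines, so a server can be checked before it is restarted in step 7. The two sample ini files are constructed inline for the example; on a real server pass /etc/xrdp/xrdp.ini instead.

```shell
#!/bin/sh
# check_xrdp_fips FILE: return 0 if every expected key has the expected
# value in FILE; otherwise print one MISMATCH line per key and return 1.
# Commented lines (starting with ; or #) are skipped; the first active
# assignment of a key wins, as xrdp reads it.
check_xrdp_fips() {
    ini="$1"
    rc=0
    for pair in \
        'security_layer=tls' \
        'ssl_protocols=TLSv1.1, TLSv1.2' \
        'tls_ciphers=FIPS:-eNULL:-aNULL'
    do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$ini" \
                 | head -n 1 | sed 's/[[:space:]]*$//')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want "%s", have "%s"\n' \
                "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: one edited as in step 3, one left at defaults.
tmp=$(mktemp -d)
GOOD_INI="$tmp/good.ini"
DEFAULT_INI="$tmp/default.ini"
cat > "$GOOD_INI" <<'EOF'
[Globals]
; constructed sample, edited per step 3
port=3389
security_layer=tls
ssl_protocols=TLSv1.1, TLSv1.2
tls_ciphers=FIPS:-eNULL:-aNULL
EOF
cat > "$DEFAULT_INI" <<'EOF'
[Globals]
; constructed sample, not edited
port=3389
security_layer=negotiate
;ssl_protocols=TLSv1.2, TLSv1.3
#tls_ciphers=HIGH
EOF

for f in "$GOOD_INI" "$DEFAULT_INI"; do
    if check_xrdp_fips "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```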
Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020310
  • Creation Date: 29-Jun-2021
  • Modified Date: 29-Jun-2021
  • Product: SUSE Linux Enterprise Server
