19

I can connect to my Ubuntu 22.04 computer using Remmina RDP with "Remote Login" enabled when I'm logged in. However, as soon as the target's console is locked, I can no longer connect. Port 3389 is open but it shuts down the connection immediately. As soon as I log in physically I can access it remotely again (until the display lock kicks in).

I can disable the display lock but then anyone can access the display without needing my credentials.

I can change my account to autologin and disable the keysafe but then the computer is accessible all the time.

How do I protect my 22.04 machine while being able to access it remotely using the new "Remote Login" RDP method?

  • I have revised the answer to focus on your security question, rather than the workaround for bypassing the screen lock. If the answer below works for you, feel free to up vote the answer and accept the answer as correct by clicking on the gray check mark next to the answer and turn it green ✅. This will mark your problem as solved and help others. – user68186 May 02 '23 at 19:25
  • Just to add to the answer provided by @max, I've had to log-out and log back in between step 3 and 4. Otherwise gnome-extensions would throw an error of not finding the extension I wanted to enable. Source: jik's comment – BrM Jan 24 '24 at 09:31

2 Answers

31

Securing Local Display for Remote Connection

It is my understanding that it is not possible to protect your computer from local physical intrusion while using it remotely using the new "Remote Login" RDP method.

If your concern is someone may watch your screen locally and get sensitive information, or worse, take over your computer locally while you are connected remotely, then install xrdp and bypass the "new Remote login" RDP method.

The new (as of Ubuntu 22.04) GNOME Remote Desktop does not allow a remote connection if you are not logged in locally in the remote computer. On the other hand, xrdp does not allow remote connection if you are logged in locally.

To install the xrdp server, open a terminal and enter:

sudo apt install xrdp

This will install the full xrdp server app. It will allow you to remotely connect to your computer if and only if you are NOT logged in locally. When you log in remotely using RDP (xrdp) your local monitor will not turn on and show potential observers and intruders what you are doing.

See Ubuntu 22.04 remote desktop headless? for more details.

Remote Connection with Local login (Original Answer)

GNOME Shell Extension: Allow locked Remote Desktop

The solution below is for the problem with the screen lock and the new GNOME Remote Desktop in Ubuntu 22.04 that allows RDP (and legacy VNC) protocol for remote desktop sharing. If someone is physically near your computer they will see your activities on the connected monitor and thus be able to collect sensitive information.

You will need a GNOME Shell extension to solve this problem.

First, install gnome-shell-extension-manager with this command:

sudo apt install gnome-shell-extension-manager

Then open the newly installed app called Extension in the GUI. Within this app, search for and install the Allow locked Remote Desktop GNOME Shell extension.

Now you will be able to remotely connect to this computer even when the screen is locked. You will still need to be logged in locally first.

Hope this helps

user68186
  • 33,360
  • 5
    This worked perfectly for what I needed. – KneadToKnow Sep 19 '22 at 13:36
  • I can confirm that this also works for Fedora 36 and 37 (Gnome 42 and Gnome 43). I had issues with my session being terminated as soon as the screen went blank, and the extension also takes care of that. Thank you for the answer. – denNorske Nov 29 '22 at 07:37
  • 2
    The Allow locked Remote Desktop GNOME extension solution only works if I lock the screen through the Win + L shortcut. How can we obtain the possibility to connect to the remote PC after the first boot (before the first login)? – Nicholas Redi Dec 28 '22 at 13:47
  • @NicholasRedi install xrdp; this only allows remote connection if nobody is logged in. As noted above, see the answer to this question – user68186 Dec 29 '22 at 03:11
  • @user68186 Thanks for pointing out! Isn't there any possibility to make the default GNOME Remote Desktop work at the very first boot? For example by activating some services... I would like to have the possibility to be logged in on both ends, also because the Desktop appearance using xrdp looks really strange to me... – Nicholas Redi Dec 29 '22 at 10:08
  • @NicholasRedi not that I know about. You may want to ask a new question. – user68186 Dec 29 '22 at 15:05
  • 1
    The main solution does not really answer OP's question, since one of their primary concerns was security ("anyone can access the display without needing my credentials"). With the "Allow Locked Remote Desktop" Extension, the screen is still visible at the physical monitor; if there is no monitor, a malicious actor could just plug one in. The more secondary solution of using XRDP is actually better in this respect. – Bob May 02 '23 at 09:59
  • 1
    @Bob thanks for bringing this to my notice. I have revised the answer to emphasize the security issue and the corresponding solution. – user68186 May 02 '23 at 19:20
  • 1
    I found the "gnome-shell-extension-manager" solution works perfectly for my needs, thanks! – Jonathan Jul 03 '23 at 16:17
0

The issue is well documented here: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3212#note_992252

As answered by @user68186, the gnome shell extension to disable this behavior is "Allow locked Remote Desktop"

I couldn't find it in gnome-shell-extension-manager. So I installed it manually with these steps:

  1. get your shell version with gnome-shell --version
  2. download the corresponding version at https://extensions.gnome.org/extension/4338/allow-locked-remote-desktop/
  3. install the extension with gnome-extensions install <downloaded_file.zip> (and reboot)
  4. enable the extension with gnome-extensions enable allowlockedremotedesktop@kamens.us (and reboot)

This method has 2 advantages:

  • gnome-extensions is installed by default, so you don't need to install gnome-shell-extension-manager (the GUI manager)
  • gnome-extensions doesn't need any browser integration (contrary to gnome-shell-extension-manager)
max
  • 395
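
Steps 1 to 3 of the manual install depend on the downloaded zip matching the running shell version. As an added example (not part of the original answer and not the extension's own code), this Python check reads the archive's metadata.json and compares its uuid and shell-version fields with the `gnome-shell --version` string before `gnome-extensions install` is run. The sample archive, its version list and the version string are constructed for illustration.

```python
import io
import json
import re
import zipfile

EXPECTED_UUID = "allowlockedremotedesktop@kamens.us"  # UUID used in step 4 of the answer


def shell_major(version_output):
    """Reduce `gnome-shell --version` output to the series used in metadata.json."""
    m = re.search(r"GNOME Shell (\d+)(?:\.(\d+))?", version_output)
    if not m:
        raise ValueError(f"unrecognised version string: {version_output!r}")
    major, minor = m.group(1), m.group(2)
    # Before GNOME 40 the series is "3.<minor>"; from 40 on it is the major number.
    return f"3.{minor}" if major == "3" and minor else major


def check_extension_zip(zip_file, version_output):
    """Return a list of problems; an empty list means the archive looks installable."""
    problems = []
    with zipfile.ZipFile(zip_file) as zf:
        names = zf.namelist()
        if "metadata.json" not in names:
            return ["metadata.json missing from archive root"]
        meta = json.loads(zf.read("metadata.json"))
    # Flag entries that would unpack outside the extension directory.
    for name in names:
        if name.startswith("/") or ".." in name.split("/"):
            problems.append(f"unsafe path in archive: {name}")
    if meta.get("uuid") != EXPECTED_UUID:
        problems.append(f"unexpected uuid: {meta.get('uuid')!r}")
    want = shell_major(version_output)
    supported = [str(v) for v in meta.get("shell-version", [])]
    if not any(v == want or v.startswith(want + ".") for v in supported):
        problems.append(f"shell {want} not in declared shell-version {supported}")
    return problems


def constructed_zip(uuid, versions):
    """Build an in-memory sample archive (constructed, not the real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"uuid": uuid, "shell-version": versions}))
        zf.writestr("extension.js", "// constructed placeholder\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = constructed_zip(EXPECTED_UUID, ["41", "42"])  # constructed version list
    print(check_extension_zip(sample, "GNOME Shell 42.9"))  # constructed version string
```

To check a real download, pass the path of the zip and the output of `gnome-shell --version` to `check_extension_zip`.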