sudo apt update && sudo apt upgrade -y
sudo apt install -y xrdp
sudo systemctl enable --now xrdp
Check status:
sudo systemctl status xrdp
# Let the xrdp service account read the TLS private key (group ssl-cert)
sudo adduser xrdp ssl-cert
GNOME often has issues with XRDP → use XFCE:
sudo apt install -y xfce4
# or full Xubuntu desktop (bigger install):
# sudo apt install -y xubuntu-desktop
Force XRDP to use XFCE:
# Backup (skipped if there is no ~/.xsession yet)
[ -f ~/.xsession ] && cp ~/.xsession ~/.xsession.$(date +%F).bk
# Add comment and set XFCE session
{
echo "#############################"
echo "# $(date +%F) edit"
echo "xfce4-session"
} > ~/.xsession
Allow access from trusted networks only (port 3389):
sudo apt install -y ufw
sudo ufw allow from 192.168.150.0/24 to any port 3389 proto tcp
sudo ufw allow from 100.99.99.0/24 to any port 3389 proto tcp
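# ufw denies all other inbound traffic by default. If you manage this host over SSH
# (or plan to use the SSH tunnel below), allow port 22 from the same trusted networks before enabling.
sudo ufw enable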
sudo ufw reload
sudo systemctl restart xrdp
Connect using any RDP client → server_ip:3389
If it does not connect, log out and log back in.
Never expose port 3389 directly to the internet.
Use VPN or SSH tunnel:
ssh -L 3389:localhost:3389 user@server-ip
Then connect RDP to localhost:3389.
This warning means the server’s SSH key has changed (common after reinstall). To clear the old key:
Open PowerShell / CMD.
Edit your known hosts file:
In CMD:
notepad C:\Users\%USERNAME%\.ssh\known_hosts
In PowerShell (%USERNAME% is not expanded there):
notepad $env:USERPROFILE\.ssh\known_hosts
Find the line with your server’s IP (e.g., 192.168.150.10) → delete it.
Save and close the file.
Retry SSH:
ssh -L 3389:localhost:3389 user@server-ip
If the host is trusted, type yes when asked to confirm the new fingerprint.
Authentication is required to create a color managed device
Fix with polkit rule:
sudo apt install -y policykit-1
sudo nano /etc/polkit-1/rules.d/50-color-management.rules
Add:
// Approves color-manager device creation for any user, without a password prompt.
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.color-manager.create-device") === 0) {
        return polkit.Result.YES;
    }
});
Restart XRDP:
sudo systemctl restart xrdp
System policy prevents Wi-Fi scans
Create polkit rule:
sudo nano /etc/polkit-1/rules.d/50-wifi-scanning.rules
Add:
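// Note: this prefix match approves every NetworkManager action for every user,
// not only Wi-Fi scans.
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager.") === 0) {
        return polkit.Result.YES;
    }
});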
Restart:
sudo systemctl restart polkit
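Both polkit rules above answer YES for any user, and the NetworkManager one matches every action under that prefix. As an added example (not part of the original page), the rule below limits both fixes to exact action ids and to members of one group. The group name rdp-users is hypothetical, and the action ids should be confirmed with pkaction on your host.

```javascript
// Added example: least-privilege variant of the two polkit rules on this page.
// ASSUMPTIONS: the group "rdp-users" is hypothetical; confirm the action ids
// on your host with `pkaction` before installing.

// Stand-in for the polkit runtime so the file also runs under Node for testing.
// Remove this shim when saving the rule under /etc/polkit-1/rules.d/.
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); }
  };
}

// The page's Wi-Fi rule, kept only for comparison (not registered):
// a prefix match with no subject check approves everything NetworkManager offers.
function pageWifiRule(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") === 0) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
}

var ALLOWED_GROUP = "rdp-users"; // hypothetical group for remote-desktop users
var ALLOWED_ACTIONS = [
  "org.freedesktop.color-manager.create-device",
  "org.freedesktop.NetworkManager.wifi.scan"
];

// Approve only the listed actions, and only for members of ALLOWED_GROUP.
// Anything else falls through to the distribution's default policy.
function narrowRule(action, subject) {
  var listed = ALLOWED_ACTIONS.indexOf(action.id) !== -1;
  if (listed && subject.isInGroup(ALLOWED_GROUP)) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
}

polkit.addRule(narrowRule);
```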
Install and configure keyring:
sudo apt install -y gnome-keyring seahorse
Enable auto-unlock (LightDM):
sudo nano /etc/pam.d/lightdm
# Add line:
auth optional pam_gnome_keyring.so
Start keyring at login (~/.xprofile):
eval "$(gnome-keyring-daemon --start)"
Reset keyring if corrupted (this deletes every stored keyring, including saved passwords):
rm -rf ~/.local/share/keyrings/*