neutrinolabs / xrdp

xrdp: an open source RDP server
http://www.xrdp.org/
Apache License 2.0

No longer working after enabling "fscrypt" for home directory #3025

Closed mallardtheduck closed 4 months ago

mallardtheduck commented 4 months ago

xrdp version

0.9.17

Detailed xrdp version, build options

xrdp 0.9.17
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2020 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --enable-ipv6
      --enable-jpeg
      --enable-fuse
      --enable-rfxcodec
      --enable-opus
      --enable-painter
      --enable-vsock
      --build=aarch64-linux-gnu
      --prefix=/usr
      --includedir=${prefix}/include
      --mandir=${prefix}/share/man
      --infodir=${prefix}/share/info
      --sysconfdir=/etc
      --localstatedir=/var
      --disable-silent-rules
      --libdir=${prefix}/lib/aarch64-linux-gnu
      --libexecdir=${prefix}/lib/aarch64-linux-gnu
      --disable-maintainer-mode
      --disable-dependency-tracking
      --with-socketdir=/run/xrdp/sockdir
      build_alias=aarch64-linux-gnu
      CFLAGS=-g -O2 -ffile-prefix-map=/build/xrdp-oI93rY/xrdp-0.9.17=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security 
      LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
      CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -Wno-error=deprecated-declarations
      PKG_CONFIG_PATH=/build/xrdp-oI93rY/xrdp-0.9.17/pkgconfig

  Compiled with OpenSSL 3.0.2 15 Mar 2022

Operating system & version

Ubuntu 22.04.3 LTS aarch64

Installation method

dnf / apt / zypper / pkg / etc

Which backend do you use?

xorgxrdp

What desktop environment do you use?

xfce

Environment xrdp running on

OrangePi Zero3

What's your client?

Microsoft Remote Desktop (Mac)

Area(s) with issue?

Session manager (sesman)

Steps to reproduce

Attempt to connect. The problem started after fscrypt-ing the home directory, but occurs even if the directory is already unlocked (e.g. by opening an SSH session first).

There is no autologin or even so much as a graphical login enabled for the system, so no "double login" issue. Xrdp works fine for another user without an encrypted home directory.

✔️ Expected Behavior

A working login...

❌ Actual Behavior

Black screen for a while, followed eventually by:

image

Anything else?

As far as I can tell, xrdp-sesman is hanging before getting as far as starting the X server. The instance of it can only be removed with SIGKILL. No ".xorgxrdp.10.log" is created (even modifying sesman.ini to create this outside of the home directory didn't change anything). Switching to Xvnc didn't change things either.

xrdp.log:

[20240404-19:31:50] [INFO ] address [0.0.0.0] port [3389] mode 1
[20240404-19:31:50] [INFO ] listening to port 3389 on 0.0.0.0
[20240404-19:31:50] [INFO ] xrdp_listen_pp done
[20240404-19:31:52] [INFO ] starting xrdp with pid 5515
[20240404-19:31:52] [INFO ] address [0.0.0.0] port [3389] mode 1
[20240404-19:31:52] [INFO ] listening to port 3389 on 0.0.0.0
[20240404-19:31:52] [INFO ] xrdp_listen_pp done
[20240404-19:32:35] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:172.29.41.154 port 57208
[20240404-19:32:35] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240404-19:32:35] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240404-19:32:35] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
[20240404-19:32:35] [ERROR] libxrdp_force_read: header read error
[20240404-19:32:35] [ERROR] Processing [ITU-T T.125] Connect-Initial failed
[20240404-19:32:35] [ERROR] [MCS Connection Sequence] receive connection request failed
[20240404-19:32:35] [ERROR] xrdp_sec_incoming: xrdp_mcs_incoming failed
[20240404-19:32:35] [ERROR] xrdp_rdp_incoming: xrdp_sec_incoming failed
[20240404-19:32:35] [ERROR] xrdp_process_main_loop: libxrdp_process_incoming failed
[20240404-19:32:35] [ERROR] xrdp_iso_send: trans_write_copy_s failed
[20240404-19:32:35] [ERROR] Sending [ITU T.125] DisconnectProviderUltimatum failed
[20240404-19:32:35] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:172.29.41.154 port 57209
[20240404-19:32:35] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240404-19:32:35] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240404-19:32:35] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
[20240404-19:32:35] [INFO ] Connected client computer name: Stuarts-iMac
[20240404-19:32:35] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc006 is unknown (ignored)
[20240404-19:32:35] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc00a is unknown (ignored)
[20240404-19:32:35] [INFO ] xrdp_load_keyboard_layout: Keyboard information sent by the RDP client, keyboard_type:[0x04], keyboard_subtype:[0x00], keylayout:[0x00000809]
[20240404-19:32:35] [INFO ] xrdp_load_keyboard_layout: model [] variant [] layout [gb] options []
[20240404-19:32:35] [INFO ] Non-TLS connection established from ::ffff:172.29.41.154 port 57209: encrypted with standard RDP security
[20240404-19:32:35] [INFO ] xrdp_caps_process_pointer: client supports new(color) cursor
[20240404-19:32:35] [INFO ] xrdp_process_offscreen_bmpcache: support level 0 cache size 0 MB cache entries 0
[20240404-19:32:35] [INFO ] xrdp_caps_process_codecs: nscodec, codec id 1, properties len 3
[20240404-19:32:35] [INFO ] Loading keymap file /etc/xrdp/km-00000809.ini
[20240404-19:32:35] [WARN ] local keymap file for 0x00000809 found and doesn't match built in keymap, using local keymap file
[20240404-19:32:35] [INFO ] connecting to sesman ip 127.0.0.1 port 3350
[20240404-19:32:35] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20240404-19:32:35] [INFO ] sesman connect ok
[20240404-19:32:35] [INFO ] sending login info to session manager, please wait...
[20240404-19:32:35] [INFO ] xrdp_wm_log_msg: login successful for display 10
[20240404-19:32:35] [INFO ] login successful for display 10
[20240404-19:32:35] [INFO ] loaded module 'libxup.so' ok, interface size 10296, version 4
[20240404-19:32:35] [INFO ] started connecting
[20240404-19:32:35] [INFO ] lib_mod_connect: connecting via UNIX socket
[20240404-19:36:05] [INFO ] connection problem, giving up
[20240404-19:36:05] [INFO ] some problem

xrdp-sesman.log:

[20240404-19:30:09] [INFO ] starting xrdp-sesman with pid 5074
[20240404-19:30:09] [INFO ] shutting down sesman 1
[20240404-19:30:21] [INFO ] starting xrdp-sesman with pid 5102
[20240404-19:30:21] [INFO ] shutting down sesman 1
[20240404-19:31:22] [INFO ] starting xrdp-sesman with pid 5458
[20240404-19:31:23] [INFO ] shutting down sesman 1
[20240404-19:31:50] [INFO ] starting xrdp-sesman with pid 5505
[20240404-19:32:35] [INFO ] Socket 8: AF_INET6 connection received from ::1 port 37026
[20240404-19:32:35] [INFO ] Terminal Server Users group is disabled, allowing authentication
[20240404-19:32:35] [INFO ] ++ created session (access granted): username orangepi, ip ::ffff:172.29.41.154:57209 - socket: 12
[20240404-19:32:35] [INFO ] starting Xorg session...
[20240404-19:32:35] [INFO ] Starting session: session_pid 5527, display :10.0, width 1920, height 1080, bpp 24, client ip ::ffff:172.29.41.154:57209 - socket: 12, user name orangepi
[20240404-19:32:35] [INFO ] [session start] (display 10): calling auth_start_session from pid 5527
[20240404-19:32:35] [ERROR] sesman_data_in: scp_process_msg failed
[20240404-19:32:35] [ERROR] sesman_main_loop: trans_check_wait_objs failed, removing trans

xrdp/xorg.conf (although this probably isn't relevant as there's no evidence that any attempt to actually run X is occurring):

Section "ServerLayout"
    Identifier "X11 Server"
    Screen "Screen (xrdpdev)"
    InputDevice "xrdpMouse" "CorePointer"
    InputDevice "xrdpKeyboard" "CoreKeyboard"
EndSection

Section "ServerFlags"
    # This line prevents "ServerLayout" sections in xorg.conf.d files
    # overriding the "X11 Server" layout (xrdp #1784)
    Option "DefaultServerLayout" "X11 Server"
    Option "DontVTSwitch" "on"
    Option "AutoAddDevices" "off"
EndSection

Section "Module"
    Load "dbe"
    Load "ddc"
    Load "extmod"
    Load "glx"
    Load "int10"
    Load "record"
    Load "vbe"
    Load "glamoregl"
    Load "xorgxrdp"
    Load "fb"
EndSection

Section "InputDevice"
    Identifier "xrdpKeyboard"
    Driver "xrdpkeyb"
EndSection

Section "InputDevice"
    Identifier "xrdpMouse"
    Driver "xrdpmouse"
EndSection

Section "Monitor"
    Identifier "Monitor"
    Option "DPMS"
    HorizSync 30-80
    VertRefresh 60-75
    ModeLine "1920x1080" 138.500 1920 1968 2000 2080 1080 1083 1088 1111 +hsync -vsync
    ModeLine "1280x720" 74.25 1280 1720 1760 1980 720 725 730 750 +HSync +VSync
    Modeline "1368x768" 72.25 1368 1416 1448 1528 768 771 781 790 +hsync -vsync
    Modeline "1600x900" 119.00 1600 1696 1864 2128 900 901 904 932 -hsync +vsync
EndSection

Section "Device"
    Identifier "Video Card (xrdpdev)"
    Driver "xrdpdev"
    Option "DRMDevice" "/dev/dri/renderD128"
    Option "DRI3" "1"
EndSection

Section "Screen"
    Identifier "Screen (xrdpdev)"
    Device "Video Card (xrdpdev)"
    Monitor "Monitor"
    DefaultDepth 24
    SubSection "Display"
        Depth 24
        Modes "640x480" "800x600" "1024x768" "1280x720" "1280x1024" "1600x900" "1920x1080"
    EndSubSection
EndSection

matt335672 commented 4 months ago

@mallardtheduck - I don't have great news for you I'm afraid. After a bit of searching about, this seems to be a known issue with no workarounds. See google/fscrypt#350.

The only way forward I can see is to upgrade to xrdp v0.10.x when it's released. This version does not fork in a way which confuses fscrypt (and other PAM modules). This was a pretty major architectural change, and can't be back-ported to the v0.9.x series.

v0.10.x is very nearly due for release, but to run it on Ubuntu 22.04 you'll need to build it yourself or find a trusted source for an update.

I'm closing this as there's little else we can do here.
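
Added example, not part of the thread and not xrdp project code: a triage pass over xrdp.log that flags the two conditions visible in the log posted above, namely the unreadable `/etc/xrdp/key.pem` followed by a non-TLS connection, and the backend connect that sits between "started connecting" and "connection problem, giving up". The sample lines are copied from that log; the function names and the 60-second stall threshold are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the xrdp.log in the report above (trimmed to the relevant ones).
SAMPLE_LOG = """\
[20240404-19:32:35] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:172.29.41.154 port 57209
[20240404-19:32:35] [ERROR] Cannot read private key file /etc/xrdp/key.pem: Permission denied
[20240404-19:32:35] [INFO ] Non-TLS connection established from ::ffff:172.29.41.154 port 57209: encrypted with standard RDP security
[20240404-19:32:35] [INFO ] login successful for display 10
[20240404-19:32:35] [INFO ] started connecting
[20240404-19:32:35] [INFO ] lib_mod_connect: connecting via UNIX socket
[20240404-19:36:05] [INFO ] connection problem, giving up
"""

LINE_RE = re.compile(r"^\[(\d{8}-\d{2}:\d{2}:\d{2})\] \[(\w+)\s*\] (.*)$")

def parse(log_text):
    """Yield (timestamp, level, message) for each well-formed xrdp log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y%m%d-%H:%M:%S")
            yield ts, m.group(2), m.group(3)

def triage(log_text, stall_seconds=60):
    """Return (kind, detail) findings; stall_seconds is an assumed threshold."""
    findings = []
    key_error = None      # key read failure seen on the current connection
    connect_start = None  # time the backend connect began
    for ts, _level, msg in parse(log_text):
        if "connection received from" in msg:
            key_error = None  # new client connection: reset per-connection state
        elif msg.startswith("Cannot read private key file"):
            key_error = msg
        elif msg.startswith("Non-TLS connection established") and key_error:
            # Session went ahead without TLS after the key could not be read.
            findings.append(("tls_fallback", f"{key_error} -> {msg}"))
        elif msg == "started connecting":
            connect_start = ts
        elif msg == "connection problem, giving up" and connect_start:
            waited = int((ts - connect_start).total_seconds())
            if waited >= stall_seconds:
                findings.append(("backend_stall", f"gave up after {waited}s"))
            connect_start = None
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, "-", detail)
```
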