Remote desktop with XRDP

Introduction

It is possible to run a remote graphical Linux desktop on our dialog server csnhr.nhr.fau.de through XRDP. This enables use of a graphical desktop environment and applications (e.g. Firefox) even over relatively slow connections (e.g. hotel Wi-Fi abroad). In addition, it is possible to "park" sessions and resume them from elsewhere later, so in a way it works like screen for X. Your detached session keeps running on the server, and when you reattach later, all the applications you had open are still open.

Please keep the following restrictions in mind:

  • This is not suitable for doing graphically demanding tasks like remote 3D visualization, just for normal desktop use. For 3D remote visualization see our dedicated nodes.
  • There is a time limit: Sessions will be killed after a few days of inactivity.
  • Audio redirection is currently not available - you will not get any audio output from the remote session.

Using XRDP from Linux

You will need to have SSH login to csnhr already configured and working; see our documentation on setting up SSH access for that. There is absolutely no point in trying this without first having verified that you can log in to csnhr with SSH: it is a necessary precondition, because the remote desktop session is started via SSH.

You will also need an RDP client installed. We currently recommend xfreerdp (or wlfreerdp if you use Wayland), which on Ubuntu can be installed by installing the package freerdp2-x11 (or freerdp2-wayland). Please make sure to use a client that supports the rfx extension. If you don't, running the remote desktop will generate upwards of 150 MBit of traffic, practically guaranteeing that your connection will be massively overloaded.

Once you have all the necessary preconditions, you can save the following script on your computer, make it executable with chmod +x /path/to/script and run it every time you want to connect to the remote desktop. Make sure to replace USERNAME with your actual username, and xfreerdp with wlfreerdp if you use Wayland.

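#!/bin/bash

# ssh opens the tunnel to XRDP on csnhr and prints a single-use token; "sleep 10" keeps
# the tunnel open until xfreerdp has connected, using the token read from the pipe as password.
ssh -x -L 3389:localhost:3389 USERNAME@csnhr.nhr.fau.de 'get_transient_token; sleep 10' | (read -r TOKEN ; xfreerdp /v:localhost:3389 /rfx /cert:tofu /u:USERNAME "/p:${TOKEN}")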

Using XRDP from Windows

Most current Windows versions include a built-in OpenSSH client, e.g., Windows 10 since version 1803. See Microsoft's documentation on how to install it if it isn't installed by default. This client should be properly configured, so that you can successfully run ssh -i KEYFILE USERNAME@csnhr.nhr.fau.de at a command prompt to log into csnhr.

Save the following into a .bat file. Remember to replace USERNAME on the first line with your HPC account username (e.g., b2101c4) and PRIVATEKEY on the second line with the full path to your private SSH key (e.g., C:\Users\b2101c4\.ssh\id_rsa):

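set UN=USERNAME
set KE=PRIVATEKEY
rem Fetch a single-use login token over SSH (first passphrase prompt)
for /f %%i in ('ssh -i %KE% %UN%@csnhr.nhr.fau.de get_transient_token') do set TOKEN=%%i
rem Store the token temporarily as the credential for the tunnelled RDP target
cmdkey /generic:TERMSRV/127.0.0.1 /user:%UN% /pass:%TOKEN%
rem Open the SSH tunnel in the background (second passphrase prompt)
start /B ssh -i %KE% -L 9999:localhost:3389 %UN%@csnhr.nhr.fau.de sleep 60
rem Give the tunnel time to come up before starting the RDP client
timeout 15 > NUL
mstsc /v:127.0.0.1:9999
rem Remove the stored credential again
cmdkey /delete:legacygeneric:target=TERMSRV/127.0.0.1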

You can store the .bat file above on your desktop (or anywhere you like) so you can execute it with a double-click. A command window will open and you will be required to type your key passphrase twice. You have 15 seconds for typing the second passphrase. If you exceed this limit, the RDP client will try to start and use a non-existing port, and the whole process fails. If all goes well, give it a few seconds and the Windows RDP client will pop up. Ignore the warning about a wrong certificate.

Some useful hints:

  • Do not kill the command window while the session is running since this will terminate the connection. If your session was shorter than 60 seconds, the command window will still be visible for the remaining time until one minute is over.

  • Generate the key pair under Windows (e.g., using ssh-keygen in a command window). Copying the private key from somewhere else (e.g., from a remote Linux machine) will often result in file permissions that are too open and the OpenSSH client will complain. It is a good idea anyway to use a separate key for each standalone client computer.

  • After terminating the RDP connection, the command window should automatically disappear but sometimes does not. Just kill it if necessary.

Using XRDP from macOS

At the moment, we have no automated solution.

You will need a configured and working SSH connection to csnhr for token generation; please check our documentation on setting up SSH access.

Currently, connecting works via the Microsoft Remote Desktop app which is freely available in the Mac App Store. The Microsoft Remote Desktop app can be partially pre-configured: Go to Connections -> Add PC and add localhost:3389 as "PC name".

Type the following into a command line to set up an SSH tunnel and generate the token. Make sure to replace USERNAME with your actual username!

ssh -x -L 3389:localhost:3389 USERNAME@csnhr.nhr.fau.de 'get_transient_token; sleep 100'

Immediately after, connect to the remote desktop in the Microsoft Remote Desktop app and enter your username. Copy the previously generated token from the command line and paste it into the password field. Be aware that the token is only valid once and has a lifetime of 60 seconds!

Selecting a desktop environment

The default desktop environment on csnhr is currently XFCE, which offers a good compromise between performance and usability. There are however multiple desktop environments available on csnhr, and if XFCE is not your cup of tea, you may try a different one.

To select a desktop environment, you'll need to modify the file .xsession in your home directory. It should contain just one single line, and the following table shows the available values.

| Content of ~/.xsession        | Resulting Desktop Environment                             |
|-------------------------------|-----------------------------------------------------------|
| nothing / file does not exist | currently XFCE4, but this may change at a later date.     |
| startxfce4                    | XFCE4                                                     |
| startplasma-x11               | KDE Plasma                                                |
| mate-session                  | MATE Desktop                                              |
| cinnamon                      | a very broken and unusable Cinnamon desktop (do not use)  |
| gnome-session                 | Gnome3                                                    |

Advanced info on XRDP on csnhr

This section is mostly intended for people with a technical background.

XRDP on csnhr only listens on localhost, meaning that you will always have to use an SSH tunnel to access it.

For login, a single-use token with a limited lifetime has to be used, even for non-NHR accounts that still have a password set. You can get such a token by running the command get_transient_token. This will spit out a string that looks like this:

TTK12345:543210:AbCdEFghIJKlmnop3456778xnNaAaA9B

This token has a lifetime of 60 seconds and can only be used once, meaning that within 60 seconds you can use it in the place where you would normally put the password. Use your normal username as the username. While it is possible to manually copy and paste the token, we strongly recommend scripting its generation and use; see our scripts in the sections above.
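
A more defensive variant of the Linux connect script, as an added example that is not part of the original documentation or the site's own tooling. It assumes every token has the shape of the single sample shown above; the function names are hypothetical, and ExitOnForwardFailure is a standard OpenSSH option that the script above does not use.

```shell
#!/bin/sh
# Added example, not the site's own script.
# Assumption: tokens always look like the one sample on this page,
# TTK<digits>:<digits>:<letters and digits>.
TOKEN_RE='TTK[0-9]+:[0-9]+:[A-Za-z0-9]+'

# True only if $1 is a single line shaped like a transient token.
valid_token() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx "$TOKEN_RE"
}

# Read ssh output line by line and print the first line that is a token.
# Banners, warnings or an SSH error message are skipped, never used as password.
extract_token() {
    while IFS= read -r line; do
        if valid_token "$line"; then
            printf '%s\n' "$line"
            return 0
        fi
    done
    return 1
}

# $1 = HPC username. ExitOnForwardFailure makes ssh abort when local port 3389
# cannot be bound (e.g. another local process already listens there), so the
# RDP client is never started against a listener that is not the tunnel.
connect_xrdp() {
    ssh -x -o ExitOnForwardFailure=yes -L 3389:localhost:3389 \
        "$1@csnhr.nhr.fau.de" 'get_transient_token; sleep 10' | {
        token=$(extract_token) || {
            echo 'No token received: check plain SSH login and that local port 3389 is free.' >&2
            exit 1
        }
        xfreerdp /v:localhost:3389 /rfx /cert:tofu "/u:$1" "/p:${token}"
    }
}

# Run as: ./xrdp-connect.sh connect USERNAME
if [ "${1:-}" = connect ] && [ -n "${2:-}" ]; then
    connect_xrdp "$2"
fi
```

If SSH authentication fails or the port forward cannot be set up, the script stops with an error instead of starting the RDP client with an empty or bogus password.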