xRDP – The Infamous “Authentication Required to Create Managed Color Device” Explained

Hello World, 

Since Ubuntu 18.04 LTS was made available, we have been quite busy testing and validating the new features and functionalities of this release.  Currently, the focus is on the xRDP software solution and how to make it work on Ubuntu 18.04.  In a previous post, we provided an updated version of our small script utility that simplifies the installation and configuration of xRDP on Ubuntu 18.04.

This new version of the script fixes a recurring issue that any user would have encountered after performing a manual installation of the xRDP software solution on Ubuntu: the infamous “Authentication Required to Create Managed Color Device” popup message.

This post will try to explain why the popup appears in a remote session and what to do to fix it (partially) or completely…

Let’s do this ! 

Problem Explained

Describing the issue

This section briefly explains the problem and how to reproduce it.  Let’s assume that you have performed a manual installation of the xRDP software package on your Ubuntu 18.04 machine by executing the following command in a Terminal console:

sudo apt-get install xrdp

With no additional configuration, you should be able to open a remote desktop session to your Ubuntu machine as soon as the xrdp package is installed.  Open your favorite remote desktop client, type the hostname or IP address of the remote machine and connect.  You should see the xrdp login screen.

Provide your credentials and wait for the login process to complete.  At this stage, you should see your Ubuntu Desktop, but you should also see the following popups showing up.  The first popup should look like this one, with the following message: “Authentication Required – Create a Pr…”.  Press Cancel.

Then another popup will show up, again displaying an Authentication Required message (i.e. Create managed color device)…  Press Cancel.

Depending on the Desktop interface, you might see only 2 authentication popups or possibly more (up to 4 popups).

After dismissing all these popups, you will be able to access your desktop and perform your tasks on the computer through the remote connection…

The behavior explained 

Ubuntu uses the PolKit software component.  PolKit is basically an application authorization framework that captures actions performed by a user and checks whether this user is authorized to perform such an action on the system.  PolKit reads policy files that specify whether the action requested by the user is authorized, not authorized or needs authentication.  PolKit provides a way to implement granular authorization for users based on the action requested.

When you perform the remote login on Ubuntu and the popup appears, it simply means that, according to the PolKit policy file, this action cannot be performed without authenticating first.  Now, if you log on locally on the system, no popup is displayed because PolKit has evaluated that this action does not need authentication.  This means that PolKit can differentiate between a local session and a remote session.  This also means that different authorization policies apply to local sessions and remote sessions.

PolKit reads XML files in order to evaluate which user is authorized or not authorized.  Some of these files are located under /usr/share/polkit-1/actions.  If you list the content of this folder, you will see that there is a file called org.freedesktop.color.policy.

If you open the file, you will see that it is exactly the one controlling the authentication requests popping up when connecting remotely to the system.

If you scroll down to the end of an action’s section, you can see in its <defaults> section how the system will treat a request to perform that specific action.

If we look at this section, we basically have the following three lines that dictate the behavior of the system.

(....)  
<defaults> 
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
</defaults>
(...)

 

  • allow_active defines the authorization for users logged on locally on the system.  As you can see, the value is set to yes, meaning that no popup will be displayed when creating a managed device or profile.
  • allow_inactive defines the authorization for users with inactive sessions (this means remote sessions).  As you can see, this value is set to no.
  • allow_any defines the authorization rules for any user, whether logged on locally or remotely on the system.  As you can see, the value is set to auth_admin, which means that admin account authentication will be requested.

Modify <allow_inactive> settings

To identify which value is actually controlling the behavior, we modified them one at a time and checked the behavior in the remote session.

We first changed the value of the <allow_inactive> setting from no to yes.  We replaced every occurrence in the file org.freedesktop.color.policy.

(....)
<defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
</defaults>
(...)

Changing this value does not change the behavior in the remote session.  The popup will still be displayed.  So, the xRDP session is not really seen as a remote session, is it?  We then reverted the changes we had made.

Modify <allow_any> settings

After reverting all the changes made in the org.freedesktop.color.policy file, we changed the <allow_any> setting from auth_admin to yes.

(....)
<defaults>
    <allow_any>yes</allow_any>
    <allow_inactive>no</allow_inactive>
    <allow_active>yes</allow_active>
</defaults>
(...)

With this change, no more popups are displayed when connecting to the remote session.  This setting is basically what controls the popup behavior in remote sessions.  Based on this new understanding of PolKit and the policy applied to managed color devices and profiles, we have updated our xrdp installation script to offer an even better user experience….

How to “fix” this issue 

There are multiple ways to fix this issue.  Some are really not recommended and should not be used in a production environment; others are recommended and can be used in a production environment.

Not Recommended way 

If you want to dismiss this annoying popup in your remote session, you can perform one of the following actions:

  • Delete the file org.freedesktop.color.policy (located in /usr/share/polkit-1/actions).  By deleting this file, you basically remove the limitations on creating and managing color devices and profiles….
  • Modify /usr/share/polkit-1/actions/org.freedesktop.color.policy as described above.  For each <allow_any>….</allow_any>, replace the auth_admin value with the value yes.  Modifying <allow_inactive> from no to yes (and not changing any other values) will not remove the limitation.
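A check for the edit described in this list, as an added example that is not part of the original post or its install script: it parses a PolKit action file and reports every action whose <allow_any> or <allow_inactive> default has been set to yes.  The sample XML is constructed from the <defaults> values shown above, and the names SAMPLE_POLICY, read_defaults and weakened_actions are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <defaults> shown in this post: the first
# action keeps the shipped values, the second has <allow_any> edited to "yes".
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.color-manager.create-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.color-manager.create-profile">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

KEYS = ("allow_any", "allow_inactive", "allow_active")


def read_defaults(policy_xml):
    """Map each action id to its three <defaults> values (None if absent)."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        actions[action.get("id")] = {
            key: (defaults.findtext(key) if defaults is not None else None)
            for key in KEYS
        }
    return actions


def weakened_actions(policy_xml):
    """List (action id, key) pairs where <allow_any> or <allow_inactive>
    grants the action with no authentication at all ("yes")."""
    return [
        (action_id, key)
        for action_id, values in read_defaults(policy_xml).items()
        for key in ("allow_any", "allow_inactive")
        if (values[key] or "").strip() == "yes"
    ]


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for action_id, key in weakened_actions(text):
        print(f"{action_id}: <{key}> is 'yes'")
```

Run it with the path of the policy file as its only argument to audit a real system; an empty report means neither setting has been changed to yes.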

Recommended way (so far)

The recommended way is not to modify the files mentioned above but to create authorization files.  These files allow you to define exceptions and decide what to do when a user needs to perform a controlled action.  So far, if you search on the internet, the standard way to get rid of the popup in the remote session is to create a file in /etc/polikit- /config and populate it with the following content:

// Grant the color-manager actions to members of the "users" group
// without asking for authentication.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.color-manager.create-device" ||
         action.id == "org.freedesktop.color-manager.create-profile" ||
         action.id == "org.freedesktop.color-manager.delete-device" ||
         action.id == "org.freedesktop.color-manager.delete-profile" ||
         action.id == "org.freedesktop.color-manager.modify-device" ||
         action.id == "org.freedesktop.color-manager.modify-profile") &&
        subject.isInGroup("users")) {
        // YES means authorized, no prompt shown
        return polkit.Result.YES;
    }
});

This file basically says that if the user belongs to the group “users”, then creating and modifying profiles and color devices can be performed without an authentication prompt.  So far, we have been using this solution in our famous script used to automate the installation of xRDP.  Using this approach, no popup will be displayed anymore and no authentication will be required.  However, this solution has a small side effect on your Ubuntu system: it will generate a system crash popup.

A Better Recommended way 

We have spent some time reading and searching on the Internet for hints and tips about the PolKit framework and the famous system crash popup that comes with the authorization rules used so far.  Based on all this information, we have updated our automated installation script in order to dismiss the Authentication Required popup and to avoid the famous system crash popup.  Instead of using a .conf file, we are now using a .pkla file….

We are writing a dedicated post about this issue and the information will be made available  here

Final Notes 

This post has described the internal mechanisms used by Ubuntu and PolKit that explain why some popups appear in a remote session (if a basic installation of xRDP has been performed).  Based on this new understanding of the underlying technology, we have been able to deliver an improved version of our famous xrdp installation script.  The latest version (ver 0.2) of our Standard xrdp install script already contains the code needed to configure your system properly so that no popup is displayed in the remote session.  This code also fixes a recurring issue that will be explained in the next post…..

Till next time 

See ya

 
