Skip to content

Instantly share code, notes, and snippets.

@greyltc

greyltc/launch-GRD.sh

Last active February 25, 2025 08:02
Show Gist options
  • Save greyltc/7085bff8f2e728b60077b81329019828 to your computer and use it in GitHub Desktop.
Save greyltc/7085bff8f2e728b60077b81329019828 to your computer and use it in GitHub Desktop.
Download ZIP
configures then activates gnome-remote-desktop from the command line
Raw
launch-GRD.sh
#!/usr/bin/env bash
# run this on the remote terminal machine, as auser with sudo powers, probably through a remote ssh shell
# this will overwrite all the settings it touches
# the name of the user to run these commands as
TARGET_USER=jane
# we need an inlocked desktop session. we can either start a new autologin one or unlock an existing one
echo -e "[daemon]\nAutomaticLogin=${TARGET_USER}\nAutomaticLoginEnable=true\n" | sudo tee /run/gdm/custom.conf
sudo systemctl restart gdm
#sudo loginctl unlock-sessions # unlocks all existing sessions
# print the session type
busctl get-property org.freedesktop.Accounts /org/freedesktop/Accounts/User$(id -u) org.freedesktop.Accounts.User Session
# the password for that target user (needed to unlock their keyring)
TUP="target user password"
# password to use for VNC server
VNC_PASS="welcome to narnia"
# TODO: unlock the keyring (probably by first killing it and then re-launching it like PAM would)
#killall gnome-keyring-daemon
#echo -n ${TUP} | gnome-keyring-daemon --daemonize --login
# write vnc password to the keychain
sudo -i -u ${TARGET_USER} VNC_PASS="${VNC_PASS}" DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u ${TARGET_USER})/bus" bash -c 'echo -n ${VNC_PASS} | secret-tool store --label "GRD VNC pass" xdg:schema org.gnome.RemoteDesktop.VncPassword'
# or if you want you can print the existing password with
# secret-tool lookup xdg:schema org.gnome.RemoteDesktop.VncPassword
# allow screen control
sudo -i -u ${TARGET_USER} DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u ${TARGET_USER})/bus" bash -c 'gsettings set org.gnome.desktop.remote-desktop.vnc view-only false'
# use password authentication
sudo -i -u ${TARGET_USER} DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u ${TARGET_USER})/bus" bash -c 'gsettings set org.gnome.desktop.remote-desktop.vnc auth-method password'
# let's also setup RDP creds just for fun
RDP_USER="john"
RDP_PASS="welcome to narnia"
RDP_CREDS="{\"password\": \"${RDP_PASS}\", \"username\": \"${RDP_USER}\"}"
TLS_STORE=/var/tmp/rdptls
mkdir -p ${TLS_STORE}
# generate the TLS things for the RDP server
winpr-makecert -rdp -path ${TLS_STORE} > /dev/null
# write RDP credentials to the keychain
sudo -i -u ${TARGET_USER} RDP_CREDS="${RDP_CREDS}" DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u ${TARGET_USER})/bus" bash -c 'echo -n ${RDP_CREDS} | secret-tool store --label "GRD RDP creds" xdg:schema org.gnome.RemoteDesktop.RdpCredentials'
# set RDP tls certificate path
sudo -i -u ${TARGET_USER} TLS_CRT="${TLS_STORE}/$(hostname --fqdn).crt" DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u ${TARGET_USER})/bus" bash -c 'gsettings set org.gnome.desktop.remote-desktop.rdp tls-cert "${TLS_CRT}"'
# set RDP tls private key path
sudo -i -u ${TARGET_USER} TLS_KEY="${TLS_STORE}/$(hostname --fqdn).key" DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u ${TARGET_USER})/bus" bash -c 'gsettings set org.gnome.desktop.remote-desktop.rdp tls-key "${TLS_KEY}"'
# allow RDP remote control
sudo -i -u ${TARGET_USER} DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u ${TARGET_USER})/bus" bash -c 'gsettings set org.gnome.desktop.remote-desktop.rdp view-only false'
# now launch the server (needs to be run as the ${TARGET_USER}, haven't figured out how to fool pipewire yet)
/usr/lib/gnome-remote-desktop-daemon
@gilcel
Copy link

gilcel commented Jan 11, 2024
edited
Loading

Great! thanks for your script which runs successfully on Ubuntu 22.04 LTS with GNOME Wayland and X11,
with the following changes (it needs to unlock twice the Keyring for VNC and RDP):

First install the following tools:

#sudo apt install winpr-utils
#sudo apt install libsecret-tools

Change line 11: (note for Ubuntu 23.10 it uses /run/gdm3 so I don't know for previous Ubuntu versions )
echo -e "[daemon]\nAutomaticLogin=${TARGET_USER}\nAutomaticLoginEnable=true\n" | sudo tee /run/gdm/custom.conf
to:
echo -e "[daemon]\nAutomaticLogin=${TARGET_USER}\nAutomaticLoginEnable=true\n" | sudo tee /run/gdm3/custom.conf

Uncomment line 26 and add --unlock to gnome-keyring-daemon (it also works without --daemonize):

echo "Unlocking Keyring for VNC"
echo -n ${TUP} | gnome-keyring-daemon --login --unlock --daemonize

After line 47 (winpr-makecert ) we need to unlock again gnome-keyring-daemon

echo "Unlocking Keyring for RDP"
echo -n ${TUP} | gnome-keyring-daemon --login --unlock --daemonize

Finally change line 62 to:

#/usr/lib/gnome-remote-desktop-daemon
systemctl --user restart gnome-remote-desktop.service

Note: Do not launch the script with sudo but just launch it as the current logged in user (can also be launched via ssh)
since DBUS_SESSION_BUS_ADDRESS will be completely different with sudo command...

@syanyong
Copy link

Thank you so much. I have try. It is work.

@aioue
Copy link

aioue commented Feb 12, 2025
edited
Loading

What are the security implications of auto-login/unlocking like this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment