Adapt the Remote Desktop panel for headless sessions (being able to configure the g-r-d system daemon)
For quite some time, a set of changes has been developed for g-r-d, gdm, mutter, gnome-session and gnome-settings-daemon (most notably here: gnome-remote-desktop!139 (merged)) to allow the creation of headless sessions.
Currently, the Remote Desktop panel offers the configuration of the g-r-d user daemon for Remote Assistance sessions (mirroring the primary monitor of the local session).
With g-r-d-46.alpha, there is now another daemon, the gnome-remote-desktop system daemon:
With this daemon, the user can remotely log in to GNOME. This session is not visible to what is locally happening on the local machine's screen (assuming here that there is even a monitor present on the server side). Multiple different users can also access the server side remotely at the same time.
The monitor config used in this headless session is also the one that is present on the client side, as in this scenario virtual monitors are used.
Required Changes
The Remote Desktop panel should still cover the existing Remote Assistance feature, while also being able to cover the system daemon for headless sessions.
The following things need to be configured for the system daemon:
- The server certificate/private keyfile. This one is not stored at a local user's location, but in e.g. /etc/gnome-remote-desktop
- The credentials for the system daemon (username, password). It is complex to explain why this is necessary (instead of directly using the user's credentials); overall, the reason is that PAM is incompatible with NTLM (hopefully we can use Kerberos in the future). The user authenticates at the system daemon with these credentials to be able to see the GDM login screen.
Another thing that should be covered by the UI is the following:
Two years ago, for GNOME 42, the server certificate creation handling was added. The (automatically) created server certificate and private keyfile were afaik created with an expiration of two years.
With GNOME 46, we will time-wise hit this expiration date for a lot of users here. When the server certificate expires, the RDP client usually warns the user before connection, but some clients may not just warn the user, but instead directly refuse the connection.
We should somehow check the expiration date of the server certificate and offer the user to recreate the server certificate + private keyfile (maybe automatically, or do some "soft prompt" (i.e. the user can, if they want to, ignore that prompt)).
@chergert Is libbonsai able to check the expiration date for the server certificate here?
Daemon Status
Something to note: g-r-d-46.alpha also now exposes interfaces to expose the status of the individual daemon(s): https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/master/src/org.gnome.RemoteDesktop.xml#L8. This could be helpful for the Remote Desktop panel, because the system daemon and the user daemon will use different ports (they can't use the same one).
CC: @halfline, @joan.torres, @jadahl, @aday
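One way to do the expiration check discussed above, as an added example that is not part of the original issue and is not g-r-d or gnome-control-center code: standard-library Python that reads notAfter from a DER certificate and maps it to "expired" (regenerate), "expiring" (soft prompt) or "ok". The function names, the 30-day warning window and the constructed, unsigned sample skeleton are assumptions.

```python
from datetime import datetime, timedelta, timezone

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out

def not_after(der):
    """Return notAfter of an X.509 certificate (DER bytes) as an aware datetime."""
    tbs = _children(_read_tlv(der, 0)[1])[0][1]     # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    tag, raw = _children(fields[3][1])[1]            # serial, sigAlg, issuer, validity
    text = raw.decode("ascii")
    if tag == 0x17:                                  # UTCTime: RFC 5280 century pivot at 50
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                                # otherwise must be GeneralizedTime
        raise ValueError("unexpected time tag")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_status(der, now, warn_days=30):
    """'expired' -> regenerate; 'expiring' -> soft prompt; 'ok' -> nothing to do."""
    end = not_after(der)
    if now >= end:
        return "expired"
    return "expiring" if end - now <= timedelta(days=warn_days) else "ok"

def _tlv(tag, value):
    return bytes([tag, len(value)]) + value          # short-form lengths only (< 128)

def constructed_sample(not_after_utc):
    """Constructed certificate skeleton with a two-year validity; not a real cert."""
    validity = _tlv(0x30, _tlv(0x17, b"220301000000Z") + _tlv(0x17, not_after_utc))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, b"") + _tlv(0x30, b"") + validity)
    return _tlv(0x30, tbs)
```

For a PEM file on disk, convert its text with `ssl.PEM_cert_to_DER_cert()` before calling `cert_status()`.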