Security
TLS
All RDP connections use TLS 1.3 by default. On first run, lamco-rdp-server automatically generates a self-signed certificate for immediate use.
Custom Certificate Configuration
tls_enabled = true
tls_cert = "/etc/lamco-rdp/cert.pem"
tls_key = "/etc/lamco-rdp/key.pem"
min_tls_version = "1.3"
Note: Self-signed certificates will cause RDP clients to show a certificate warning on the first connection. This is normal behavior. You can deploy a trusted certificate to avoid this prompt.
Authentication
Network Level Authentication (NLA) is supported via PAM (Pluggable Authentication Modules). This authenticates the user before the full RDP session is established.
auth_method = "pam" # pam, none
Important: Flatpak and Snap distributions do not support PAM authentication due to sandboxing restrictions. PAM requires native installation (.deb, .rpm, or from source).
Systemd Hardening
The native systemd service unit ships with comprehensive hardening directives to limit the attack surface:
| Directive | Description |
|---|---|
| PrivateTmp=yes | Isolates /tmp and /var/tmp from other processes |
| ProtectSystem=strict | Mounts /usr, /boot, /efi as read-only |
| NoNewPrivileges=yes | Prevents privilege escalation via setuid/setgid |
| ProtectHome=yes | Makes /home, /root, /run/user inaccessible |
| ProtectKernelTunables=yes | Read-only access to /proc and /sys kernel variables |
| ProtectKernelModules=yes | Prevents loading kernel modules |
| RestrictNamespaces=yes | Restricts creation of new namespaces |
D-Bus Policy
The D-Bus configuration file io.lamco.RdpServer.System.conf restricts which users and processes can access the management interface over the system bus. Only authorized users can start, stop, or query the server status via D-Bus.
Polkit Authorization
Administrative operations (such as binding to privileged ports or modifying system-wide configuration) require Polkit authorization. Desktop environments will display an authentication dialog when elevated access is needed.