{"id":689,"date":"2026-02-16T18:39:52","date_gmt":"2026-02-16T17:39:52","guid":{"rendered":"https:\/\/xpam.pl\/blog\/?p=689"},"modified":"2026-02-16T18:39:52","modified_gmt":"2026-02-16T17:39:52","slug":"conencting-to-safeguard-rdp-via-freerdp-on-linux","status":"publish","type":"post","link":"https:\/\/xpam.pl\/blog\/?p=689","title":{"rendered":"Conencting to SafeGuard RDP via FreeRDP on Linux"},"content":{"rendered":"

On Linux, Remmina\/KRCD\/freerdp do not work out of the box with SafeGuard remote access<\/a>.<\/p>\n

When you connect, see the SafeGuard welcome\/approval screen, click accept, and then… the window either shows \"no auth n\/a\" and disconnects, or freezes indefinitely.<\/p>\n

What's actually happening?<\/p>\n

The SafeGuard bastion uses a two-stage connection:<\/p>\n

1. First hop<\/strong> — your client connects to the bastion proxy over TLS. The vault token in the username authenticates you. The bastion shows a welcome screen.
\n2. Second hop<\/strong> — after you accept the welcome screen, the bastion sends an RDP Server Redirection PDU<\/strong> containing credentials (username, domain, password) for the target machine. Your FreeRDP client follows the redirect and establishes a new connection, this time with NLA<\/strong> (Network Level Authentication) required by the target.<\/p>\n

 <\/p>\n

When FreeRDP performs NLA on the redirect, it uses SPNEGO which tries Kerberos first. If the KDC for the target domain is unreachable from your machine (common when the domain controller is behind the bastion), Kerberos times out before falling back to NTLM.
\nWorse: FreeRDP 3.14 and 3.15 (the versions shipped with Debian Trixie and the Remmina snap as of early 2026) crash with SIGABRT<\/strong> instead of falling back to NTLM. This is fixed in FreeRDP 3.22+.<\/p>\n

To make everything work on Trixie, we need:
\n1. FreeRDP nightly (3.22+)<\/strong> which properly falls back from Kerberos to NTLM
\n2. A minimal krb5.conf<\/strong> that disables DNS-based KDC discovery, so Kerberos fails instantly instead of hanging.<\/p>\n

 <\/p>\n

 <\/p>\n

Installing FreeRDP nightly on Debian Trixie<\/strong><\/p>\n

Add the nightly repository and GPG key (as root):<\/p>\n

wget -qO- http:\/\/pub.freerdp.com\/repositories\/ADD6BF6D97CE5D8D.asc \\\n\u00a0| gpg --dearmor | sudo tee \/usr\/share\/keyrings\/freerdp-nightly.gpg > \/dev\/null\n\n# Add the repository\ncat <<EOF | sudo tee \/etc\/apt\/sources.list.d\/freerdp-nightly.sources\nTypes: deb\nURIs: http:\/\/pub.freerdp.com\/repositories\/deb\/trixie\nSuites: freerdp-nightly\nComponents: main\nSigned-By: \/usr\/share\/keyrings\/freerdp-nightly.gpg\nEOF\n\n# Install\napt update\napt install freerdp-nightly<\/code><\/pre>\n
The nightly package installs to \/opt\/freerdp-nightly\/<\/strong> and does not conflict with the system FreeRDP.<\/p>\n
The connect script<\/strong><\/p>\n
#!\/bin\/bash\nset -euo pipefail\n\nTOKEN="${1:?Usage: $0 <vault-string>}"\n\n# Minimal krb5.conf that disables DNS-based KDC discovery.\n# Without this, Kerberos hangs trying to contact a KDC\nKRB5_CONF=$(mktemp)\ntrap "rm -f '$KRB5_CONF'" EXIT\ncat > "$KRB5_CONF" <<'EOF'\n[libdefaults]\n\u00a0\u00a0\u00a0dns_lookup_kdc = false\n\u00a0\u00a0\u00a0dns_lookup_realm = false\n\u00a0\u00a0\u00a0udp_preference_limit = 0\n\u00a0\u00a0\u00a0kdc_timeout = 1\nEOF\n\nLD_LIBRARY_PATH=\/opt\/freerdp-nightly\/lib \\\nKRB5_CONFIG="$KRB5_CONF" \\\n\/opt\/freerdp-nightly\/bin\/xfreerdp3 \\\n\u00a0\/v:bastion.example.com:4444 \\\n\u00a0\/u:"$TOKEN" \\\n\u00a0\/p: \/d: \\\n\u00a0\/cert:ignore \\\n\u00a0\/auth-pkg-list:ntlm \\\n\u00a0\/relax-order-checks \\\n\u00a0+clipboard \\\n\u00a0\/drive:share,"$HOME\/remmina"<\/code><\/pre>\n
Usage:<\/p>\n
chmod +x connect.sh\n.\/connect.sh 'vaultaddress~connection-string'<\/code><\/pre>\n
What each flag does:
\n– \/u:$TOKEN<\/strong> | Full vault connection string as the username.
\n– \/p: \/d:<\/strong> | Empty password and domain (avoids interactive prompts).
\n– \/cert:ignore<\/strong> | Skip certificate validation for the bastion.
\n– \/auth-pkg-list:ntlm<\/strong> | Tell SPNEGO to prefer NTLM (Kerberos still tried by library internals, but the custom krb5.conf makes it fail fast).
\n– \/relax-order-checks<\/strong> | Tolerate out-of-order RDP packets from the bastion.
\n– +clipboard<\/strong> | Enable clipboard sharing.
\n– \/drive:share,$HOME\/remmina<\/strong> | Share a local directory into the RDP session.<\/p>\n
As of early 2026, both the Remmina snap (stable and edge) and the Debian Trixie package bundle FreeRDP 3.14, which crashes on the Kerberos-to-NTLM fallback during the bastion redirect.<\/p>\n
If you run into issues, enable trace logging by prepending WLOG_LEVEL=TRACE to the command.<\/p>\n
\r\n
\r\n
\r\n Cen
\r\nGitHub<\/a>
\r\nEurobattle.net<\/a>
\r\nLagabuse.com<\/a>
\r\nBnetdocs<\/a>
\r\n<\/div>\r\n","protected":false},"excerpt":{"rendered":"
On Linux, Remmina\/KRCD\/freerdp do not work out of the box with SafeGuard remote access. When you connect, see the SafeGuard welcome\/approval screen, click accept, and then… the window either shows \"no auth n\/a\" and disconnects, or freezes indefinitely. What's actually happening? The SafeGuard bastion uses a two-stage connection: 1. First hop — your client connects […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,18],"tags":[],"class_list":["post-689","post","type-post","status-publish","format-standard","hentry","category-linux","category-script-magic"],"_links":{"self":[{"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=689"}],"version-history":[{"count":10,"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/689\/revisions"}],"predecessor-version":[{"id":699,"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/689\/revisions\/699"}],"wp:attachment":[{"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xpam.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}