Where is the "Encryption Fingerprint" for the "Remote Desktop" configuration stored?

For Fedora Workstation 37: to allow a Remote Desktop connection, Remmina can be used on the client side, and on the server side it is mandatory to enable the Remote Desktop option, through Settings → Sharing.

At the bottom of the Remote Desktop window there is the Authentication section and the Verify Encryption button. If it is pressed, a small window appears with the Encryption Fingerprint value - this is on the server side. On the client side, this value appears on the first connection attempt as a Certificate. It is mandatory to accept that Certificate to accomplish the first connection and to make others in the future.

Question

  • Where does the Encryption Fingerprint come from?

Or in other words:

  • In what file is that Encryption Fingerprint stored?

That value shown is stored somewhere (a file), right?

Did you check in ~/.ssh of the specific user?

gsettings list-recursively org.gnome.desktop.remote-desktop.rdp

Turns out that it uses a certificate located in ~/.local/share/gnome-remote-desktop/rdp-tls.crt

To get the fingerprint:

openssl x509 -noout -in ~/.local/share/gnome-remote-desktop/rdp-tls.crt -fingerprint -sha256


Alessio - huge thanks for the quick reply; let me test it tonight and then mark your answer as the solution. Just out of curiosity, how did you know that? Is there some link or tutorial to dig more into that?

About SSH

ilikelinux - Yes, I thought the same, but working with the /etc/ssh directory instead - remember, this is all about the server itself, where the mentioned Encryption Fingerprint is sent to the client on the first connection attempt - but it is possible to see it directly on the server itself by just pressing the Verify Encryption button, as was mentioned in the original post.

In the /etc/ssh directory there are some .pub keys, so for each key I used

ssh-keygen        -lf  /etc/ssh/ssh_host_XXX_key.pub   # defaults to sha256
ssh-keygen -E md5 -lf  /etc/ssh/ssh_host_XXX_key.pub

The presentation format of the Encryption Fingerprint shown through the Verify Encryption button is the same as the output of the md5-based command mentioned above, but the values are not the same. Therefore ssh is discarded.

Having confirmed the openssl x509 -noout -in ~/.local/share/gnome-remote-desktop/rdp-tls.crt -fingerprint -sha256 command, the format really is based on sha256.


It is a hash calculated for the RDP server certificate.

The certificate is stored on the RDP server as explained by @alciregi, but the server has no need to store the fingerprint itself.

On the other hand, the RDP client calculates the fingerprint for the server certificate on each connection to verify it against the stored one to prevent sending RDP credentials to a malicious server.

FreeRDP-based clients store the server certificate fingerprints here:

~/.config/freerdp/known_hosts2
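Putting alciregi's server-side command and the client-side known_hosts2 location together, here is an added example (not code from the thread, GNOME or FreeRDP) that computes the SHA-256 fingerprint of rdp-tls.crt the way openssl does, by hashing the DER bytes inside the PEM, and checks it against the entry the FreeRDP client pinned for that host. Two things are assumptions: that a known_hosts2 line starts with host, port and fingerprint (any further fields are ignored), and the sample certificate bytes, which are constructed so the script runs offline; on a real setup point it at the two files named above.

```python
"""Compare the gnome-remote-desktop server certificate with the client's pin.

Added example, not code from the thread, GNOME or FreeRDP. Fingerprint =
SHA-256 over the DER encoding of the certificate, which is what
`openssl x509 -fingerprint -sha256` prints.
"""
import base64
import hashlib
import re
from pathlib import Path

# Paths named in the thread (server side and client side respectively).
SERVER_CERT = Path.home() / ".local/share/gnome-remote-desktop/rdp-tls.crt"
KNOWN_HOSTS2 = Path.home() / ".config/freerdp/known_hosts2"

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the DER bytes of the first certificate in the PEM text,
    formatted like openssl: uppercase hex pairs separated by colons."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM text")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Canonical form for comparison: drop a 'sha256 Fingerprint=' prefix,
    colons and spaces, lowercase. Dialog, openssl and FreeRDP spellings then match."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.split("=", 1)[-1].lower())


def parse_known_hosts2(text: str) -> dict:
    """Map (host, port) -> normalized fingerprint from known_hosts2 text.
    Assumption: each entry begins `host port fingerprint`; extra fields are ignored."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, port, fingerprint = fields[:3]
        pinned[(host.lower(), int(port))] = normalize(fingerprint)
    return pinned


def pinned_matches(known_hosts_text: str, host: str, port: int, pem_text: str) -> bool:
    """True only if the client already pinned host:port AND that pin equals the
    fingerprint of the server's certificate file. No entry means the client
    has never connected and would be asked to trust the certificate (first use)."""
    pinned = parse_known_hosts2(known_hosts_text).get((host.lower(), port))
    return pinned is not None and pinned == normalize(pem_fingerprint(pem_text))


# Constructed sample data: NOT a real certificate, just bytes to hash so the
# script runs offline. TAMPERED differs by one byte, i.e. a different server.
SAMPLE_DER = b"constructed placeholder for the DER bytes of rdp-tls.crt"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
TAMPERED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER + b"!").decode()
    + "-----END CERTIFICATE-----\n"
)
# Constructed known_hosts2: fedora-ws pins the sample cert (written here as
# lowercase hex with colons; normalize() makes case and separators irrelevant),
# other-host pins an unrelated all-zero fingerprint.
SAMPLE_KNOWN_HOSTS2 = (
    f"fedora-ws 3389 {pem_fingerprint(SAMPLE_PEM).lower()}\n"
    f"other-host 3389 {':'.join(['00'] * 32)}\n"
)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "fedora-ws"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    # Real use: copy the server's rdp-tls.crt to the client (or run where both
    # files exist); otherwise the constructed sample data is used.
    pem = SERVER_CERT.read_text() if SERVER_CERT.exists() else SAMPLE_PEM
    known = KNOWN_HOSTS2.read_text() if KNOWN_HOSTS2.exists() else SAMPLE_KNOWN_HOSTS2
    print("server certificate fingerprint:", pem_fingerprint(pem))
    print(f"known_hosts2 entry for {host}:{port} matches:", pinned_matches(known, host, port, pem))
```

The openssl output ("sha256 Fingerprint=AA:BB:...") and the value in the Verify Encryption dialog should both normalize to the same string as the client's known_hosts2 entry. If the pinned value differs from what the server's own file says, either the server regenerated its certificate or something between client and server is presenting its own certificate; a FreeRDP-based client warns when a stored fingerprint changes instead of silently reconnecting, and that warning is the moment to run this comparison before typing credentials.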

Thank you Alessio - all your suggested commands work, even in Ubuntu, because it is based on GNOME too.

Thanks to you Vladislav too - because it was my intention to create a new post about where the received and accepted certificate is stored on the client. For the audience: by default the freerdp directory does not exist at ~/.config/; it is mandatory to have done at least one connection to some host. Once that is done, the ~/.config/freerdp directory exists with many files, among them the known_hosts2 file.

Huge thanks!

Again thanks for the valuable feedback - just out of curiosity:

(1) On the server, in what file is the history of all the clients that made a remote connection through Remmina stored? I am assuming the file contains the IP, date and connection duration.

(2) Same as question (1), but for the clients currently connected - especially if 2 clients are connected at the same time to the same host; consider the scenario where client 1 is instructing or supervising client 2 to fix something on the remote server.

Yes, I did realize that on the host an orange icon appears at the top right indicating that the screen is shared, but there is no more information.

Thanks for your understanding

  1. Take a look at the system logs
    Something like
    sudo journalctl -xf --no-pager
    should show something like
    Mar 21 16:35:07 gnome-remote-desktop-daemon[5130]: [16:26:23:248] [5130:13128] [INFO][com.freerdp.core.connection] - Accepted client: remote.host

  2. Something like
    sudo ss -nte | grep 3389
    The command ss shows the network connections and listening ports (-t displays only TCP connections). -e shows only established connections. 3389 is the RDP port.
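For the two follow-up questions, here is an added example (not code from the answer's author, GNOME or FreeRDP) that turns the two commands above into a small report: it extracts the "Accepted client" events from journalctl output into a per-client connection history, and lists the peers that currently hold an established connection to the local RDP port, which is question (2) when several clients are connected at once. The journal and ss texts inside the block are constructed in the format of those commands, not captured output; the "Accepted client" message format is taken from the line quoted above.

```python
"""Who has connected to gnome-remote-desktop, and who is connected right now.

Added example, not code from the thread's posters, GNOME or FreeRDP. It parses
journalctl lines logged by gnome-remote-desktop-daemon and `ss -nt` output.
"""
import re
from collections import defaultdict

RDP_PORT = 3389

# journalctl short format: "Mon DD HH:MM:SS [hostname] identifier[pid]: message".
# The hostname field is optional so the line quoted in the thread parses too.
# The bracketed "[HH:MM:SS:mmm]" after the colon is FreeRDP's own stamp; journald's is used.
_ACCEPTED_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?"
    r"gnome-remote-desktop-daemon\[(?P<pid>\d+)\]: .*Accepted client: (?P<client>\S+)\s*$"
)


def accepted_clients(journal_text: str) -> list:
    """Every 'Accepted client' event as (journald timestamp, client), oldest first."""
    events = []
    for line in journal_text.splitlines():
        m = _ACCEPTED_RE.match(line)
        if m:
            events.append((m.group("when"), m.group("client")))
    return events


def history_by_client(journal_text: str) -> dict:
    """Connection history grouped per client: {client: [accept timestamps]}.
    Only the accept message quoted in the thread is used, so no duration is derived."""
    history = defaultdict(list)
    for when, client in accepted_clients(journal_text):
        history[client].append(when)
    return dict(history)


def _split_hostport(addr: str) -> tuple:
    """'192.168.1.50:51234' -> ('192.168.1.50', 51234); '[::1]:3389' -> ('::1', 3389)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def established_rdp_peers(ss_text: str, port: int = RDP_PORT) -> list:
    """Peers with an ESTAB connection to OUR listener on `port`, as (host, port).

    `ss -nt` columns: State Recv-Q Send-Q Local Peer [extra detail with -e].
    Filtering on the local port is what `grep 3389` cannot do: grep also matches an
    outbound connection from this host to someone else's RDP server and a local
    ephemeral port such as 53389."""
    peers = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a socket that is not established
        _, local_port = _split_hostport(fields[3])
        if local_port == port:
            peers.append(_split_hostport(fields[4]))
    return peers


# Constructed sample in journalctl short format (host "fedora-ws", daemon pid 5130).
SAMPLE_JOURNAL = """\
Mar 21 16:35:07 fedora-ws gnome-remote-desktop-daemon[5130]: [16:35:07:248] [5130:13128] [INFO][com.freerdp.core.connection] - Accepted client: client-a.lan
Mar 21 16:36:12 fedora-ws gnome-remote-desktop-daemon[5130]: [16:36:12:101] [5130:13129] [INFO][com.freerdp.core.connection] - Accepted client: 192.168.1.60
Mar 21 16:40:00 fedora-ws systemd[1]: Started an unrelated unit that must be ignored.
Mar 22 09:02:45 fedora-ws gnome-remote-desktop-daemon[5130]: [09:02:45:512] [5130:13140] [INFO][com.freerdp.core.connection] - Accepted client: client-a.lan
"""

# Constructed `ss -nte` output: two IPv4 clients and one IPv4-mapped IPv6 client on
# our listener, one outbound connection TO another RDP server, and one unrelated
# socket whose local port merely contains "3389". Only the first three are ours.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port          Peer Address:Port           Process
ESTAB 0      0      192.168.1.10:3389           192.168.1.50:51234          uid:1000 ino:40211 sk:3
ESTAB 0      0      192.168.1.10:3389           192.168.1.60:40022          uid:1000 ino:40215 sk:4
ESTAB 0      0      [::ffff:192.168.1.10]:3389  [::ffff:192.168.1.70]:50001 uid:1000 ino:40400 sk:6
ESTAB 0      0      192.168.1.10:44010          10.0.0.9:3389               uid:1000 ino:40500 sk:7
ESTAB 0      0      192.168.1.10:53389          10.0.0.7:443                uid:1000 ino:40300 sk:5
"""

if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:
        # On the Fedora host: journal entries for this identifier plus the TCP socket table.
        journal = subprocess.run(["journalctl", "--no-pager", "-t", "gnome-remote-desktop-daemon"],
                                 capture_output=True, text=True, check=False).stdout
        ss_out = subprocess.run(["ss", "-nt"], capture_output=True, text=True, check=False).stdout
    else:
        journal, ss_out = SAMPLE_JOURNAL, SAMPLE_SS

    for client, times in history_by_client(journal).items():
        print(f"{client}: {len(times)} connection(s), first {times[0]}, last {times[-1]}")
    print("connected now:", established_rdp_peers(ss_out))
```

Run it with --live on the host (with sudo if the daemon's entries are not visible to your user, as in the answer above). With -e, ss appends detail fields such as uid: and ino: after the peer column; the parser ignores anything past the fifth column, and it keys on the local port rather than on the string 3389 anywhere in the line, which is how the outbound 10.0.0.9:3389 and the 53389 socket in the sample are kept out of the result.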

Huge thanks again for your quick and polite support.