37

I am running a fresh install of CentOS 7 GNOME so I could RDP from Windows.  I followed the “Connect to GNOME desktop environment via XRDP” instructions, but when I connect I get an additional login that says

authentication is required to create a color profile

How do I remove this additional login?

In an attempt to solve this problem I tried a solution at “Griffon's IT Library”, but it did not work because the link is a lot more than just a solution to this problem.  I pasted the solution below.

When you login into your system via remote session, you will see this message popping up.  You can simply cancel and you will be able to proceed till the next time you login and start a new session.

To avoid this prompt, we will need to change the polkit configuration.  Using admin privileges, create a file called 02-allow-colord.conf under the following directory /etc/polkit-1/localauthority.conf.d/

The file should contains [sic] the following instructions and you should not be prompted anymore with such authentication request while remoting into your system

```
polkit.addRule(function(action, subject) {
   if ((action.id == "org.freedesktop.color-manager.create-device"  ||
        action.id == "org.freedesktop.color-manager.create-profile" ||
        action.id == "org.freedesktop.color-manager.delete-device"  ||
        action.id == "org.freedesktop.color-manager.delete-profile" ||
        action.id == "org.freedesktop.color-manager.modify-device"  ||
        action.id == "org.freedesktop.color-manager.modify-profile")  &&
        subject.isInGroup("{group}")) {
           return polkit.Result.YES;
   }
});
```
Starblight
  • I have the same issue here, I'm running a centos7.5.1804. I'm using the xrdp, and if I select xvnc, I don't see this dialog, but if I select xorg, I do see the annoying dialog. – ollydbg23 Jul 26 '18 at 06:31
  • If anyone wants to know more: [Blog which explains it nicely](https://c-nergy.be/blog/?p=12073) – HarshaD Nov 30 '20 at 18:08
  • It's damn annoying that it asks you 3 times for your password every single time you want to use RDP after closing your laptop. – Sridhar Sarnobat Feb 19 '22 at 22:16
  • The same issue seems to be triggered in Ubuntu 22.04 after installing Chrome Remote Desktop. The most upvoted answer works in that case as well – apokryfos May 16 '23 at 07:16

7 Answers

48

I had the same problem and found a different work-around here:

https://github.com/TurboVNC/turbovnc/issues/47#issuecomment-412005377

This variant is claimed to work independent of authentication scheme (e.g. LDAP).

Create /etc/polkit-1/localauthority/50-local.d/color.pkla (note: .pkla extension is required) with the following contents:

```
[Allow colord for all users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile;org.freedesktop.packagekit.system-sources-refresh
ResultAny=yes
ResultInactive=yes
ResultActive=yes
```

Worked for me.

update
See next comment in linked github thread... 18.04 users may want to try the above answer but with the following changes:

```
[Allow colord for all users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile;org.freedesktop.packagekit.system-sources-refresh
ResultAny=no
ResultInactive=no
ResultActive=yes
```
Brian D
Nemo
  • Worked for me as well (Ubuntu 18.04). Accepted answer didn't work for me (perhaps I did something wrong). Hmm, perhaps I spoke/wrote too soon. Connection was soon dropped and when I reconnect it drops soon after connect. Remove the file and looks like I can connect again (but with the original issue). – ds00424 Feb 12 '19 at 21:56
  • worked for me on ubuntu 20.04 – realgt May 26 '20 at 15:31
  • works in Kali Linux (Debian) – Sergio Cabral May 29 '20 at 05:23
  • The key has to do with `PolKit` version. If your system uses `PolKit` < 0.106, then you will need a `.pkla` file as opposed to a `.conf` file. You can find out the version of PolKit you have by running `pkaction --version` command. On Ubuntu 20.04, I got `pkaction version 0.105`. Reference: [http://c-nergy.be/blog/?p=12043](http://c-nergy.be/blog/?p=12043). – Karthic Raghupathi Jun 25 '20 at 04:31
  • This worked for me as opposed to the accepted answer. `pkaction --version` returns `0.115` – Ex Umbris Jul 25 '20 at 22:50
  • It worked for me, but now power and restart are not working. What can I do now? – Shawn Nov 30 '20 at 15:10
  • This worked for me with settings ResultAny=no and ResultInactive=no – 2cents Jan 15 '21 at 17:56
  • Yeah, I had the same problem as ds00424. As soon as I implemented this 'solution', Ubuntu popped up a notice "system problem detected" and then would disconnect right after logging in via RDP. i.e., it caused this issue: https://unix.stackexchange.com/questions/523152/xrdp-disconnects-immediately-after-connection-from-windows10-centos-to-centos7 – Brian D Jan 18 '22 at 15:27
  • When using x2go to connect, this also goes hand in hand: https://askubuntu.com/questions/1291512/authentication-required-system-policy-prevents-wifi-scans-in-focalfossa – poleguy Jun 14 '23 at 16:28
21

EDIT:

Please use the upvoted answer and not this one.

OLD ANSWER:

I found this bug and some workarounds here:

https://bugzilla.redhat.com/show_bug.cgi?id=1149893

More specifically, you have to place a .rules file in

/etc/polkit-1/rules.d/

(Select a filename and just give it the .rules extension)

and give the rules:

```
polkit.addRule(function(action, subject) {
   if ((action.id == "org.freedesktop.color-manager.create-device" ||
        action.id == "org.freedesktop.color-manager.create-profile" ||
        action.id == "org.freedesktop.color-manager.delete-device" ||
        action.id == "org.freedesktop.color-manager.delete-profile" ||
        action.id == "org.freedesktop.color-manager.modify-device" ||
        action.id == "org.freedesktop.color-manager.modify-profile") &&
       subject.isInGroup("ATTENTION")) {
      return polkit.Result.YES;
   }
});
```

Then you have to replace the word "ATTENTION" with your user's group.

koleygr
  • With the changes mentioned above, I can workaround this issue. Thanks. – ollydbg23 Jul 26 '18 at 06:52
  • Great answer; thanks for including the references. This worked for me on Fedora 28, connecting with VNC. – Dogweather Sep 11 '18 at 22:10
  • I have some upvotes these days and possibly some distribution needs a bug fix or something... I think that adding (once) your distribution that gives this error you will help to find out which distro needs a bug report to get fixed the sooner possible. (Not sure if this could be acceptable or suggested here, but thinking it could help. The linked bug was about fedora 23 and has already been closed as EOL. I think it would help to know what distro gives this error these days.) – koleygr Apr 11 '19 at 20:44
  • I also had to restart polkit to load the new rule file (i.e. `systemctl restart polkit`). Rebooting should also work. – nochkin May 03 '19 at 13:17
  • This doesn't really work for me on Centos 8. I get these errors on the XDMCP login screen both BEFORE entering a user ID and AFTER, during the actual login (and yes, I rebooted). – Ex Umbris Jul 25 '20 at 22:44
  • After this "fix" the restart/shutdown from the power icon at top right no longer prompts for a password and does nothing. – Ex Umbris Dec 14 '21 at 19:38
  • @ExUmbris remove the file and try the answer of Nemo ... This answer is 4 years old! – koleygr Dec 14 '21 at 19:50
  • Yes, that works. In the interests of future visitors, it would be generous to ask the OP (@Starblight) to change the accept checkmark to Nemo's answer. – Ex Umbris Dec 14 '21 at 19:54
  • I will just delete this one... Tried... but "can't delete the accepted answer" – koleygr Dec 14 '21 at 20:52
5

None of the other two answers worked for me, so I used a more drastic proposal to simply disallow changing the colour profile:

Ok I edited /usr/share/polkit-1/actions/org.freedesktop.color.policy, changed every instance of "auth_admin" to "no"

I used the following little bash snippet to do this:

```
cd /usr/share/polkit-1/actions/
cp -a  org.freedesktop.color.policy  org.freedesktop.color.policy.orig
sed -e 's|>auth_admin<|>no<|g'  org.freedesktop.color.policy.orig  >  org.freedesktop.color.policy
```
FriendFX
  • this stopped that popup when using VNC, on RHEL 7.8 x86-64. Other proposed solutions were not working – ron Aug 18 '20 at 15:18
  • can you, or anyone, quickly elaborate on what the ramifications would be changing the `auth_admin` to `no` in this file? – ron Aug 18 '20 at 15:20
  • @ron sorry I'm not an expert on policy files, so please take this with a huge grain of salt: Reading between the lines in the bug thread I think it simply does not allow changing the colour profile. [Another comment](https://bugzilla.redhat.com/show_bug.cgi?id=1149893#c13) in that thread appears to be doing the opposite, allowing a specific group to change the profile, eliminating the authentication prompt. – FriendFX Aug 19 '20 at 02:20
4

I'm running Windows 10 Remote Desktop Connection to Ubuntu 18.04.4 LTS with xrdp. The following solution from this page worked for me (see section titled How to "fix" this issue):

  • delete the file org.freedesktop.color.policy file (located in /usr/share/polkit-1/actions). By deleting this file, you are basically removing the limitations of creating and managing color devices and profiles.

Note that the above is one of two 'not recommended' ways. However, for my little home lab setup, it worked fine with no undesirable side effects that I can see. There are two other recommended solutions that I did not try.

Paul Ratazzi
3

Another way to fix it:

```
sudo sed -i 's/<allow_inactive>no</<allow_inactive>yes</' /usr/share/polkit-1/actions/org.freedesktop.color.policy
sudo sed -i 's/<allow_any>.*</<allow_any>yes</' /usr/share/polkit-1/actions/org.freedesktop.color.policy
```

Taken from here: https://wiki.xorde.co/en/recipes/ubuntu-share-screen

0

For me, the solution worked after changing ResultAny and ResultInactive to "no", as in Cecilia's comment on the same answer. My connection drops if I try to authenticate, but remains after cancel. I'm running Windows 7 RDP to Ubuntu 18.04 with Xrdp.

```
[Allow colord for all users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes
```
0

I kept running into this "Authentication is Required to ...." issue over and over for every little thing when logging in through VNC or xRDP, etc. Creating the .pkla file described above resolved it for that error. I was creating a new .pkla file for each specific error. Finally, I found that this universal pkla file resolved all such errors:

  1. Create a file named "universal.pkla" (or anything as long as it ends in .pkla) in the directory:
    /etc/polkit-1/localauthority/50-local.d/

  2. These are the contents of universal.pkla:

    ```
    [Allow access to anything for remote users]
    Identity=unix-user:*
    Action=*
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes
    ```

  3. Then restart polkit with "sudo systemctl restart polkit.service" or reboot.

ITCrowd
  • Your answer is for your own error which is different. – number9 Jun 29 '22 at 17:15
  • @number9: actually, it's the same problem. The fundamental issue is that users logged in remotely are treated differently. – EML Jul 04 '23 at 08:28
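
The `.pkla` files in the `color.pkla` and `universal.pkla` answers above differ in how widely they answer `yes`. The following added example (not code from any poster or from polkit) parses such files and reports entries that grant `yes` to every user, separating colord-only grants from entries whose `Action` glob also matches unrelated actions. The sample files are constructed from the answers; the two probe action ids and the helper names `audit_pkla` and `pkla` are assumptions of this example.

```python
import configparser
from fnmatch import fnmatchcase

# Real polkit action ids used as probes: does an Action glob reach beyond colord?
PROBES = ("org.freedesktop.login1.reboot", "org.freedesktop.policykit.exec")
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def audit_pkla(text):
    """Return [(section, level, detail)] for entries that say 'yes' to every user."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        entry = cp[section]
        identities = [i.strip() for i in entry.get("Identity", "").split(";")]
        actions = [a.strip() for a in entry.get("Action", "").split(";") if a.strip()]
        if "unix-user:*" not in identities:
            continue  # scoped to named users or groups; not examined here
        unauth = [k for k in RESULT_KEYS if entry.get(k, "").strip().lower() == "yes"]
        reached = [p for p in PROBES if any(fnmatchcase(p, a) for a in actions)]
        if reached and unauth:
            detail = "also matches %s (%s=yes)" % (", ".join(reached), "/".join(unauth))
            findings.append((section, "HIGH", detail))
        elif "ResultAny" in unauth or "ResultInactive" in unauth:
            keys = "/".join(k for k in unauth if k != "ResultActive")
            findings.append((section, "REVIEW", "no prompt outside an active session: " + keys))
    return findings

# Constructed samples modelled on the .pkla files in the answers above.
COLORD = ";".join("org.freedesktop.color-manager." + a for a in (
    "create-device", "create-profile", "delete-device",
    "delete-profile", "modify-device", "modify-profile"))

def pkla(title, action, res_any, res_inactive, res_active):
    return ("[%s]\nIdentity=unix-user:*\nAction=%s\nResultAny=%s\n"
            "ResultInactive=%s\nResultActive=%s\n"
            % (title, action, res_any, res_inactive, res_active))

COLOR_ANY = pkla("Allow colord for all users", COLORD, "yes", "yes", "yes")
COLOR_ACTIVE = pkla("Allow colord for all users", COLORD, "no", "no", "yes")
UNIVERSAL = pkla("Allow access to anything for remote users", "*", "yes", "yes", "yes")

if __name__ == "__main__":
    for name, text in (("color.pkla", COLOR_ANY), ("color.pkla (18.04 variant)", COLOR_ACTIVE),
                       ("universal.pkla", UNIVERSAL)):
        print(name, audit_pkla(text) or "no findings")
```

To check a real host, pass the contents of each file under `/etc/polkit-1/localauthority/50-local.d/` to `audit_pkla`.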