Secure Remote Desktop on Linux and Windows

Remote Desktop is one of the great features added to Windows since XP. Since then, many clients have appeared for connecting to remote desktops, including ones for Linux and Mac OS X. Remote Desktop connections use the Remote Desktop Protocol (RDP). The protocol has 128-bit encryption; however, because of the way it is implemented, it is possible to decrypt the entire connection, so we need additional layers to make the connection secure.

TLS/SSL can be used to secure the connection, but that is aimed at server systems, and for cross-platform use it might not be the best solution. Linux's well-known Secure Shell (ssh) can be used for this purpose. SSH is not just a remote shell; more importantly, it provides TCP tunneling and port forwarding, with built-in encryption of course.

You need an ssh server, on either a Windows or a Linux machine, that is reachable from the outside world. For remote desktop connections you would normally have to open port 3389; with this setup only the ssh server port needs to be opened on the firewall. For Windows, OpenSSH for Windows is a good choice for both client and server. You simply install the ssh server and add users to it.

What you do is log on to the remote system over ssh and ask it to forward a local port to a machine and port on its network. The result is an encrypted, tunneled connection to your remote machine.

can@host-174-92:~> ssh -L 3389:192.168.1.111:3389 -C 112.232.121.111 -l can
The authenticity of host '112.232.121.111' can't be established.
RSA key fingerprint is 47:da:4e:ab:94:2b:d7:39:cc:19:17:33:55:6a:73:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '112.232.121.111' (RSA) to the list of known hosts.
can@112.232.121.111's password:
Last login: Fri Oct 13 15:49:55 2006 from x
can@host-174-92:~> rdesktop -u username -a 24 localhost

Linux

On Linux you use the remote desktop client rdesktop to connect to remote desktop servers. Since the previous command forwards local port 3389 to the remote machine, pointing rdesktop at localhost actually connects us to the remote desktop.

can@host-174-92:~> rdesktop -u username -a 24 localhost


Windows

On Windows the process is almost the same, unless you have Windows XP Pro or Vista Ultimate. The problem with those editions is that they already run a remote desktop server on port 3389. In that case you need to tunnel through a different, unused port; for instance, 3390 should be available. The only thing that changes is the local port in the ssh command.

ssh -L 3390:192.168.1.111:3389 -C 112.232.121.111 -l username

With this command you forward your system's port 3390 to port 3389 on the remote system; the second port must be the one the remote desktop server is listening on. After that, we just connect using the Windows Remote Desktop client with the address "localhost:3390", and we are connected to the remote host.
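The whole procedure in one script, as an added example that is not part of the original post: it applies the "use 3390 if 3389 is already taken" rule automatically, builds the same ssh forward with an explicit loopback bind so other hosts cannot use the tunnel, waits for the local end to come up, then launches rdesktop through it. The gateway, login and internal address are the post's values; the candidate port list and polling interval are constructed defaults.

```python
"""Added example (not the post's code): RDP through an SSH local forward,
with the post's 'use 3390 if 3389 is taken' rule and a loopback-only bind.
Gateway 112.232.121.111, login can, desktop 192.168.1.111 are the post's values."""
import socket
import subprocess
import time

RDP_PORT = 3389

def port_is_free(port, host="127.0.0.1"):
    """True if nothing local listens on host:port (XP Pro / Vista Ultimate
    already run a Remote Desktop server on 3389)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

def first_free_port(candidates=(RDP_PORT, RDP_PORT + 1, RDP_PORT + 2)):
    """3389 unless taken, then 3390, and so on, as the post does by hand."""
    for port in candidates:
        if port_is_free(port):
            return port
    raise RuntimeError("no free local port for the tunnel")

def tunnel_argv(local_port, gateway, user, target, target_port=RDP_PORT):
    """The post's 'ssh -L local:target:3389 -C gateway -l user', plus an explicit
    127.0.0.1 bind (forward unreachable from other hosts), -N (no remote shell)
    and ExitOnForwardFailure (ssh exits rather than staying up without the tunnel)."""
    return ["ssh", "-N", "-C", "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{local_port}:{target}:{target_port}",
            "-l", user, gateway]

def hold_port():
    """Loopback listener on an ephemeral port; stands in for a local RDP server."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

if __name__ == "__main__":
    port = first_free_port()
    ssh = subprocess.Popen(tunnel_argv(port, "112.232.121.111", "can", "192.168.1.111"))
    # Poll the local end until the forward is up (connect_ex returns 0) or ssh exits.
    while ssh.poll() is None and socket.socket().connect_ex(("127.0.0.1", port)) != 0:
        time.sleep(0.5)
    if ssh.poll() is None:  # the post's client command, aimed at the tunnel
        subprocess.call(["rdesktop", "-u", "can", "-a", "24", f"localhost:{port}"])
        ssh.terminate()
```

On Windows, replace the rdesktop call with the Remote Desktop client pointed at localhost:<port>; the tunnel setup is identical.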

Conclusion

As a result, in your corporation the only port open to the outside world is the ssh server port, usually port 22. From there you can redirect any traffic to an internal machine over a secure, tunneled connection. This is not limited to remote desktop connections, of course; you can use the same approach to make other services and protocols more secure.