Secure Remote Desktop Access Over SSH
Remote Desktop is an excellent tool for accessing Windows machines across locations. While there have not been many security exploits involving RD, I do not feel comfortable leaving the service directly open to the internet. Also, many corporate internal firewalls restrict outbound traffic to a handful of ports, and in my experience port 3389, which RD runs on, is often blocked.
I’ve come up with a simple method of accessing a Remote Desktop machine over SSH which buys two things: A) port 3389 is no longer open “to the wild” on the host machine, and B) if port 3389 is blocked outbound on the client’s network, Remote Desktop will still be accessible as long as the common port 22 (SSH) is available.
All that is needed for this method is an SSH server running either on the host machine or on its local network. If you’re using a Linksys router, DD-WRT may be an option, as it offers a full SSH server that runs right on the router. In this example I will be using DD-WRT, but any SSH server will work.
Step 1) Enable the remote access SSH service under Administration->Management in the DD-WRT configuration:

Step 2) You must also enable the Secure Shell service under Administration->Services:

I strongly suggest disallowing password login and instead use the authorized keys method with a strong passphrase.
Step 3) At this point the host end is set up. Ensure the router can reach the machine running Remote Desktop by pinging it from the router’s shell. In this case the host machine is at 192.168.1.100 on the internal LAN:
You’ll need an SSH client on the client side. For Windows, PuTTY is the best game in town. The key here is to set up access to your host and tunnel a local port through SSH to the host’s Remote Desktop service. With PuTTY it’s just a couple of settings.
Step 4) Add the remote router or SSH server IP address to the Session settings:

Step 5) Configure the tunnel under Connection->SSH->Tunnels:

What’s important here is to pick an open port on your local computer, because we are going to point Remote Desktop at that port. Under Windows XP Pro, port 3389 is already taken by the local Remote Desktop service, so in this instance the port we use is 3390.
The destination is the internal IP or hostname of the host as it is known to the machine running the SSH server (in this case 192.168.1.100). The destination port is 3389 (the listening RD service on the remote host).
Step 6) Connect to the host with SSH and log in. At this point, if everything is working correctly, you should have a Remote Desktop port live on the client PC on port 3390. That port is being tunneled securely over SSH to the SSH server and forwarded on to the host machine. Keep the PuTTY session open or you will shut down the tunnel.
Step 7) Time to test things out. Start the Remote Desktop Connection client and point to localhost:3390.

If all was configured correctly you should pop into a Remote Desktop session on the host computer. The speed is snappy enough for me on a 45KB/s connection with all the bells & whistles turned on, even with the additional encryption overhead.
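A small check for Steps 5 through 7 that I would add here, as an example of my own and not code from the original post or from PuTTY or DD-WRT. It does two things the steps leave to trial and error: it picks a source port that is actually free on the client (3389 is taken by the local RD service, and the comments report trouble with 3390 on some systems), and it verifies that the local tunnel endpoint really forwards to a Remote Desktop service by sending the X.224 Connection Request that the RD client itself opens with and checking for a Connection Confirm, then hanging up. A port that merely shows as “listening” only proves PuTTY is running. The script name and the candidate ports 3390/3391/3392 are assumptions; the loopback stand-in listener is constructed for this example so the check can be exercised without a real host.

```python
import socket
import struct
import sys
import threading

# TPKT header (RFC 1006: version 3, reserved, 16-bit total length) followed by a
# minimal X.224 Connection Request TPDU: LI=6, code 0xE0 (CR), DST-REF=0,
# SRC-REF=0, class 0. This is the first thing the RD client sends to port 3389.
X224_CONNECTION_REQUEST = b"\x03\x00\x00\x0b" + b"\x06\xe0\x00\x00\x00\x00\x00"
# Matching Connection Confirm (code 0xD0); the SRC-REF value is arbitrary.
X224_CONNECTION_CONFIRM = b"\x03\x00\x00\x0b" + b"\x06\xd0\x00\x00\x12\x34\x00"


def port_in_use(port):
    """True if something already accepts connections on 127.0.0.1:port or the
    port cannot be bound (a wildcard listener such as the local Terminal
    Services service on 3389 shows up either way)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.5)
        if s.connect_ex(("127.0.0.1", port)) == 0:
            return True
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
        except OSError:
            return True
    return False


def pick_local_port(candidates=(3390, 3391, 3392)):
    """First candidate source port that is free; run this before configuring
    the PuTTY tunnel (candidate list is an assumption following the post and
    the comments). Raises RuntimeError if every candidate is taken."""
    for port in candidates:
        if not port_in_use(port):
            return port
    raise RuntimeError("all candidate source ports are in use: %r" % (candidates,))


def parse_x224_reply(data):
    """True only for a well-formed TPKT frame carrying an X.224 Connection
    Confirm (high nibble of the TPDU code byte == 0xD)."""
    if len(data) < 7 or data[0] != 3:
        return False
    (tpkt_len,) = struct.unpack("!H", data[2:4])
    return tpkt_len >= 11 and (data[5] & 0xF0) == 0xD0


def probe_rdp_listener(port, host="127.0.0.1", timeout=3.0):
    """Send one Connection Request through the local tunnel endpoint and report
    whether a Connection Confirm comes back. The socket is closed right after
    the reply; no Remote Desktop session is set up."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(X224_CONNECTION_REQUEST)
            reply = s.recv(64)
    except OSError:
        return False
    return parse_x224_reply(reply)


def start_fake_rdp_listener(confirm=True):
    """One-shot loopback stand-in for the tunnel endpoint (constructed for this
    example, not a real RDP server): answers the CR with a CC, or just hangs up
    the way a forwarded port does when the remote service is not there."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64) and confirm:
                conn.sendall(X224_CONNECTION_CONFIRM)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python rdp_tunnel_check.py [local_port]   (3390 as in Step 5)
    local_port = int(sys.argv[1]) if len(sys.argv) > 1 else 3390
    if probe_rdp_listener(local_port):
        print("localhost:%d answers as Remote Desktop; point the RD client at it" % local_port)
    else:
        print("localhost:%d is not forwarding to a Remote Desktop service; "
              "is the PuTTY session open and the destination correct?" % local_port)
        print("free source port for a new tunnel: %d" % pick_local_port())
```

Run it with the PuTTY session open; a confirm means the SSH server could reach the destination you typed in Step 5 and that a Remote Desktop service is listening there. A refused connection or an empty reply points at the tunnel (PuTTY closed, wrong destination, or the router unable to reach the host) rather than at the RD client. The same check works for a tunnel built with OpenSSH’s `ssh -L`.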
Enjoy!

July 10th, 2006 at 6:50 pm
Good job. RDC is my most used windows application. I too feel the need to secure the connection to my main host. Using dd-wrt myself, I think I will give this a try.
July 28th, 2006 at 11:04 am
Excellent entry. Short and to the point. Thanks.
September 7th, 2006 at 4:04 am
Was just trying to do this using Vista RC1 (build 5600) as the local system [XP SP2 was the remote, FWIW] and it wouldn’t work with these settings.
Kept getting the error:
“The client could not connect. You are already connected to the console of this computer. A new console session could not be established.”
Then I eventually tried another Source port (3391) and it worked!
I guess they have changed something in Vista so you can’t use port 3390 as the local anymore.
In summary:
To configure PuTTY:
Source port: 3391
Destination port: 192.168.1.100:3389
To run ssh from a command line:
ssh -L 3391:192.168.1.100:3389 user@<ssh-server>
To run using ssh2_config file add the entry:
LocalForward 3391 192.168.1.100:3389
HTH
January 27th, 2007 at 3:25 am
Thanks for the 3391 tip.. I was banging my head trying to figure out a workaround. I wonder if there is a registry key that will force Vista to bind TS to specific adapters which would solve the port usage problem for loopback adapters..
As an aside, you can also use the Microsoft Loopback Ethernet Adapter if you are out and about. This approach works the same except that your IP address should be set up in the 10.x.x.x range to avoid confusion with private networks. Just set up your SSH tunnels such as:
L:10.4.5.6:3391 192.168.1.42:3389
February 23rd, 2007 at 3:13 pm
All I get is “The client could not connect. You are already connected to the console of this computer. A new console session could not be established.” Does not matter what source port I choose (I’ve tried about 10 different ones). The port shows up listening locally and I can even telnet to it.
Windoze
February 18th, 2008 at 2:05 pm
The pictures are gone.
Have you heard about an RD tool called Supportsmith?
I would appreciate any comment about it.
thefwd@gmail.com
February 18th, 2008 at 6:31 pm
Images restored. Sorry, never heard of Supportsmith.
March 12th, 2008 at 1:26 am
Hi Chris, I wonder if you would mind giving me a hand? I have followed your tutorial–for which, many thanks–but I am so far still unable to get SSH access to my router from outside my LAN.
I have done both your Step 1) (“Enable the remote access SSH service under Administration->Management in the DD-WRT configuration”) and Step 2) (“You must also enable the Secure Shell service under Administration->Services”).
Do you think I need to open a port somewhere else within the DD-WRT web UI? Would the SPI Firewall be preventing the SSH connection?
Many thanks for your time!
Jon
March 12th, 2008 at 7:38 am
Hi Jon, depending on where you are connecting from, port 22 might be blocked by a corporate firewall or some other type of filter. I suggest setting up your DD-WRT router to listen on port 443 (Secure HTTP) as many firewalls leave this port open for secure web browsing access.
Then, you must change the port in the SSH server info in the PuTTY client to port 443 as well and try to connect. All other settings should remain the same. Give it a try!
Joe
April 4th, 2008 at 9:35 am
Hi, I did everything that you describe here (port 22 to 443, 3390 to 3391 with Vista), but when I go to the RDC and point to 192.168.1.10:3391 (my server) a message appears saying that it can’t find the computer… What could be wrong?? My RDC inside the LAN works just fine; the problem is when I’m outside the LAN.
Thank you!
May 2nd, 2008 at 11:40 pm
Funny thing, I set this up on my home PC and everything works fine. But, when I did exactly the same thing at a client’s office it won’t work. I can RDP to the “hostname:port” without using PuTTY and it works fine. I can connect using PuTTY and build the tunnel with no problem, but when I try to RDP using “localhost:port” it seems to try for a few seconds then fails with the error “Remote Desktop Disconnected: The client could not establish a connection to the remote computer. The most likely causes for this error are:… ” and then names 3 things that aren’t the problem. I can exit PuTTY and try RDP again using the full Internet “hostname:port” and it works fine that way. It’s been driving me nuts all day. I’ve compared every setting I can think of but can’t find anything different about the way these 2 host PCs are set up. One works with SSH, the other one just will not.
August 10th, 2008 at 1:10 am
Thanks so much for putting up the screen shots. They’re priceless! I was a little unsure about SSH with DD-WRT, and the text only explanations from the DD-WRT forums were *ok*, but a picture or screen shot in this case, is worth so much more…
Thanks again!