Software Secret Weapons™
Here's how you can secure your Remote Desktop (RDP) connections with SSH. This can be useful for connecting to your home computer from the office or some other remote location. It relies on SSH port forwarding, an SSH feature that tunnels TCP connections through the encrypted SSH session.
Prerequisites for basic RDP
You'll need an SSH server installed at home. I've used OpenSSH, but any SSH implementation will work. Windows users can use OpenSSH for Windows; Unix (including Mac OS X and Linux) users can use the standard OpenSSH distribution. SSH encrypts the session itself, and the server's authentication and cipher settings can be hardened further.
If you're using a router or firewall at home, make sure to allow incoming connections on the SSH port (port 22 by default).
You'll also of course need an RDP (Remote Desktop Protocol) client in your office. Windows users can use Microsoft's Remote Desktop Client that is part of Windows XP. Unix users can use RDesktop.
Ensure that your home computer is set up to accept remote connections for a specific user account. Go to Start > Settings > Control Panel and then double-click the System icon. On the Remote tab, select the "Allow users to connect remotely to this computer" check box.
And finally, obviously you'll have to leave your workstation running (though you should log off).
Securing RDP with SSH tunnel
SSH client software such as PuTTY can be used to connect to the home SSH server from the office. From your computer at the office, SSH into the home "SSH Server" with PuTTY or by executing the following command from the prompt:
You should now have a command prompt on the home "SSH Server". From there, execute the following command to enable traffic tunneling:
This will tunnel all traffic arriving at the local (office) end on port 3390 to destination home.ip.address port 3389. Now, from your computer at the office, use your Remote Desktop client to connect to localhost:3390; this will connect you to the home computer, with the Remote Desktop traffic tunneled over SSH. If localhost does not work, try 127.0.0.1:3390 on Windows XP SP1, or 127.0.0.2:3390 on Windows XP SP2. This is due to changes in the TCP loopback interface that occurred in SP2.
Securing CVS access with SSH tunnel
You can tunnel other kinds of ports (CVS, for example) the same way. For CVS traffic tunneling, use the following command:
This will tunnel all traffic arriving at the local (office) end on port 2402 to destination home.ip.address port 2401. To access the home CVS server from the office, connect to localhost:2402.
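The two tunnels above (RDP on local port 3390, CVS on local port 2402) can be opened in a single SSH session from the office machine. The script below is an added example and is not from the original post; it assumes the SSH user name "user", the placeholder host name "home.ip.address" from the text, and that the RDP and CVS services run on the home SSH server itself. The forward target is written as "localhost" because that name is resolved on the home SSH server once the session is up: the home router only needs port 22 open, and RDP/CVS never have to be exposed to the Internet. ssh -L also binds the listening side to the office machine's loopback interface by default, so other machines on the office network cannot ride the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post). Opens one SSH session from the
# OFFICE machine that forwards two local ports through the home SSH server.
# Assumed values: user "user", host "home.ip.address" (placeholder from the
# text, substitute your own), local ports 3390 (RDP) and 2402 (CVS).

# build_tunnel_cmd USER HOST FORWARD...  -> prints the ssh command line.
# Each FORWARD is LOCALPORT:TARGETHOST:TARGETPORT, the syntax of ssh -L.
# TARGETHOST is resolved on the home SSH server, so "localhost" there means
# the home computer itself.
build_tunnel_cmd() {
  user="$1" host="$2"; shift 2
  cmd="ssh -N"          # -N: no remote shell, port forwarding only
  for fwd in "$@"; do
    cmd="$cmd -L $fwd"
  done
  printf '%s\n' "$cmd $user@$host"
}

# valid_forward FORWARD -> succeeds if FORWARD has exactly the shape
# LOCALPORT:HOST:PORT with numeric ports in 1-65535, fails otherwise.
# Catches typos before ssh rejects them as a bad forwarding specification.
valid_forward() {
  spec="$1"
  case "$spec" in *:*:*) ;; *) return 1 ;; esac   # need two colons
  lport=${spec%%:*}
  rest=${spec#*:}
  host=${rest%%:*}
  rport=${rest#*:}
  case "$rport" in *:*) return 1 ;; esac           # reject a fourth field
  [ -n "$lport" ] && [ -n "$host" ] && [ -n "$rport" ] || return 1
  case "$lport$rport" in *[!0-9]*) return 1 ;; esac # ports must be digits
  [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || return 1
  [ "$rport" -ge 1 ] && [ "$rport" -le 65535 ] || return 1
}

RDP_FWD="3390:localhost:3389"   # office localhost:3390 -> home RDP 3389
CVS_FWD="2402:localhost:2401"   # office localhost:2402 -> home CVS 2401

for f in "$RDP_FWD" "$CVS_FWD"; do
  valid_forward "$f" || echo "bad forward specification: $f" >&2
done

# Prints: ssh -N -L 3390:localhost:3389 -L 2402:localhost:2401 user@home.ip.address
build_tunnel_cmd user home.ip.address "$RDP_FWD" "$CVS_FWD"
```

Run the printed ssh command from the office machine and leave that session open; then point the Remote Desktop client at localhost:3390 and the CVS client at localhost:2402 (on Windows XP SP2 the post notes that 127.0.0.2:3390 may be needed instead of localhost). Because -N is used, the session carries nothing but the forwarded connections, and closing it tears both tunnels down.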
Windows XP SP2 Patch
Please note that something got broken in Microsoft Windows XP SP2. You must apply the patch, or none of the loopback interfaces will work, including the one required for RDP over SSH.
Copyright © 2004-2015 by Pavel Simakov
Any conclusions, recommendations, ideas, thoughts or the source code presented on this site are my own and do not reflect an official opinion of my current or past employers, partners or clients.