Using Windows' New Built In OpenSSH to Secure RDP

Posted on 19 December 2018

I have two computers at college, my custom desktop and my laptop. Both run Windows 10, but what matters for this guide is that the desktop (the machine being connected to) runs Windows 10; the client configuration here is trivial to replicate on OSX or Linux, probably even easier. The desktop is definitely the powerhouse, and I do all of my heavier applications and processing on it. However, I’m out and about on campus most of the day, and am sometimes unable to access my desktop when I need to. I was reluctant to just open up RDP on my firewall given the security risks, and I thought setting up a personal VPN to access one port on one computer would be overkill, so I decided to go with SSH port forwarding.

Server Configuration

  1. Install OpenSSH on Windows. It’s pretty simple, just use add/remove features and check ‘OpenSSH Server’. Detailed guide here.
  2. (optional but highly recommended) Edit sshd_config to disable password authentication and force pub/priv key authentication for maximum security.
  3. (optional) Change the listening port for SSH for security through obscurity and allow the new port through the firewall.

The sshd_config file on Windows is located at %programdata%\ssh\sshd_config

I recommend adding this line: PasswordAuthentication no to disable less secure password authentication and only rely on more secure pub/priv keys. If you do this, run ssh-keygen on the client, go to %userprofile%\.ssh, and copy the contents of the id_rsa.pub file (the public key; the private id_rsa never leaves the client) to a file on the server in the same location called authorized_keys. Note that the default Windows sshd_config ends with a Match Group administrators block, so for an account in the Administrators group the key must instead go into %programdata%\ssh\administrators_authorized_keys, and any global directive you add must be placed above that Match block or it will only apply to administrators.

You can change the port from 22 if you want security through obscurity with this line in sshd_config: Port [port number]. Make sure to allow the port through on your firewall and forward it through your router if necessary. Changing the port does not replace key-only authentication; it only cuts down on the noise from scanners hitting 22.
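The server-side steps above (key-only authentication, a custom port, the firewall rule) can be applied and checked with one script. This is an added example, not a script from the original post; it assumes an elevated PowerShell prompt on the Windows 10 desktop, that the port number 31825 and the $ClientPubKey path are placeholders you replace, and that the firewall rule the OpenSSH installer creates for port 22 is named OpenSSH-Server-In-TCP (assumed; the call is harmless if that name is absent). It places directives above the Match Group administrators block and installs the key into administrators_authorized_keys, which is where sshd looks for an administrator account.

```powershell
# Added example (not from the original post): apply the post's server-side
# hardening to the Windows OpenSSH server and verify it. Run elevated.
# Assumptions: $NewPort (31825, the post's value) and $ClientPubKey are
# placeholders; adjust them for your setup.
$SshdConfig   = Join-Path $env:ProgramData 'ssh\sshd_config'
$NewPort      = 31825
$ClientPubKey = "$env:USERPROFILE\id_rsa.pub"   # public key copied over from the client

# Keep a timestamped backup before touching the config.
Copy-Item $SshdConfig "$SshdConfig.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

# Set one global directive. sshd honours the first occurrence of a keyword, and
# anything after a "Match" line belongs to that block, so the directive replaces
# the first (possibly commented-out) copy or is inserted just above the first Match.
function Set-SshdDirective {
    param([string]$Name, [string]$Value)
    $lines = @(Get-Content $SshdConfig)
    $out   = New-Object System.Collections.Generic.List[string]
    $done  = $false
    foreach ($line in $lines) {
        if (-not $done -and $line -match '^\s*Match\b') {
            $out.Add("$Name $Value"); $done = $true      # insert above the Match block
        }
        if (-not $done -and $line -match "^\s*#?\s*$Name\b") {
            $out.Add("$Name $Value"); $done = $true      # replace existing/commented line
            continue
        }
        $out.Add($line)
    }
    if (-not $done) { $out.Add("$Name $Value") }        # no Match block: append
    Set-Content -Path $SshdConfig -Value $out.ToArray() -Encoding ascii
}

Set-SshdDirective -Name 'PasswordAuthentication' -Value 'no'
Set-SshdDirective -Name 'PubkeyAuthentication'   -Value 'yes'
Set-SshdDirective -Name 'Port'                   -Value "$NewPort"

# Administrators are matched by the default "Match Group administrators" block
# and read keys from administrators_authorized_keys, not %USERPROFILE%\.ssh.
$AdminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Add-Content -Path $AdminKeys -Value (Get-Content $ClientPubKey) -Encoding ascii
# sshd ignores the file unless only Administrators and SYSTEM can access it
# (group name as in the Microsoft docs; localized Windows may spell it differently).
icacls.exe $AdminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# Open the new port and disable the installer's rule for 22 (rule name assumed).
New-NetFirewallRule -Name "OpenSSH-Server-In-TCP-$NewPort" `
    -DisplayName "OpenSSH Server (TCP $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Enabled True | Out-Null
Disable-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue

Restart-Service sshd
Start-Sleep -Seconds 2

# Verify: the three directives are active, and sshd listens on the new port.
Select-String -Path $SshdConfig -Pattern '^(PasswordAuthentication|PubkeyAuthentication|Port)\s'
Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction Stop |
    Select-Object LocalAddress, LocalPort
```

Keep the existing session open while you test a fresh key-based login from the client; if the new login fails, restore the backup copy of sshd_config and restart sshd before closing the session you already have.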

Client Configuration

  1. Install an OpenSSH client. On Windows, I highly recommend OpenSSH, installable through add/remove features. You just need the client.
  2. Test
    1. Connect to the remote computer while forwarding the port: ‘ssh -L 4000:localhost:3389 [IP address] -p (port set in sshd_config)’
    2. Initiate RDP by opening Remote Desktop Connection (or an RDP client on Linux) and connect to ‘localhost:4000’
  3. If that works, write a script to run it! Here’s a super crappy one in PowerShell:
# Host name or IP of the desktop; the original script left $content undefined
$content = '[IP address]'
$ArgumentList = '-L 4000:localhost:3389 ' + $content + ' -p 31825'
# -PassThru keeps a handle to the ssh process so the tunnel can be closed afterwards
$ssh = Start-Process ssh -ArgumentList $ArgumentList -NoNewWindow -PassThru
Start-Sleep 5    # crude fixed wait for the tunnel to come up
mstsc /v localhost:4000
Wait-Process -Name mstsc
Stop-Process -Id $ssh.Id -ErrorAction SilentlyContinue   # close the tunnel once the RDP session ends
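A sturdier version of that client script, added here as an example rather than taken from the original post: it refuses to start if something else already owns local port 4000, runs ssh with -N and ExitOnForwardFailure so the session exists only for the forward and fails fast, polls the local port instead of sleeping a fixed five seconds, and tears the tunnel down when mstsc exits. $RemoteHost and $SshPort are placeholders for your desktop's address and the Port set in sshd_config; BatchMode=yes assumes the host key has already been accepted by an earlier manual login and that the private key is unencrypted or loaded in ssh-agent.

```powershell
# Added example (not from the original post): tunnel RDP over SSH with
# checks around each step. Placeholders: $RemoteHost, $SshPort.
$RemoteHost = '[IP address]'
$SshPort    = 31825
$LocalPort  = 4000

# True if something accepts TCP connections on 127.0.0.1:$Port.
function Test-LocalPortOpen {
    param([int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect('127.0.0.1', $Port)
        return $true
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

# If another process already listens here, mstsc would silently talk to it
# instead of the tunnel, so stop before starting ssh.
if (Test-LocalPortOpen -Port $LocalPort) {
    throw "Local port $LocalPort is already in use."
}

# -N: no remote shell, the session exists only for the forward
# -o ExitOnForwardFailure=yes: exit immediately if the forward cannot be set up
# -o BatchMode=yes: never prompt (keys only), matching PasswordAuthentication no
$sshArgs = @(
    '-N',
    '-o', 'ExitOnForwardFailure=yes',
    '-o', 'BatchMode=yes',
    '-L', "${LocalPort}:localhost:3389",
    '-p', "$SshPort",
    $RemoteHost
)
$ssh = Start-Process ssh -ArgumentList $sshArgs -NoNewWindow -PassThru

try {
    # Poll for the forward instead of a fixed sleep; give up after ~15 s.
    $deadline = (Get-Date).AddSeconds(15)
    while (-not (Test-LocalPortOpen -Port $LocalPort)) {
        if ($ssh.HasExited) {
            throw "ssh exited with code $($ssh.ExitCode) before the tunnel came up."
        }
        if ((Get-Date) -gt $deadline) {
            throw "Tunnel on port $LocalPort did not come up in time."
        }
        Start-Sleep -Milliseconds 500
    }
    # Run the RDP client through the tunnel and block until it closes.
    Start-Process mstsc -ArgumentList "/v:localhost:$LocalPort" -Wait
} finally {
    # Tear the tunnel down when RDP ends so the forward is not left listening.
    if (-not $ssh.HasExited) { Stop-Process -Id $ssh.Id }
}
```

Because the forward binds to 127.0.0.1 only, the exposed surface on the laptop is limited to local processes; the desktop itself only ever sees an authenticated SSH session on its custom port, never a direct RDP connection from the network.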