This tech-recipe explains how to securely remote desktop into a computer or server by tunnelling Remote Desktop through SSH, using Copssh (an OpenSSH package for Windows) on the machine you connect to and PuTTY (free, open source) on the machine you connect from. Remote Desktop (aka Terminal Services in the corporate landscape) is not the safest service to leave exposed on a Windows machine: its port (TCP 3389) is a frequent target for exploits and password guessing, and you may also have a business need to protect such a connection between two offices or sites. Wrapping it in SSH means only the SSH port is reachable from the network, and the RDP traffic is encrypted and authenticated by SSH.
You will want at least basic to moderate knowledge of how Remote Desktop (RDP) works and basic networking knowledge; the rest we cover in the recipe. This exact walkthrough works on a local network; read the Notes section at the end for connecting remotely over the internet (more advanced).
- Copssh – OpenSSH / SSH server for Windows (free, get here); works with 32-bit and 64-bit Windows
- PuTTY client (free, get here)
- Windows XP Professional, Vista Business/Ultimate, or Windows 7 Professional/Ultimate on the SERVER (the Home editions of Vista and Win7 can act only as Remote Desktop clients, not as hosts, so not every edition will accept an incoming connection); any edition works for the CLIENT
In this recipe, we refer to the computer we want to connect to as the SERVER and the PC we connect from as the CLIENT (traditional networking terms). So the SERVER is my desktop home PC and the CLIENT is the laptop I take with me when traveling.
We’ll use Windows 7 as our operating system, however the steps will be nearly identical for Vista and XP.
Installing Copssh and Configuring:
1. Download and install Copssh on the SERVER computer.
2. Once installed, go to Start Menu > All Programs > Copssh > 01. Activate a User
3. Choose your user account in the drop-down and click the Next button
4. Type a passphrase and click Activate. Copssh generates a 2048-bit RSA key pair for the account and uses the passphrase to encrypt the private key on disk (the passphrase is not your Windows password; it only protects the key file). Password login over SSH still works with the account's Windows password.
5. We should now have an SSH service running on the SERVER, listening on port 22; the tunnel we build next connects to it. (Note: the user we activated is the one we will log in as from the laptop/CLIENT in PuTTY.)
Installing PuTTY and Configuring our SSH Tunnel and Remote Desktop
On the CLIENT computer we connect from, we need to install PuTTY and configure it to carry RDP over SSH (i.e. create the tunnel).
1. To install PuTTY, just extract the Zip file to a C:\Putty folder. The folder should contain several .exe programs (putty.exe, plink.exe, puttygen.exe, pageant.exe and a few others).
2. To run PuTTY, run putty.exe from C:\Putty. To make it easier to launch, create a shortcut to putty.exe on your desktop or in your Start Menu.
3. Under the Session section (left pane), enter the host name or IP address of the PC we are connecting to (10.0.1.5 in our local-network example) and leave the port at 22. You can also type a name in the Saved Sessions box to save the profile for easy reconnection (more on this later).
Under Connection > SSH > Tunnels, enter a local port in the Source port box to serve as our end of the tunnel (I use a very high port in the 40000 range; we'll use 40000). In the Destination box, enter where the SSH server should deliver the forwarded connection, written as host:port from the SERVER's point of view: 127.0.0.1:3389, the SERVER's own Remote Desktop listener (10.0.1.5:3389 also works on a local network). Leave the Local and Auto radio buttons selected and click Add; the forwarding should now be listed as L40000 127.0.0.1:3389. Leave "Local ports accept connections from other hosts" unchecked so that port 40000 is bound to 127.0.0.1 only and other machines on the CLIENT's network cannot use your tunnel.
Go back to the Session section, click the Save button under the Saved Sessions box, then click the Open button.
4. The first time you connect you get a prompt to accept the SERVER's host key. Before clicking Yes, compare the fingerprint shown with the SERVER's own host key fingerprint (on the SERVER, run ssh-keygen -l against the ssh_host_rsa_key.pub file, typically in the etc folder of the Copssh installation); a mismatch means you are talking to the wrong machine. After you accept, PuTTY caches the key and warns you only if it ever changes.
5. You now get a command-window-like interface asking for a login. Enter the username you activated in Copssh and its Windows password. Once you are logged in you get a shell prompt on the SERVER; leave this window open, because closing it tears down the tunnel.
Connecting via Remote Desktop over the SSH Tunnel
1. On the laptop/client computer, open Remote Desktop Connection (Start Menu > All Programs > Accessories > Remote Desktop Connection)
2. Enter 127.0.0.1:40000 as the computer to connect to.
127.0.0.1 is the loopback address of the local TCP/IP stack and 40000 is the port we chose for the tunnel. The Remote Desktop client therefore connects to PuTTY on the CLIENT, PuTTY carries the traffic inside the encrypted SSH session on port 22, and the SSH server on the SERVER hands it to the Remote Desktop listener on 127.0.0.1:3389. Nothing on the wire between the two machines is plain RDP. 🙂
Voila, hopefully you can connect to your remote machine. You can use Wireshark on one of the machines to verify the tunnel: capture on the network interface and you should see only SSHv2 packets between the two addresses (display filter ssh) and no traffic at all on port 3389 (display filter tcp.port == 3389 should show nothing); the SSH payloads are encrypted, so only the headers are readable.
NOTES / TROUBLESHOOTING:
- You may need to add an inbound rule in Windows Firewall on the SERVER computer. Go to Control Panel > System and Security > Windows Firewall, click Advanced Settings in the left pane (Win7 users), go to Inbound Rules and add a rule allowing TCP port 22 (outbound connections are allowed by default, so no outbound rule is normally needed). You do not need to allow port 3389 for this to work: the tunnelled connection reaches Remote Desktop over the SERVER's loopback interface, which Windows Firewall does not filter. Once the tunnel works you can disable the built-in "Remote Desktop (TCP-In)" rule so that 3389 is no longer reachable from the network at all.
- For remote connections from outside your local network (via the internet), change the host name in the PuTTY session on the CLIENT to the public IP of your home / SERVER internet connection. On the home / SERVER computer, go to www.whatismyip.com to find your public IP, and enter it in PuTTY on the CLIENT. Also be sure your router forwards port 22 to the SERVER. An SSH port exposed to the internet attracts constant password-guessing attempts, so use a strong password for the activated account or, better, log in with the key Copssh generated and, once key login works, set PasswordAuthentication no in Copssh's sshd_config; forwarding a non-standard external port to 22 also cuts down the noise.
Automating PuTTY / Command Line Notes
PuTTY and Remote Desktop profiles can be loaded from a .bat or .cmd file. You can open PuTTY, load a session and even log in to that session (not secure, since the account name and password are stored in the batch file).
Here is an example: putty.exe -load "my desktop" -l loginname -pw password
-load = name of the session saved in PuTTY, -l = login name of the account on the computer you are connecting to, -pw = the password of that account. Note that -pw places the password both in the batch file and on the command line of the running process, where anyone who can list processes on the CLIENT can read it.
Remote Desktop can in turn be launched with: C:\windows\system32\mstsc.exe "C:\putty\MyComputer.rdp"
This opens the Remote Desktop profile named MyComputer (saved with Save As in the Remote Desktop Connection dialog, with 127.0.0.1:40000 as the computer) that I keep in the same folder as the batch file, c:\putty, along with putty.exe.
Putting the two together, you can have a batch file that 1. opens an SSH tunnel without any user interaction (not secure, since the password is in the file) and then 2. opens a Remote Desktop session to the computer. I use the start command so the cmd window does not hang in the background showing the password; instead it executes the command and moves on. Because start returns immediately, Remote Desktop may try to connect before the tunnel is up; if it reports that it cannot connect, put a short delay between the two lines.
start putty.exe -load "my desktop" -l user -pw password
start c:\windows\system32\mstsc.exe "c:\putty\MyComputer.rdp"
The first time you connect you will get the host key warning from PuTTY and the certificate/identity warning from Remote Desktop Connection; after that initial connection it should be automated. 🙂
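The following batch file is an added example and is not part of the original recipe. It does the same job as the PuTTY session configured in the tunnel section above and as the two-line batch file just shown, but with plink.exe (the command-line client shipped in the PuTTY Zip) and a private key instead of a password on the command line, and it waits for the tunnel to be listening before launching Remote Desktop rather than racing it. Everything below is assumed for illustration: the SERVER at 10.0.1.5, an SSH account named user, a private key at C:\putty\user.ppk (the Copssh-generated key converted with puttygen.exe), and a Remote Desktop profile C:\putty\MyComputer.rdp whose computer is 127.0.0.1:40000. Connect once with PuTTY first so the SERVER's host key is cached.

```batch
@echo off
rem Added example, not from the original recipe: RDP over an SSH tunnel with
rem plink.exe and public-key authentication, no password in the file.
rem Assumed values (change to match your setup): SERVER 10.0.1.5, SSH account
rem "user", private key C:\putty\user.ppk, RDP profile C:\putty\MyComputer.rdp
rem that points at 127.0.0.1:40000. Cache the host key with PuTTY first.
setlocal
set SERVER=10.0.1.5
set SSHUSER=user
set KEYFILE=C:\putty\user.ppk
set LOCALPORT=40000
set RDPFILE=C:\putty\MyComputer.rdp

rem -N: no remote shell, only the port forward.
rem -L 127.0.0.1:40000:127.0.0.1:3389 binds 40000 on the CLIENT loopback only
rem and delivers it to the Remote Desktop listener on the SERVER's loopback.
rem plink asks for the key passphrase in its own window; load the key into
rem pageant.exe beforehand if you want no prompt at all.
start "rdp-tunnel" plink.exe -ssh -N -P 22 -i "%KEYFILE%" ^
    -L 127.0.0.1:%LOCALPORT%:127.0.0.1:3389 %SSHUSER%@%SERVER%

rem Do not race the tunnel: wait until the local listener exists (up to 60 s,
rem which also covers typing the passphrase). On XP, which has no timeout
rem command, use "ping -n 2 127.0.0.1 >nul" as a one-second sleep instead.
set /a tries=0
:waitloop
netstat -an | find "127.0.0.1:%LOCALPORT%" | find "LISTENING" >nul && goto connected
set /a tries+=1
if %tries% geq 60 (
    echo Tunnel did not come up; check the rdp-tunnel window for the error.
    goto done
)
timeout /t 1 /nobreak >nul
goto waitloop

:connected
rem Run Remote Desktop in the foreground; when its window closes, tear the
rem tunnel down so no forwarded port is left open on the laptop.
start "" /wait mstsc.exe "%RDPFILE%"
taskkill /f /fi "WINDOWTITLE eq rdp-tunnel" >nul 2>&1

:done
endlocal
```

Because the listener is bound to 127.0.0.1 explicitly and torn down when the desktop session ends, nobody else on the laptop's network can ride the tunnel, and a forgotten tunnel does not stay open. If plink fails to authenticate, the wait loop times out and the error stays visible in the rdp-tunnel window.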