Private/Public Key Authentication for Windows Remote desktop

18

7

Does anything exist for Windows RDP (Remote Desktop Protocol) that is similar to SSH (in Linux) Public/Private key authentication (Instead of leaving normal password authentication open)?

I'm finding conflicting answers to this topic around the internet. I'm hoping to be able to just distribute a private key to client devices instead of using a complex password on every login (assuming I do not want to eventually disable password authentication totally).

Lightning77

Posted 2015-09-28T16:56:07.363

Reputation: 403

2

By refusing to incorporate a connection protocol that specifically prevents password-guessing, the halfwits at Redmond require that the remote machine be strictly no more secure than a machine infested with their insecure bloatware. Why am I not surprised when MSFT fails on the datasec front? – GT. – 2016-07-30T05:08:15.943

Answers

4

Remote Desktop supports X.509 client certificates, under the "smart-card authentication" name. Despite the name, it should work with locally-installed certs/keys (i.e. without an actual smart card). It does, however, require an Active Directory domain, as far as I know.

So, sort of but not really in a way that's useful to you.

user1686

Posted 2015-09-28T16:56:07.363

Reputation: 283 655

1

Would you like to expand it a little... Is it without RDP Gateway? – g2mk – 2016-01-22T11:02:18.727

0

Without an AD domain, a possibility to prevent simple username & password access would be:

  1. Installing OpenSSH for Windows (from https://github.com/PowerShell/Win32-OpenSSH/releases or on Windows 10 & 2019 it's an available feature),
  2. Using an SSH client to log on with keys,
  3. Disabling password authentication over SSH (uncomment and set "password authentication" to "no" in %ProgramData%\ssh\sshd_config),
  4. If you need the graphical interface, configure your SSH client to tunnel RDP over SSH (https://www.saotn.org/tunnel-rdp-through-ssh/),
  5. Disabling "regular" RDP traffic (TCP port 3389) over the network (not on local Windows Firewall!) so that password logon can't be used.

There might be better options for a few $$$. I've heard of Yubico's solution for example (with hardware token): https://support.yubico.com/support/solutions/articles/15000028729-yubico-login-for-windows-configuration-guide

Chris

Posted 2015-09-28T16:56:07.363

Reputation: 11
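The five steps above, carried through as an added PowerShell example (not the answerer's own code and not part of the Win32-OpenSSH project). Server-side commands are meant for an elevated PowerShell on the Windows host being protected; client-side commands run on the device that holds the private key. The hostname rdp-host.example.test, the account name admin, the local port 13389 and the path of the copied .pub file are constructed placeholders. Note that the sshd_config directive the answer calls "password authentication" is spelled PasswordAuthentication in the file.

```powershell
# ===== Server side (elevated PowerShell on the Windows host) =====

# Step 1: install and enable the built-in OpenSSH server (Windows 10 1809+ / Server 2019).
# On older builds, install the release from the Win32-OpenSSH GitHub page instead.
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd
# The capability install normally creates an inbound rule for TCP/22; confirm it is there.
Get-NetFirewallRule -DisplayName '*OpenSSH*' | Select-Object DisplayName, Enabled, Direction

# Step 2 (server half): authorise the client's public key. The .pub file is assumed to
# have been copied to the server out of band (constructed path).
$pubKey = Get-Content 'C:\Temp\client_id_ed25519.pub'
# The sshd_config shipped with Windows OpenSSH ends with a "Match Group administrators"
# block that reads administrators' keys from this file, not from ~/.ssh/authorized_keys.
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Add-Content -Path $adminKeys -Value $pubKey
# sshd ignores the file if non-admins can write it: restrict the ACL to SYSTEM and Administrators.
icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F'
# For a non-admin account the key goes in C:\Users\<user>\.ssh\authorized_keys instead.

# ===== Client side (device holding the private key) =====

# Step 2 (client half): prove the key works while passwords are still allowed, so that a
# typo in the key file cannot lock you out. Forcing PasswordAuthentication=no on the client
# makes ssh fail with "Permission denied (publickey)" instead of silently falling back.
ssh -i "$env:USERPROFILE\.ssh\id_ed25519" -o PasswordAuthentication=no `
    admin@rdp-host.example.test 'hostname'

# ===== Server side again =====

# Step 3: disable password logins. The shipped file carries the directive commented out
# ("#PasswordAuthentication yes"); the replace below rewrites that line in place rather than
# appending, because anything appended would land inside the trailing Match block.
$cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
(Get-Content $cfg) `
    -replace '^\s*#?\s*PasswordAuthentication\s+\S+', 'PasswordAuthentication no' `
    -replace '^\s*#?\s*PubkeyAuthentication\s+\S+',   'PubkeyAuthentication yes' |
    Set-Content -Path $cfg -Encoding ascii
Restart-Service sshd
# Verify the effective settings before trusting them.
Select-String -Path $cfg -Pattern '^\s*(Password|Pubkey)Authentication'

# ===== Client side =====

# Step 4: tunnel RDP over SSH. Local port 13389 is forwarded to the server's own 3389 via
# loopback, so the RDP listener never has to be reachable from the network.
Start-Process ssh -ArgumentList @(
    '-i', "$env:USERPROFILE\.ssh\id_ed25519",
    '-N', '-L', '13389:127.0.0.1:3389',
    'admin@rdp-host.example.test'
)
mstsc.exe /v:127.0.0.1:13389

# Step 5 check: with TCP/3389 blocked at the network edge as the answer recommends, this
# probe from an outside machine should report TcpTestSucceeded : False for 3389 and True for 22.
Test-NetConnection -ComputerName rdp-host.example.test -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName rdp-host.example.test -Port 22 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The ordering is deliberate: the key is exercised from the client before PasswordAuthentication is switched off, and the final probes show what an attacker on the network segment still sees (only port 22, which now refuses passwords). Everything that reaches 3389 arrives over the loopback interface from the SSH tunnel, which is why the answer blocks 3389 on the network rather than in the local Windows Firewall.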

That Yubico page 1. refers to a TWO factor solution that starts with a password. I believe the question is about NOT using a password. 2. Doesn't say anything about RDP. Did you have a different Yubico product in mind? – MarcH – 2019-11-27T18:27:08.220

This tunnelling solution seems to add an SSH key requirement on top of the regular, password-based RDP authentication, correct? Interesting and more secure, but I believe the question is about replacing the inconvenience of a password with a private key. – MarcH – 2019-11-27T18:31:46.763