Does anything exist for Windows RDP (Remote Desktop Protocol) that is similar to SSH (in Linux) Public/Private key authentication (Instead of leaving normal password authentication open)?
I'm finding conflicting answers to this topic around the internet. I'm hoping to be able to just distribute a private key to client devices instead of using a complex password on every login (assuming I do not want to eventually disable password authentication totally).
12 Answers
Remote Desktop supports X.509 client certificates, under the "smart-card authentication" name. Despite the name, it should work with locally-installed certs/keys (i.e. without an actual smart-card). Though it does however require an Active Directory domain, as far as I know.
So, sort of but not really in a way that's useful to you.
1Without an AD domain, a possibility to prevent simple username & password access would be:
- Installing OpenSSH for Windows (from or on Windows 10 & 2019 it's an available feature),
- Using an SSH client to log on with keys,
- Disabling password authentication over SSH (uncomment and set "password authentication" to "no" in %ProgramData%\ssh\sshd_config),
- If you need the graphical interface, configure your SSH client to tunnel RDP over SSH (),
- Disabling "regular" RDP traffic (TCP port 3389) over the network (not on local Windows Firewall!) so that password logon can't be used.
There might be better options for a few $$$. I've heard of Yubico's solution for example (with hardware token):
2