Private/Public Key Authentication for Windows Remote desktop

Does anything exist for Windows RDP (Remote Desktop Protocol) that is similar to SSH (in Linux) Public/Private key authentication (Instead of leaving normal password authentication open)?

I'm finding conflicting answers to this topic around the internet. I'm hoping to be able to just distribute a private key to client devices instead of using a complex password on every login (assuming I do not want to eventually disable password authentication totally).

1

2 Answers

Remote Desktop supports X.509 client certificates, under the "smart-card authentication" name. Despite the name, it should work with locally-installed certs/keys (i.e. without an actual smart-card). Though it does however require an Active Directory domain, as far as I know.

So, sort of but not really in a way that's useful to you.

1

Without an AD domain, a possibility to prevent simple username & password access would be:

  1. Installing OpenSSH for Windows (from or on Windows 10 & 2019 it's an available feature),
  2. Using an SSH client to log on with keys,
  3. Disabling password authentication over SSH (uncomment and set "password authentication" to "no" in %ProgramData%\ssh\sshd_config),
  4. If you need the graphical interface, configure your SSH client to tunnel RDP over SSH (),
  5. Disabling "regular" RDP traffic (TCP port 3389) over the network (not on local Windows Firewall!) so that password logon can't be used.

There might be better options for a few $$$. I've heard of Yubico's solution for example (with hardware token):

2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like