Lucid Tips

Easily understood tips that make your computing experience easier

Securing Windows Remote Desktop with OpenSSH

Remote Desktop, included with Windows XP Professional and Windows Server 2003, is a very good solution that allows you to access your computer from across the Internet. This howto explains the steps to additionally secure Remote Desktop by tunnelling it through Secure Shell (SSH).

Disclaimer: These steps have worked for me and have been tested on Windows XP Professional SP2. YMMV. I am not responsible for loss of data or damage to computers.

Screenshots for this howto are available here.

Prerequisites

Two different computers give a more accurate test, but everything here can also be tested on a single computer.

Computer 1: Runs Remote Desktop and the OpenSSH server. (Tip: It is best to set up this computer with a static IP address. See the Static IP guide on PortForward.com.)

Computer 2: Runs PuTTY and is used to connect to Computer 1.

Make sure Remote Desktop is enabled and working correctly on Computer 1. See Get started using Remote Desktop with Windows XP Professional.

Assumptions 

In this howto we will assume the following:

IP Address of Computer 1: 192.168.1.120
IP Address of Computer 2: 192.168.1.130
External IP Address: 64.233.167.99 (Tip: If you do not know your external IP address go to http://www.whatismyip.com/)

These IP addresses are for example only and your values will be different.

Download and install OpenSSH (Computer 1)

OpenSSH for Windows is a free package that installs a minimal OpenSSH server and client utilities. It can be downloaded from SourceForge. After you have downloaded the file, unzip it, double-click setup.exe and follow the on-screen instructions.

Configure OpenSSH (Computer 1)

The most important step after installing OpenSSH is to create its passwd file (and the matching group file), which tells the SSH server which Windows accounts may log in. It is very simple to do. Open a command prompt and run the following commands:

cd "C:\Program Files\OpenSSH\bin"
mkgroup -l >> ..\etc\group
mkgroup -d >> ..\etc\group
mkpasswd -l >> ..\etc\passwd
mkpasswd -d >> ..\etc\passwd

For most home users who are not running a domain, the commands with -d are not required. If you only want to add one specific user, the command is:

mkpasswd -l -u <username> >> ..\etc\passwd

Refer to quickstart.txt in C:\Program Files\OpenSSH\docs for detailed information. At this point we should be able to start OpenSSH:

net start opensshd

Configure Firewall (Computer 1)

The next step is to configure Windows Firewall (or any other firewall) to allow inbound TCP traffic on port 22. Instructions for Windows Firewall are:

  1. Verify that you are signed in as the administrator.
  2. Click Start, click Control Panel, and then click Security Center.
  3. Under Manage security settings for, click Windows Firewall.
  4. Make sure the Don’t allow exceptions check box is not selected.
  5. Click the Exceptions tab.
  6. Unselect Remote Desktop, so that port 3389 is no longer open to the network and Remote Desktop can only be reached through the SSH tunnel (skip this step if you are going to access Remote Desktop without SSH).
  7. Click the Add Port button.
  8. In the Name field enter “SSH” and in the Port number field enter 22. Make sure TCP is selected.
  9. Click OK. The Add a Port window will close and you will be returned to the Windows Firewall window. (see screenshot)
  10. Click OK, and then close the Windows Security Center window.

Download and Install PuTTY (Computer 2)

PuTTY is a free and open source SSH client. Download the zip file and unzip it into a folder (example: C:\Program Files\PuTTy). Double-click C:\Program Files\PuTTy\putty.exe to start PuTTY. For ease of future use, create a shortcut.

Configure PuTTY (Computer 2)

  1. In the left pane click on + next to Connection
  2. Click on + next to SSH
  3. Click on Tunnels
  4. In the Source port field enter 3100
  5. In the Destination field enter the IP (or hostname) and port of the machine you want to connect to. This is the machine running Remote Desktop. (In our example this would be - 192.168.1.120:3389)
  6. Click Add (see screenshot)
  7. Click on Session in the left pane
  8. In the Host Name field enter the public IP address or fully qualified domain name (FQDN) of the server on which OpenSSH was installed. (In our example for testing from within your network this would be - 192.168.1.120 and for testing from outside your network this would be 64.233.167.99)
  9. In the port field enter 22
  10. In the Saved Sessions field enter a unique name
  11. Click the Save button (see screenshot for inside the network, and external)
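To show what the Tunnels entry above does at the TCP level, here is an added example (written for this page, not code from the howto or from PuTTY) of a local port forwarder using only the Python standard library: it listens on Computer 2's loopback interface, as PuTTY does by default, and relays each connection to the destination. It assumes the howto's example address 192.168.1.120:3389, leaves out the SSH encryption that PuTTY wraps around the relay, and the echo server inside relay_roundtrip is a constructed stand-in for the Remote Desktop listener so the block runs offline.

```python
import contextlib
import socket
import threading

# Added example, not from the howto: the plain TCP relay a PuTTY tunnel performs
# (source port 3100 -> Remote Desktop on Computer 1), minus the SSH encryption.
REMOTE_DESKTOP, SOURCE_PORT = ("192.168.1.120", 3389), 3100  # the howto's example values

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        with contextlib.suppress(OSError):  # peer may already be gone
            dst.shutdown(socket.SHUT_WR)

def _relay(client, dest):  # bridge one accepted connection to dest, both ways
    with client, socket.create_connection(dest) as remote:
        back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
        back.start()
        _pump(client, remote)
        back.join()

def _serve(bind_host, port, handler):
    """Accept in the background; port 0 picks a free one. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_host, port))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_forwarder(dest=REMOTE_DESKTOP, bind_host="127.0.0.1", src_port=SOURCE_PORT):
    # Loopback binding matches PuTTY's default ("Local ports accept connections
    # from other hosts" unchecked): only programs on Computer 2 reach port 3100,
    # so the tunnel does not re-expose Remote Desktop to the rest of the LAN.
    return _serve(bind_host, src_port, lambda c: _relay(c, dest))

def relay_roundtrip(payload):
    """Round-trip payload through a forwarder to a local echo stand-in for RDP."""
    echo = _serve("127.0.0.1", 0, lambda c: _pump(c, c))
    host, port = start_forwarder(echo, src_port=0)
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

The same tunnel, with encryption, can be opened from the command line with PuTTY's plink: plink -P 22 -L 3100:192.168.1.120:3389 user@64.233.167.99 (user is a placeholder for your Computer 1 account).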

Test SSH connectivity (Computer 2)

  1. Open PuTTY
  2. In the Saved Sessions list click on the name you created
  3. Click Load
  4. Click Open
  5. The first time you connect you will see a security alert. Click Yes. (see screenshot)
  6. You will be prompted for a username and password
  7. You should now be connected to Computer 1 via SSH. (see screenshot)

Test Remote Desktop (Computer 2)

  1. Establish the SSH connection using PuTTY. (Keep the window open)
  2. Open Remote Desktop Connection (Start->All Programs->Accessories->Remote Desktop Connection)
  3. In the Computer field enter localhost:3100 (The port number should match the Source port entered in step 4 of the PuTTY configuration.) (see screenshot)
  4. Click Connect (You might be prompted to enter the username/password for Computer 2)
  5. If all is good you should be connected to Computer 1 using Remote Desktop over SSH :)

Setup Port Forwarding on your router

The last step of the journey is to set up Port Forwarding on your router to allow SSH connections in when you are outside your network. Only port 22 needs to be forwarded; Remote Desktop's own port 3389 should stay closed on the router. This step is different for every router. Luckily the helpful folks at PortForward.com have made this task easier.

  1. Go to PortForward.com
  2. Search for your router in the list and click the link
  3. On the next screen search for SSH and click the link
  4. On the next screen enter the correct IP address of Computer 1, the one that is running the OpenSSH server
  5. Follow the instructions on the page to set up Port Forwarding.

Enjoy

Enjoy some peace of mind knowing your setup is more secure.

Troubleshooting

Unable to log in using SSH: Ensure the username and password are correct. If the password is blank it will not work. Set a password for the user you are trying to log in as on Computer 1.

Unable to connect to localhost: Apply the Windows XP Loopback Patch

1 Comment so far

  1. Parag March 15th, 2008 10:02 am

    This is good. I have been wanting to try this for a long time. To find all the instructions at one place will be a big help. Hopefully, will try this shortly.

Leave a reply