Replies: 4 comments
-
The short answer, I'm afraid, is "no". Standard xrdp clients have no mechanism to allow a client-side certificate to be presented. You can use an SSH tunnel (Remmina supports this natively, I believe), but a more performant solution would be to use a VPN to achieve this.
-
I agree a VPN would be ideal for remote accessibility, but in the case of a LAN having an access point, that presents a huge security vulnerability. SSH is a nice intermediate where using WiFi is unavoidable and/or the LAN isn't exactly in a controlled environment. I don't intimately know the inner workings of xrdp, but I know RDP's security vulnerabilities are legendary, and password authentication in general brings overall security to a minimal level. Can you recommend any good information on how to use xrdp over an SSH tunnel? Is it as simple as client-side configuration, or does something need to be configured on the server typically? I'm pretty sure the Microsoft Remote Desktop client supported client-side certificate authentication. One small disadvantage to using RDP over SSH would be the loss of UDP transport; there would be some performance disadvantage.
-
It's possibly worth you looking at WireGuard. It's pretty simple to set up on the right platforms and is a lot simpler conceptually than OpenVPN or IPsec. It also won't suffer from the TCP-over-TCP problem that an SSH tunnel will. Off the top of my head, for the SSH tunnel you'll need to allow tunnelling on the SSH server, and you can restrict xrdp to listening on 127.0.0.1, as the tunnel is established locally. I'm not aware of any reference to client-side certificates for the MS client. If you know differently, please let us know.
-
I'd like to mention that those wanting to increase security should consider using SSH tunneling. With the OpenSSH server it's enabled by default and no configuration is necessary. Just open Remmina, for example, and click "Enable SSH Tunnel"; I then use "Public Key Automatic" as my keys are already stored. Make sure to select "Tunnel via loopback address" or it will connect via the host's interface address rather than 127.0.0.1. You can modify the port entry in /etc/xrdp/xrdp.ini to only allow inbound RDP connections from the SSH tunnel itself by setting port=tcp://127.0.0.1:3389.

SSH eliminates both password attacks and RDP authentication vulnerabilities, as well as potential weaknesses in the encryption of the RDP stream itself. I personally would never use RDP without SSH if the LAN was not in a controlled environment, WiFi was present, or the LAN was internet-accessible on port 3389. SSH is preferable to a VPN, or at the very least should be used in addition to a VPN. VPN networks, particularly where LAN-to-LAN VPN is used, can have gaping vulnerabilities, especially if those LANs have WiFi. SSH provides end-to-end encryption and authentication; that's quite a bit better than a VPN in most cases anyway.

Other advantages of using SSH tunneling for xrdp would be the use of fail2ban, logging, auditing and the other benefits of SSH in general: the ability to choose the type and level of encryption you want, like AES-256-GCM, hmac-sha2-512, ecdh-sha2-nistp521 etc., as well as the strong anti-man-in-the-middle abilities of SSH.

One final point is that SSH can safely connect to an xrdp host over the internet without even the need for a VPN; SSH is completely secure all by itself with a standard hardened configuration. This is a very attractive alternative considering a VPN could be overkill, difficult to set up at first, and still not even be as secure as just using SSH alone.

Typical SSH hardening config would be: and generate both a strong server key pair and user key pair:
-
It doesn't make any sense to me to use passwords in a production environment. Short passwords are unsafe, long passwords are annoying. Typically for me, a simple password protects my terminal from unwanted physical access; even a short password offers plenty of deterrent. But for all network access I use SSH and certificates.
Is there any convenient way to use certificate authentication? Another acceptable alternative for me would be to force the xrdp server to only accept connections over an OpenSSH tunnel; then I can continue using a shorter password as I would on a terminal.
Is there a clean way to do this or a step-by-step guide somewhere? I'm using Debian 11 and LMDE 5, usually Cinnamon but sometimes Xfce.