How secure is rdesktop?

[SkyHiRider]

I'm thinking of enabling remote desktop access to my server. How secure would this end up being really? And is there a way to use the public/private key combo to up the security and only allow access by using asymmetric cryptography?

And another thing, which solution should I use ? I know Gnome has an option to enable remote desktop access, but there are probably other options too.

Is there an remote desktop application that listens on a port, and when I want to connect it launches gdm an Gnome (or kdm and Kde) ? It's a waste of resources if the gui is running when I don't need it as I usually work through SSH but a gui would sometimes help (unless using it will have a hit on security).

[Kloschüssel]

as far as I know, the rdp protocol has no encryption built-in that I would rely on (man in the middle attacks are feasible). thus, encryption should be provided by the transport layer (i.e. ssh tunnel). further rdesktop is discontinued, thus I would not recommend to actually rely on that software in a serious business. the light at the end of the tunnel is FreeRDP, which is a fork of rdesktop. but that project was not promoted to become a GSOC project and I do not know how much effort those guys plan to invest on that project.

for these and more reasons, i would recommend a solid ssh terminal as I cannot think of any usecase where I would need a desktop environment - except the case where I need to open a shell to do the shell hacking.

JMTC

[sml156]

I just setup remote desktop on my windows 7 machine , I am pretty shure it is vunerable to brute force attacks , I havent found the setting yet but somewhere there is a setting to disable logons if someone put's in the wrong password like if you fail 3 times you wont be able to logon for set time

[SkyHiRider]

Thanks for the replies. I wanted to try it as the knowledge may come in handy. Rdesktoping to a server is a no go then, although I found a terminal command that can enable/disable remote desktop so I can simply enable, do stuff, disable.

That also means that using rdesktop on other pc's in the network is a bad idea, thou it would come in handy when there is some kind of silly issue and you can just take hold of the computer (were talking mostly gui problems) and do the fix in a flash. It's also a good marketing tactic as people are usually amazed when their mouse is moving on their own

[Kloschüssel]

I just setup remote desktop on my windows 7 machine , I am pretty shure it is vunerable to brute force attacks , I havent found the setting yet but somewhere there is a setting to disable logons if someone put's in the wrong password like if you fail 3 times you wont be able to logon for set time

Carols computer is being brute-force attacked with DDOS across several pc's and she wants Bob to rdesktop into the server and take a look at things really REALLY soon. Bob therefore picks his ducati and drives home at lightspeed. He is such in a hurry that he fails 3 times to type the 20 characters password in a correct way and is blocked out. What is he going to say to carol? If Carol is a paying customer he surely's not going to say something like: "I could not prevent your server from being hijacked because I was blocked by your silly rdesktop server.."

[Kloschüssel]

Rdesktoping to a server is a no go then, although I found a terminal command that can enable/disable remote desktop so I can simply enable, do stuff, disable.

Carols computer wasn't hijacked so far because rdesktop was turned off. Unfortunatly during the last maintanance Bob forgot to turn off rdesktop..

(yes, these things happen)

That also means that using rdesktop on other pc's in the network is a bad idea, thou it would come in handy when there is some kind of silly issue and you can just take hold of the computer (were talking mostly gui problems) and do the fix in a flash. It's also a good marketing tactic as people are usually amazed when their mouse is moving on their own

If you're going to help guys that sit behind a firewall, which is most times the case, you're simply unable to help them unless you told them how to configure the firewall properly. Take a shot a this:

Teamviewer

That is somewhat lightyears ahead to rdesktop.

[sml156]

I like remote desktop
and as far as Carols goes I guess bob wouldent have to fire him because bob would forget he ever worked for Carols
teamviewer wouldent help bob either

[Kloschüssel]

I like remote desktop

No offense meant: this thread is about whether rdesktop (the software, see "man rdesktop") is safe to use, not if one likes remote desktops or not.

as far as Carols goes I guess bob wouldent have to fire him because bob would forget he ever worked for Carols
teamviewer wouldent help bob either

Carol can start the remoting software when she needs it and it's also her responsibility to turn it off. Thus the responsibility can be shifted to carol (or her administrator). Does this help Bob? I strongly believe so.