If you’ve dabbed in server infrastructure before, you’ll know that the two main authentication protocols are the Windows Remote Desktop Protocol (RDP) and Secure Shell (SSH). Both are useful in their own way, with distinct advantages and disadvantages that may influence which is best for your use case. Let’s take a closer look:
What is SSH?
The Secure Shell Protocol (SSH), like RDP, is a network protocol designed to facilitate secure access to a remote server. It was designed on Unix-like operating systems as a replacement for Telnet and Unix shell, two outdated protocols with various security issues.
SSH has three major, hierarchical components:
- The transport layer: for server authentication, integrity, and confidentiality
- The user authentication protocol: for validating the user to the server
- The connection protocol: turns the encrypted tunnel into multiple logical communication channels via multiplexing
SSH authentication is typically backed by public-key cryptography, governed by private key pairs and a password to authenticate the user. It is primarily used to access Linux servers via command-line interface and is
What is RDP?
The Remote Desktop Protocol (RDP) is a protocol developed by Microsoft to provide users on various operating systems with a graphical interface to connect to remote Windows PCs or servers. It uses client software referred to as “Remote Desktop Connection” to achieve this.
However, while Windows RDP was naturally designed for Windows, it can also be utilized to connect to various Linux distributions. Here at BitLaunch, for example, we offer an Ubuntu Desktop VPS with RDP.
RDP uses username/password authentication as well as 128-bit RC4 encryption and TLS for security. It is often recommended that admins pair it with a Virtual Private Network (VPN) and Multi-factor authentication (MFA) foe additional security.
SSH vs RDP: The features
Though SSH and RDP achieve roughly the same thing: connection a remote host, their feature sets are very different. The primary way in which SSH and RDP differ is in interface. SSH is a command-line interface and as such has no GUI. RDP, meanwhile, has a full GUI with support for 32-bit color, audio, printing, and more. Users utilize it in much the same way they’d use a local Windows PC.
However, this core difference isn’t an advantage or disadvantage, but preference. Windows RDP provides an intuitive experience for regular users but is heavier on both the connection and resources of the local PC. SSH is primarily suitable for more technical users who are familiar with the command line but is lightweight. It all depends on the use case.
File transfers also differ. File transfer over SSH is easy and fast, but manual. Windows RDP requires a bit of initial configuration but allows you to access all of your local files from your RDP server from that point onward. Then it’s just a case of dragging and dropping between drives to transfer. RDP’s GUI approach will be easier for most users, but the fact that users have to upload files while simultaneously streaming an image of the live desktop can make things sluggish.
SSH vs RDP: The security
The way each protocol handles security is one of the biggest differentiators between the two.
For those that don’t know, server authentication refers to the practice of ensuring the server the user is connecting to is the one they expected. This is important, because hackers may try a “man-in-the-middle” attack, where they secretly sit between two servers and listen in while forwarding the traffic to its final destination.
Server authentication with SSH is quite simple, yet relatively secure. Servers have a private and public key pair. SSH clients will keep track of the fingerprint of the public key they saw the first time a user connects to a server and ask a user to validate that it’s correct. After the user completes this validation, the fingerprint is checked on each subsequent connection and the SSH client alerts the user if it has changed.
The riskiest part of the process is the initial fingerprint authentication. That is why it is important that you carefully validate the fingerprint.
Users, meanwhile, authenticate themselves using a password or, more for additional security, a manually configured SSH key.
By default, RDP comes with two security options. Standard security employs RC4 encryption. Values for this are exchanged when a connection is initialized, in the Basic Settings Exchange phase.
However, while RDP's self-signed certificate provides some degree of server authentication, it's best traded for one from an enterprise CA via the "Enhanced Security" option. RDP lets admins outsource encryption, decryption, and integrity checks to CredSSP, TLS, or a feature called Network Level Authentication.
Network Level Authentication (NLA) forces the client to authenticate itself with the RDP server before establishing a connection with the server. This saves on resources and helps protect against man-in-the-middle attacks.
However, though RDP traffic is encrypted by default, it's still susceptible to man-in-the-middle attacks via ARP poisoning. As a result, it's always recommended to connect to RDP servers with a VPN.
Users connect to a Windows RDP server with a password, which is not ideal due to phishing attacks and brute-forcing. Admins are encouraged to additionally configure multi-factor authentication (MFA) and implement a strong password policy.
SSH or RDP for VPS use?
If you're hosting just about anything, SSH is going to make the most sense. Its minimal resource requirements combined with strong security and terminal-focused environment make it great for game servers, websites, web apps, VPNs, and more.
RDP, whether for a Windows RDP server or a Linux one, is best left to situations where a UI is very useful or essential. If you're working from a VPS using it as a test environment, for example, it only makes sense. If you're doing Forex trading, you'll also need a UI. Think carefully about both your security and technical requirements, and choose the solution that makes the most sense for you.