Connecting remotely to server infrastructure is an everyday occurrence at IT and DevOps organizations. But when it comes to which authentication protocol to use, there are a few worthy options to evaluate. Two protocols that often come into contention are the Windows® Remote Desktop Protocol (RDP) and Secure Shell (SSH) protocol. If you are weighing these two options, here’s a comparison of RDP vs. SSH.
Why Compare RDP and SSH?
With a growing remote workforce, IT admins need to grant user access to servers from anywhere in the world without compromising security. RDP and SSH are both protocols used for authenticating remote server access. Increasingly, these servers are cloud-based Infrastructure-as-a-Service (IaaS), but both protocols can also be used to access servers hosted on-prem.
What is RDP?
The Remote Desktop Protocol is solely used for accessing Windows virtual machines (VMs) and physical Windows servers (as opposed to Linux® servers). From a user perspective, RDP provides a Windows Graphical User Interface (GUI) experience, making servers more accessible to a wider range of employees — with or without a technical background.
Because RDP ports often need to be exposed to the internet for remote access, and exposed RDP ports can be vulnerable to attacks, admins should protect their RDP instances with a virtual private network (VPN) and/or a form of multi-factor authentication (MFA).
What is SSH?
Secure Shell is a protocol optimized for Linux server access, but usable with servers running any operating system. Unlike RDP, SSH has no GUI, only a command-line interface, which is generally driven through bash. As such, SSH is technically demanding for end users, and even more technically demanding to set up.
The core security component behind SSH is its client/server authentication model, which leverages public/private key pairs instead of traditional credentials. These keys function much like a traditional lock and key, with the public key representing the lock and the private key the unique key to access it. In general, users store their private SSH keys directly on their systems, with the public keys stored on their respective servers. SSH secures authentication far better than a standard username and password because each key uses 2048-bit encryption, which is considerably more difficult to crack than a typical password.
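An added example, not from the original article: because the public keys live on the server, an admin can audit them there. This sketch parses `authorized_keys` lines and flags RSA keys whose modulus is shorter than the 2048-bit figure cited above; the function names, the policy constant and the sample lines (constructed, with made-up moduli) are assumptions for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy: the key size the article cites

def read_string(blob, off):  # SSH wire string: 4-byte big-endian length, then bytes
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def key_info(line):
    """Return (key_type, RSA modulus bits or None), or None if no key parses."""
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):  # options may precede the key type
        try:
            blob = base64.b64decode(b64, validate=True)
            inner, off = read_string(blob, 0)
            if inner != ktype.encode():
                continue  # declared type must match the type inside the blob
            if ktype != "ssh-rsa":
                return ktype, None
            modulus, _ = read_string(blob, read_string(blob, off)[1])  # skip e, read n
            return ktype, int.from_bytes(modulus, "big").bit_length()
        except ValueError:  # bad base64 or truncated blob
            continue
    return None

def audit(text):
    """Yield (line_number, reason) for each key line that fails the policy."""
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        info = key_info(line)
        if info is None:
            yield (no, "no parseable public key")
        elif info[1] is not None and info[1] < MIN_RSA_BITS:
            yield (no, f"{info[1]}-bit RSA key, below {MIN_RSA_BITS}")

def sample_rsa_line(bits):  # constructed key line, made-up modulus, not a usable key
    wire = lambda b: struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # 0x00 pad: positive mpint
    return "ssh-rsa " + base64.b64encode(wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(n)).decode()

SAMPLE = "\n".join(["# constructed sample", sample_rsa_line(2048) + " alice@example",
                    'from="192.0.2.10" ' + sample_rsa_line(1024) + " legacy@example", "ssh-rsa AAAA broken"])

if __name__ == "__main__":
    for no, reason in audit(SAMPLE):
        print(f"line {no}: {reason}")
```

On a server, pass the contents of each account's `authorized_keys` file to `audit()`; key types other than RSA are parsed but not size-checked here.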
Comparing RDP vs. SSH
RDP and SSH are both used to remotely access machines and other servers. They’re both essential for securely accessing cloud-based servers, and aid remote employees in leveraging infrastructure on-prem as well.
Although they’re similar in these regards, RDP and SSH have their differences. For starters, one can argue that SSH is natively more secure than RDP, which needs additional tooling like a VPN/MFA for proper security. As mentioned above, key pairs are generally harder to compromise than credentials. Although that is true, nothing is 100% secure out of the box. Even with SSH keys, IT organizations will need to take the proper measures to ensure the critical data on their infrastructure remains secure and confirm that end users protect their private keys.
Beyond that, RDP requires less technical know-how than SSH, which makes it more appealing to organizations with slim technical expertise or smaller, novice IT teams. The GUI-focused RDP makes it widely accessible and even usable by non-technical employees.
Securing Both RDP and SSH from the Cloud
Regardless of the final choice between the two, organizations can leverage a cloud directory service to secure their RDP ports, as well as manage SSH key pairs. With a cloud directory service, IT admins can establish multi-factor authentication (MFA) on their Windows systems and VMs, as well as on their VPNs through RADIUS, to secure access to RDP instances.
A cloud directory service also manages public SSH key pairs, creating them when a user is provisioned to the respective server and storing them in association with that server. This process allows end users to self-administer their private key pairs, saving admins time.