How to connect to Windows remote desktop from Linux

RDP (Remote Desktop Protocol) clients exist for many platforms, even for mobile phones, of course, there are RDP clients for Linux as well

We will look at 2 RDP clients for Linux

• freerdp is a free implementation of the Remote Desktop Protocol (RDP)
• rdesktop is an open source client for remote desktop windows services

How to use freerdp

To install freerdp on Debian, Kali Linux, Linux Mint, Ubuntu and derivatives, run the command:

sudo apt install freerdp2-x11 freerdp2-shadow-x11

If the freerdp2-x11 and freerdp2-shadow-x11 packages are not found, look for a package named freerdp.

To install freerdp on Arch Linux and derivatives, run the command:

sudo pacman -S freerdp

How to connect with freerdp command

To connect to the remote desktop using xfreerdp, run a command of the form:

xfreerdp /f /u:USERNAME /p:PASSWORD /v:HOST[:PORT]

In this command:

• /f is option means to open the remote desktop in full screen mode
• /u:USERNAME is a name of the account on the computer to which we are connecting
• /p:PASSWORD is a password of the specified account
• /v:HOST[:PORT] is an IP address or name of the computer to which the remote table is connected. PORT optional (recommended: “Windows Computer name: how to change and use”)

For example, I want to open a remote computer desktop with IP address 192.168.0.101, on which there is a Tester user with a password of 1234, and I want to open a remote working collision in full screen mode, then the command is as follows:

xfreerdp /f /u:Tester /p:1234 /v:192.168.0.101

To toggle between full-screen and windowed modes, use the keyboard shortcut Ctrl+Alt+Enter.

When connecting for the first time, the following message about the problem with the certificate appears:

[11:02:36:086] [26320:26321] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - @           WARNING: CERTIFICATE NAME MISMATCH!           @
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - The hostname used for this connection (192.168.0.101:3389) 
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - Common Name (CN):
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - 	HackWare-MiAl
[11:02:36:096] [26320:26321] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details:
	Subject: CN = HackWare-MiAl
	Issuer: CN = HackWare-MiAl
	Thumbprint: 6a:4c:be:35:23:5f:46:b5:bd:37:15:5e:f7:21:ec:59:aa:c1:1c:3e
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N)

Since self-signed certificates are used without a private CA (authentication center, certification authority) added to the store, the only choice is to agree to trust the specified certificate, enter Y for this.

In full screen mode, you can disconnect from the remote desktop in two ways:

• press the cross on the top panel
• Start button → Shutdown → Disconnect

To run in windowed mode, do not use the /f option:

xfreerdp /u:Tester /p:1234 /v:192.168.0.101

Xfreerdp options

The xfreerdp program has many options,I picked up the most interesting of them:

    /v:<server>[:port]	Server hostname
    /u:...	Username
    /p:<password>	Password
    /f                   	Fullscreen mode (<Ctrl>+<Alt>+<Enter> toggles fullscreen)
    /port:<number>	Server port
    /size:...	Screen size
    /w:<width>	Width
    /h:<height>	Height
    /monitor-list        	List detected monitors
    /monitors:<id>[,[,...]]	Select monitors to use
    -grab-keyboard       	Disable Grab keyboard
    -mouse-motion        	Disable Send mouse motion
    /log-filters:...	Set logger filters, see wLog(7) for details
    /log-level:...	Set the default log level, see wLog(7) for details
    +home-drive          	Enable Redirect user home as share
    /drive:<name>,<path>	Redirect directory <path> as named share <name>
    +drives              	Enable Redirect all mount points as shares
    /t:<title>	Window title
    /ipv6                	Prefer IPv6 AAA record over IPv4 A record
    /kbd:0x<id> or <name>	Keyboard layout
    /kbd-fn-key:<value>	Function key value
    /kbd-list            	List keyboard layouts
    /kbd-subtype:<id>	Keyboard subtype
    /kbd-type:<id>	Keyboard type

How to create shared folders in freerdp

With remote desktop connected via RDP, you can have shared folders. Let's look at a few examples.

To connect all mount points in the current system as shared folders on the remote desktop, use the +drives option, for example:

xfreerdp /u:Tester /p:1234 /v:192.168.0.101 +drives

The screenshot shows the remote Windows desktop, in which the Linux system folders are accessible:

To connect only the home folder of the current Linux user as a network folder to the computer via RDP, specify the +home-drive option:

xfreerdp /u:Tester /p:1234 /v:192.168.0.101 +home-drive

In this case, the home folder is mounted on a system connected via the remote desktop protocol:

With the option /drive:NAME,/PATH/IN/LINUX, you can connect any folder with any name. The path in the current system must be specified as /PATH/IN/LINUX, and NAME is the name that will have the share in the remote system. For example, to connect the root folder of the current system (/) to the remote folder with the root name:

xfreerdp /u:Tester /p:1234 /v:192.168.0.101 /drive:root,/

How to bring remote desktop to another monitor

If you have several monitors, then you can choose which one to use for the remote system. To list the monitors, run the command:

xfreerdp monitor-list

Select the monitor (or multiple monitors) identifier using the /monitors:<id>[,[,…]] option.

How to set the size of the remote desktop window

The following example connects to the rdp.contoso.com host with the name USER and is 50 percent of the height.

xfreerdp /u:USER /size:50%h /v:rdp.contoso.com

If width (w) is set instead of height (h), something like /size:50%w, then 50 percent of the width will be used.

How to use rdesktop

To install rdesktop on Debian, Kali Linux, Linux Mint, Ubuntu and derivatives, run the command:

sudo apt install rdesktop

To install rdesktop on Arch Linux and derivatives, run the command:

sudo pacman -S rdesktop

How to connect to remote desktop with rdesktop

To connect to RDP with rdesktop, use a command of the form:

rdesktop -u USER -p PASSWORD HOST

For instance:

rdesktop -u Tester -p 1234 192.168.0.101

As usual, at the very beginning there will be a problem with the certificate:

Autoselecting keyboard map 'ru' from locale

ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);

 1. Certificate issuer is not trusted by this system.

     Issuer: CN=HackWare-MiAl


Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:

    Subject: CN=HackWare-MiAl
     Issuer: CN=HackWare-MiAl
 Valid From: Thu Apr  2 20:56:11 2020
         To: Fri Oct  2 20:56:11 2020

  Certificate fingerprints:

       sha1: 6a4cbe35235f46b5bd37155ef721ec59aac11c3e
     sha256: 35368cc1b2ae9e79927bcb8ededed228062de34978aeeeab74bb029ccbc255e9


Do you trust this certificate (yes/no)? yes

We type yes.

Then an error will occur:

Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option).

This is because network-level authentication (Kerberos TGT) is not configured. Setup instructions at: https://github.com/rdesktop/rdesktop/wiki/Network-Level-Authentication-(NLA)

Another option that allows you to connect to Windows via RDP using rdesktop without setting up Network Level Authentication (NLA) is to disable network-level authentication in Windows. It is clear that this will weaken the security of RDP, therefore it is not recommended. But as a “quick dirty fix” this can be done as follows: Start menu → Settings → System → Remote Desktop → Advanced settings → Uncheck “Require computers to use Network Level Authentication at the to connect (recommended)”:

After that, rdesktop connection passes without errors:

In the Windows settings, you could see the link “Why allow connections with Network Level Authentication?”, It says the following:

If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication (NLA). When you enable this option, users have to authenticate themselves to the network before they can connect to your PC. Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that can help protect your computer from malicious users and software. To learn more about NLA and Remote Desktop, check out Configure NLA for RDS Connections. If you're remotely connecting to a PC on your home network from outside of that network, don't select this option.

How to connect from Linux to another Linux via RDP

There are no special features when connecting using the xfreerdp program, it is enough to start the RDP server, and if you use freerdp-shadow, then the /sam-file:SAM /sec:nla options are also needed:

freerdp-shadow-x11 /sam-file:SAM /sec:nla

Or run xrdp-sesman and xrdp as an RDP server.

And then the connection to Linux via RDP is the same as to Windows:

xfreerdp /u:mial /p:2 /v:192.168.0.73

As for rdesktop, it could not be forced to work with any of the RDP servers under consideration under Linux – if you know how to do this, then write in the comments.