Using IAP Desktop for zero-trust SSH access

I recently released version 2.13 of IAP Desktop. This release introduces a major new feature, the ability to connect to Linux instances by using SSH.

When you select a Linux VM in the Project Explorer tool window and click Connect, IAP Desktop now connects to the VM by using SSH and opens a virtual terminal:

[Screenshot: SSH Terminal]

Behind the scenes, IAP Desktop:

  1. creates an RSA key pair if you do not have one yet, and securely stores it in the Windows CryptoNG key store,
  2. publishes the public SSH key to OS Login, project metadata, or VM instance metadata (depending on your project configuration),
  3. creates an IAP TCP forwarding tunnel to the Linux instance so that connectivity is secured by context-aware access, and
  4. creates an SSH connection through the tunnel.

Similar to Remote Desktop sessions, IAP Desktop lets you use multiple SSH sessions in parallel, and you can mix and arrange them with Remote Desktop sessions as you like:

[Screenshot: Window layout]

Customizing SSH settings

You can customize the settings IAP Desktop uses to connect to Linux instances by using the Connection settings tool window.

Version 2.14, released last week, introduced additional configuration options that you can customize under Tools > Options > SSH:

  • Key expiry: When IAP Desktop publishes your SSH key, it automatically configures the key to expire after 30 days. A shorter expiry time can improve security, but also leads to longer connection times whenever IAP Desktop needs to re-publish your key.
  • Locale: By default, IAP Desktop passes your current Windows display language as locale (LC_ALL) to remote Linux machines. In some cases, this might not be what you prefer, so you can disable this feature.

[Screenshot: SSH settings]
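An added example (not part of IAP Desktop or the original post): a small audit of an `ssh-keys` metadata value that flags published keys with no expiry or with a lifetime longer than the 30-day default described above. It assumes Compute Engine's documented metadata entry format, `USERNAME:KEY google-ssh {"userName":...,"expireOn":...}`; the sample entries, the function names and the `max_ttl` parameter are constructed for illustration, and keys published to OS Login are not covered.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an `ssh-keys` metadata value; key blobs are dummies.
SAMPLE_METADATA = "\n".join([
    'alice:ssh-rsa AAAAB3NzaC1yc2E= google-ssh {"userName":"alice","expireOn":"2024-02-10T12:00:00+0000"}',
    'bob:ssh-rsa AAAAB3NzaC1yc2E= bob@laptop',
    'carol:ssh-rsa AAAAB3NzaC1yc2E= google-ssh {"userName":"carol","expireOn":"2025-01-01T00:00:00+0000"}',
    'dave:ssh-rsa AAAAB3NzaC1yc2E= google-ssh {"userName":"dave","expireOn":"2024-01-01T00:00:00+0000"}',
])

def parse_entry(line):
    """Split one entry into (username, expiry); expiry is None if absent."""
    username, _, rest = line.partition(":")
    fields = rest.split(None, 2)  # key type, base64 blob, optional comment
    if not username or len(fields) < 2:
        raise ValueError("malformed ssh-keys entry")
    comment = fields[2] if len(fields) == 3 else ""
    if not comment.startswith("google-ssh "):
        return username, None  # plain comment: key carries no expiry
    attrs = json.loads(comment[len("google-ssh "):])
    if not isinstance(attrs, dict):
        raise ValueError("google-ssh attributes are not a JSON object")
    if "expireOn" not in attrs:
        return username, None
    return username, datetime.strptime(attrs["expireOn"], "%Y-%m-%dT%H:%M:%S%z")

def audit_ssh_keys(metadata, now, max_ttl=timedelta(days=30)):
    """Return a list of (username, finding) pairs, one per metadata entry."""
    findings = []
    for line in filter(None, map(str.strip, metadata.splitlines())):
        try:
            user, expiry = parse_entry(line)
        except (ValueError, TypeError):  # bad layout, JSON or timestamp
            findings.append((line.split(":", 1)[0], "malformed"))
            continue
        if expiry is None:
            findings.append((user, "no-expiry"))
        elif expiry <= now:
            findings.append((user, "expired"))
        elif expiry - now > max_ttl:
            findings.append((user, "ttl-exceeds-policy"))
        else:
            findings.append((user, "ok"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_ssh_keys(SAMPLE_METADATA, datetime.now(timezone.utc)):
        print(f"{user}: {finding}")
```

Entries reported as `no-expiry` or `ttl-exceeds-policy` are the ones worth reviewing, because they remain valid for login until someone removes them from metadata.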

Customizing the terminal

The terminal itself should look and feel like a regular xterm terminal. There are a few rarely-used xterm features like double-space characters and blinking that the terminal does not support – but other than that, the terminal should support all the xterm features you’re used to.

In addition, the terminal supports a number of shortcuts:

  • Copy/paste: You can copy and paste text in the terminal by using Ctrl+C/Ctrl+V or Ctrl+Insert/Shift+Insert. When pasting text from the clipboard, any typographic/smart quotes are automatically converted to plain quotes.
  • Text selection: You can use Shift+Left/Shift+Right to select text and Ctrl+A to select all text in the terminal.
  • Text navigation: By using Ctrl+Left/Ctrl+Right you can jump to the previous/next word in the terminal.
  • Scrolling: You can use Ctrl+Up/Ctrl+Down to scroll up or down a line, and Ctrl+Home/Ctrl+End to scroll to the top or end of the terminal buffer.

Because some of these shortcuts might conflict with certain Linux applications, you can disable individual shortcuts under Tools > Options > Terminal:

[Screenshot: Terminal settings]

Under the hood

SSH is growing in popularity among Windows users, but it can still hardly be considered a first-class citizen on Windows. Although Microsoft has added pseudoterminal support and has substantially improved the console in later Windows 10 releases, the OS does not yet provide all the APIs needed to add SSH capabilities to an application.

To compensate for that, IAP Desktop’s SSH features are built on two open-source components, libssh2 and VtNetCore.

You can find the source code and all releases of IAP Desktop on the project’s GitHub page.

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.