SSH keys:Windows

From CELS IT Wiki

(Difference between revisions)
(The public key goes in your MCS ~/.ssh/authorized_keys file:)
(PuTTY)
 
Line 43: Line 43:
 
You '''can''' use PuTTYgen to load and convert an existing key you may have generated with OpenSSH to PuTTY's key format.  See: [http://the.earth.li/%7Esgtatham/putty/0.54/htmldoc/Chapter8.html#8.2.12 Dealing with private keys in other formats].  We will not cover that here.  It is easier to simply generate a new key pair.
 
You '''can''' use PuTTYgen to load and convert an existing key you may have generated with OpenSSH to PuTTY's key format.  See: [http://the.earth.li/%7Esgtatham/putty/0.54/htmldoc/Chapter8.html#8.2.12 Dealing with private keys in other formats].  We will not cover that here.  It is easier to simply generate a new key pair.
  
After downloading PuTTYgen, double-click on the PuTTYgen icon.  At the very bottom of the dialog box, there is a section called "Parameters".  Under "Type of key to generate:", click the radio button for "SSH2 RSA".  Note the PuTTY default of "SSH1 (RSA)" will *not* work with most MCS systems, so you must do this step! You should set the "Number of bits in a generated key:" at the default value of 2048 or higher.
+
After downloading PuTTYgen, double-click on the PuTTYgen icon.  At the very bottom of the dialog box, there is a section called "Parameters".  Under "Type of key to generate:", click the radio button for "RSA".  Note that "SSH1 (RSA)" will *not* work with most MCS systems. You should set the "Number of bits in a generated key:" at the default value of 2048 or higher.
  
 
Now under "Actions" in the middle, click on the "Generate" button.  Follow the directions of moving the mouse around in the blank section to generate randomness.  It will then say "Please wait while a key is generated."  This doesn't take long at all.
 
Now under "Actions" in the middle, click on the "Generate" button.  Follow the directions of moving the mouse around in the blank section to generate randomness.  It will then say "Please wait while a key is generated."  This doesn't take long at all.
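Review bot: In the revised PuTTYgen paragraph, "*not*" is not wiki emphasis markup and will render with literal asterisks; the neighbouring paragraph uses '''can''' for bold, so this should be '''not''' to match. The new wording also drops both the statement that "SSH1 (RSA)" is the PuTTY default and the "so you must do this step!" instruction, so a reader is no longer told that selecting "RSA" is required; consider keeping a short clause saying the step is mandatory.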

Latest revision as of 19:36, 10 March 2017


If you use Cygwin for SSH, see the Unix instructions. We recommend skimming that section for background and insight on what the keys are for if you haven't already read it.


SecureCRT

If you use SecureCRT, the version of SecureCRT on the Windows software page supports keys. Simply generate your key by clicking "Tools", then "Generate Public Key". Follow the prompts (RSA keys are fine, despite what the text above the selection box says). Choose a good passphrase; MCS requires strong passphrases. 2048 is an adequate key length. Make note of where it's installing the key. It's probably something like:

C:\Documents and Settings\USERNAME\Application Data\VanDyke\Identity

If you upgraded from an old version, it might be:

C:\Documents and Settings\USERNAME\Application Data\Van Dyke Technologies\Identity

Say "Yes" to the global public key question.

Now, the tricky part. SecureCRT stores your public key in a funky format. You have a few options to get it into the format you need; do any one of the following.

  • Use Berkeley's SSH-key converter - quick and easy.
  • Copy the public key (identity.pub) to a machine that has OpenSSH installed and run: ssh-keygen -i -f identity.pub > id_rsa.pub
  • E-mail the identity.pub file(s) to systems@mcs.anl.gov, along with a phone number and time at which you can be reached, and we will convert it for you.

Now, make SecureCRT use the key.

  • Click "File", then "Connect", and for each existing entry in the list (or for new ones you add), click the "Properties" button (it looks like a hand holding a card).
  • In the Authentication section under "Connection", change "Primary" to be "PublicKey". Choose "Properties" and make sure it's using your global file.
  • Click "Options", "Global Options", and under SSH2 heading, check both boxes in the "Agent" section.

Now, the first SecureCRT session you open will ask for the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running).

NOTE: If you converted a previously SSH1 session to use SSH2, check your port forwarding configuration. It may have been messed up. The checkbox for local IP address restrictions should be unchecked. If it's not, uncheck it.

PuTTY

If you would like to use PuTTY as your SSH client, the first thing you should do is download the latest client. We have found that various older versions give funky problems when trying to use version 2 keys. It only takes 10 seconds - no fancy installer, no rebooting.

Close any current PuTTY connections, move the current PuTTY executable (putty.exe) to the recycle bin, and download a new putty.exe from here. Your current preferences and saved connections will not go away. When you open the new PuTTY, all those things will still be there.

While you are grabbing the latest client, also grab PuTTYgen (puttygen.exe), which is the tool you will use to generate a new SSH key pair.

You can use PuTTYgen to load and convert an existing key you may have generated with OpenSSH to PuTTY's key format. See: Dealing with private keys in other formats. We will not cover that here. It is easier to simply generate a new key pair.

After downloading PuTTYgen, double-click on the PuTTYgen icon. At the very bottom of the dialog box, there is a section called "Parameters". Under "Type of key to generate:", click the radio button for "RSA". Note that "SSH1 (RSA)" will *not* work with most MCS systems. You should set the "Number of bits in a generated key:" at the default value of 2048 or higher.

Now under "Actions" in the middle, click on the "Generate" button. Follow the directions of moving the mouse around in the blank section to generate randomness. It will then say "Please wait while a key is generated." This doesn't take long at all.

Upload your public key
The public key goes in your MCS ~/.ssh/authorized_keys file

Now you will see at the top your "Public key for pasting into OpenSSH authorized_keys file:". Highlight that whole block of characters, including the "ssh-rsa" at the start of the first line, and copy it to the clipboard in Windows using CTRL-C. Don't shut the dialog box - there is more to do later.

Go to the personal account management page, log in, click the "Personal Information" link in the sidebar, and click the "Add New SSH Public Key" link next to Credentials and paste your key into the web form. If you have trouble with this procedure, email systems@mcs.anl.gov with the error you are getting.

You can also click on the "Save public key" button to save this text-block as a file locally on your Windows box, so that you have it around for later in case you need to reference it again.
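
Before pasting, the copied text can be checked for the mistakes this procedure invites: pasting the private key, a line-wrapped copy, or a key below 2048 bits. The Python below is an added example, not part of the original wiki page or of PuTTY; check_pasted_key and the sample-key builder are hypothetical names, and the sample keys are constructed (not usable keys).

```python
import base64
import struct

MIN_RSA_BITS = 2048  # the page asks for "2048 or higher"

def _read_string(blob, off):
    """Read one length-prefixed field from an SSH public key blob."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def check_pasted_key(text):
    """Return a list of problems with text pasted as an authorized_keys entry."""
    text = text.strip()
    if "PRIVATE KEY" in text or text.startswith("PuTTY-User-Key-File"):
        return ["this is a private key file, not the public key"]
    if "\n" in text:
        return ["key must be one line; copy the whole block with no line breaks"]
    fields = text.split(None, 2)
    if len(fields) < 2:
        return ["expected '<type> <base64> [comment]'"]
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner_type, off = _read_string(blob, 0)
        if inner_type != fields[0].encode("ascii", "replace"):
            return ["key type prefix does not match the key data"]
        if fields[0] != "ssh-rsa":
            return ["not an ssh-rsa key; only RSA keys are checked here"]
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)
    except (ValueError, struct.error):
        return ["key data is not valid SSH public key material"]
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        return [f"RSA key is {bits} bits, below {MIN_RSA_BITS}"]
    return []

def constructed_key_line(bits, prefix="ssh-rsa"):
    """Build a constructed ssh-rsa line of a given size (not a usable key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)
    return f"{prefix} {base64.b64encode(blob).decode('ascii')} constructed-sample"
```

An empty list means the text has the shape of a 2048-bit-or-larger ssh-rsa public key; it does not prove the key belongs to you.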

Saving the private key on your Windows machine:

You will definitely need to save the private key on your Windows box. To do this, first enter a "Key passphrase" in the box provided, and re-type it to confirm in the "Confirm passphrase" box just below that. MCS requires the use of strong passphrases.

You will need to remember this passphrase! Make sure you choose a strong one. Then click on the "Save private key" button. You can name it whatever you want. It will be saved with a ".ppk" extension. Do not change this.

You are now done generating your key-pair, and may close the PuTTYgen dialog box.

Setting up PuTTY to use keys and opening an SSH session

If you have used PuTTY before, double-click on the PuTTY icon to open the application. You can click on one of your previously saved sessions and hit the "Load" button. But don't hit "Open" yet.

If you have not used PuTTY before, enter a hostname under "Hostname (or IP address)", like login.mcs.anl.gov. Make sure the radio button for SSH is clicked, and the port says 22.

On the "Category" tree on the left-hand side of the dialog box, click on "Auth" under Connection->SSH->Auth. This should be "Options Controlling SSH Authentication". The only box that needs to be checked is "Attempt keyboard interactive auth (SSH2)". Under "Private key file for authentication:", click the "Browse..." button off to the right, and locate the .ppk file you saved earlier. Click "Open" and it will return you to the SSH Auth dialog box with the private key file location entered properly in the box.

Go back and click on "Session" at the top of the "Category" tree on the left side. You may want to name and save this session, so it will use keys from now on. Enter a short name under "Saved Sessions:" like "mcs_login". Then click the "Save" button.

You are now ready to click the "Open" button at the bottom to launch your SSH session using keys.

You will get a window that says:
login as: [Enter your Unix username]

Then it will say:
Authenticating with public key "<name of the rsa key you created>"
Passphrase for key "<name of the rsa key you created>":

Enter the passphrase you used while saving your private key to this Windows box. You're in!

For more information on using PuTTY, see the PuTTY docs, especially Chapter 8 on SSH public keys.

SSH.com

Until we customize the details for MCS, Berkeley has a good FAQ on this.
