Difference between revisions of "SSH keys:Windows"

From CELS IT Wiki
Line 20: Line 20:
* Use [https://svnkeys.berkeley.edu/ Berkeley's SSH-key converter] - quick and easy.
* Use [https://svnkeys.berkeley.edu/ Berkeley's SSH-key converter] - quick and easy.
* Copy the public key (identity.pub) to a machine that has OpenSSH installed and run: <pre>ssh-keygen -i -f identity.pub > id_rsa.pub</pre>
* Copy the public key (identity.pub) to a machine that has OpenSSH installed and run: <tt>ssh-keygen -i -f identity.pub > id_rsa.pub</tt>
* E-mail the identity.pub file(s) to systems@mcs.anl.gov, along with a phone number and time at which you can be reached, and we will convert it for you.
* E-mail the identity.pub file(s) to systems@mcs.anl.gov, along with a phone number and time at which you can be reached, and we will convert it for you.
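Review bot: in the second bullet, the redirect "> id_rsa.pub" overwrites any existing id_rsa.pub in the directory where the command is run, and on a machine with OpenSSH installed that is the default name of the user's own RSA public key. Suggest a distinct output file name, and a sentence saying that the converted single line is what goes into authorized_keys.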

Revision as of 16:25, 30 September 2008


If you use Cygwin for SSH, see the Unix instructions. We recommend skimming that section for background and insight on what the keys are for if you haven't already read it.


If you use SecureCRT, the version of SecureCRT on the Windows software page supports keys. Simply generate your key by clicking "Tools", then "Generate Public Key". Follow the prompts (RSA keys are fine, despite what the text above the selection box says). Choose a good passphrase; MCS requires strong passphrases. 2048 is an adequate key length. Make note of where it's installing the key. It's probably something like:

C:\Documents and Settings\USERNAME\Application Data\VanDyke\Identity

If you upgraded from an old version, it might be:

C:\Documents and Settings\USERNAME\Application Data\Van Dyke Technologies\Identity

Say "Yes" to the global public key question.

Now, the tricky part. SecureCRT stores your public key in a funky format. You have a few options to get it into the format you need; do any one of the below.

  • Use Berkeley's SSH-key converter - quick and easy.
  • Copy the public key (identity.pub) to a machine that has OpenSSH installed and run: ssh-keygen -i -f identity.pub > id_rsa.pub
  • E-mail the identity.pub file(s) to systems@mcs.anl.gov, along with a phone number and time at which you can be reached, and we will convert it for you.

Now, make SecureCRT use the key.

  • Click "File" then "Connect", and for each existing entry in the list (or for new ones you add), click the "Properties" button (it looks like a hand holding a card).
  • In the Authentication section under "Connection", change "Primary" to be "PublicKey". Choose "Properties" and make sure it's using your global file.
  • Click "Options", "Global Options", and under SSH2 heading, check both boxes in the "Agent" section.

Now, the first SecureCRT session you open will ask for the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running).

NOTE: If you converted a session that previously used SSH1 to use SSH2, check your port forwarding configuration. It may have been messed up. The checkbox for local IP address restrictions should be unchecked. If it's not, uncheck it.


If you would like to use PuTTY as your SSH client, the first thing you should do is download the latest client. We have found that various older versions give funky problems when trying to use version 2 keys. It only takes 10 seconds - no fancy installer, no rebooting.

Close any current PuTTY connections, move the current PuTTY executable (putty.exe) to the recycle bin, and download a new putty.exe from here. Your current preferences and saved connections will not go away. When you open the new PuTTY, all those things will still be there.

While you are grabbing the latest client, also grab PuTTYgen (puttygen.exe), which is the tool you will use to generate a new ssh key pair.

You can use PuTTYgen to load and convert an existing key you may have generated with OpenSSH to PuTTY's key format. See: Dealing with private keys in other formats. We will not cover that here. It is easier to simply generate a new key pair.

After downloading PuTTYgen, double-click on the PuTTYgen icon. At the very bottom of the dialog box, there is a section called "Parameters". Under "Type of key to generate:", click the radio button for "SSH2 RSA". Note the PuTTY default of "SSH1 (RSA)" will *not* work with most MCS systems, so you must do this step! You should set the "Number of bits in a generated key:" at the default value of 2048 or higher.

Now under "Actions" in the middle, click on the "Generate" button. Follow the directions of moving the mouse around in the blank section to generate randomness. It will then say "Please wait while a key is generated." This doesn't take long at all.

The public key goes in your MCS ~/.ssh/authorized_keys file:

Now you will see at the top your "Public key for pasting into OpenSSH authorized_keys file:". If you like, at this point you can change the "Key comment:" to add something like -<name of machine where generated>. Now highlight that whole block of characters, including the first line of ssh-rsa, and Copy it to the clipboard in Windows using CTRL-C. Don't shut the dialog box - there is more to do later.

You can get this onto MCS Unix systems in two ways: go to the personal account management page, log in, and paste the public key block into the SSH Public Key section and click on the "Update SSH Public Key" button. Follow the directions to call the HelpDesk at 630-252-6813 to get the key activated. Or, if you can come in through the VPN, do that, ssh to fuzzy using your plain Unix password, and then follow the directions under "First: Preparing your MCS environment" at the top of this page. You can also email the key to systems@mcs.anl.gov, with a phone number where you can be reached. We will call to verify your identity.

Next, open ~/.ssh/authorized_keys in your favorite editor, and paste the public key block into the file (making sure it is all actually one single line of text, no returns). Exit the editor, saving the authorized_keys file.
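The two format points above, the SecureCRT conversion step and the "one single line" requirement for authorized_keys, shown as an added Python example (not part of the original wiki page). It assumes identity.pub is in the RFC 4716 (SSH2) format that `ssh-keygen -i` reads by default, and that the authorized_keys line has no options prefix; the function names and the sample key are constructed for illustration.

```python
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def _read_string(blob, off):
    """One SSH wire string: 4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def rfc4716_to_openssh(text):
    """Turn an RFC 4716 public key file into one authorized_keys line."""
    text = text.replace("\r\n", "\n").replace("\\\n", "")  # CRLF, header continuations
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    pairs = (ln.split(":", 1) for ln in lines[1:-1] if ":" in ln)
    headers = {tag.lower(): value.strip().strip('"') for tag, value in pairs}
    body = "".join(ln for ln in lines[1:-1] if ":" not in ln)  # base64 has no ':'
    blob = base64.b64decode(body, validate=True)
    key_type = _read_string(blob, 0)[0].decode()  # the type is stored inside the blob
    return f"{key_type} {base64.b64encode(blob).decode()} {headers.get('comment', '')}".strip()

def check_authorized_key_line(line):
    """List problems in one 'type base64 [comment]' line; empty list means OK."""
    fields, problems = line.split(), []
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner, off = _read_string(blob, 0)
        if inner.decode() != fields[0]:
            problems.append(f"declared type {fields[0]} but blob holds {inner.decode()}")
        if inner == b"ssh-rsa":
            off = _read_string(blob, off)[1]   # skip the public exponent
            bits = int.from_bytes(_read_string(blob, off)[0], "big").bit_length()
            if bits < 2048:                    # the page calls 2048 an adequate length
                problems.append(f"RSA modulus is {bits} bits, below 2048")
    except (IndexError, ValueError, struct.error):
        problems.append("incomplete or damaged key (line break inside the key?)")
    return problems

def constructed_sample(bits=2048):
    """Constructed RFC 4716 file; the modulus is a made-up number, not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    b64 = base64.b64encode(s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + n)).decode()
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\r\n".join([BEGIN, 'Comment: "constructed@example"', *rows, END]) + "\r\n"
```

Running `check_authorized_key_line` on each line of a pasted key shows quickly whether the editor wrapped it: both fragments of a split key are reported, while the intact line returns an empty list.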

You can also click on the "Save public key" button to save this text block as a file locally on your Windows box, but this is just to have it around in case you later want to file-transfer it somewhere, email it, etc.

Saving the private key on your Windows machine:

You will definitely need to save the private key on your Windows box. To do this, first enter a "Key passphrase" in the box provided, and re-type it to confirm in the "Confirm passphrase" box just below that.

You will need to remember this passphrase! Make sure you choose a strong one. Then click on the "Save private key" button. You can name it whatever you want. It will be saved with a ".ppk" extension. Do not change this.

You are now done generating your key-pair, and may close the PuTTYgen dialog box.

Setting up PuTTY to use keys and opening an SSH session

If you have used PuTTY before, double-click on the PuTTY icon to open the application. You can click on one of your previously saved sessions and hit the "load" button. But don't hit "Open" yet.

If you have not used PuTTY before, enter a hostname under "Hostname (or IP address)", like terra.mcs.anl.gov. Make sure the radio button for SSH is clicked, and the port says 22.

On the "Category" tree on the left-hand side of the dialog box, click on "Auth" under Connection->SSH->Auth. This should be "Options Controlling SSH Authentication". The only box that needs to be checked is "Attempt keyboard interactive auth (SSH2)". Under "Private key file for authentication:", click the "Browse..." button off to the right, and locate the .ppk file you saved earlier. Click "Open" and it will return you to the SSH Auth dialog box with the private key file location entered properly in the box.

Go back and click on "Session" at the top of the "Category" tree on the left side. You may want to name and save this session, so it will use keys from now on. Enter a short name under "Saved Sessions:" like terra. Then click the "Save" button.

You are now ready to click the "Open" button at the bottom to launch your SSH session using keys.

You will get a window that says:
login as: [Enter your Unix username]

Then it will say:
Authenticating with public key "<name of the rsa key you created>"
Passphrase for key "<name of the rsa key you created>":

Enter the passphrase you used while saving your private key to this Windows box. You're in!

For more information on using PuTTY, see the PuTTY docs, especially Chapter 8 on SSH public keys.


Until we customize the details for MCS, Berkeley has a good FAQ on this.