If you use Cygwin for SSH, see the Unix instructions. I recommend skimming that section for background and insight on what the keys are for if you haven't already read it.
If you use SecureCRT, the version of SecureCRT on the Windows software page supports keys. Simply generate your key by clicking "Tools", then "Generate Public Key". Follow the prompts (RSA keys are fine, despite what the text above the selection box says). Choose a good passphrase; MCS requires strong passphrases. 2048 is an adequate key length. Make note of where it's installing the key. It's probably something like:
C:\Documents and Settings\USERNAME\Application Data\VanDyke\Identity
If you upgraded from an old version, it might be:
C:\Documents and Settings\USERNAME\Application Data\Van Dyke Technologies\Identity
Say "Yes" to the global public key question.
Now, the tricky part. SecureCRT stores your public key in a funky format. To get it into the format OpenSSH recognizes:
- If you are on-site or using the VPN, log on to fuzzy.mcs.anl.gov using SSH2 and password authentication. If not, please email the "Identity.pub" file you created to email@example.com as per the instructions at the top of the page. Then proceed to Step 6.
- If it does not already exist, you'll need to create your .ssh directory in your MCS unix home directory on the remote machine. Type "mkdir ~/.ssh" followed by "chmod 700 ~/.ssh".
- On the local machine, use Notepad.exe to open the Identity.pub file that was created with the Key Generation wizard.
- With the Identity.pub file opened in the Notepad application, open the Edit menu and choose Select All. Once everything is selected, open the Edit menu again and select Copy.
- On the remote machine, complete the following steps:
% cat > ~/.ssh/windows-machine-name.ident (where "windows-machine-name" is the name of your machine)
- Click on the SecureCRT paste button to paste the contents of the Clipboard (which should now contain the contents of your Identity.pub file).
- Press CTRL+D to end the input and close the file, which now holds the contents of your Identity.pub file.
- Convert the key to one that OpenSSH will recognize using the following command:
% ssh-keygen -i -f ~/.ssh/windows-machine-name.ident >> ~/.ssh/authorized_keys
- Make SecureCRT use the key.
- Click "File" then "Connect", and for each existing entry in the list (or for new ones you add), click the "Properties" button (it looks like a hand holding a card).
- In the Authentication section under "Connection", change "Primary" to be "PublicKey". Choose "Properties" and make sure it's using your global file.
- Click "Options", "Global Options", and under SSH2 heading, check both boxes in the "Agent" section.
Now, the first SecureCRT session you open will ask for the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running).
NOTE: If you converted a previously SSH1 session to use SSH2, check your port forwarding configuration. It may have been messed up. The checkbox for local IP address restrictions should be unchecked. If it's not, uncheck it.
If you would like to use PuTTY as your SSH client, the first thing you should do is download the latest client. We have found that various older versions give funky problems when trying to use version 2 keys. It only takes 10 seconds - no fancy installer, no rebooting.
Close any current PuTTY connections, move the current PuTTY executable (putty.exe) to the recycle bin, and download a new putty.exe from here. Your current preferences and saved connections will not go away. When you open the new PuTTY, all those things will still be there.
While you are grabbing the latest client, also grab PuTTYgen (puttygen.exe), which is the tool you will use to generate a new ssh key pair.
You can use PuTTYgen to load and convert an existing key you may have generated with OpenSSH to PuTTY's key format. See: Dealing with private keys in other formats. We will not cover that here. It is easier to simply generate a new key pair.
After downloading PuTTYgen, double-click on the PuTTYgen icon. At the very bottom of the dialog box, there is a section called "Parameters". Under "Type of key to generate:", click the radio button for "SSH2 RSA". Note the PuTTY default of "SSH1 (RSA)" will *not* work with most MCS systems, so you must do this step! You should set the "Number of bits in a generated key:" at the default value of 2048 or higher.
Now under "Actions" in the middle, click on the "Generate" button. Follow the directions of moving the mouse around in the blank section to generate randomness. It will then say "Please wait while a key is generated." This doesn't take long at all.
Now you will see at the top your "Public key for pasting into OpenSSH authorized_keys file:". If you like, at this point you can change the "Key comment:" to add something like -<name of machine where generated>. Now highlight that whole block of characters, including the first line of ssh-rsa, and Copy it to the clipboard in Windows using CTRL-C. Don't shut the dialog box - there is more to do later.
You can get this onto MCS Unix systems in two ways: go to the personal account management page, log in, and paste the public key block into the SSH Public Key section and click on the "Update SSH Public Key" button. Follow the directions to call the HelpDesk at 630-252-6813 to get the key activated. Or, if you can come in through the VPN, do that, ssh to fuzzy using your plain Unix password, and then follow the directions under "First: Preparing your MCS environment" at the top of this page. You can also email the key to firstname.lastname@example.org, with a phone number where you can be reached. We will call to verify your identity.
Next, open ~/.ssh/authorized_keys in your favorite editor, and paste the public key block into the file (making sure it is all actually one single line of text, no returns). Exit the editor, saving the authorized_keys file.
You can also click on the "Save public key" button to save this text-block as a file locally on your Windows box, but this is just to have it around for later in case you want to file-transfer it somewhere later, or email it, etc.
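Added example (not part of the original MCS instructions): a shell check to run on the Unix side after either procedure above. It flags authorized_keys entries that were pasted with a line break inside the key data or appended without the `ssh-keygen -i` conversion. It assumes entries without an options prefix and a `base64` that accepts `-d`; the function names and the sample key material are constructed for illustration.

```shell
# blob_matches TYPE BLOB: succeed only if BLOB base64-decodes to a run of
# length-prefixed fields that ends exactly at the end of the data and whose
# first field is TYPE. Key data cut short by a line break fails this walk.
blob_matches() {
    printf '%s' "$2" | base64 -d 2>/dev/null | od -An -v -tu1 |
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++) b[n++] = $i + 0 }
        END {
            pos = 0; fields = 0; name = ""
            while (pos + 4 <= n) {
                len = b[pos]*16777216 + b[pos+1]*65536 + b[pos+2]*256 + b[pos+3]
                pos += 4
                if (pos + len > n) exit 1
                if (fields == 0)
                    for (j = 0; j < len; j++) name = name sprintf("%c", b[pos+j])
                pos += len; fields++
            }
            exit !(pos == n && fields >= 2 && name == want)
        }'
}

# check_authorized_keys FILE: print "LINE: problem" for each bad entry and
# return non-zero if any was found. Assumes entries have no options prefix.
check_authorized_keys() {
    lineno=0; rc=0
    while read -r ktype blob _rest || [ -n "$ktype" ]; do
        lineno=$((lineno + 1))
        case $ktype in
            ''|'#'*) continue ;;
            '----') msg="unconverted SSH2 key block, convert it with ssh-keygen -i" ;;
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*|sk-*)
                blob_matches "$ktype" "$blob" && continue
                msg="key data is truncated or is not a $ktype key" ;;
            *) msg="no key type at start of line (rest of a wrapped key?)" ;;
        esac
        echo "$lineno: $msg"; rc=1
    done < "$1"
    return "$rc"
}

# Constructed sample (toy key material, not a real key): entry 1 is intact,
# entry 2 was pasted with a line break in the middle of the key data.
write_sample() {
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABQECAwQF user@winbox-a' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABQEC' \
        'AwQF user@winbox-b' > "$1"
}
sample=$(mktemp) && write_sample "$sample"
check_authorized_keys "$sample" || echo "fix the lines listed above"
rm -f "$sample"
```

Run `check_authorized_keys ~/.ssh/authorized_keys` after editing the file; no output and a zero exit status mean every entry is a single, complete line.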
Saving the private key on your Windows machine:
You will definitely need to save the private key on your Windows box. To do this, first enter a "Key passphrase" in the box provided, and re-type it to confirm in the "Confirm passphrase" box just below that.
You will need to remember this passphrase! Make sure you choose a strong one. Then click on the "Save private key" button. You can name it whatever you want. It will be saved with a ".ppk" extension. Do not change this.
You are now done generating your key-pair, and may close the PuTTYgen dialog box.
Setting up PuTTY to use keys and opening an SSH session
If you have used PuTTY before, double-click on the PuTTY icon to open the application. You can click on one of your previously saved sessions and hit the "load" button. But don't hit "Open" yet.
If you have not used PuTTY before, enter a hostname under "Hostname (or IP address)", like terra.mcs.anl.gov. Make sure the radio button for SSH is clicked, and the port says 22.
On the "Category" tree on the left-hand side of the dialog box, click on "Auth" under Connection->SSH->Auth. This should be "Options Controlling SSH Authentication". The only box that needs to be checked is "Attempt keyboard interactive auth (SSH2)". Under "Private key file for authentication:", click the "Browse..." button off to the right, and locate the .ppk file you saved earlier. Click "Open" and it will return you to the SSH Auth dialog box with the private key file location entered properly in the box.
Go back and click on "Session" at the top of the "Category" tree on the left side. You may want to name and save this session, so it will use keys from now on. Enter a short name under "Saved Sessions:" like terra. Then click the "Save" button.
You are now ready to click the "Open" button at the bottom to launch your SSH session using keys.
You will get a window that says:
login as: [Enter your Unix username]
Then it will say:
Authenticating with public key "<name of the rsa key you created>"
Passphrase for key "<name of the rsa key you created>":
Enter the passphrase you used while saving your private key to this Windows box. You're in!
Until we customize the details for MCS, Berkeley has a good FAQ on this.