SSH Key Authentication, How To

From SwinBrain

In this article we will look at setting up key authentication using SSH and the PuTTY SSH client. Using key authentication you can provide a key file to verify your identity when logging in to a server. This is very useful if you are frequently logging in, such as when using CVS.

This is a How To article designed to give step-by-step instructions. Search SwinBrain and the external links if you require more detailed information about this topic.


PuTTY SSH Client

PuTTY is a Telnet and SSH client. It allows you to connect using these protocols to remote hosts. There are several utilities related to PuTTY. These include the following programs.

  • PuTTY - the Telnet and SSH client itself
  • PSCP - an SCP client, i.e. command-line secure file copy
  • PSFTP - an SFTP client, i.e. general file transfer sessions much like FTP
  • PuTTYtel - a Telnet-only client
  • Plink - a command-line interface to the PuTTY back ends
  • Pageant - an SSH authentication agent for PuTTY, PSCP and Plink
  • PuTTYgen - an RSA and DSA key generation utility.

These can be downloaded from the PuTTY homepage.

Setup Keyfile Authentication

PuTTY allows you to use RSA and DSA keyfiles for authentication. This allows you to log in using a private key, avoiding having to enter your password at each login. You need to ensure that you keep your keyfile secure, as anyone with that file will be able to log in as you.

Start by downloading the following programs. Copy them into a directory on your machine that you will be easily able to access. We suggest using c:\apps\putty. You can download these from the PuTTY homepage.

  • PuTTY.exe
  • PLink.exe
  • PuTTYgen.exe
  • Pageant.exe

Create your key (once)

In order to use keyfile authentication you need to create a PuTTY keyfile in the .PPK format. This only needs to be done once as long as you don't lose your key or your passphrase. The following steps will guide you through the creation of this keyfile.

  • Run PuTTYgen
  • Click Generate
  • Move the mouse around until the key is generated
  • Enter a passphrase (twice)
  • Click on "Save private key". Note: this file should be kept secure! Do not save it on the local hard disk of a lab computer! Some places you might want to save your key:
    • USB disk
    • Floppy disk
    • \\mercury.it.swin.edu.au
    • X:\
  • You should save it with a name like mercury.ppk, though the name is not critical
  • Click "Save public key" button. Save it as mercury.key (This step is not strictly required but is highly recommended)
  • Do NOT close PuTTYgen yet. It is needed for the next section.

Add your key to the server

Now that we have created the keyfile itself, we need to give the server the public key portion. The server will use this key to authenticate you at login.

  • Copy the text out of the box labeled "Public key for pasting into OpenSSH authorized_keys file:"
  • Log into mercury.it.swin.edu.au using PuTTY
  • Run these commands. You must substitute **** with the text copied in the previous step. In PuTTY, click the right mouse button to paste. The command might wrap over many lines; this is OK.
    • mkdir .ssh
    • chmod 700 .ssh
    • echo "****" >> ~/.ssh/authorized_keys
    • chmod 0600 ~/.ssh/authorized_keys
    • exit
  • Close PuTTYgen, and PuTTY
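The server-side step above, written as a reusable check-and-append function. This is an added example, not part of the original article: install_pubkey and the sample key are constructed for illustration. It refuses a key that really did break across lines or was truncated in the paste, and does not add the same key twice.

```shell
#!/bin/sh
# Added example: append one OpenSSH public key line to authorized_keys.
# install_pubkey is a hypothetical helper name, not a PuTTY or OpenSSH tool.

# Constructed sample key line (not a real key); replace with the text
# copied from the PuTTYgen "Public key for pasting" box.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAY29uc3RydWN0ZWQgc2FtcGxlIGtleQ== rsa-key-constructed'

install_pubkey() {
    key=$1
    dir="$HOME/.ssh"
    file="$dir/authorized_keys"
    nl='
'
    # A paste that really broke into several lines would leave a partial,
    # unusable entry in the file, so refuse it.
    case $key in
        *"$nl"*) echo "rejected: key contains a line break" >&2; return 2 ;;
    esac

    # Fields are "type blob [comment]". The base64 blob starts with the
    # encoded key type, so a mismatch means a truncated or wrong paste.
    ktype=${key%% *}
    rest=${key#* }
    blob=${rest%% *}
    case "$ktype:$blob" in
        ssh-rsa:AAAAB3NzaC1yc2E*|ssh-dss:AAAAB3NzaC1kc3M*) ;;
        *) echo "rejected: not an RSA or DSA public key line" >&2; return 2 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "rejected: blob is not base64" >&2; return 2 ;;
    esac

    # Same permissions as the manual steps; mkdir -p tolerates an existing .ssh.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1

    # Do not add the same key twice (compare on the blob, ignoring the comment).
    if [ -f "$file" ] && grep -qF -- "$blob" "$file"; then
        echo "key already present in $file"
        return 0
    fi
    # Create the file owner-only from the start, then pin the mode.
    ( umask 077; printf '%s\n' "$key" >> "$file" ) && chmod 600 "$file"
}

# Run as: sh install_pubkey.sh 'ssh-rsa AAAA... comment'
if [ "$#" -gt 0 ]; then install_pubkey "$1"; fi
```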

At this point you have created and registered the key file. You can now use your private key, mercury.ppk, to log in to mercury.

Using the Private Key

Now that we have the private key and the server knows our public key, we need to tell PuTTY about the private key so that it can use it for authentication. This is the purpose of the Pageant program. Remember, these steps should be performed every time you log into Windows, before you use any SSH commands. Load your private key into Pageant using the following steps. The PuTTY programs will then be able to use your key when connecting to the server.

  • Start the PuTTY key agent, Pageant
  • Double click on the Pageant tray icon
  • Click on “Add Key”
  • Open your .ppk file created above
  • Enter the passphrase for the key
  • Close the Pageant window. The tray icon should remain running

Testing PuTTY and plink

Now to test the setup. Load PuTTY and connect to the server. You still need to enter your user name, but PuTTY should use the key stored in Pageant to do the authentication. If you still need to enter your password then review the previous steps and make sure you didn't miss anything.

To test plink, the command line SSH tool, use the following steps. This test is important if you want to use plink with programs like CVS.

  • Start a Windows command prompt (cmd.exe)
  • Make sure that plink.exe is available on your path using the following commands.
    • echo %path%
    • If you can't see the directory where you installed PuTTY, do the following, using your path to the PuTTY program.
    • set path=c:\apps\putty;%path%
  • Connect to the server using the following command
    • plink mercury.it.swin.edu.au
  • You may see a prompt like the one shown below
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 ea:46:17:4b:15:cc:1f:26:12:78:08:3a:d7:c0:83:e1
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n)
  • If you are prompted to Store key in cache then respond with y
  • You will be prompted for a username with "login as:"
  • Enter your username
  • You should not be prompted for a password. If you are, then your setup is not complete.
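The fingerprint in the host key prompt above is the MD5 digest of the server's public host key, so it can be recomputed and compared before the key is stored in the cache. This is an added example, not part of the original article: the helper names and the sample key are constructed, and it assumes you have the server's public host key line from a source you already trust and that base64 and md5sum are available.

```shell
#!/bin/sh
# Added example: recompute the colon-separated MD5 fingerprint shown in the
# plink prompt from a host public key line. Helper names are hypothetical.

# Constructed sample standing in for the server's RSA host public key line
# (for example the contents of its ssh_host_rsa_key.pub); not a real key.
SAMPLE_HOST_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAY29uc3RydWN0ZWQgaG9zdCBrZXk= constructed-host'

host_key_md5() {
    rest=${1#* }          # drop the key type field
    blob=${rest%% *}      # drop the trailing comment
    # MD5 over the decoded key blob, printed as 16 colon-separated hex bytes.
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# $1: fingerprint line as shown in the prompt, e.g. "ssh-rsa 1024 ea:46:..."
# $2: host public key line obtained over a trusted channel
# Returns 0 on match, 1 on mismatch, 2 if $1 is not an MD5 fingerprint.
host_key_matches() {
    shown=$(printf '%s' "${1##* }" | tr 'A-F' 'a-f')
    actual=$(host_key_md5 "$2")
    case $shown in
        ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??) ;;
        *) echo "not an MD5 fingerprint: $shown" >&2; return 2 ;;
    esac
    [ "$shown" = "$actual" ]
}

# Run as: sh check_host_key.sh 'ssh-rsa 1024 ea:46:...' 'ssh-rsa AAAA... host'
if [ "$#" -eq 2 ]; then
    if host_key_matches "$1" "$2"; then
        echo "fingerprint matches the trusted key"
    else
        echo "fingerprint does NOT match: abandon the connection"
    fi
fi
```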

Automating the key agent

If you have a persistent Windows desktop (i.e. you are not using a lab machine) then you can configure the agent to start when you log in. The agent can load your key and prompt you for your passphrase. To set this up, follow these steps:

  • Right click on the Start button
  • Select Explore All Users
  • Expand the Programs directory
  • Select the PuTTY directory
  • Right click on Pageant (in the right hand window pane)
  • Select Copy
  • Close the window
  • Right click on the Start button
  • Select Explore
  • Expand the Programs directory
  • Select the Startup directory
  • Right click in the right hand window pane
  • Select Paste Shortcut
  • Right click on the new icon
  • Select Properties
  • Edit the Target string and append a space and then the full path and filename of your .ppk file.

Summary

PuTTY is an SSH client that can be used to securely connect to a server and issue commands. These steps show how to set up keyfile authentication.
