ARCHIVED: Using SSH Secure Shell for Windows, how do I set up public key authentication?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Note: This document assumes you are using SSH Secure Shell for Windows, produced by Tectia, on your local computer and OpenSSH on the remote host.

Note: SSH Secure Shell Client for Windows is no longer available for download from IUware or SSH Communications. For alternative SSH and SFTP clients, see SFTP clients recommended for use at IU.

Public key authentication is a security method you can use to remotely log into a server. Because it relies on a cryptographic key pair rather than on a password alone, it can be more secure than password authentication by itself. For secured client systems, you can use public key authentication to eliminate the need to enter a password when connecting to a server.

There is a potential security risk in configuring public key authentication to allow access without a password to a server. Because the login process is automatic, your accounts may be compromised if someone gains access to your workstation. Other users can launch the SSH client and access your account without knowing your password. UITS recommends that you password protect the keys themselves. You'll still need to enter a password (for the private key rather than for the server), but public key authentication is intended to provide added security. Avoiding password authentication can be convenient, but that should not override security concerns. Analyze your situation before implementing public key authentication in a way that allows you to avoid entering your password to a server.

To set up public key authentication from SSH Secure Shell for Windows:

  1. In SSH Secure Shell, from the Edit menu, select Settings.... In the window that opens, select Global Settings, then User Authentication, and then Keys.
  2. Under "Key pair management", click Generate New.... In the window that appears, click Next.
  3. In the Key Generation window that appears:
    1. From the drop-down list next to "Key Type:", select from the following:
      • If you want to take less time to initially generate the key, select DSA.
      • If you want to take less time during each connection for the server to verify your key, select RSA.

    2. From the drop-down list next to "Key Length:", select at least 1024. You may choose a greater key length, but the time it takes to generate the key, as well as the time it takes to authenticate using it, will go up.

    Although experts debate whether DSA or RSA is superior, for all practical purposes, the debate is irrelevant to your day-to-day use. The differences are minute, and are important only to cryptologists. The only practical difference you will see is a small difference in the time it takes to authenticate (RSA is faster). Just make sure your key length is set to at least 1024.

  4. Click Next. The key generation process will start. When it's complete, click Next again.
  5. In the "File Name:" field, enter a name for the file where SSH Secure Shell will store your private key. Your public key will be stored in a file with the same name, plus a .pub extension.
  6. Important: Here you must decide whether or not to secure your private key with a password. If you do not, then authentication will occur automatically, and you won't be prompted to enter any password. If you do, you'll receive a prompt each time asking for your "Passphrase for Private Key", which will be the password you create here, not your IU password. Again, refer to the warning above regarding the potential security risk in not securing the key. UITS strongly recommends that you enter a passphrase when generating a public and private key pair. If you choose not to, anyone who has access to your private key can authenticate to your account automatically.

    In the boxes next to "Passphrase:", enter a passphrase for your private key, or leave the boxes empty if you do not want to protect your private key with a passphrase.

  7. To complete the key generation process, click Next, and then Finish.
  8. At the Settings screen, click OK.
  9. Connect to your remote host using your normal password. Once you have connected, from the Edit menu, select Settings....
  10. In the window that opens, select Global Settings, then User Authentication, and then Keys.
  11. Under "Public Key Management", click Upload....
  12. In the window that opens, change the entry next to "Destination folder:" so that it reads .ssh.
  13. Below that, in the "Authorization file:" field, change the entry from authorization to authorized_keys (note the underscore).
  14. When you have finished, click Upload, and then OK.
  15. On the remote host, convert your public key to the format used by OpenSSH and add it to your authorized_keys file, with the following command:
      ssh-keygen -f ~/.ssh/filename.pub -i >> ~/.ssh/authorized_keys

    Replace filename.pub with the name of the file containing your public key (i.e., the file with the .pub extension from step 5 above).

  16. If you wish, you may now delete the public key file from your account on the remote host by entering the following:
      rm ~/.ssh/filename.pub

    Replace filename.pub with the name of the file containing your public key. When you are prompted, confirm the deletion.

    UITS recommends that you delete the file, but it's not absolutely necessary. While it may be a risk to leave an unused copy of your authentication key, a malicious user would have to break into your account to see it. Malicious users who know Unix basics could just as easily read or steal the authorized_keys file if they are already in your account. However, it's still a good idea to delete that copy of the key. It's no longer necessary, and it's always good security practice to remove potential risks, even if you cannot predict how they can be used.
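Step 15's `ssh-keygen -i` converts the public key file that SSH Secure Shell exports (the SSH2 format of RFC 4716) into the one-line form OpenSSH expects in authorized_keys. The following Python is an added example, not part of this document or of either tool: it performs the same conversion on a constructed sample key, and it also shows an append that skips a key already present, since re-running the `>>` command in step 15 would add a duplicate line each time.

```python
# Added example, not from this document: RFC 4716 (SSH2) public key -> OpenSSH
# authorized_keys line. The sample key blob is constructed, not a real key.
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: 4-byte length + bytes

def make_sample_rsa_blob() -> bytes:
    """Constructed, non-functional 'ssh-rsa' blob: type, e = 65537, tiny n."""
    return (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00\xc3" + b"\x5a" * 31))  # placeholder modulus

def to_rfc4716(blob: bytes, comment: str) -> str:
    """Wrap a key blob in the SSH2 file format that SSH Secure Shell exports."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n" + f'Comment: "{comment}"\n'
            + body + "\n---- END SSH2 PUBLIC KEY ----\n")

def rfc4716_to_openssh(text: str) -> str:
    """What `ssh-keygen -i` does: read headers and base64 body, take the key
    type from the first wire-format string, emit 'type base64 comment'."""
    begin, end = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != begin or lines[-1] != end:
        raise ValueError("not an RFC 4716 public key")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:  # header lines precede the body
            name, value = line.split(":", 1)
            while value.endswith("\\"):  # header value continues on the next line
                i += 1
                value = value[:-1] + lines[i]
            headers[name.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + tlen].decode("ascii")
    if key_type not in ("ssh-rsa", "ssh-dss"):  # the two types this guide offers
        raise ValueError(f"unsupported key type {key_type!r}")
    return f"{key_type} {base64.b64encode(blob).decode()} {headers.get('comment', '')}".rstrip()

def add_to_authorized_keys(existing: list, new_line: str) -> list:
    """Append like `>>` would, but skip a key blob that is already present."""
    present = {entry.split()[1] for entry in existing if len(entry.split()) >= 2}
    return existing if new_line.split()[1] in present else existing + [new_line]
```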

You are now finished. Repeat steps 8-14 for each remote host you want to log into using public key authentication.

The next time you make a connection to the remote host, when you see the connection dialog box, change the "Authentication Method:" field to Public Key. You will be prompted for the passphrase for your private key (if you supplied one). This passphrase is not sent to the remote host. If you did not supply a passphrase for your private key, you will not receive a request for a passphrase when connecting to the remote host. The terminal will simply open.

To change the authentication method permanently, before ending your session, from the File menu, select Save Settings. Alternatively, modify the SSH profile for that server, as follows:

  1. In your SSH terminal window, click Profiles, and then select Edit Profiles....
  2. In the list on the left, select the profile you want to modify. Then on the right, select the Authentication tab.
  3. Under "Authentication methods:", select Public Key. Then click the up arrow in the upper right corner across from the heading "Authentication methods:" as many times as necessary to move it to the top.
  4. Click OK.

This is document amzx in the Knowledge Base.
Last modified on 2018-01-18 13:48:13.