ARCHIVED: Using SSH Secure Shell for Windows, how do I set up public key authentication?
Note: This document assumes you are using SSH Secure Shell for Windows, produced by Tectia, on your local computer and OpenSSH on the remote host.
Note: SSH Secure Shell Client for Windows is no longer available for download from IUware or SSH Communications. For alternative SSH and SFTP clients, see SFTP clients recommended for use at IU.
Public key authentication is a method of logging in to a remote server with a cryptographic key pair instead of a password. Your private key stays on your computer; the server holds only the public key and verifies a signature you make with the private key, so no reusable secret crosses the network. This can be more secure than password authentication alone. On a client system that is itself secured, you can use public key authentication to avoid typing a password at all when connecting to a server.
Configuring public key authentication so that no password is needed carries a risk: because the login is automatic, anyone who gains access to your workstation (or a copy of your private key file) can launch the SSH client and log in to your account without knowing your password. UITS recommends that you protect the private key itself with a passphrase. You will still type a secret at each connection, but it unlocks the private key locally rather than being sent to the server; public key authentication is intended to add security, not to remove it. Avoiding password prompts is convenient, but convenience should not override security. Assess your situation before setting up public key authentication in a way that lets you connect to a server without entering anything.
To set up public key authentication from SSH Secure Shell for Windows:
- In SSH Secure Shell, from the menu, select . In the window that opens, select , then , and then .
- Under "Key pair management", click . In the window that appears, click .
- In the Key Generation window that appears:
  - From the drop-down list next to "Key Type:", select one of the following:
    - If you want the initial key generation to take less time, select DSA.
    - If you want the server to take less time verifying your key on each connection, select RSA.
  - From the drop-down list next to "Key Length:", select at least 1024. You may choose a greater key length, but the time it takes to generate the key, and the time it takes to authenticate with it, will increase.
When this document was written, the choice between DSA and RSA made no practical difference for day-to-day use; the differences matter only to cryptologists, and the only visible effect was that RSA authenticates slightly faster. That advice has since dated: OpenSSH 7.0 and later disable ssh-dss (DSA) keys by default, and 1024-bit RSA keys are no longer considered adequate. If the remote host runs a current OpenSSH, select RSA and a key length of at least 2048 rather than the 1024 minimum given above.
- Click . The key generation process will start. When it's complete, click again.
- In the "File Name:" field, enter a name for the file where SSH Secure Shell will store your private key. Your public key will be stored in a file with the same name plus a .pub extension.
- Important: Here you must decide whether or not to secure your private key with a passphrase. If you do not, authentication will occur automatically and you won't be prompted to enter any password. If you do, you'll receive a prompt each time asking for your "Passphrase for Private Key", which will be the passphrase you create here, not your IU password. Again, refer to the warning above regarding the risk of not securing the key. UITS strongly recommends that you enter a passphrase when generating a public and private key pair. If you choose not to, anyone who obtains your private key file can authenticate to your account automatically.
  In the boxes next to "Passphrase:", enter a passphrase for your private key, or leave the boxes empty if you do not want to protect your private key with a passphrase.
- To complete the key generation process, click , and then .
- At the Settings screen, click .
- Connect to your remote host using your normal password. Once you have connected, from the menu, select .
- In the window that opens, select , then , and then .
- Under "Public Key Management", click .
- In the window that opens, change the entry next to "Destination folder:" so that it reads .ssh
- Below that, in the "Authorization file:" field, change the entry from authorization to authorized_keys (note the underscore).
- When you have finished, click , and then .
- On the remote host, convert your public key from the SSH2 (RFC 4716) format that SSH Secure Shell writes to the format used by OpenSSH, and append it to your authorized_keys file, with the following command:
  ssh-keygen -f ~/.ssh/filename.pub -i >> ~/.ssh/authorized_keys
  Replace filename.pub with the name of the file containing your public key (i.e., the file with the .pub extension from step 5 above). The -i option tells ssh-keygen to import a key in the SSH2 format, and >> appends the converted line rather than overwriting the file, so any keys already in authorized_keys are kept. If key authentication still fails afterward, check permissions: OpenSSH ignores an authorized_keys file, or a ~/.ssh directory, that other users can write to.
- If you wish, you may now delete the public key file from your account on the remote host by entering the following:
  rm ~/.ssh/filename.pub
  Replace filename.pub with the name of the file containing your public key. When you are prompted, confirm the deletion. UITS recommends that you delete the file, but it is not absolutely necessary. The .pub file holds only the public half of the key, which is not secret, so leaving an unused copy is at most a minor risk: a malicious user would have to break into your account to see it, and anyone already in your account could just as easily read or steal the authorized_keys file. It is still a good idea to delete the copy. It is no longer needed, and it is good security practice to remove potential risks even when you cannot predict how they might be used.
You are now finished. Repeat steps 8-14 for each remote host you want to log into using public key authentication.
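The conversion step above is what ssh-keygen -i does. The following is an added example, not part of the original document or of the SSH tools it describes: a Python script that parses the SSH2/RFC 4716 public key file SSH Secure Shell writes, converts it to the single-line OpenSSH form, refuses key types and sizes a current OpenSSH server will not accept (ssh-dss, and RSA under 2048 bits; the 2048 threshold is this example's own policy assumption), appends it to authorized_keys only once, and sets the permissions sshd's StrictModes check requires. The sample keys in it are constructed fixtures built from placeholder numbers, not real key material, and the script name is assumed.

```python
"""Convert a Tectia/RFC 4716 public key to an OpenSSH authorized_keys line.

Added example: reproduces what `ssh-keygen -i -f filename.pub >> authorized_keys`
does, plus the checks worth doing at the same time: reject key types and sizes
modern OpenSSH no longer accepts, append only once, and fix the file and
directory permissions that sshd's StrictModes requires.  The sample keys below
are constructed fixtures with placeholder numbers, not real key material.
"""
import base64
import os
import struct
import tempfile
from pathlib import Path

MIN_RSA_BITS = 2048  # policy assumption for this example: 1024-bit RSA is no longer adequate


def parse_rfc4716(text: str) -> tuple[bytes, str]:
    """Return (raw key blob, comment) from RFC 4716 'SSH2 PUBLIC KEY' text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[:1] != ["---- BEGIN SSH2 PUBLIC KEY ----"] or lines[-1:] != ["---- END SSH2 PUBLIC KEY ----"]:
        raise ValueError("not an RFC 4716 public key")
    body, headers, i = lines[1:-1], {}, 0
    while i < len(body) and ":" in body[i]:                 # base64 never contains ':'
        line = body[i]
        while line.endswith("\\") and i + 1 < len(body):     # header continuation line
            i += 1
            line = line[:-1] + body[i]
        tag, _, value = line.partition(":")
        headers[tag.strip().lower()] = value.strip().strip('"')
        i += 1
    blob = base64.b64decode("".join(body[i:]), validate=True)
    return blob, headers.get("comment", "")


def _read_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_info(blob: bytes) -> tuple[str, int]:
    """Return (key type, key size in bits) for ssh-rsa, ssh-dss or ssh-ed25519 blobs."""
    raw_type, off = _read_string(blob, 0)
    ktype = raw_type.decode("ascii")
    if ktype == "ssh-rsa":                  # fields: mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":                  # fields: mpint p, q, g, y
        p, _ = _read_string(blob, off)
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256
    raise ValueError(f"unsupported key type {ktype!r}")


def check_policy(ktype: str, bits: int) -> None:
    """Refuse keys that current OpenSSH servers reject or that are too small."""
    if ktype == "ssh-dss":
        raise ValueError("ssh-dss is disabled by default since OpenSSH 7.0; generate an RSA key")
    if ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key is {bits} bits, need at least {MIN_RSA_BITS}")


def to_openssh_line(blob: bytes, comment: str = "") -> str:
    """Single-line authorized_keys form: '<type> <base64 blob> [comment]'."""
    ktype, _ = key_info(blob)
    line = f"{ktype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def install_key(pub_text: str, authorized_keys: Path) -> bool:
    """Validate, convert and append the key; return False if it was already present."""
    blob, comment = parse_rfc4716(pub_text)
    check_policy(*key_info(blob))
    line = to_openssh_line(blob, comment)
    b64 = line.split()[1]
    authorized_keys.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(authorized_keys.parent, 0o700)   # StrictModes: ~/.ssh must not be group/world-writable
    existing = authorized_keys.read_text().splitlines() if authorized_keys.exists() else []
    added = not any(b64 in ln.split() for ln in existing)   # match on the blob, ignore options/comment
    if added:
        with authorized_keys.open("a") as f:
            f.write(line + "\n")
    os.chmod(authorized_keys, 0o600)          # StrictModes: authorized_keys must not be writable by others
    return added


# --- constructed fixtures: placeholder numbers, not real keys ----------------
def _mpint(x: int) -> bytes:
    b = x.to_bytes(x.bit_length() // 8 + 1, "big")   # extra byte keeps a leading 0x00 when the top bit is set
    return struct.pack(">I", len(b)) + b


def make_rfc4716(ktype: str, fields: list[int], comment: str) -> str:
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + b"".join(_mpint(f) for f in fields)
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *(b64[i:i + 70] for i in range(0, len(b64), 70)),
                      "---- END SSH2 PUBLIC KEY ----"])


SAMPLE_RSA_2048 = make_rfc4716("ssh-rsa", [65537, (1 << 2047) | 1], "2048-bit rsa, user@workstation")
SAMPLE_RSA_1024 = make_rfc4716("ssh-rsa", [65537, (1 << 1023) | 1], "1024-bit rsa, user@workstation")
SAMPLE_DSS = make_rfc4716("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3], "dsa, user@workstation")


def demo() -> dict:
    """Exercise the flow in a temporary directory and return what happened."""
    with tempfile.TemporaryDirectory() as d:
        ak = Path(d) / ".ssh" / "authorized_keys"
        result = {"first": install_key(SAMPLE_RSA_2048, ak),
                  "again": install_key(SAMPLE_RSA_2048, ak)}   # second call is a no-op
        for name, text in (("rsa1024", SAMPLE_RSA_1024), ("dss", SAMPLE_DSS)):
            try:
                install_key(text, ak)
                result[name] = "accepted"
            except ValueError as e:
                result[name] = str(e)
        result["lines"] = ak.read_text().splitlines()
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Run it on the remote host as python3 install_key.py (script name assumed), or import install_key() from your own tooling and pass it the .pub file's contents. If public key login fails after the ssh-keygen step, the permission fix this script applies (0700 on ~/.ssh, 0600 on authorized_keys) is the first thing to check by hand.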
The next time you make a connection to the remote host, when you see the connection dialog box, change the "Authentication Method:" field to . You will be prompted for the passphrase for your private key (if you supplied one). This passphrase is not sent to the remote host; it only unlocks the key on your computer. If you did not supply a passphrase for your private key, you will not be asked for one when connecting, and the terminal will simply open.
To change the authentication method permanently, before ending your session, from the menu, select . Alternatively, modify the SSH profile for that server, as follows:
- In your SSH terminal window, click , and then select .
- In the list on the left, select the profile you want to modify. Then on the right, select the tab.
- Under "Authentication methods:", select . Then click the up arrow in the upper right corner across from the heading "Authentication methods:" as many times as necessary to move it to the top.
- Click .
This is document amzx in the Knowledge Base.
Last modified on 2018-01-18 13:48:13.