Connection using public and private keys
When connecting to a remote server, the SSH (Secure SHell) protocol can use a variety of authentication methods. The best-known method is authentication by password. When you have to connect repeatedly to several machines by SSH, it becomes tiresome to type your password each time. A solution is to use a key pair: one public key and one private key. The public key is placed on the remote server to which you want to connect; thereafter only the person holding the corresponding private key can connect with it.
To use the key pair access method, you need to proceed as follows:
- on the local machine (i.e. the one whose keyboard you're using), you produce a key pair associated with a password;
- you copy the public key (never the private one!) to the remote server;
- on the remote server, you place the public key in a list of authorized public keys;
- you ensure that the program which manages access to the private key (called ssh-agent) is running on the local machine;
- you enter the password associated with the key pair using the agent program;
- you can now connect securely to the remote server without having to type your password during every connection.
Important Security Note: On some Calcul Québec servers, there needs to be a key pair without a password for the execution of certain programs whose processes are started using SSH. On Briarée for example, we create this key pair when your account is created; you should never need to do it yourself and you shouldn't delete this key pair. On Colosse, you have to create the key pair yourself. Under no circumstances should you use the public key created on a Calcul Québec server to connect to another server (for example, a CVS or SVN server using SSH as its access method). Instead use the public key from your local machine by following the instructions below and by adding the line
For Local Machines Using OpenSSH
We explain here how to use a key pair generated using OpenSSH, an SSH client available for Unix, Linux, OS X and Cygwin. OpenSSH can be easily installed on these platforms if it isn't already available by default.
The steps are as follows:
- You create a key pair on the command line using the command ssh-keygen. This command will ask you to choose a password to protect access to the private key. You must choose a password for the private key in order to maintain a minimum of security on Calcul Québec machines. You obtain a private key with the name $HOME/.ssh/identity, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa. The public key corresponding to this private key will have the same name but with the file extension .pub.
- You then copy the public key to the remote server. If the private key has the name $HOME/.ssh/id_dsa, we do the following:
[localname@localserver $] scp $HOME/.ssh/id_dsa.pub name@server:.ssh/localname_localserver.pub
name@server's password:
id_dsa.pub                                    100%  405     0.4KB/s   00:00
[localname@localserver $]
- You add this file's contents to the end of the file $HOME/.ssh/authorized_keys on the remote server:
[name@server $] mkdir -p $HOME/.ssh    # Create the directory if it doesn't exist
[name@server $] cd $HOME/.ssh
[name@server $] cat localname_localserver.pub >> authorized_keys
- On the local machine, verify that the program ssh-agent is running for the user in question (in general the window manager will take care of starting ssh-agent for you):
[localname@localserver $] ps -f -u $USER | grep ssh-agent
localname  7800  7761  0 09:20 ?        00:00:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/tcsh -c "/usr/bin/dbus-launch --exit-with-session gnome-session"
localname 12538  8608  0 15:33 pts/5    00:00:00 grep ssh-agent
[localname@localserver $]
- You run the command ssh-add to access the private key. You enter the key's password when the program asks for it:
[localname@localserver $] ssh-add
Enter passphrase for /home/localname/.ssh/id_dsa:
Identity added: /home/localname/.ssh/id_dsa (/home/localname/.ssh/id_dsa)
[localname@localserver $]
- You can then make SSH connections as often as you want without having to enter a password:
[localname@localserver $] scp file.c name@server:src
[localname@localserver $] ssh name@server
For Local Machines Using PuTTY
We explain here how to use a public/private key pair using the PuTTY software, an SSH client for Windows. We assume to begin with that the Windows computer possesses a complete PuTTY installation from this installer.
Key Generation
- Start the application PuTTYgen, in Start/Programs/PuTTY/PuTTYgen.
- Choose "SSH2 RSA", which is more secure than "SSH2 DSA" (Step 1 in the figure below).
- Click on the button "Generate" (Step 2).
- Move the mouse in the program to generate some random noise for the keys.
- Enter a comment, for example something which identifies the machine such as username@localmachine (Step 3).
- Enter a non-empty password. This password is associated with the private key and is totally independent of your password on the remote server (Step 4).
- Click on "Save Private Key" and save it in the file id_rsa.ppk in the directory C:\Documents and settings\Username\My Documents\Putty (or on other versions of Windows in C:\Users\Username\Documents\Putty) (Step 5).
- Copy the text in the box "Public Key to Paste into OpenSSH..." (Step 6).
- Paste it into Notepad.
- Save the file in ANSI format in the same directory with the name id_rsa_win.pub (no .txt extension).
- Close PuTTYgen and Notepad.
Transferring the Public Key to the Server
- Start the application PSFTP in the menu Start/Programs/PuTTY/PSFTP.
- In the new window, enter in the following order:
- the command open servername where servername is the name of the server where you want to install the public key,
- your username on this server,
- the password corresponding to your account on this server,
- the command cd .ssh,
- the command lcd "C:\Documents and settings\Username\My Documents\Putty", where Username is your user name on Windows,
- if you have put the private key file elsewhere, then use that directory, e.g. lcd "C:\Users\Username\Documents\Putty".
- and finally the command put id_rsa_win.pub.
- Close the application PSFTP.
Add the Public Key to the List of Authorized Public Keys
- Start the application "PuTTY" in the menu Start/Programs/PuTTY/PuTTY. The "PuTTY Configuration" window will appear on the screen.
- In the "Host Name (or IP address)" textbox, enter user@server_name.
- Click on the button "Open".
- In the new window which appears, enter your password for this server.
- Enter the following commands:
[name@server $] cd .ssh
[name@server $] echo >> id_rsa_win.pub
[name@server $] cat id_rsa_win.pub >> authorized_keys
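Both the OpenSSH step (cat localname_localserver.pub >> authorized_keys) and the PuTTY step above (echo >> id_rsa_win.pub followed by the same cat) append a public key to authorized_keys by hand. The shell function below is an added example, not part of this page or of Calcul Québec's tooling; it performs that append the way a practitioner would want it done: it refuses a file that looks like a private key (the key that must never be copied), creates .ssh with mode 700 and authorized_keys with mode 600 (sshd rejects keys in files with looser permissions when its default StrictModes setting is in effect), adds the missing newline that the page's echo >> step exists for, and skips a key that is already installed so repeated runs do not pile up duplicates. The key line, file names and temporary directory are constructed for the demonstration; it assumes POSIX sh with the usual coreutils (awk, tail, stat) and never contacts a server.

```shell
#!/bin/sh
# Added example (not from the page): safe append of a public key to
# authorized_keys. Assumes POSIX sh + coreutils; all paths and the
# sample key below are constructed for the demo.
set -u

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# install_authorized_key PUBKEY_FILE SSH_DIR
# Returns 0 if the key was added, 1 if it was already present, 2 on bad input.
install_authorized_key() {
    pub=$1; dir=$2; ak="$dir/authorized_keys"

    # A public key file is one "type base64-blob [comment]" line. Refuse
    # anything that looks like a private key: it must never leave the local machine.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2; return 2
    fi
    keyid=$(awk 'NR==1 {print $1, $2}' "$pub")
    [ -n "$keyid" ] || { echo "refusing: $pub contains no key" >&2; return 2; }

    # Create the directory and file privately (subshell keeps the umask local),
    # then pin the modes sshd expects: 700 for .ssh, 600 for authorized_keys.
    ( umask 077; mkdir -p "$dir"; [ -f "$ak" ] || : > "$ak" )
    chmod 700 "$dir"
    chmod 600 "$ak"

    # Already installed? Compare key type and blob, ignoring the comment field.
    if awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$ak"; then
        return 1
    fi
    # If the file does not end with a newline, append one first; otherwise the
    # new key would be glued onto the previous line and neither would be valid.
    # ($(...) strips a trailing newline, so a non-empty result means none was there.)
    if [ -s "$ak" ] && [ -n "$(tail -c 1 "$ak")" ]; then
        echo >> "$ak"
    fi
    awk 'NR==1' "$pub" >> "$ak"
    return 0
}

# Stand-alone demonstration in a temporary directory (constructed layout).
demo() {
    t=$(mktemp -d)
    # Constructed sample key line, not a real key.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyBlob0000 user@localmachine' \
        > "$t/localname_localserver.pub"
    install_authorized_key "$t/localname_localserver.pub" "$t/.ssh" \
        && echo "first run: key added" || echo "first run: rc=$?"
    install_authorized_key "$t/localname_localserver.pub" "$t/.ssh" \
        && echo "second run: key added" || echo "second run: rc=$? (already present)"
    echo "modes: .ssh=$(file_mode "$t/.ssh") authorized_keys=$(file_mode "$t/.ssh/authorized_keys")"
    rm -rf "$t"
}
demo
```

On a real server the second argument would be $HOME/.ssh and the first the file uploaded with scp or PSFTP; the function is deliberately idempotent so it can be re-run from a login script without harm.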
Starting PuTTY Agent
PuTTY Agent is the program which manages access to the private keys used by PuTTY. There are different ways of starting it:
- Manually: double-click on the file id_rsa.ppk and this will automatically start PuTTY Agent with your key.
- To start the agent automatically at login: create a shortcut to the file id_rsa.ppk in the menu Start->Programs->Startup.
In both cases, a window will open and ask you to provide the password to access your private key.
If the agent isn't running with the key, no password-less SSH connection will be possible.
Start the PuTTY application as above and attempt to connect to the same machine. You should be able to connect without having to enter your password.