Using SSH Keys

Using SSH keys, you can connect to machines in the linux lab without having to type your UW NetID password. Some classes require you to launch processes on multiple machines without entering any password at all; for those, an SSH key is required. SSH uses public-key cryptography: there is a public key, which you hand out to the machines you want to log in to, and a private key, which you keep. It is crucial that you keep your private key well-protected; anyone who obtains your private key will be able to log in to any account you have configured to accept that key.

How you accomplish this will largely depend on what program(s) you use, but I'll try to cover a number of them.

Create a key pair

An important note about passphrases and security

When you create an ssh key, you can set a passphrase on it. This is like a password, but calling it a passphrase encourages you to use something longer, like a line from a song lyric or a nonsense phrase that you can remember. The passphrase encrypts the private key file on disk, so each time a program needs to use the key you'll be asked for it (unless an ssh agent is holding the unlocked key for you; see below). If someone obtains your private key file, they will still need to know your passphrase in order to use it.

If you set an empty passphrase on your private key (that is, no passphrase at all), anyone who obtains your private key file can masquerade as you on any system that accepts that key. If you keep your private key on a shared system such as the CSS linux lab, and that system is breached, your key may be stolen along with it. For this reason, I do not recommend using an ssh key you create and store on the linux lab machines for connecting to any other systems. However, I think it's an acceptable risk to use an ssh key with no passphrase, created on the linux lab systems, for connecting within the linux lab: an attacker who can read your private key file there is most likely already able to masquerade as you anyway, so you're not losing much. It is still very important to protect your private key, though. Accidentally loosening the permissions on your home directory, your .ssh directory, or the key file itself could expose your key to everyone on the system, not just an attacker who has already broken in. As a safety net, ssh refuses to use a private key file that other users can read, and sshd ignores an authorized_keys file whose directory or file is writable by others, so a permissions mistake usually shows up as a sudden password prompt rather than silently.

When possible, I recommend creating and storing your private key on your own personal laptop or desktop system.

Linux / OS X

In a terminal, run the command ssh-keygen:

[jdlarios@uw1-320-00 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/net/metis/home/staff/jdlarios/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /net/metis/home/staff/jdlarios/.ssh/id_rsa.
Your public key has been saved in /net/metis/home/staff/jdlarios/.ssh/id_rsa.pub.
The key fingerprint is:
90:b9:2e:1f:e0:61:8a:c4:e0:c7:05:40:9f:a4:be:8a jdlarios@uw1-320-00

This creates a pair of files in your ~/.ssh/ directory: id_rsa is your private key and id_rsa.pub is your public key. The passphrase you entered (if any) protects the private key. If you want to change or remove it later, use ssh-keygen again with -p:

[jdlarios@uw1-320-00 ~]$ ssh-keygen -p -f ~/.ssh/id_rsa
Enter old passphrase:
Key has comment '/net/metis/home/staff/jdlarios/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
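The same key creation done from a script, plus the check I'd want before trusting a .pub file: recompute the public half from the private key and compare. This is an added example for this page, not from the original; it assumes OpenSSH's ssh-keygen is installed, and the file names, comments and passphrases are placeholders.

```shell
#!/bin/sh
# Added example for this page (not from the original): create a key pair
# without the interactive prompts above, then prove that a .pub file really
# is the public half of a given private key. Assumes OpenSSH's ssh-keygen
# is installed; file names, comments and passphrases below are placeholders.

# make_keypair <file> <comment> <passphrase> [type]
# An empty passphrase gives a key with no passphrase, as discussed above.
# The page's keys are RSA (pass "rsa" as the type); ed25519 is the default here.
make_keypair() {
  keyfile=$1 comment=$2 passphrase=$3 keytype=${4:-ed25519}
  # </dev/null: never fall back to a prompt (for example "Overwrite (y/n)?")
  ssh-keygen -q -t "$keytype" -C "$comment" -N "$passphrase" -f "$keyfile" < /dev/null
}

# Public key recomputed from the private half. ssh-keygen -y never looks at
# the .pub file, so the result is authoritative; a wrong passphrase gives no output.
pubkey_from_private() {
  ssh-keygen -y -P "$2" -f "$1"
}

# keypair_matches <private key> <.pub file> <passphrase>
# Compares key type and base64 blob only; the trailing comment may differ.
keypair_matches() {
  derived=$(pubkey_from_private "$1" "$3" 2>/dev/null | awk '{print $1, $2}')
  stored=$(awk '{print $1, $2}' "$2")
  [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Fingerprint of a key file: the value ssh-keygen prints at creation, and the
# one to compare when someone asks whether a key is really yours.
key_fingerprint() {
  ssh-keygen -l -f "$1" | awk '{print $2}'
}

# Example session (the private key stays in ~/.ssh, readable only by you):
#   make_keypair ~/.ssh/lab_key "jdlarios@laptop" "a long passphrase"
#   keypair_matches ~/.ssh/lab_key ~/.ssh/lab_key.pub "a long passphrase" && echo "pair ok"
```

keypair_matches fails both when the .pub belongs to a different key and when the passphrase is wrong, which is what you want when tidying up a ~/.ssh directory full of old keys.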

Windows

You can create the key pair on a linux system and then copy it to your Windows machine, or you can download a utility (puttygen.exe, part of PuTTY) to create the key pair directly on your Windows machine.

  1. Launch puttygen.exe.
  2. Click the “Generate” button and then move the mouse around under the progress bar until the key has been generated.
  3. If you want a passphrase for this key, enter it in the appropriate fields, and then save both the public and private keys. The public key can go anywhere, but the private key should be kept somewhere secure.
  4. Copy the “Public key for pasting into OpenSSH authorized_keys file” text and paste it into a new text document, and save that document somewhere you can find it, preferably with the files you saved in the previous step. This is the text you'll want to use in the next step.

Configuring your linux lab account

In order to use the key you just created, you'll need to configure your linux lab account to accept it. To do that, connect to a linux lab machine using your regular username and password (this may be the last time you have to connect this way). If you've connected graphically, launch the Terminal application, which can be found in Applications → System Tools.

If you created your key on your own machine, open the public half in a text editor and copy the contents. The public key will look something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIw[...]GzoV7mvGn7yfVWYkdgIehsx75vwQ== jdlarios@uw1-320-00

The private key will look like this:

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAtnCXL6Mxq5fpnIuMfgG6/iA6VSy7dMxeisAXEsqc28k0gaRx
EsSKPHdDupDl8DtpiyU1M7x9MHj9cbAwL/wugPbYFfzSGM2ekPP7CuFVrjjGw0KE
[...]
KD0HeM7OYfHq6CeX53dEnXB6eoUJsPZJ552oxkaiOq340F5uAebNeoL7DVsSV6rW
hUb6RLnO+wefYC6YSPCt6iEJQfanCASxr/6n3U/L+t7IE/6mng4=
-----END RSA PRIVATE KEY-----

If you see something like that, you've opened the wrong file: the private key never goes into authorized_keys (or anywhere else).

Once you've selected the public half of your key and copied it to the clipboard, you need to paste it into the file ~/.ssh/authorized_keys – either with your favorite command-line text editor or with a graphical one such as gedit. Don't try to edit that file in a word processor unless you know how to make it save as plain text – saving it as anything else will render it nonfunctional. If you don't already have the authorized_keys file, you will need to create it (and if you don't have a ~/.ssh directory either, create that first and make it readable only by you, mode 700; sshd ignores authorized_keys when the directory is writable by others). A simple way to create the file if it doesn't exist and add the key to it at the same time is with the following command:

cat >> ~/.ssh/authorized_keys

Run that command, paste your key into the terminal window, press return, and then press control-d. Then run this command:

chmod 600 ~/.ssh/authorized_keys

If you created your keypair on a linux lab system, you can skip the copying and pasting and just do the whole thing from the command line:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
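The manual steps above (make sure you have the public half, create the file if needed, append, fix permissions) as one script, with the mistakes this section warns about caught automatically. This is an added example for this page, not code from the original; the function names are mine and the key in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for this page, not code from the original: install a public
# key into authorized_keys the way the steps above describe, refusing to
# install anything that is not a public key, creating ~/.ssh if needed, not
# adding the same key twice, and leaving the permissions sshd expects.
# Function names are mine; the key in the usage comment is a placeholder.

# Accept only a single OpenSSH public key line: "<type> <base64> [comment]".
# A private key (the "-----BEGIN ... PRIVATE KEY-----" block) is the classic
# wrong file to paste here, so it is rejected by name.
is_public_key_line() {
  case $1 in
    *"PRIVATE KEY"*) return 1 ;;
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*|"ssh-dss "*|"sk-"*) ;;
    *) return 1 ;;
  esac
  [ "$(printf '%s\n' "$1" | awk '{print NF}')" -ge 2 ]
}

# install_authorized_key <ssh dir> <public key line>
install_authorized_key() {
  sshdir=$1 key=$2
  if ! is_public_key_line "$key"; then
    echo "refusing to install: that is not an OpenSSH public key line" >&2
    return 1
  fi
  # sshd (StrictModes) ignores authorized_keys if the directory or the file
  # is writable by anyone else; 700 and 600 are the safe values.
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
  # Match on type and blob only, so the same key with a different comment
  # is still recognised as already installed.
  blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
  if grep -qF -- "$blob" "$sshdir/authorized_keys"; then
    return 0
  fi
  printf '%s\n' "$key" >> "$sshdir/authorized_keys"
}

# Octal mode of a file (GNU stat first, BSD/macOS stat as the fallback).
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_ssh_perms <ssh dir>: report anything that would make ssh refuse a
# private key or sshd ignore authorized_keys. Returns non-zero on any problem.
check_ssh_perms() {
  dir=$1 rc=0
  [ "$(mode_of "$dir")" = 700 ] || { echo "$dir: mode $(mode_of "$dir"), want 700" >&2; rc=1; }
  for f in "$dir"/authorized_keys "$dir"/id_*; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac   # public halves may be world-readable
    m=$(mode_of "$f")
    [ "$m" = 600 ] || [ "$m" = 400 ] || { echo "$f: mode $m, want 600" >&2; rc=1; }
  done
  return $rc
}

# Usage on a lab machine, equivalent to the two commands above:
#   install_authorized_key ~/.ssh "$(cat ~/.ssh/id_rsa.pub)" && check_ssh_perms ~/.ssh
```

Run check_ssh_perms whenever key login unexpectedly falls back to a password prompt; a stray chmod on the home directory or ~/.ssh is the usual cause.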

Configuring Your SSH Client

Now that you've configured your linux lab account to accept the key, you have to configure your ssh client to send it.

Linux / OS X

If you saved your key in the default location (~/.ssh/id_rsa), command line ssh should automatically try to use it. Try connecting – if you created a key with an empty passphrase, you should be connected with no prompting. If you used a passphrase, enter it when prompted. If that worked, great! Skip down to the section on using an SSH Agent.

If you saved your key somewhere other than the default location, you'll need to tell ssh where it is. You do this with the -i flag or with the IdentityFile option in your ~/.ssh/config file. If you saved your private key in ~/.ssh/test_key, for example, the command to connect using it would be something like:

ssh -i ~/.ssh/test_key yourid@uw1-320-lab.uwb.edu

Windows

TeraTerm Pro

TeraTerm Pro, which is referred to as “SSH Telnet” on the campus Windows systems, only supports the deprecated version 1 SSH protocol. The CSS linux lab only supports version 2 of the SSH protocol, so TeraTerm Pro cannot be used to connect to the linux lab machines.

Tectia SSH

The other SSH client in the standard Windows setup on campus is hidden fairly deep in the menu. You can find it under Start → Programs → Connectivity → UWICK Applications → SSH Secure FTP → Terminals → Secure Terminal. While it may be possible to get this working with ssh keys, I have found it to be somewhat unstable, and difficult to diagnose when it fails. I don't recommend it. If you can get it to work, more power to you. It's a commercial product, so you're unlikely to have this on your own machine.

PuTTY

This is my favorite SSH client for Windows. It's free, it can be installed system-wide or run from a USB flash drive, and it's stable and works. I believe it's going to be part of the Windows environment in the campus labs soon, but if not (or if you're doing this on your own equipment), you can download it (if you didn't already during the key creation step) from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

You can use the key you created with puttygen.exe directly, but it's much more useful to use an SSH agent to manage your keys, so look in that section for instructions.

Using an SSH Agent

While you can connect to systems individually using your new ssh key, wouldn't it be nice if you only had to specify your key once, and then all your connections used it automatically? That's what an SSH agent does.

Linux / OS X

I don't recommend doing this step if you're just setting up password-less logins between linux lab systems. For that, creating an ssh key with no passphrase on a lab machine and then adding it to your ~/.ssh/authorized_keys file also on a lab machine will do the trick. Once you've connected to one lab machine, any further connections from there to any other lab machine won't require a password.

The following steps are for if you have your own linux or OS X machine that you want to connect from.

Add the following to your ~/.bashrc or ~/.profile:

SSH_ENV="$HOME/.ssh/environment"

# Is the agent named by $SSH_AGENT_PID actually running? Checking that exact
# pid with ps -p avoids the classic "ps | grep" mistakes: matching the grep
# process itself, or matching the pid as a substring of some other pid.
agent_running() {
  [ -n "$SSH_AGENT_PID" ] || return 1
  case "$(ps -p "$SSH_AGENT_PID" -o comm= 2>/dev/null)" in
    *ssh-agent) return 0 ;;
    *) return 1 ;;
  esac
}

# Spawn a new agent and record its environment in $SSH_ENV so that later
# shells can attach to the same agent instead of starting another one.
start_agent() {
  echo "Initializing new SSH agent..."
  # ssh-agent prints shell commands that set SSH_AUTH_SOCK and SSH_AGENT_PID;
  # comment out its 'echo' line and keep the rest. The umask makes the file
  # mode 600 from the moment it is created rather than after the fact.
  (umask 077; ssh-agent | sed 's/^echo/#echo/' > "$SSH_ENV")
  . "$SSH_ENV" > /dev/null
  ssh-add
}

# Load the default identities if the agent has none yet.
test_identities() {
  # ssh-add -l exits 0 when identities are loaded, 1 when the agent has none,
  # and 2 when it cannot contact the agent at all.
  ssh-add -l > /dev/null 2>&1
  case $? in
    1) ssh-add ;;
    2) start_agent ;;
  esac
}

# Reuse an agent recorded by an earlier shell if this one did not inherit it.
if ! agent_running && [ -f "$SSH_ENV" ]; then
  . "$SSH_ENV" > /dev/null
fi

if agent_running; then
  test_identities
else
  start_agent
fi

Log out and log back in. If your key is in the default location, ssh-add will load it when the agent starts, asking for the passphrase once if the key has one; after that you should be able to ssh to the linux lab without being prompted at all. If you saved your key somewhere else, you'll need to add it with the ssh-add command, like so:

ssh-add ~/.ssh/test_key

To see what keys the agent knows about, use the command ssh-add -l:

[jdlarios@uw1-320-00 ~]$ ssh-add -l
2048 51:e1:07:6d:c2:06:fa:b9:4a:75:2f:02:3b:20:2f:62 /net/metis/home/staff/jdlarios/.ssh/id_rsa (RSA)

You can have SSH forward your agent information to the target machine, allowing you to ssh from there into any other machine that uses the same key. To do that, add -A to your ssh command line, for example:

ssh -A jdlarios@uw1-320-lab.uwb.edu

To have ssh always forward agent information so you don't have to add -A, you can add the line:

ForwardAgent yes

to your ~/.ssh/config file. It is worth putting that line in a Host block for machines you trust rather than enabling it for every host: while you are connected, anyone with root on the remote machine can use your forwarded agent to authenticate as you (they can't read your key, but they don't need to).
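A ~/.ssh/config that ties together the two options mentioned on this page, IdentityFile (from the client section above) and ForwardAgent. This is an added example, not the page's own configuration; the alias "lab", the login name and the key path are placeholders, while the hostname is the lab address used throughout the page.

```sshconfig
# ~/.ssh/config (added example; "lab", "yourid" and the key path are placeholders)
Host lab
    HostName uw1-320-lab.uwb.edu
    User yourid
    IdentityFile ~/.ssh/test_key
    # Offer only this key, not every key the agent happens to hold
    IdentitiesOnly yes
    # Forward the agent to this host only
    ForwardAgent yes

Host *
    # Safe default for every other host; the first matching block wins
    ForwardAgent no
```

With this in place, ssh lab is equivalent to ssh -A -i ~/.ssh/test_key yourid@uw1-320-lab.uwb.edu, and connections to any other host get no agent forwarding.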

Windows

Download and install at least putty.exe and pageant.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html – I recommend downloading all of them, but those two are the minimum you need.

  1. Launch pageant.exe – a new icon which looks like a computer wearing a hat should appear in your system tray.
  2. Right-click on the pageant icon and select “Add key”.
  3. Navigate to and select the private key you saved earlier. If you saved it with a passphrase, enter the passphrase when prompted.
  4. Right-click on the pageant icon and select “New session” (for now – next time, you'll be able to use the session we're about to create).
  5. In the “Session” options, enter the hostname you want to connect to – uw1-320-lab.uwb.edu is a good one if you don't have a preference.
  6. In the “Connection → SSH → Auth” options, make sure “Allow agent forwarding” and “Allow attempted changes of username in SSH-2” are checked.
  7. In the “Connection → Data” options, enter your UW NetID for the “Auto-login username”.
  8. Back in “Session” options, enter a session name (something like “CSS Linux Lab”) in the “Saved Sessions” box and click “Save”.
  9. Click “Open”. You should be connected without having to enter a password, even if your ssh key has a passphrase – Pageant holds the unlocked key and performs the signature on PuTTY's behalf; neither the key nor the passphrase is ever sent to the remote machine.
  10. Next time, you can connect by right-clicking on the Pageant icon, going to “Saved sessions” and choosing the session you just saved.

tsvnc graphical connection

If you are using tsvnc to connect to the CSS linux lab, it will use an SSH agent if one is running.
