Public Keys for SSH Authentication
Using public key authentication instead of a password provides a much higher level of security when using SSH to sign in to your server. After generating a public and private key pair, the private key is kept on the computer you log in from and the public key is kept on the server you want to log in to (in this case, the server hosting your PSU webspace and Unix home directory). This makes your login process more secure, because authentication requires something that you have (your private key) as well as something that you know (the passphrase that protects your private key).
Creating a Public and Private Key Pair
PuTTY is an SSH client for Windows that comes with a program called PuTTYgen, a key generation utility that will produce a private and public key pair. For more information about obtaining and setting up PuTTY, go to Secure Shell (SSH).
Once you have PuTTY installed on your computer, you can create a public and private key pair with PuTTYgen by following these steps:
- Select the Start button in the bottom left-hand corner of your desktop.
- Select All Programs, then PuTTY.
- Select PuTTYgen.
- In the program window that comes up, change "Number of bits…" from 1024 to 4096.
- For "Type of key to generate," select "SSH-2 RSA".
- Select the Generate button.
- Move your mouse around the blank area to generate randomness and fill the status bar.
- Wait while the key is generated, then enter the following information:
  - Key comment: You may leave the default comment, which contains the key type and the date it was generated, or change it to something else. Another common format is your name and the name of the computer (ex: "john@john-pc"). The comment is displayed whenever PuTTY asks you for your passphrase.
  - Key passphrase: Enter a strong passphrase here. PuTTY documentation recommends avoiding a "song lyric, quotation or other well-known sentence". Try to create a passphrase of 10 to 30 characters with word breaks, mixed case, numbers, and special characters (ex: "VikingS $CORE another ^g0al^"). You also have the option of leaving the passphrase blank, but this will save your private key unencrypted. Do not forget your passphrase, as there is no way to recover it.
  - Confirm passphrase: Enter the same passphrase you just created.
- Select "Save private key".
- In the dialog box that appears, select a directory to save your private key, type in a file name, and select Save.
- Select "Save public key".
- In the dialog box that appears, select a directory to save your public key, type in a file name and add ".pub" to the end, then select Save.
- You have now successfully created and saved your public and private keys. Leave PuTTYgen open, so that you can copy and paste the public key when configuring the SSH server to accept it.
Configuring the SSH Server to Accept the Public Key
To configure the SSH server to accept your public key, you will need to create a file called "authorized_keys" in your .ssh directory. Follow the steps below to create and configure that file:
- Follow the steps at Secure Shell (SSH) to get to the shell prompt of PuTTY.
- Type "cd .ssh" and press Enter to enter the .ssh directory. If the command returns "No such file or directory," follow the two sub-steps below to create it:
  - Type "mkdir .ssh" and press Enter to create the directory.
    (Note: You can then check to make sure it exists by typing "ls -a" and locating it in the list of directories.)
  - Type "cd .ssh" and press Enter to get into the directory.
- Type "vim authorized_keys" and press Enter to create a file for the public key and bring up a text editor.
- Go back to PuTTYgen and copy the public key from the box entitled "Public key for pasting into OpenSSH authorized_keys file".
(Note: If you closed PuTTYgen, you can reopen it and retrieve your key by selecting the Load button and opening your private key file. You will need your passphrase to open it.)
- Return to PuTTY and type "i", then right-click your mouse. This should paste the public key into PuTTY.
- Press Esc, then type ":x" and press Enter to save the file and leave the text editor. It should return something similar to "authorized_keys [New File]" to confirm that the file has been saved.
- Type "ls -l" and press Enter to check permissions on your public key and ensure that it is not group-writable or world-writable. A list of files should appear on your screen.
- Locate the "authorized_keys" file and examine the first string of characters. It should read "-rw-r--r--". If it does not look like this, continue to the next step to modify permissions. Otherwise, you are finished.
(Note: These characters should be read as three separate sets of permissions: yours, your group's, and the world's. For instance, if the file's permissions look like this: "-rw-rw-r--", that means that your permissions are "rw-", meaning you can read and write, but not execute. Your group's permissions are also "rw-". The world's permissions are "r--", meaning they can read, but not write or execute.)
- To change the permissions, type "chmod g-w authorized_keys" and press Enter.
- Type "chmod o-w authorized_keys" and press Enter.
- Type "ls -l" and press Enter to check permissions again. The last six characters in the permissions for the "authorized_keys" file should now be "r--r--". This means that your file is only writable by you.
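The checks from the steps above can be scripted. The following is an added example, not part of the original page: it reads the same "ls -l" permission string for both "authorized_keys" and the .ssh directory (which OpenSSH also checks by default), and flags a key that was split across lines when pasted. The function names are hypothetical, and it assumes SSH-2 RSA entries with no leading options.

```shell
#!/bin/sh
# Added example: audit authorized_keys after pasting a PuTTYgen public key.
# Usage (after sourcing this file): audit_authorized_keys [ssh_dir]
# ssh_dir defaults to $HOME/.ssh.

# Print the group and world write bits, i.e. characters 6 and 9 of a
# permission string such as "-rw-r--r--". "--" means neither can write.
write_bits() {
    ls -ld "$1" | cut -c6,9
}

# Return 0 only if every entry is one intact "ssh-rsa <base64> [comment]" line.
# Assumption: entries have no leading options and are SSH-2 RSA keys, whose
# base64 data always begins with "AAAAB3NzaC1yc2E".
keys_well_formed() {
    awk '
        NF == 0 || /^#/ { next }      # skip blank lines and comments
        $1 != "ssh-rsa" || $2 !~ "^AAAAB3NzaC1yc2E[A-Za-z0-9+/]*=*$" {
            printf "line %d is not a complete ssh-rsa entry (wrapped paste?)\n", NR
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

audit_authorized_keys() {
    dir=${1:-$HOME/.ssh}
    file=$dir/authorized_keys
    status=0
    [ -d "$dir" ]  || { echo "missing directory: $dir"; return 2; }
    [ -f "$file" ] || { echo "missing file: $file"; return 2; }
    for path in "$dir" "$file"; do
        if [ "$(write_bits "$path")" != "--" ]; then
            echo "group- or world-writable: $path (fix: chmod g-w,o-w $path)"
            status=1
        fi
    done
    keys_well_formed "$file" || status=1
    [ "$status" -eq 0 ] && echo "OK: $file"
    return "$status"
}
```

A non-zero return means either a permission problem or a malformed key line; the printed message says which.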
Logging into the SSH Server with the Public Key
Once your public key is in the "authorized_keys" file in your .ssh directory on the server, follow the steps below to configure PuTTY to log in with your private key:
- Open PuTTY.
- For Host Name, enter "odin.pdx.edu".
- For Port, type 22.
- For Connection type, make sure SSH is selected.
- From the Category list on the left, select Connection > SSH > Auth.
- Select the Browse button beside "Private key file for authentication" text box.
- In the dialog box that appears, locate and select your private key file, then select Open.
- From the Category list on the left, select Session.
- In the Saved Sessions text box, type a name for your session and select Save. In the future, you can simply select this session and then Load to skip these steps.
- Select Open.
- In the prompt, type your Odin username and press Enter.
- Enter the passphrase for your private key when prompted and press Enter.
- You should now be logged into the SSH server.
Contact the Helpdesk for additional assistance.