SSH - PuTTYgen
This article will take you through generating RSA keys using PuTTYgen on Windows for secure SSH authentication with OpenSSH.
Introduction
One effective way of securing SSH access to your slice is to use a public/private key. This means that a 'public' key is placed on the server and the 'private' key is on our local workstation. This makes it impossible for someone to log in using just a password, provided you have setup SSH to deny password-based authentication (which you can learn how to do here).
Generate Keys
PuTTYgen
In Windows we will use PuTTYgen to generate our public and private keys. Download PuTTYgen from the official website and open it. Click the Generate button as seen below. You will notice that it generates the keys for you. All you need to do now is save the public and private keys by clicking the buttons stating as such.
Open up your public key, copy it to the clipboard (ctrl+a, ctrl+c) and paste it at the very end of ~/.ssh/authorized_keys on your Slice. If that file doesn't already exist, you will have to create it (nano ~/.ssh/authorized_keys).
Usage
To make use of your newly generated RSA key pair, you will need to tell PuTTY to use it when connecting to your Slice. Do this by opening PuTTY and going to the "SSH" -> "Auth" section. Browse to where you saved the keys and load the private key as seen below:
Make PuTTY use the key every time you connect to your Slice by saving this configuration. After loading your key as shown above, go back to "Session" and save your session:
Once you have saved your session, your key will be loaded automatically upon connecting to your Slice.
Summary
Opting for a key-based authentication to your SSH server is beneficial in many ways. By eliminating the possibility of SSH brute-force attacks targeted towards your Slice, the chances of it being compromised are decreased by an order of magnitude.
Josh
Article Comments:
Reed Botwright commented Wed Feb 04 21:48:08 UTC 2009:
Awesome! I just went through this entire process and then again on my laptop to set up access. A tip for Slicers is that you can use the console on the Slice Manager to add another key if you are in a bind. Make sure you allow javascript access to the browser so you can paste in the key, or have some way to transfer the Unix-specific key (the one you copy out of the window in PuTTYgen) to your server. Any subsequent keys can just be concatenated on the end of the file of public keys. Make sure you have the appropriate privileges. Of course, the easier way to do this is to set up the second key using your first PuTTY or other SSH access.
Marc commented Fri Feb 06 21:07:36 UTC 2009:
If you have a current private key on a linux or mac box you can import into putty with puttygen you will have to get it on your windows box somehow
1 - open puttygen 2 - File -> Load Private Key -> choose to were your private key is 3 - You will get a notice saying "Successfully imported foeign key..." 4 - click on the "Save Private key" button and choose where to save it. 5 - Then use the steps in the above article to launch your session using the Private key.
John commented Sun Feb 15 00:07:47 UTC 2009:
No matter how many times I try to do this whenever I try to log into my slice it tells me "Server refused our key" and then asks me for my password.
I'm on Ubuntu 8.10 ... I know that's not much to go on, but I'm completely at a loss. Any ideas?
Steve commented Sun Feb 15 20:00:06 UTC 2009:
You can also use Putty's own Authentication Agent, Pageant (http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe) as opposed to statically linking your Private key in
SSH -> Auth.Saves a lot of Putty session tweaking, and having to enter the passphrase everytime you want to start up a new SSH session (if you don't unload your key or exit pageant between sessions).
@John, have you tried the alternative format in
~/.ssh/authorized_keys? I.e. the one liner startingssh-rsa ....Christopher Stoudt commented Sun Feb 22 23:41:17 UTC 2009:
We are trying to secure our ssh connection. Everytime we login we get "Server refused our key". THis happens every time i connect no matter how many users i create. Please help asap. The only way i was able to access was to rollback the iptables to the default non secure settings.
Ismail commented Thu Mar 12 23:36:13 UTC 2009:
Christopher and John
The problem you have is if you are using openssh server with ssh2 then authorized_keys file should be one line format. Typically you will want to select the entire contents of the box using the mouse, press Ctrl+C to copy it to the clipboard, and then paste the data into a PuTTY session which is already connected to the server.(You can do this before you save the public key). Again, check the content of the authorized_keys, it should be one line format.
Another reason; you may use ssh.com (not likely) for ssh server and try to use OpenSSH public key for server. That doesnt work. You need to convert your key to ssh.com format from conversion menu in puttygen.
zoltan commented Sun Apr 05 18:53:35 UTC 2009:
@John, and anyone with the same problem:
How to set up SSH keys: Frustration with "Server refused our key"
http://andremolnar.com/howto_setupsshkeyswithputtyandnotgetserverrefusedour_key
This worked for me.
typer474 commented Sun Apr 19 10:53:21 UTC 2009:
@zoltan That's a great site and really helped out. Thanks!
seanl commented Tue May 19 19:13:33 UTC 2009:
i tried this and had some sucess but in the end used this guide which is simple, concise and just works. http://www.ualberta.ca/CNS/RESEARCH/LinuxClusters/pka-putty.html
Yang commented Thu Sep 03 01:45:29 UTC 2009:
There's one potential very dangerous loophole on this. What would happen when you lost your private key and have prohibited password authentication as well as root login in /etc/ssh/sshd_config?
Anyway to rescue the server when this happens? It sure CAN happen to anyone.
PickledOnion commented Thu Sep 03 14:24:52 UTC 2009:
Yang,
Sure, simply use the console in the Slicemanager. This is a direct connection to your Slice. You can then log in and change the settings (remove the keys, etc).
The web console is perfect for such occurrences.
PickledOnion