Question
- How do I generate an SSH public/private key pair?
Environment
- Oregon State University
- Windows
Explanation
This article will walk you through the steps to create and use key authentication for SSH server login.
Key authentication is a more secure login process that replaces passwords with cryptographic keys. Generally, a user generates a key pair on their own computer. The keys are produced by public-key algorithms and are long enough that they cannot be guessed or brute-forced in practice, which is what makes them virtually impossible to “crack”. When creating a key pair, you will receive both a private and a public key.
Your Private Key is secret and should never be shared; treat it as you would your password. It is protected by a passphrase and stored (only) on your computer. The private key is what proves your identity when you log in to an SSH server.
Your Public Key is meant to be shared. This is the key that will be placed on any SSH server you access. Anything encrypted with the public key can only be decrypted with the matching private key.
Think of your keys as mathematically dependent functions. The public key can only verify (or encrypt for) its corresponding private key; the relationship is one-way, and your private key cannot be derived from your public key.
Resolution
Generating an SSH Key Pair
For Windows operating systems, we’ll leverage the PuTTY SSH suite for key generation.
- Download and install the latest version of PuTTY for Windows from https://www.putty.org/
- Once installed, search for and open “PuTTYgen” by clicking the magnifying glass on your taskbar.
- Once opened, make sure “RSA” is selected under “Type of key to generate,” then click “Generate”.
- Once clicked, you’ll see a green progress bar in the window. Move your cursor around in the blank area to generate randomness and fill the green bar.
- After your key is generated, change the “Key comment” field to [username]@[ComputerName], as shown below.
- Next, use the provided fields to enter a passphrase. This is not your ONID or account password; rather, it is the password you enter each time you use the key. If someone does obtain your private key, they will not be able to use it without this passphrase.
- Once you’ve completed both fields, click “Save public key”.
- Choose a location to save your public key. This can be a folder on your desktop or wherever is most accessible to you. The prefix of the file name can be whatever you like, but make SURE to include “.pub” at the end of the file name. This will help you differentiate between your public and private keys.
- Now, click “Save private key”.
- As before, choose a location to save your private key. You should NEVER share this key with anyone; make sure it is stored locally on your computer (i.e. not in the cloud). Again, you can name this whatever you like. Ensure “Save as type” is set to “PuTTY Private Key Files (*.ppk)”.
- Now, head back to PuTTYgen. It conveniently lets you copy your public key directly from the program. Highlight the full text in the box.
- Right-click with your mouse and select “Copy”.
- Now that you have your public key, send it to the server owner whose system you’re trying to access. They will need to place it in the server’s authorized keys file to allow you access with key authentication. Since your public key can be shared freely, the best way to share it is through a (still secure) service like Box Drive. Check with the server owner or IT support group to confirm their process.
Logging-in to an SSH server using key authentication
Once your public key has been added to the server you’re trying to access, there is one change you’ll have to make in the PuTTY SSH client before connecting.
- Open “PuTTY”.
- In the left column, expand the “SSH” menu by clicking the plus sign next to it.
- Then, click “Auth”.
- Click “Browse” under the “Private key file for authentication” field.
- Choose the private key file that you saved earlier. This should end in the .ppk file extension. Then, click “Open”.
- Return to the “Session” tab at the top of the left column and enter the connection details for the server you’re trying to access.
- Under the “Saved Sessions” section, enter a name for this server/connection, then click “Save”.
- Finally, click the new entry in the box below and click “Open”.
- In the new window, enter your SSH username if prompted and press “Enter”.
- It should then prompt you to enter “Passphrase for key…”. Enter the passphrase you created in step 6 of the generation process, then press “Enter”. (Note: text will not appear on the screen, but type normally!)
- You should now be logged in with your key!
MobaXterm SSH key usage
- Download MobaXterm from https://mobaxterm.mobatek.net/
- There are two options when choosing the Free edition; you do not need to pay for a license.
- Grab either the portable copy (no install; handy when running from a flash drive) or the installer (installs MobaXterm as an application on Windows).
- Launch MobaXterm in the manner appropriate to the version you grabbed in Step 1.
- Click “Session” in the top left of the window. In the window that opens, make sure SSH is highlighted.
- Enter the server address for the remote host, and tick “Specify username” if the device you’re using to connect is not shared. This will save login credentials for you.
- Leave port 22 as the SSH port and click OK.
- This will immediately launch a new tab with the server shell running. It should prompt for credentials if this is the first time you’re connecting with MobaXterm.
- After you enter your credentials, MobaXterm will offer to save them for you. This is effectively the same as putting a password on your private key when generating a key for the first time. If you do not wish to save your credentials, click No or the X. (If you click Yes but do not set a password, clicking Cancel or the X is the same as clicking No.)
- Once this is done and you’ve authenticated with Duo, you should be connected! MobaXterm will also save a session in your home tab for easy access.
- Once connected, you will notice tabs on the left sidebar; these provide SFTP/SCP, macros, tools, and saved/favorited sessions. They give you easy access to these features while still using the tab with the active SSH connection. The SCP/SFTP option is especially helpful, and MobaXterm comes with a built-in editor that recognizes the syntax of code files and offers different options when accessing files.
Copying SSH public key to remote host
- The easiest method is to use ssh-copy-id to copy the public key to the remote host.
- Command: ssh-copy-id -i ~/.ssh/mykey user@host (fill in mykey, user, and host with your own information)
- Another method is to connect securely and then copy the public key file into the .ssh directory of the remote host.
- Another method copies the contents of your public key and appends it to the authorized_keys file in .ssh:
- cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> .ssh/authorized_keys' (fill in user and hostname with your own information)
- DO NOT FORGET TO USE >> !! Using > will overwrite the file instead of appending to it.
If you’re using MobaXterm, this will likely be done for you. PuTTY will also likely do the same thing. However, if you run into issues authorizing every time you try to connect, you can check for the public key entry on the remote host, or append your public key information to its authorized_keys file.
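The append step above, written out as an added example that is not part of the original article: it goes a little beyond the one-liner by refusing anything that is not a one-line OpenSSH public key (for instance a .ppk private key saved by mistake), appending with >> only when the key is not already present, and setting the permissions sshd expects. The directory, file names and key line are constructed for the demo; the <home_dir> argument stands in for the remote user's home.

```shell
# Added example, not part of the original article: append a public key to
# <home_dir>/.ssh/authorized_keys the safe way. <home_dir> stands in for the
# remote user's home directory (a temporary directory in the demo below).
#
# Usage: append_authorized_key <home_dir> <public_key_file>
append_authorized_key() {
    home_dir=$1
    pub_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a single OpenSSH-format public key line. A .ppk private key
    # saved by mistake fails this check instead of being appended as a line
    # that sshd would ignore.
    if [ "$(wc -l < "$pub_file" | tr -d ' ')" -gt 1 ] || \
       ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pub_file"; then
        echo "error: $pub_file is not a one-line OpenSSH public key" >&2
        return 1
    fi

    # sshd (with StrictModes, its default) ignores keys in writable-by-others paths.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Compare key type + base64 blob only, so a different comment does not
    # cause the same key to be added twice.
    key_blob=$(awk '{print $1, $2}' "$pub_file")
    if awk '{print $1, $2}' "$auth_file" | grep -Fxq "$key_blob"; then
        echo "key already present in $auth_file; nothing to do"
        return 0
    fi
    # '>>' appends. A single '>' here would wipe every key already authorized.
    printf '%s\n' "$(cat "$pub_file")" >> "$auth_file"
    echo "key appended to $auth_file"
}

# How many times does the key in <public_key_file> appear in <home_dir>/.ssh/authorized_keys?
count_authorized() {
    key_blob=$(awk '{print $1, $2}' "$2")
    awk '{print $1, $2}' "$1/.ssh/authorized_keys" 2>/dev/null | grep -Fxc "$key_blob"
}

# Constructed demo: a temporary "home" and a placeholder key (not real key material).
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@ComputerName\n' \
    > "$demo_home/mykey.pub"
append_authorized_key "$demo_home" "$demo_home/mykey.pub"   # appends the key
append_authorized_key "$demo_home" "$demo_home/mykey.pub"   # no-op: already present
```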
For assistance, contact the Service Desk.