SSH Tunneling without clear text user name / password

I’m using OpenSSH on Windows XP as my server and my client is also Windows XP. After installing OpenSSH on the server, I ran a batch script to create password entries in my *passwd* and *group* files:

cd C:\Program Files\OpenSSH\bin
mkgroup -l >> ..\etc\group
mkpasswd -l -u [user name without these brackets] >> ..\etc\passwd

Then, I edited the sshd_config located in c:\program files\openssh\etc. First, I changed the default port to 443, as 22 is blocked by my company, from which I’m going to connect.

I also like to edit the banner.txt file as a reminder of where I have connected, but I guess this may be a security risk…

Anyway, I’d like to use public/private key exchange to authenticate with OpenSSH instead of the default method of username/password, all while using PuTTY to connect to my server.

Basic steps are:

  1. On the server, use the command-line to get OpenSSH to create public/private keys
  2. Copy the text of the generated public key into the authorized_keys file in the /etc folder (unless you’ve indicated another location in sshd_config). Note that you may have to create this file if it does not already exist.
  3. Next, you pull off the private key to your remote client. This is what you’ll reference in PuTTY.
  4. After pulling it off, you need to use puttygen to convert this RSA private key into a .ppk file that PuTTY needs.
  5. Then, you reference that file in your PuTTY ‘SSH/Auth’ config area.
  6. Next, test the connection.
  7. If it works using the key file, edit the sshd_config and disable name/password authentication (PasswordAuthentication no). Be careful with this last one, because if you’re not positive key file authentication is working, you’ll lock yourself out and will have to actually go to the server to re-edit the config file to open it back up.

Specific steps:

Create Public/Private Keys

On your server to which you’d like to connect, do the following.

  • Start, Run… ‘cmd’ [Enter] to open Command window.
  • Enter the command: ssh-keygen -q -f c:\id-rsa -t rsa
  • Enter a passphrase that is long and contains numbers and upper-case letters, but one that you won’t mind typing when you connect in the future.
  • Enter that passphrase again.

ssh-keygen

This will have created an id-rsa and an id-rsa.pub file. The id-rsa file looks like:

-----BEGIN RSA PRIVATE KEY-----

AAD8F76ASDFA09SD8F7A09SD8F7A098DS7F4KJH13RE9Q8W7E4YI134…

(for 14 lines)

-----END RSA PRIVATE KEY-----

While the id-rsa.pub file looks like:

ssh-rsa AKJH234LH243K5234…(200 Characters worth)= username@computer-name

Copy public key into authorized_keys file

  • Create or edit the authorized_keys file as referred to in your sshd_config. Mine says, “AuthorizedKeysFile /etc/authorized_keys”.
  • Open/create this file and paste in the contents of id-rsa.pub. Of course, if you don’t have an authorized_keys file, you can just rename the id-rsa.pub file and place it in the appropriate directory. Some people like to create an .ssh folder and reference this in the config, but I just left the (Windows) OpenSSH default values as they were and put my info in there.
  • On Linux boxes, you’d need to ‘mkdir ~/.ssh’ and then ‘cat id-rsa.pub > ~/.ssh/authorized_keys’ (note that “>” overwrites the file; use “>>” to append if it already holds other keys)

Restart OpenSSH(?)

  • Not sure if this is required, but it’s fairly easy to do: net stop opensshd, net start opensshd. But, if you’re doing all of this remotely, don’t do this, or you’ll be screwed. Instead, you should have a restart shortcut and restart the entire server, which will restart openssh in the process. You can create a shortcut whose program target is %windir%\system32\SHUTDOWN.exe -r -t 01

Pull off the private key file onto your remote client

Use PuttyGen to recreate private key file into one PuTTY can use

  • Start Puttygen.exe

  • Load the transferred private key

  • Notice the Key Comment of “imported-openssh-key”. This is what appears when you connect in PuTTY. You might want to change this to reflect the name of the private key you’re using, as a reminder.
  • Next, enter the passphrase that you used to create this key file on the server.
  • Confirm the passphrase by entering it again
  • Then, click Save Private Key

  • Save your .ppk file in a location to which you’ll be referring in your PuTTY config. Perhaps you have a centralized keys folder, or perhaps you have individual folders for the various locations to which you’ll be connecting, say, a sub-folder in each of your different web projects.

Config PuTTY to connect to your server

I use port tunneling to connect to my server. I want to use XP Remote Connection, which uses port 3389, so that’s what I forward.

My PuTTY config:

  • Set up the SSH/Auth to use your newly created .ppk file

  • Configure the Tunneling

  • I’m going to use Remote Desktop Connection, which uses port 3389, so I’m going to forward my localhost port 3389 to the remote computer’s. If I were going to use VNC or something to remote-control my server, I might also forward 5900. To get Remote Desktop Connection to work in this manner, I have to right-click its executable and tell it to run in Win98 compatibility mode, as XP prevents localhost port forwarding.

  • I’ve also read of some people forwarding 127.0.0.2’s 3389 and then using Remote Desktop Connection to connect to 127.0.0.2, but I’ve not gotten this to work.
  • Finally, save the Configurations for later use

Test

  • Load the saved configuration and Open it

  • Enter user name for target computer

  • Click on the thumbnail below to see this image, and notice the banner.txt text as well as the key file comment. Enter the passphrase as requested.

putty-2.jpg

  • If your passphrase matches that used in the generation of the key file, you’re in. You’ll see a message as to the date/time/location when/where you last logged in.

Remote Control

  • What I typically do next is to start up my remote-control software. I use Microsoft’s Remote Desktop Connection (mstsc.exe). To use this on XP with the above method, you must locate this executable and tell it to run in Windows 98 compatibility mode. Doing so will allow you to connect through your PuTTY tunnel as follows:

  • Yep, I connect to my own computer. Remote Desktop Connection wants to connect to computers using port 3389, but, using PuTTY, I’ve forwarded my local port 3389 to the remote one. So, when I try to connect to my local port 3389, the connection request will get forwarded by PuTTY to the remote computer and that remote computer will answer the call. I then log into that computer using its Windows name/password.

Edit Sshd_Config to disable name/password authentication

  • Once we’re satisfied that this key file authentication is working, edit the sshd_config file and change the line saying *PasswordAuthentication yes* to *PasswordAuthentication no*.
  • When OpenSSH restarts (perhaps by your Restart shortcut), name/password login will not be permitted. To test, you can remove the path to the key file in the Putty config and try to connect. You’ll be immediately closed down by the remote server.
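As an added example (not from the original post), a small Python checker for two of the steps above: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, default PasswordAuthentication is yes) to confirm password logins are off, and it parses an id-rsa.pub / authorized_keys line to confirm the base64 blob really encodes the declared key type and to report the RSA modulus size. The function names and both sample inputs are constructed for this example.

```python
import base64
import struct

# Constructed sshd_config fragment mirroring the edits made in this article.
SAMPLE_SSHD_CONFIG = "Port 443\nAuthorizedKeysFile /etc/authorized_keys\nPasswordAuthentication no\n"

def parse_sshd_config(text):
    # Lowercase keyword -> value. Only lines starting with '#' are comments, and sshd
    # honours the FIRST occurrence of a keyword, so later duplicates must be ignored.
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            settings.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return settings

def password_auth_disabled(settings):
    # sshd's compiled-in default is "yes": a missing keyword still allows passwords.
    return settings.get("passwordauthentication", "yes").lower() == "no"

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    # SSH mpint is two's complement: add a leading zero byte when the top bit is set.
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def parse_pubkey_line(line):
    # Parse '<type> <base64 blob> [comment]' (id_rsa.pub / authorized_keys) into
    # (type, rsa_bits_or_None, comment); ValueError if the blob's embedded type != declared.
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    comment = fields[2] if len(fields) == 3 else ""
    pos, items = 0, []
    while pos < len(blob):  # the blob is a sequence of length-prefixed strings
        (n,) = struct.unpack_from(">I", blob, pos)
        items.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if items[0] != declared.encode():
        raise ValueError(f"line says {declared} but blob encodes {items[0].decode()}")
    bits = int.from_bytes(items[2], "big").bit_length() if declared == "ssh-rsa" else None
    return declared, bits, comment

# Constructed public-key line in the format shown above. The modulus is a placeholder
# 2048-bit integer, not a real RSA key, so it only exercises the parser.
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)).decode() + " username@computer-name"
```

Point `parse_sshd_config` at your real sshd_config and `parse_pubkey_line` at each authorized_keys entry to confirm the lockout step actually took and that the pasted key text was not truncated.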

I also found some info here about tunneling across SSH and using VNC or Remote Desktop Connection.

9 Responses to “SSH Tunneling without clear text user name / password”

  1. Simon Fearby says:

    Great work,

    I have linked to you from here “How to use VNC with SSH encrypted tunnelling”: http://marcfearby.com/computing/vnc-over-ssh-tunneling

  2. Endannaferb says:

    Good site! Successes in future.

  3. I wonder if the web industry is affected by the crisis as well? And to what extent? Will the admins continue this web?

  4. Does anyone know what we should expect in 2010? They promise more problems on Wall Street? Are we heading toward depression?

  5. After reading through the article, I just feel that I need more info. Could you suggest some more resources please?

  6. Tobit says:

    Always bear in mind that your own resolution to succeed is more important than any one thing.

  7. hoodia says:

    @Rebecca, you seem to know what you are talking about. Do you care to shoot me your e-mail? I would like to speak more with you.

  8. Lola Ogen says:

    I grasp this can be extremely boring and you’re skipping to a higher comment, however I simply wished to throw you a massive thanks – you cleared up some things for me!
