Our hosting servers require the use of SSH keys to log in, instead of using passwords to validate your identity. SSH keys are comparable to using a key to unlock your house versus a 4-digit code. The SSH key is presented to the server via the client you use to connect. There are two parts to an SSH key, a public key and a private key. The public key gets "installed" on the servers you want to connect to, and the private key stays with you and is never given out. It's similar to having locks installed on multiple doors all operated by the same key that only you have on your key ring.
The first part of using SSH keys is generating them:
Generating new keys on a Windows workstation (Easiest, most compatible):
- Back up the old keys if you want to use the same name. Your keys can be saved anywhere you want on your workstation, so the directions for backing up your keys vary for everyone. You can have multiple key pairs, so as long as you use a new name you will not lose your old keys.
- Generate the new keys using PuTTYgen. This is a key generator that comes with the PuTTY SSH client. (If you don't have the full suite of PuTTY tools installed, you can get them from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html .) To generate the keys, launch PuTTYgen. At the bottom of the window, choose "SSH-2 RSA" for the key type, and enter "2048" for the number of bits, then click the "Generate" button. After you click "Generate", it will show you a progress bar and ask you to randomly move your mouse over the blank area of the window. This mouse movement supplies the random data used to generate the key. When it's done, it will show you a window like this:
Fill in your email address in the "comment" field, and enter a passphrase. The passphrase will be needed to "unlock" the key each time you load it into a client. When you're done, click on the "Save public key" button. Save it to someplace you'll remember (typically the "My Documents" folder is best), with a name like "mykey.pub". (Having the .pub at the end signifies that it's the public key.) Next, click on the "Save private key" button. Save it to the same place with the same name, but this time use .ppk as the extension. So for example, save it as "mykey.ppk".
- Lastly, you need to copy the public key to the server. The key files are simple text files, so you can open them with Notepad and copy/paste them into a file on the server, or you can use SCP to copy them to the server. The recommended path to save the public key is "~/.ssh/id_rsa.pub".
Generating new keys on the hosting server:
- First, back up the keys you have (if any). Your keys are stored in your home directory inside the ".ssh" sub-directory. The easiest way to back up your keys is to make a sub-directory inside ".ssh" and copy the keys there. Note: These directions assume you are using only one key. If you have more than one key on the server, you cannot follow these directions and you should call us for help if you need it:
% cd ~/.ssh
% mkdir key_backup_20121129
% cp id_* key_backup_20121129
% rm id_*
- Generate the new keys.
% ssh-keygen -t rsa -b 2048 -C "youremailaddress"
It will then ask you where to save the key. Just choose the default by pressing Enter.
Next it will ask for a passphrase. This will be needed every time you try to load the private key for use on your client.
When it's done, you'll have two new files in your ~/.ssh directory: "id_rsa", which is your private key, and "id_rsa.pub", which is your public key.
- Copy the keys to your workstation. You can either just display the files using "cat" and copy/paste them into a file on your workstation, or use SCP to copy them off the server to your workstation.
Adding the key to the server:
Allowing the key to be used is the next step. Once your public key is on the server, you need to add it to the "authorized_keys" file in your ".ssh" directory. Assuming your public key is "id_rsa.pub" in your ".ssh" directory, use this to make your public key the only authorized key:
% cd ~/.ssh
% cat id_rsa.pub > authorized_keys
If you want to add your public key to the list of authorized keys, instead of it being the only key:
% cd ~/.ssh
% cat id_rsa.pub >> authorized_keys
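As an added example (not part of the hosting provider's instructions), the following POSIX shell helper performs the "copy the public key over and authorize it" step for both the Windows-generated key and the server-generated key above, and handles a detail the text does not mention: the file PuTTYgen writes with "Save public key" is in SSH2 (RFC 4716) format, which OpenSSH's sshd will not read, so it is converted with ssh-keygen -i first. The function name, the optional directory parameter and the sample key line are assumptions for the example.

```shell
#!/bin/sh
# Hypothetical helper (not the hosting provider's code): append one public
# key to ~/.ssh/authorized_keys exactly once, with the directory and file
# modes that sshd requires before it will honour the file.
#
# Usage: add_authorized_key PUBKEY_FILE [SSH_DIR]
#   PUBKEY_FILE  public key in OpenSSH one-line form ("ssh-rsa AAAA... comment")
#                or in the "---- BEGIN SSH2 PUBLIC KEY ----" form written by
#                PuTTYgen's "Save public key" button.
#   SSH_DIR      defaults to ~/.ssh; passed as a parameter (assumption) so the
#                function can be tried against a scratch directory first.
add_authorized_key() {
    keyfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    auth="$sshdir/authorized_keys"

    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # sshd ignores authorized_keys if the directory or file is group/world
    # writable, so set the modes explicitly rather than trusting the umask.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # PuTTYgen's saved public key is RFC 4716 format; ssh-keygen -i converts
    # it to the one-line OpenSSH format that authorized_keys expects.
    if head -n 1 "$keyfile" | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----'; then
        line=$(ssh-keygen -i -f "$keyfile") || return 1
    else
        line=$(grep -v '^[[:space:]]*$' "$keyfile" | head -n 1)
    fi

    # Accept only key types sshd understands; anything else is a paste error
    # (for example a private key or the SSH2 header line copied by mistake).
    case $line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line: $keyfile" >&2; return 1 ;;
    esac

    # Append once: running the helper twice must not duplicate the line.
    if grep -qxF -- "$line" "$auth"; then
        echo "key already authorized"
    else
        printf '%s\n' "$line" >> "$auth"
        echo "key added to $auth"
    fi
}
```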
Adding the key to your workstation:
Now that the server will allow access with your key, your Windows workstation needs to know to use the key. The simplest way to do this is with "Pageant", which is part of the PuTTY package. It is an authentication agent that many programs use in addition to PuTTY, like FileZilla and WinSCP. To use Pageant, first start it from your Start menu. It will launch in the System Tray and looks like a computer with a hat on it. Double-click it and it will open its key list. Click on "Add Key", find your private key, then click "Open". It will then ask for your passphrase. After you enter your passphrase, you'll see your key in the list.
Now that Pageant is running and has your key, you can try connecting with your key. Launch PuTTY. Enter the address of the server you want to connect to, and change the "Connection Type" to SSH. On the left side, navigate to Connection -> SSH -> Auth. Make sure "Attempt authentication using Pageant" is checked, and "Allow agent forwarding" is checked. When you click "Open", it will connect to the server and prompt you for your username. If everything is set up right, it will not ask for your password and you'll be logged in.
Using SSH Keys With FileZilla or WinSCP
FileZilla and WinSCP both support Pageant, so as long as it's running and has your keys loaded, you do not need to tell them about your keys. When you connect to the server with SCP, leave the password field blank and it will use Pageant to send your keys to the server.