Logging in, made simple: Setting SSH keys

Now that you have access to your account, you may find that the double-login is holding you down. Besides being slower than a usual login, it can make transferring files between your computer and HCS more difficult because you have to work through FAS as an intermediate. However, by setting SSH keys, you will be able to securely access your HCS account from a designated computer without authenticating with FAS first! Read on to find out how to make accessing your group account as easy as one double-click.

As usual, the process is different depending on whether you use a Mac or a PC. Incidentally, if you're on a Linux computer, the Mac directions will work fine for you as well. Just substitute Gnome Terminal or Konsole (or other equivalent) for Terminal.app and the relevant keyboard shortcuts for copying & pasting.

Using a Mac/Linux

Open Terminal (on a Mac, in Applications>Utilities) and type:

ssh-keygen -t dsa

It will begin generating a pair of DSA keys for you. This process might take a minute or two. At the next prompt,

Generating public/private dsa key pair.
Enter file in which to save the key (/Users/jharvard/.ssh/id_dsa):

simply hit return to save the key in the default location.

Enter passphrase (empty for no passphrase):

You will then be prompted for a passphrase. You don't have to specify one, but it's recommended that you do. However, you will need to remember this passphrase every time you connect to HCS, so choose something memorable but difficult for others to guess. Basically, you are setting a password for your own keys so that other people are unable to use them even if they steal your SSH key files. Whatever you choose, you will have to enter it twice, and then you will be informed that your keys have been saved.

After you have generated the key, you now need to grant access to this key on your HCS account. First, you need to copy the key's contents to your clipboard. To display the key you just created, type

cat .ssh/id_dsa.pub

and then copy all the output that results. To do that, highlight it in the Terminal and press Command-C. You should be highlighting all the text that looks like this:

ssh-dss AAAAB3NzaC1kc3MAAACBAPn9BVNNZry4SEdR9Kwf2yAV/jxtMlPjTXLFRgw/LCnT
2OOWsdreSJQ/+s2q1TxL3Dj5ZwCxyS9Al7+s5QxY1JDJW1tKBlDglo+6tPML7RsVyCLwCOzb
EWmgzcq/95PzpEaZyJCUW2IGcQkDRtTNx7D+V24aM+28NtjCOCR2GroKTHAAAAFQDDJMwUmB
YNuwdwBzvyN+MAiRlVlwAAAIB3eiqyWOODw6gXmOkKfL/e7PgihyPJFHZKnOQcQktHK41L4U
QYCwfEPemuVvhDl7ECHPzlx5LxnBdLgvsNzODBUXzi+UXAIjg0t06pLfvlKi7RZ+9pVBD4z7
BGEVUDjlnYaI2eivbLt30M3Fc8USFnMjDvNkMRrhoSlwcCtglYUwAAAIEA6qykkPCK4qo+DG
XarB+nALSb0Xqx/ND3ZlUJmFu4SDJbryN+ss5qXM6cepxCAn/QIXGOW+giTR1GOQf6oIhiux
iUjy60X7RfyBrpPkq1++LQVEmjTi7qutFqJayIc25O/CyJRoObuT+Zu/a4kik3CaapaVh6TC
UruSQwVzKI6iM= jharvard@jharvardmac.local

Now log in to your HCS account through FAS: type ssh jharvard@fas.harvard.edu, enter your FAS password, and at the fas% prompt enter ssh group-name@hcs.harvard.edu. We will use the access utility, made by HCS, to add your key to the access list. Simply type access once you're in your home directory on HCS. You will then be in the access utility, where you can see who has access to the account and grant or remove access. You want to add an OpenSSH keyfile, so press S.

Paste your 1-line SSH key. Invalid keys are ignored. Input is invisible.

Paste in your SSH key by hitting Command-V on a Mac or Ctrl-V on Linux, then hit Enter.

When the screen refreshes you should see your key in the list, as in something like

[3] SSH Key: ssh-dss AAAAB3N...== jharvard@jharvardmac.local

If this is true, then congrats, you're all set. Hit Q to get out of access, then log out of HCS and then FAS, and then see if you can ssh group-name@hcs.harvard.edu straight from your own system. If you made a passphrase when creating your keys, you'll be prompted for it to decrypt the private key, and with any luck, you just let yourself into HCS directly! If something went wrong, check the last bit of this page for troubleshooting tips.

On a PC

The process here is a bit longer than with a Mac, but hang in there. We've tried to make this guide as simple and straightforward as possible. First, make sure you have PuTTY and PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. Now, load up PuTTYgen. Select SSH-2 DSA and set the key length to 1024, as shown below:

Then click "Generate" to create an SSH key pair. Now for the fun part: move your mouse around to create random data for the key generator. Seriously. Whip it around however you like.

Once that is finished, you need to add a comment to your key and choose a passphrase, as shown below. The comment should be something that can identify the computer you're currently using to create this key.

Select "Save public key", and save the file as "key.txt" wherever you'd like. Remember the location so that you can access it in the future. Then select "Save private key", and save the file in the same directory that you saved your public key. The private key should be named "key.ppk".

Now, select your entire public key, right click, and select Copy.

Now you need to connect to your HCS account in the old way, to upload the key that you just made. If you're not familiar with this, you should check out the first tutorial. Log in to your HCS account through FAS, using PuTTY. Then, after authenticating with your FAS password, enter ssh group-name@hcs.harvard.edu at the fas% prompt. As you know, you will log straight into HCS without a password since you are coming from FAS. Now we will use the access utility, made by HCS, to add your key to the access list. Simply type access once you're in your home directory on HCS. You will then be in the access utility, where you can see who has access to the account and grant or remove access. You want to add an OpenSSH keyfile, so press S.

Paste your 1-line SSH key. Invalid keys are ignored. Input is invisible.

Paste in your SSH key from the Clipboard (you copied it from Notepad, remember) by hitting Shift-Insert on your keyboard (PuTTY uses different shortcuts from most other Windows apps, because terminal programs usually need the Control key). Then hit enter.

When the screen refreshes you should see your key in the list, as in something like

[3] SSH Key: ssh-dss AAAAB3N...== jharvard@jharvardwindows.local

If you see it, then congrats, you're all set. Hit Q to get out of access, and then close your session by going to File>Disconnect.

Now we need to tell PuTTY to connect to HCS with the SSH key. Open up PuTTY and type hcs.harvard.edu in the Host Name box.

Select Data under Connection in the navigation menu, and enter your HCS account name in the "Auto-login username" box.

Now select Auth, under SSH, under Connection in the navigation menu, and click Browse.

Navigate to the folder where you saved your SSH keys, and select the private key file, key.ppk.

Now select Session at the top of the navigation menu, and save this session configuration by choosing a name and putting it in the box below "Saved Sessions", and clicking Save. We used "HCS" in the image below.

Now you're all set! Select Open to start a connection. If this is your first time connecting, you may see a message like the following:

Just select OK, and you should be at your account prompt. In the future, to connect to your account, just open PuTTY and double-click on HCS (or whatever you saved this connection as), or select HCS and then click Load and then Open.

On a PC (old method)

The process here is a bit longer than with a Mac, but hang in there. We've tried to make this guide as simple and straightforward as possible.

Open SecureCRT and close the Connect window if it comes up at startup. The first place you want to go is Tools>Create Public Key...

This will bring up a wizard on public keys. Select Next to continue.

The next screen is on key types; DSA is fine.

Now you are prompted to create a passphrase. You will have to enter this every time you use the key. It is optional, but recommended. Also, in the bottom field, enter a note of your username and your machine name (or alternatively, a hint for your passphrase).

Leave the key length at the recommended value of 1024 bits.

Now for the fun part: move your mouse around to create random data for the key generator. Seriously. Whip it around however you like.

Here you should change the format to OpenSSH Key Format. Don't worry about where it saves it; leave the default.

The wizard will finish and it will ask you if this should be your global key. Go ahead and say Yes.

Now you will need to find your generated key. By default, it should have been saved as C:\Documents and Settings\jharvard\Application Data\VanDyke\Identity.pub. No, it's not a Microsoft Publisher document, just a text file. Right-click it and open it with Notepad. You want to select all text and then go to Edit>Copy.

Now you need to connect to your HCS account in the old way, to upload the key that you just made. If you're not familiar with this, you should check out the first tutorial. Log in to your HCS account through FAS, using PuTTY. Then, after authenticating with your FAS password, enter ssh group-name@hcs.harvard.edu at the fas% prompt. As you know, you will log straight into HCS without a password since you are coming from FAS. Now we will use the access utility, made by HCS, to add your key to the access list. Simply type access once you're in your home directory on HCS. You will then be in the access utility, where you can see who has access to the account and grant or remove access. You want to add an OpenSSH keyfile, so press S.

Paste your 1-line SSH key. Invalid keys are ignored. Input is invisible.

Paste in your SSH key from the Clipboard (you copied it from Notepad, remember) by hitting Shift-Insert on your keyboard (PuTTY uses different shortcuts from most other Windows apps, because terminal programs usually need the Control key). Then hit enter.

When the screen refreshes you should see your key in the list, as in something like

[3] SSH Key: ssh-dss AAAAB3N...== jharvard@jharvardwindows.local

If you see it, then congrats, you're all set. Hit Q to get out of access, and then close your session by going to File>Disconnect.

Now take a breather; we're almost done. We can now create a session for you that you can click in the Connect dialog to go straight into HCS. Go to File>Connect... but this time go for the New Session button.

Another wizard pops up. SecureCRT loves wizards. Hit next.

Type in the following information; of course, substitute group-name with your HCS account name.

Now you need to name this connection something. Pick whatever you want. Name it "Fluffy" if you please.

Once you click Finish, you'll be back at your connection screen with your newly made connection selected. But hold on a minute. We need to set some more options! With your HCS connection selected, go to the Properties button.

You'll see a lot of junk that doesn't really matter. What does matter is that you should click on SSH2 in the tree on the left side and turn off all Authentication methods except PublicKey. If you don't do this, SecureCRT will be stupid and try to ask for a password, which won't work.

Say OK and you're back at the Connections window. Now you can double-click on your brand new HCS connection.

It's your first time connecting, so it will probably give you this freaky dialog. Just hit Accept & Save and you'll never see it again.

Finally, if you had a passphrase for your key, enter it now; if you didn't, you won't see this dialog.

That's it! You should be in; if not, something went wrong. See the final section for some tips.

So what now?

Troubleshooting

OK, what if it didn't work? The most likely reason is that our access program mangled its job and didn't add your key correctly, or you pasted it wrong, say without the last ten characters or something. In that case, you will have to roll up your sleeves and fix the mess. Get back into your HCS account the old-fashioned way, through FAS, and edit your authorized_keys file by typing:

pico .ssh/authorized_keys

This file is supposed to hold one SSH key per line (even though the lines get very long), with no other line breaks. Each SSH key needs the ssh-dss identifier at the beginning and ends with a space followed by a user identifier like jharvard@example.com. If it's messed up, try mucking with it in pico until you get it right, then hit Control-X to exit and choose Y or N to save/discard changes.
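
The one-key-per-line rule above can be checked mechanically. The following Python sketch is an added example, not part of the HCS access utility: it decodes each line's base64 data as length-prefixed SSH fields and reports keys that were cut short or split across lines. The sample key is constructed from dummy bytes, and lines that start with option prefixes are assumed not to occur.

```python
import base64
import binascii

KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519"}  # the page uses ssh-dss

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format field: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def check_line(line: str) -> str:
    """Return 'ok' or the reason an authorized_keys line is malformed."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return "does not start with a key type (stray line break?)"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return "base64 does not decode (characters missing?)"
    fields, pos = [], 0
    while pos < len(blob):  # walk the length-prefixed fields inside the blob
        size = int.from_bytes(blob[pos:pos + 4], "big")
        end = pos + 4 + size
        if len(blob) - pos < 4 or end > len(blob):
            return "key data truncated"
        fields.append(blob[pos + 4:end])
        pos = end
    if not fields or fields[0] != parts[0].encode():
        return "declared type does not match key data"
    if parts[0] == "ssh-dss" and len(fields) != 5:  # type, p, q, g, y
        return "ssh-dss key should hold p, q, g, y"
    return "ok"

def check_file(text: str) -> list:
    """Return (line number, verdict) for each non-blank, non-comment line."""
    return [(n, check_line(line)) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")]

# Constructed sample: dummy bytes in the ssh-dss layout, not a usable key.
BLOB = b"".join(ssh_string(f) for f in (
    b"ssh-dss", b"\x00" + b"\xd1" * 128, b"\x00" + b"\xc3" * 20,
    b"\x5a" * 128, b"\x6b" * 128))
B64 = base64.b64encode(BLOB).decode()
GOOD = "ssh-dss " + B64 + " jharvard@example.com"
CUT = "ssh-dss " + B64[:-10]  # pasted without the last ten characters
WRAPPED = "ssh-dss " + B64[:72] + "\n" + B64[72:] + " jharvard@example.com"
SAMPLE = "\n".join([GOOD, CUT, WRAPPED]) + "\n"

if __name__ == "__main__":
    print(*check_file(SAMPLE), sep="\n")
```

To check a real file, pass the contents of .ssh/authorized_keys to check_file instead of SAMPLE.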

If you think you did everything right, your authorized_keys looks fine, and you've followed all the settings above to a T, you could try asking us at acctserv@hcs what to do. We'll give you our best shot.

Why did I go through all this again?

Now you can connect straight to your HCS account without going through FAS. This is not only more convenient and secure, but it is the way to go if your FAS account is about to expire or if you have problems with FAS dropping your SSH connections too often. Plus, it will make uploading files so much easier through a graphical client, which will be the focus of the next tutorial.