January 26, 2008

SSH Public Key

Contents

1.0 Server

2.0 Client

3.0 CLI Configuration

Using SCP from the command line

Using SSH2 from the command line

Additional Resources

Revision History

Scope

This document outlines how to configure the SSH client and daemon for NT/W2K/XP to accept public key authentication. This was done on server version SSHServerSetup312.exe.

This document uses version 3.2 of the client and server software from SSH.COM.

1.0 Server

  1. To begin the configuration of the server, go to the Start menu and select Programs > SSH Secure Shell Server > Configuration.


  2. Click on User Authentication and select Allow for Public Key Authentication.

NOTE:

You can also edit the configuration file directly.

Using a text editor, open
C:\Program Files\SSH Communications Security\SSH Secure Shell Server\sshd2_config

Under ## Authentication methods add publickey to the AllowedAuthentications list. The methods are tried in the order listed, so put publickey first.
It should look like the line below:

AllowedAuthentications publickey,password

Restart the server.
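The sshd2_config edit above, as an added example that is not part of the original page or of the SSH Communications Security product: a small Python helper that reads a config excerpt, ignores comment lines such as "## Authentication methods", and rewrites the active AllowedAuthentications line so publickey comes first. The SAMPLE_CONFIG excerpt, the function names and the keep_password switch are constructed for this example; keep_password=False gives the key-only setting that is stricter than the publickey,password line the page shows.

```python
import re

# Constructed excerpt in sshd2_config style; not copied from any real server.
SAMPLE_CONFIG = """\
## Authentication methods
# AllowedAuthentications is an ordered, comma-separated list of methods
AllowedAuthentications        password
PasswordGuesses               3
"""


def allowed_authentications(config_text: str) -> list:
    """Return the methods on the first active (uncommented) AllowedAuthentications line."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue                      # comment lines carry no setting
        match = re.match(r"AllowedAuthentications\s+(\S+)", stripped)
        if match:
            return [m for m in match.group(1).split(",") if m]
    return []


def ensure_publickey(config_text: str, keep_password: bool = True) -> str:
    """Rewrite the active AllowedAuthentications line so publickey is tried first.

    keep_password=False drops password from the list, giving the key-only
    setting. A missing line is appended rather than left at the daemon default.
    The rewrite is idempotent: running it on its own output changes nothing.
    """
    out, rewritten = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if (not rewritten and not stripped.startswith("#")
                and stripped.startswith("AllowedAuthentications")):
            current = allowed_authentications(stripped)
            methods = ["publickey"] + [m for m in current if m != "publickey"]
            if not keep_password:
                methods = [m for m in methods if m != "password"]
            out.append("AllowedAuthentications " + ",".join(methods))
            rewritten = True
        else:
            out.append(line)
    if not rewritten:
        default = "publickey,password" if keep_password else "publickey"
        out.append("AllowedAuthentications " + default)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(ensure_publickey(SAMPLE_CONFIG))
    print(ensure_publickey(SAMPLE_CONFIG, keep_password=False))
```

Run it against a copy of sshd2_config rather than the live file, compare, and only then replace the original and restart the server; the daemon reads the file only at start-up.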


2.0 Client

To configure SSH for NT/W2K/XP for public key authentication (this was done on client version 3.2.0):

  1. Connect to the server you would like to set up public key authentication with.
  2. Click Edit > Settings > Global Settings > User Keys.
  3. Click Generate New Keypair.

  4. Click Next.


  5. Choose RSA and a key length of at least 2048, then click Next.

  6. After the key generation has indicated that it is complete, click Next.

  7. Fill in the Name, Comments and a strong Passphrase then click Next.


NOTE:

For machine automation leave passphrase blank.

  8. Click Upload Private Key, then click Finish.

Example: Upload Private Key

NOTE:

If you get the message below, you can safely ignore it.


  9. To configure the connection to use the key, ensure that Public Key is the first (or only) mode of authentication.

  10. On connection you will be prompted for the passphrase. Enter the passphrase and click OK.


3.0 CLI Configuration

1. Generate user public keys with the following command:

Type ssh-keygen2 at the command prompt.

2. You will be asked to enter a passphrase in compliance with InfoSec's password policy. This will create a public and private key.

NOTE: For machine automation leave passphrase blank


C:\>ssh-keygen2
Generating 2048-bit dsa key pair
6 OOo.oOo.oOo.
Key generated.
2048-bit dsa, username@machinename, Thu Jul 18 2002 21:10:08
Passphrase :
Again :
Private key saved to C:/Documents and Settings/username/Application Data/SSH/UserKeys/id_dsa_2048_a
Public key saved to C:/Documents and Settings/username/Application Data/SSH/UserKeys/id_dsa_2048_a.pub


3. If you want to manually upload the public key (id_dsa_2048_a.pub), it goes into the Documents and Settings\username\.ssh2 directory on the SSH server.



4. Add a line to the file 'authorization' in the same directory:

key id_dsa_2048_a.pub


Using SCP from the command line

C:\>scp2 testfile.txt username@10.0.0.1:/
Passphrase for key " id_dsa_2048_a " with comment "[2048-bit dsa, username@hostname, Fri Jul 19 2002
14:00:32]":
testfile.txt | 601B | 0.6 kB/s | TOC: 00:00:01 | 100%


Using SSH2 from the command line


C:\>ssh2 username@10.0.0.1
Passphrase for key "C:/Documents and Settings/username/Application Data/SSH/id_dsa_2048_a" with comment "[
2048-bit dsa, username@hostname, Fri Jul 19 2002 14:00:32]":
Authentication successful.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

UNIX NOTE:

To use public keys from a Windows client to an OpenSSH server you have to copy the public key from the Windows host to the Unix host, cd to ~/.ssh, and import it into OpenSSH's format:

ssh-keygen -i -f publickeyfilename.pub >> authorized_keys2

To use public keys from an OpenSSH client to a Windows server you have to convert the key from OpenSSH's format to SECSH format:

ssh-keygen -e -f publickeyfilename.pub > publickeyfilename.SECSH.pub

UNIX clients that are using SSH to connect to a NT/W2K/XP server
will need a local account set up on the NT/W2K/XP box. Windows Domain
authentication is not supported. Once the local account is created the
user will need to log in to the NT/W2K/XP server either locally or via
Terminal Services to create a profile.


Examples:

To set up a trust from a Windows host to a Unix host:

1. Generate the keypair on the Windows host:

  • cd %D\.ssh2
  • ssh-keygen2 -P -t rsa id_win_rsa

2. Copy the public key to the Unix server as ~/.ssh/id_win_rsa.pub.

3. On the Unix server:

  • cd ~/.ssh
  • ssh-keygen -i -f id_win_rsa.pub >> authorized_keys2
  • rm id_win_rsa.pub

To set up a trust from a Unix host to a Windows host:

1. Generate the keypair on the Unix host:

  • cd ~/.ssh
  • ssh-keygen -t rsa -N ""

2. Convert the public key:

  • ssh-keygen -e -f id_rsa.pub > id_rsa_SECSH.pub
  • Securely copy the public key (id_rsa_SECSH.pub) to the Windows host as %D\.ssh2\id_rsa_SECSH.pub
  • rm id_rsa_SECSH.pub

3. On the Windows host:

  • cd %D\.ssh2
  • Add a line to the file 'authorization': "key id_rsa_SECSH.pub"

NOTE: Domain accounts are not supported from UNIX clients. You will need to log in locally to the NT/W2K/XP box running the SSH2 daemon to establish a profile.
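The two conversions used in the UNIX NOTE and in both trust examples above (ssh-keygen -i, which imports a SECSH/RFC 4716 block into the one-line OpenSSH form, and ssh-keygen -e, which exports the other way), written out in Python as an added example that is not code from the original page or from SSH Communications Security. It parses the "---- BEGIN SSH2 PUBLIC KEY ----" block with its Comment header, decodes the key blob to read the key type from the wire encoding, and refuses an OpenSSH line whose type prefix disagrees with the blob. The function names, the comment username@hostname and the sample key are constructed for this example; the modulus is a made-up number, not a real key.

```python
import base64
import struct

SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # SSH wire "mpint": big-endian two's complement; a leading 0x00 keeps a
    # value whose top bit is set from being read as negative
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: type string, exponent, modulus."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_blob(blob: bytes) -> list:
    """Split a decoded public key blob into its wire strings; fields[0] is the type."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def secsh_to_openssh(text: str) -> str:
    """What `ssh-keygen -i` does: RFC 4716 block -> one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != SECSH_BEGIN or lines[-1] != SECSH_END:
        raise ValueError("not an SSH2 public key block")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if not body and ":" in line:          # headers precede the base64 body
            tag, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\"):       # a trailing backslash continues the header
                i += 1
                value = value[:-1] + lines[i]
            headers[tag.strip().lower()] = value
        else:
            body.append(line)
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    key_type = parse_blob(blob)[0].decode("ascii")   # type comes from the blob, not a header
    comment = headers.get("comment", "").strip('"')
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def openssh_to_secsh(line: str) -> str:
    """What `ssh-keygen -e` does: authorized_keys line -> RFC 4716 block."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if parse_blob(blob)[0].decode("ascii") != key_type:
        raise ValueError("type prefix does not match the key blob")
    body = base64.b64encode(blob).decode("ascii")
    out = [SECSH_BEGIN]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(body[i:i + 70] for i in range(0, len(body), 70))   # RFC 4716 keeps lines <= 72 chars
    out.append(SECSH_END)
    return "\n".join(out) + "\n"


def constructed_sample() -> str:
    """Toy ssh-rsa line for the demo; the modulus is made up, not a real key."""
    blob = rsa_public_blob(65537, (1 << 127) + 12345)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " username@hostname"


def roundtrip(line: str) -> dict:
    secsh = openssh_to_secsh(line)
    back = secsh_to_openssh(secsh)
    return {"secsh": secsh, "openssh": back, "matches": back == line}


if __name__ == "__main__":
    print(roundtrip(constructed_sample())["secsh"])
```

Reading the key type out of the decoded blob rather than trusting a header or the text prefix is the check worth keeping: an authorized_keys line whose prefix and blob disagree is rejected by the server anyway, and catching it at conversion time explains an otherwise silent login failure.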


Additional Resources

  • SSH Support Pages, SSH Communications Security

http://www.ssh.com/support/
