Every time you log on to a computer over SSH you have to authenticate yourself to gain access to a machine.
Key-based authentication in SSH is called public key authentication. This provides additional security from man-in-the-middle attacks, and with a little more configuration it can provide single sign-on.
For single sign-on, SSH comes with a program called ssh-agent, which can hold a user's decrypted private keys in memory and use them to authenticate logins. This means the user has to log in only once, as subsequent logins require no passphrase.
Some of these instructions may work on other UNIX systems but have not been tested.
Steps
Create Keys & Setup CSIF
To start off, you will need to log onto any of the CSIF machines. Once there, run the following commands to generate and set up your keys on the CSIF machines. Remember to replace USERNAME with your login username.
$ cd ~/.ssh/
$ ssh-keygen -t rsa -C "USERNAME@csif" -f "USERNAME@csif"
When it asks you for a passphrase, enter a secure but memorable passphrase for your key. Don’t worry, you will only need to type it once per reboot.
Once you generate your keys, run the following command to add the public key to your authorized keys list.
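One way to carry out this step, as an added example that is not from the original page: the function below appends the public key to authorized_keys only if it is not already there and sets the permissions sshd expects. The install_pubkey name is hypothetical, and the .pub file name is the one ssh-keygen -f "USERNAME@csif" writes next to the private key.

```shell
#!/bin/sh
# Added example, not from the original page. The public key file name
# follows the page's USERNAME@csif convention.
# Usage on a CSIF machine:
#   install_pubkey "$HOME/.ssh/USERNAME@csif.pub" "$HOME/.ssh"

# install_pubkey PUBFILE SSHDIR
# Returns 0 if the key is installed (or already was), 1 on bad input.
install_pubkey() {
    pubfile=$1
    sshdir=$2
    auth="$sshdir/authorized_keys"

    # Accept only a single public-key line. This also catches the
    # mistake of passing the multi-line private key file.
    [ -r "$pubfile" ] || return 1
    [ "$(wc -l < "$pubfile")" -le 1 ] || return 1
    case "$(cat "$pubfile")" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) return 1 ;;
    esac

    # sshd's default StrictModes ignores authorized_keys when the
    # directory or file is writable by anyone but the owner.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on the base64 key body (field 2) so re-running the step,
    # or a changed comment, does not add a duplicate entry.
    keybody=$(awk '{print $2}' "$pubfile")
    if ! grep -qF -- "$keybody" "$auth"; then
        cat "$pubfile" >> "$auth"
    fi
    return 0
}
```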
Transfer private key to local machine
You now need to transfer your private key to the machine you wish to SSH from. If you need help with this, please see the documentation on Remote File Transferring.
Setup Local Machine
Once you have the key to your local machine, you need to set it up. This is slightly different between Linux and Windows environments.
Linux (Linux/Mac OS X/Windows Subsystem for Linux)
If you are running a Linux environment, you can do everything through the terminal. First, move your private key to the local machine's ~/.ssh folder.
You will then need to create a file named config in ~/.ssh using your text editor of choice. Put the following lines into the file, replacing USERNAME with your username:
User USERNAME
AddKeysToAgent yes
IdentityFile ~/.ssh/USERNAME@csif
Once you are done, make sure everything has the right permissions by typing these commands
$ chmod 600 USERNAME@csif
You can now SSH with the key; however, you will need to type the key’s passphrase every time you wish to SSH. To have your computer save this passphrase please see the Setting Up an SSH agent section below.
For more information on SSH client configuration files, try: https://man.openbsd.org/ssh_config
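A check for the client-side setup described above, as an added example that is not from the original page: it flags a private key that group or others can access, a config file they can write, and a config that does not point at the key. The function names are hypothetical and the file names follow the page's USERNAME@csif convention.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: audit_ssh_client "$HOME/.ssh" "USERNAME@csif"

# perm_bits PATH -> prints the 9 permission characters, e.g. rw-------
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# audit_ssh_client SSHDIR KEYNAME
# Prints one line per problem; returns the number of problems found.
audit_ssh_client() {
    dir=$1
    key="$dir/$2"
    problems=0

    if [ ! -f "$key" ]; then
        echo "missing private key: $key"; problems=$((problems + 1))
    else
        # ssh refuses a private key that group or others can access.
        case "$(perm_bits "$key")" in
            ???------) ;;
            *) echo "private key too open: run chmod 600 $key"
               problems=$((problems + 1)) ;;
        esac
        # A first line starting with ssh- means the public half was copied.
        if head -n 1 "$key" | grep -q '^ssh-'; then
            echo "$key looks like a public key, not a private key"
            problems=$((problems + 1))
        fi
    fi

    if [ -f "$dir/config" ]; then
        # ssh rejects a config file that group or others can write.
        case "$(perm_bits "$dir/config")" in
            ????-??-?) ;;
            *) echo "config writable by group/other: run chmod 600 $dir/config"
               problems=$((problems + 1)) ;;
        esac
        grep 'IdentityFile' "$dir/config" | grep -qF -- "$2" || {
            echo "config has no IdentityFile line for $2"
            problems=$((problems + 1)); }
    fi
    return "$problems"
}
```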
Windows
If you are on Windows, there are a few ways to do things. If you are using Windows Subsystem for Linux (WSL), use the UNIX instructions above. If you are using a terminal emulator like PuTTY or MobaXterm, keep reading. This guide assumes you are using PuTTY and have both PuTTY and PuTTYgen installed.
- Convert your key to something your terminal emulator can use
  - Open PuTTYgen and go to Conversions -> Import key
  - Select your private key and save it as .ppk
- Upload your key to the program
  - In PuTTY’s sidebar go to Connection>SSH>Auth
  - In the Private key file for authentication section, browse for the key that you just created
- Log in with your key file and key password
  - (optional) Go to Connection>Rlogin and enter your CSIF username
  - Go back to the main Session page and enter the hostname of the PC you wish to connect to
  - In the Saved Sessions section, enter a name and click Save to save the configuration so you don’t need to redo it every time
  - Click Open to connect and see if your key worked
Setting Up an SSH Agent
Finally, so that you do not need to enter the key’s passphrase every time (only once per reboot), we need to set up an SSH agent to manage your key’s passphrase for you. You will need to perform these steps on your local computer.
Setup differs between Linux and Windows (PuTTY) environments.
Linux (Linux/Mac OS X/Windows Subsystem for Linux)
If you are using a Linux environment, you will be using a program called ssh-agent. Chances are, it is already installed for you. You can check to see if it is installed by running ssh-agent -h. If it says unknown options, then ssh-agent is installed. If it is not installed, please install it using your operating system’s package manager.
Once you know ssh-agent is installed, open up the file ~/.profile in your favorite text editor. If the file does not exist, then create it.
At the end of the file, paste in these lines of code:
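# Use one fixed socket path so every login shell finds the same agent (example path)
export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
ssh-add -l >/dev/null 2>&1
if [ $? -ge 2 ]; then
    # Exit status 2: no agent reachable. Clear any stale socket and start one.
    rm -f "$SSH_AUTH_SOCK"
    ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null
fi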
Once this is done, reboot for the changes to apply.
You should now be set up with ssh-agent. SSH will now only prompt for your key’s passphrase the first time you ssh after each reboot.
Windows
If you are on Windows, there are a few ways to do things. If you are using Windows Subsystem for Linux (WSL), use the Linux instructions above. If you are using PuTTY, keep reading.
By default PuTTY cannot remember your passphrase; you need a second program called Pageant to do this for you. You can download and install this from the official site here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
To have Pageant store your passphrase so PuTTY can use it, follow these steps:
- Launch Pageant from the start menu
- Open up Pageant by double-clicking on it in the system tray in your taskbar
- Click the Add Key button and add the private key that you are using in PuTTY
- Enter the key passphrase
- Click OK and Close
You are now done. You can ssh in with PuTTY as many times as you like without entering a password as long as you do not close Pageant or reboot your machine.
You will need to redo these steps every time you close Pageant or reboot your machine.