
Secure Network Access for Windows



1. Introduction

1.1 History

This document describes how to connect to computers in the Department's internal network. In the early days of the Internet one could simply use the Telnet and FTP protocols to connect to the computers. But those protocols are very insecure (they send the password in plain text over the network), so we don't allow them anymore. Even for connections from one computer in the Department to another, Telnet and FTP are strongly discouraged: anyone who can listen on the internal network can capture the password.

The proper protocol for all connections is SSH (Secure Shell). SSH comes in two flavors, SSH1 and SSH2. SSH1 has known protocol weaknesses and is no longer accepted by the Department's shell servers, so all new computers and all new users should use SSH2.

1.2 SSH basics

SSH is based on public-key cryptography, using cryptosystems where encryption and decryption are done with separate keys, and it is computationally infeasible to derive the private key from the public key. The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. SSH handles the public-key authentication protocol itself, with either RSA or DSA keys.

The private key can and should be protected with a passphrase. The passphrase can be any string; in the OpenSSH key format it is hashed with MD5 to produce an encryption key for 3DES, which is used to encrypt the private part of the key file (PuTTY's own .ppk format instead derives an AES-256 key from the passphrase with SHA-1; the effect is the same). With a passphrase, authentication requires both access to the key file and knowledge of the passphrase. Without a passphrase, authentication only depends on possession of the key file, and a file can be copied without you being aware of it!
NEVER NEVER NEVER make your private key passphrase equal to your Unix or Windows password. That password is probably sent over the network by various protocols and may be known by a lot of people.

The file .ssh/authorized_keys in the home directory of the user lists the public keys that are permitted for logging in. When the user logs in, the ssh program tells the server which key pair it would like to use for authentication. The client proves that it has access to the private key by signing a challenge with it, and the server checks both the signature and that the corresponding public key is listed in authorized_keys for that account.

1.3 Where to get

You can always get the latest version at the official sites for PuTTY (https://www.chiark.greenend.org.uk/~sgtatham/putty/) and WinSCP (https://winscp.net/).

On the computers at the Department you can run Putty and WinSCP directly from the software server:
\\sw\pkg\putty\putty.exe
\\sw\pkg\putty\puttygen.exe
\\sw\pkg\putty\pageant.exe
\\sw\pkg\winscp\winscp.exe

If you want to install the programs on your computer you can use the installation files in our local depot:
\\sw\pkg\depot\putty\
\\sw\pkg\depot\winscp\

2. Generating SSH Keys

2.1 Generating new SSH keys

Start the PuTTYgen.exe program. Select the SSH2 DSA key type (see the red circle in the picture below). Note: the ssh-dss key type is effectively limited to 1024-bit keys, and OpenSSH 7.0 and later refuse ssh-dss keys by default, so if the server you connect to runs a current OpenSSH, choose SSH2 RSA with at least 2048 bits instead; the rest of this guide applies unchanged, with ssh-rsa in place of ssh-dss.

Press the Generate button and move the mouse over the window to create some randomness. Enter a passphrase to protect your private key (see the red circle in the picture below). The passphrase can be any string. It is never sent over the network, so it cannot be sniffed; its only job is to protect the key file if that file is copied, and then an attacker can try passphrases offline as fast as his computer allows. Length matters more than strange characters: use a long phrase you can remember and (preferably) can type fast.

Save the private key on your local computer. Handle the private key with great care. Never send the private key via E-mail or another insecure channel.
If you use PuTTY on a desktop computer at the University, you can store the key on the H: disk. Keep in mind that H: is a network share: anyone who can read it, including the administrators of the file server, can copy the key file, so the passphrase is all that protects the key there.

Save the public key on your local computer. You can send this public key via E-mail if you like. But before you can use SSH, you must add the public key to the authorized_keys file on the target computer. Unfortunately the public key file written by PuTTYgen (with "---- BEGIN SSH2 PUBLIC KEY ----" / "---- END SSH2 PUBLIC KEY ----" lines and a Comment: header, wrapped over several lines) is not in the one-line format the authorized_keys file expects. See the section Using Putty SSH for instructions to properly format the public key.

You can now close the PuTTYgen window.

2.2 Converting existing openSSH Keys

If you already have a valid SSH2 (OpenSSH) key from a Linux/Unix computer, you can use that key in PuTTY with some minor tweaks. The private key must be converted to PuTTY's .ppk format: in PuTTYgen choose Conversions, Import key, open the OpenSSH private key file, enter its passphrase, and then press Save private key. The public key is the same in both worlds, so key management is a bit easier than using two separate keys: one line in authorized_keys serves both your Unix ssh and PuTTY.

2.3 Changing the passphrase

You can change the passphrase of an existing SSH2 key without having to create a new SSH2 key: load the private key in PuTTYgen, type the new passphrase, and press Save private key. This only re-encrypts the key file. Unlike changing a normal password it does not help against a copy of the key file that was already stolen (that copy is still protected only by the old passphrase), because the passphrase is never sent over the Internet; after a suspected theft generate a new key pair and remove the old public key from authorized_keys. But if you have problems typing the passphrase or simply don't like it anymore, you can change it.

3. Using Putty SSH

3.1 Create/change authorized_keys file

Before you can use PuTTY, you must add your public key to the authorized_keys file on the target system. For the Informatica Department servers this file is located at H:\.ssh\authorized_keys
Each line of the file contains one key (empty lines and lines starting with a '#' are ignored as comments). Each line has up to 4 fields, separated by spaces:
  1. options, e.g. from="pattern-list" (Optional)
    You can restrict the use of this public key depending on where you come from, e.g. if you always log on from within the UU network, you could limit use of the key to that network only, which is in general a good idea. The patterns are matched against the client's IP address or its host name as found by reverse DNS, so a host-name pattern only works for clients with a proper reverse DNS entry.
  2. key type: ssh-dss for a DSA key, ssh-rsa for an RSA key
  3. public-key bits
    Cut and paste the base64 key from the PuTTYgen file (the lines between the BEGIN and END lines), make sure the key is one single line, and make sure there are no spaces in the key. The server reads the key type from inside this blob as well, so it must match field 2.
  4. comment (Optional)
    The comment is not used by the ssh protocol. You can use this field to identify your key.
Example:
  from="*.uu.nl" ssh-dss AAAAB3NzaC1kc3MAAACAaJ6qpH8o+l28xCibNRCGcYT
  q3iVhW+WpR4Uxh1VJ9s2gQkQ5FcQraJVlBfe9WTK0n48k7UxL4RbxA20fEhjF5UgO
  y0MYm/DQRUjujRmlAMuob9cIv2Io8oDr0TwX2bqJB85JMVlI04JSZgnkggbngISwl
  uIGDgsHlPxTwEbNAD0AAAAVALxsIqnL+us9SXk3XDpv0wkLj7iPAAAAgAinbtcugt
  gqoZmyf5Qkh/5b0Ut3DDqOY3Z6CT3MQH8TR2CEffC/fGx/NYt71wxGC+hGs8Mxf09
  AZS4/adfi4yXZ7DKkKtpAjxOAf0aRS2RgcfhAyzLv9ojbBHmodDSdOBmQV7CtoSta
  o8XC+b0Votb7Eyt4YTjqbYWMQyPcitB9AAAAgFZSO7zTov2khcpVXVW2kdgT1WqIg
  iGfJiWfsLUjEhRLUJNxrtup4o1npn7fN4TWTvXKTCciVE5HlvQgdBclA0WwDanOgV
  iKyN7dgXbZ6fRZPODPCLY+SysdI8pstS8EsgKu/25GryvWwDqiyxvKlzdoZhHrVW8
  WgmtJzE8Z4BhW "this is my UU key"

(must be a single line; line-breaks inserted for readability only)

Note: if you want to create the authorized_keys file, you may find it hard to create a .ssh (dot ssh) directory. The Windows Explorer won't create a dot-directory because it thinks you forgot the filename... One solution is to open a command prompt (cmd.exe) and type mkdir H:\.ssh
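The conversion and the checks described above, as an added example (not part of the original page or of PuTTY): it turns the public key file that PuTTYgen writes (RFC 4716 format) into one authorized_keys line with an optional from= restriction, and it checks such a line the way the server will read it, including that the key type named on the line matches the key type stored inside the base64 blob. The key blob is the example key from this page with the dropped 'A' in the standard ssh-dss prefix restored; the Comment header and the from= pattern are constructed sample values.

```python
"""Turn the public key PuTTYgen saves (RFC 4716 format) into one authorized_keys
line, and sanity-check an authorized_keys line before installing it."""
import base64
import binascii
import struct

# Base64 blob of the example ssh-dss key shown on this page (standard
# "AAAAB3NzaC1kc3M" prefix restored).  The Comment below is a constructed sample.
KEY_BLOB_B64 = (
    "AAAAB3NzaC1kc3MAAACAaJ6qpH8o+l28xCibNRCGcYT"
    "q3iVhW+WpR4Uxh1VJ9s2gQkQ5FcQraJVlBfe9WTK0n48k7UxL4RbxA20fEhjF5UgO"
    "y0MYm/DQRUjujRmlAMuob9cIv2Io8oDr0TwX2bqJB85JMVlI04JSZgnkggbngISwl"
    "uIGDgsHlPxTwEbNAD0AAAAVALxsIqnL+us9SXk3XDpv0wkLj7iPAAAAgAinbtcugt"
    "gqoZmyf5Qkh/5b0Ut3DDqOY3Z6CT3MQH8TR2CEffC/fGx/NYt71wxGC+hGs8Mxf09"
    "AZS4/adfi4yXZ7DKkKtpAjxOAf0aRS2RgcfhAyzLv9ojbBHmodDSdOBmQV7CtoSta"
    "o8XC+b0Votb7Eyt4YTjqbYWMQyPcitB9AAAAgFZSO7zTov2khcpVXVW2kdgT1WqIg"
    "iGfJiWfsLUjEhRLUJNxrtup4o1npn7fN4TWTvXKTCciVE5HlvQgdBclA0WwDanOgV"
    "iKyN7dgXbZ6fRZPODPCLY+SysdI8pstS8EsgKu/25GryvWwDqiyxvKlzdoZhHrVW8"
    "WgmtJzE8Z4BhW"
)
# What "Save public key" in PuTTYgen writes: RFC 4716 wrapper, Comment header,
# base64 body wrapped at 64 columns.
PUTTYGEN_PUBLIC_KEY = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "this is my UU key"']
    + [KEY_BLOB_B64[i:i + 64] for i in range(0, len(KEY_BLOB_B64), 64)]
    + ["---- END SSH2 PUBLIC KEY ----"]) + "\n"

KEY_TYPES = ("ssh-dss", "ssh-rsa")


def ssh_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields
    (RFC 4251 'string': 4-byte big-endian length, then that many bytes)."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix in key blob")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("key blob field runs past the end of the blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def rfc4716_to_openssh(text, options=None):
    """Convert a PuTTYgen / RFC 4716 public key file into one authorized_keys
    line: [options] <key type> <base64 blob> [comment]."""
    lines = text.strip().splitlines()
    if (lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("not an RFC 4716 public key file")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:        # header line; base64 never has ':'
            name, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\"):      # header continued on the next line
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[name.strip().lower()] = value
        else:
            body.append(line.strip())
        i += 1
    b64 = "".join(body)
    # The wrapper does not name the key type; it is the first field in the blob.
    key_type = ssh_fields(base64.b64decode(b64, validate=True))[0].decode("ascii")
    parts = ([options] if options else []) + [key_type, b64]
    comment = headers.get("comment", "").strip('"')
    if comment:
        parts.append(comment)
    return " ".join(parts)


def split_authorized_keys_line(line):
    """Split one authorized_keys line into options, key type, key, comment.
    Options may contain quoted strings with spaces (command="..."), so the
    options field runs up to the first whitespace outside double quotes."""
    line = line.rstrip("\r\n")
    i, options, in_quote = 0, None, False
    if not line.startswith(KEY_TYPES):       # no options if the type comes first
        while i < len(line) and (in_quote or not line[i].isspace()):
            if line[i] == '"':
                in_quote = not in_quote
            i += 1
        if in_quote:
            raise ValueError("unterminated quote in options field")
        options = line[:i]
    rest = line[i:].split(None, 2)
    if len(rest) < 2:
        raise ValueError("missing key type or key")
    return {"options": options, "type": rest[0], "key": rest[1],
            "comment": rest[2] if len(rest) == 3 else ""}


def check_authorized_keys_line(line):
    """Validate a line the way the server parses it; returns the fields plus the
    key size, raises ValueError on problems (a line break or space inside the
    base64 key is the usual mistake)."""
    parts = split_authorized_keys_line(line)
    if parts["type"] not in KEY_TYPES:
        raise ValueError("unknown key type %r" % parts["type"])
    try:
        blob = base64.b64decode(parts["key"], validate=True)
    except binascii.Error as e:
        raise ValueError("key is not valid base64 (split over lines?): %s" % e)
    fields = ssh_fields(blob)
    embedded = fields[0].decode("ascii", "replace")
    if embedded != parts["type"]:
        raise ValueError("line says %s but the blob is %s" % (parts["type"], embedded))
    # ssh-dss blob: type, p, q, g, y (p is the modulus); ssh-rsa blob: type, e, n
    modulus = fields[1] if embedded == "ssh-dss" else fields[2]
    parts["fields"] = len(fields)
    parts["bits"] = int.from_bytes(modulus, "big").bit_length()
    return parts


def authorized_keys_line_problem(line):
    """None if the line is acceptable, otherwise a one-line description."""
    try:
        check_authorized_keys_line(line)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    good = rfc4716_to_openssh(PUTTYGEN_PUBLIC_KEY, options='from="*.uu.nl"')
    print(good)
    info = check_authorized_keys_line(good)
    print(info["type"], info["bits"], "bits, options:", info["options"])
    # The classic mistake: a line break (here a space) inside the pasted key.
    print("broken:", authorized_keys_line_problem(good[:60] + " " + good[60:]))
```

Run it and paste the printed line into H:\.ssh\authorized_keys; run check_authorized_keys_line on the line you actually saved (or on every non-comment line of the file) before you log out of the session you are using to edit the file, so a mistake does not lock you out.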

3.2 Using the Putty program

Putty allows you to create sessions for computers you connect to, so you don't have to type all parameters over and over again.

Open the Putty.exe program.
Fill in the hostname of the server. The computers that can be used from outside the Department are shell.cs.uu.nl or staff.science.uu.nl (staff) and students.science.uu.nl (students).

Go to the Connection section in the left window. Under Data, type the username you want to use:

Go to the SSH menu and make sure SSH2 is the preferred protocol. Because on our shell servers the SSH1 protocol doesn't work anymore, you may also select the "2 only" button:

Go to the Auth menu under SSH and browse to your private key file:

Go back to the Session menu and save this session under a proper name:

Once you have created one or more sessions you can start to use them.

Open the Putty.exe program.
Select the session you want to use and click on the Open button. A new window will open.
If this is the first time you connect to the computer PuTTY will warn you that it doesn't know the computer's host key yet and show its fingerprint. Compare that fingerprint with one you obtained from a trusted source (the helpdesk, or ssh-keygen -l on the server itself while logged in at a Department desktop) before you click the Yes button: accepting an unknown host key blindly lets an attacker who sits between you and the server impersonate the server and capture your session. Later connections reuse the stored key, and PuTTY warns again only if it changes.

You must now type your passphrase to open the private key and you will be connected to the remote computer.

3.3 Create shortcuts

For easier access to a saved session you can create a shortcut (on the desktop or in your start menu).

4. Using Putty Agent

When you make a lot of connections to other computers via PuTTY you have to type the passphrase many times a day. The PuTTY agent (pageant.exe) program can help you cope with this. Pageant asks you to type the passphrase once to open the private key and keeps the decrypted key in memory for all new PuTTY connections, for as long as you are logged on to your computer (pageant does not store the passphrase or the decrypted key on disk). Because the key is usable by anyone at your keyboard while Pageant holds it, lock your screen when you leave your desk.

Using Pageant in manual mode:

To make life even more relaxed, you can let Pageant load SSH keys automatically: give the key file(s) as arguments to pageant.exe in a shortcut (for example in your Startup folder), e.g. pageant.exe H:\mykey.ppk, and Pageant will prompt for the passphrase once when it starts.

5. Secure File Transfers

WinSCP is a graphical program for secure file transfers. WinSCP can use Putty keys and uses the Putty Agent if you started the agent.

5.1 Create sessions

Open the WinSCP.exe program.
If you have not defined sessions yet WinSCP will look like:

Fill in the hostname of the server. The computers that can be used from outside the Department are shell.cs.uu.nl (staff) and students.science.uu.nl (students).
And enter the location of your private Putty SSH key file:

Go to the SSH menu and make sure SSH2 is the preferred protocol. Because on our shell servers the SSH1 protocol doesn't work anymore, you may also select the "2 only" button:

In the Preferences menu you can choose an Explorer-like view or a Norton Commander-like view.
Click on the Save... button at the bottom to save the session.

5.2 Using WinSCP

Open the WinSCP.exe program (if you didn't start it yet).
If you have defined sessions (see the previous section) you will see them in the right pane.

Select a session and click on Login (or simply double-click on a session). If you don't have Putty Agent running a window will popup, asking for your passphrase. Type your passphrase and click OK.
If all works well, a window will appear. The example below shows the Norton Commander layout:

You can copy files between your local computer and the server (both ways) by drag and drop. WinSCP will ask for confirmation before copying the file(s):

6. Port Forwarding, Tunneling


helpdesk@cs.uu.nl, Fri Feb 9 11:34:23 MET 2007