Semlab : Muri : System : Howto : SSH for transparent login

This document describes how to use SSH to get secure and encrypted access to our Unix servers, for both login and file transfer, without ever having to type your password. (Note on why this is OK.)

Overview: here we'll 1) install the SSH client software for Windows, 2) generate a cryptographic key pair used for authentication, and 3) copy the key onto your Windows box so you can use it for login.

If you're not using Windows, you may still find step 2) of this useful as it will also enable transparent logins between Unix machines in the same cluster, so you can hop between machines without having to type your password each time, and if you also follow step 3) you can use this between Unix machines in different clusters (i.e., between the CSLI machines and the Leland workstations, etc.).

Install the SSH client software for Windows
What you need for our purposes (getting CVS to work) is just a command-line SSH client, but a command-line SCP client is also handy, and a graphical SSH/terminal client is also useful, so I recommend you install this version of TeraTerm SSH put together by the Stanford Graphics Laboratory, which includes all of the above.
- Install TeraTerm
- Set the environment variable HOME to your user directory, C:\Documents and Settings\[your Windows username]
- edit C:\WINNT\scp.bat (if you did not install Windows to C:\WINNT, substitute the correct directory) and remove both lines that start with "set home=".
Generate a public/private key pair used for authentication
Here is where we actually generate the cryptographic key, unique to you, that you'll be using instead of a password to prove you are you.
- Log into hugin and give the command "ssh-keygen"
- When it asks for the file to save the key in, just press Enter to accept the default
- When it asks for the passphrase, just hit Enter again. (Note that, by creating this key with an empty passphrase, you ARE agreeing that the key files must be kept safe where other people, especially malicious ones, can't get them.)
- And hit Enter again to confirm the empty passphrase. You've just created two files, identity (which is the private key used to prove who you are -- KEEP THIS SAFE!), and identity.pub (the corresponding public key, which lets the server verify your identity without having to even know the contents of the "identity" file).
- type "cd .ssh" to change into the ssh settings directory
- type "cp identity.pub authorized_keys" -- this tells the server to allow the {identity, identity.pub} key pair to be used for authentication.
Side note: this keypair has the side effect of letting you type "ssh hugin", "ssh turing", etc. to log in to a different machine in the CSLI cluster without having to type your password. What actually happens when you do this is as follows: the FROM computer (where you're already logged in and executing this command) sends the "identity" file to the TO computer, where you want to log in. The TO computer has a copy of "authorized.keys", and (via the math behind public-key cryptography) it can verify that the identity key given machines the authorized key. Then it lets you log in. The upshot is you can jump *from* any computer containing "identity" in the right spot (~/.ssh/identity on Unix) *to* any computer containing "authorized_keys" in the right spot (~/.ssh/authorized_keys) without typing your password. Since all the computers in the CSLI cluster give you the same view of your home directory, once you've set this up on hugin as above it works for all of them.
If you want to be able to log in to other Unix computers with the same key, for example the Leland workstations, it suffices for them to have a copy of authorized_keys in the same spot (~/.ssh/), and for the reverse direction they need ~/.ssh/identity in the same place.
Since the file "identity" is now effectively your password (you can still use your password instead, but this file will let anyone who has it log in as you without your password), keep it safe. On Unix, both it and the ~/.ssh directory should have 0700 permissions. ("chmod 700 ~/.ssh" to be safe.)
Copy the key to your Windows machine
- on Windows, open a command prompt
- type "cd %HOME%", which, assuming you set HOME as specified above, is roughly equivalent to Unix "cd ~". This should put you in C:\Documents and Settings\[your username]; if not, something is wrong with your HOME variable.
- type "scp username@hugin.stanford.edu:.ssh/identity .ssh/identity", which copies the file from ~/.ssh/identity on Hugin to the corresponding directory (which will be created by the scp command anyway) on the local machine. You can omit the username@ part if your Unix and Windows usernames are the same; if they differ then it's necessary. If all goes well, this is the last you will have to type your password! (If this step fails, it is probably because it depends on the scp program creating $HOME/.ssh/ as a directory, which it will always do -- assuming HOME is set correctly. So if this fails, either HOME is not set correctly, or c:\winnt\scp.bat is trashing it and you need to remove the "set home=" lines from it.)
- Protect your private key: do "start .ssh" to open the SSH data directory as a folder window, right-click on its background (not on any of the files in it) and choose Properties. Go to the Security tab, and uncheck the "allow inheritable permissions from parent..." checkbox at the bottom (click Copy when it prompts you with Copy/Remove/Cancel). Then click on everyone who isn't you in the top list (Administrators and SYSTEM, most likely) and click Remove. Finally, click OK.
- Now, a test: type "ssh -l username hugin.stanford.edu" -- this should log you in without prompting for a password. You can just type exit after you've confirmed this works.
- If you want the GUI TeraTerm app to work the same way, without needing a password, a couple more steps are necessary: you need to copy C:\Program Files\SGLSSH\teraterm.ini to another file in the same directory, say username.ini for your username. Now start Teraterm with the option -F=username.ini and use its setup menu to customize it for you: choose Setup/SSH Authentication, and enter your username in the "user name" field, click the "use RSA key to log in" radio button, click the "Private key file" button, and browse to your private key file in C:\Documents and Settings\username\.ssh\identity. Now OK this dialog, choose Setup/Save Setup, and make sure you overwrite your custom username.ini (not the shared teraterm.ini). /ul>

Note: why it's OK to set up passwordless logins, why you'd want to do this, and why SSH is a better option for this than other tools. First, why you'd want to: it's convenient, makes it very easy to log in from your Windows machine to the Unix machines as well as hopping from one Unix machine to another without having to reauthenticate each time, and most importantly for our purposes here, facilitates the use of SSH as the file transfer mechanism for CVS. Second, why it's still secure: you will generate a cryptographic key which will substitute for your password, and you will still need to prevent this key (which is much harder to guess or crack than any conceivable password) on each login. You do still need to keep this key safe; I recommend storing it only on systems with secure multiuser file systems (Unix, or NT/2000 using NTFS). Third, why SSH is better than alternatives such as rlogin: it's much harder to fool (because of the cryptographic key) than these weaker forms of authentication.