Using ssh at Loyola
There is a slight problem here.
Once upon a time, you connected via ssh by typing in a hostname, and
then your username, and finally your password. The latter two were sent
over an encrypted channel, but this was still password authentication.
Nowadays, "brute-force" password attacks are common. Therefore, connections from outside Loyola are restricted to so-called RSA authentication (or, more generically, public-key authentication, or PKA):
- you create a public/private keypair on your personal workstation
- you install the public key on random/infinity (they have the same filesystem, so a key on one is automatically on the other)
- you then connect. You still have to supply your username, but authentication is then based on the RSA encryption mechanism, and no password is required.
- If you are connecting from within Loyola, the default SSH port 22
is fine. But it is blocked from outside Loyola, so from home you will
eventually have to use the special port 22222 (five 2's).
The gotchas are generating and installing that key. (Also, if anyone
compromises your home machine, they can automatically get into your
random/infinity account, but in the ultimate scheme of things this is
probably not a serious concern.)
SSH clients for Windows
You can use either the well-known standalone PuTTY program (google for
it), or else you can install the Cygwin package including OpenSSH (I
think it's in the network utilities section). The latter behaves pretty
much like the typical Unix ssh, which would also be found on Macs.
The SSH protocol comes in two versions, ssh1 and ssh2. You should use ssh2.
Generating keys
For PuTTY, you generate the key with the program PuTTYgen; you have a
choice between RSA authentication and DSA (which is similar, but I've
never used it). To create randomness you are asked to move the mouse or
type on the keyboard. You also have the option to protect your key with
a passphrase; you can do that, but it's optional. When you are done,
the dialog box shows your public key in a window, from which you can
copy/paste (it's an ASCII string); you also have the option to save
your private key. You need to deal with both.
For the private key, you can save it anywhere, but later you'll have to
find it when running ssh; it's probably simplest to keep it in your
Documents folder, or else in a subfolder named ssh. The key is
associated with you, not with random/infinity, so it probably makes
sense to name it for your home machine or for you yourself rather than
for random or infinity.
For OpenSSH, you type ssh-keygen -t rsa. This generates your private key id_rsa and your public key id_rsa.pub in your directory $HOME/.ssh.
Installing your public key
Either way, you now need to get your public key to random/infinity and
place it as a line (a very long line) in the file
$HOME/.ssh/authorized_keys. You will probably need to be on
campus to do this, because otherwise you are restricted to RSA
authentication, and you don't have that working yet.
For a desktop system, put the public-key file onto a USB drive and bring it in to a lab. For laptops, bring the whole machine.
For OpenSSH, you can use the companion scp (secure copy) to copy the file from your laptop to random/infinity (command line: scp id_rsa.pub random:.ssh to copy to your .ssh directory), or you can use the (non-command-line) application sftp
(secure ftp). Both of these require passwords, which is ok within
Loyola. Then, in an ssh session (again, password authenticated), append
the key to $HOME/.ssh/authorized_keys, either by cat id_rsa.pub >> authorized_keys or by editing with the nano command-line editor.
For PuTTY, perhaps the easiest approach is first to put the public key
onto your clipboard (either by opening the public key file in an
editor, or by copying it directly from the PuTTYgen window). Then
connect to random/infinity, change directory to .ssh, edit with nano authorized_keys,
navigate to the end of the file, and paste in the line by
right-clicking the mouse. You do need to make sure it's all logically
one line; when I tried this, nano inserted a line break right after the
initial ssh-rsa and I had to join the lines with the delete key. Generally nano will not break the ~320-character keystring itself, even though it will wrap on the screen.
Finally, a third way is to email me your public key (not your private
key!) and I'll get it installed for you. My having your public key does
not give me any access to your account.
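The line-break problem described above is easy to miss, because a broken entry simply fails to authenticate. The following is an added example, not part of the original page: a script for random/infinity that appends a public key to authorized_keys with owner-only permissions and then reports any entry that is not one complete line. The function names and the sample key data are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page; function names are this example's own.

# Print "line N: reason" for each authorized_keys entry that is not one
# complete line (key type, then base64 key data); return 1 if any are found.
check_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            t = 0                                # field holding the key type
            for (i = 1; i <= NF; i++)            # options may come before it
                if ($i ~ /^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) { t = i; break }
            if (t == 0 && $1 ~ /^AAAA/) msg = "key data without a key type (second half of a broken line?)"
            else if (t == 0)            msg = "no key type found"
            else if (t == NF)           msg = "key type with no key data (line break after it?)"
            else if ($(t + 1) !~ "^AAAA[A-Za-z0-9+/]+=*$") msg = "key data is not base64"
            else next
            printf "line %d: %s\n", NR, msg
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Append public key file $1 to authorized_keys in directory $2 (default
# $HOME/.ssh), set owner-only modes, then verify the result.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # append only if this exact line is not already there
    grep -qxFf "$pub" "$dir/authorized_keys" 2>/dev/null || cat "$pub" >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    check_authorized_keys "$dir/authorized_keys"
}

# Constructed sample: a key pasted with a line break after "ssh-rsa".
# The key data is made up, not a real key.
demo=$(mktemp)
printf 'ssh-rsa\nAAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed me@home\n' > "$demo"
check_authorized_keys "$demo" || echo "join the lines reported above"
rm -f "$demo"
```

After any manual edit with nano, running check_authorized_keys on $HOME/.ssh/authorized_keys shows which lines need to be joined.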
Connecting with your RSA keys
OpenSSH will attempt to use RSA authentication automatically. For
PuTTY, you have to ask (at least the first time). When you start PuTTY,
you quickly get to a connection dialog box ("session"). Somewhere down
among the options on the left side is a section for ssh, and below that
is a section for auth. Click on that, and there's a place to browse for your private key. Do that, and then connect, and you should be in. I believe that PuTTY remembers this for future sessions.