Using ssh keys to access BlueM

Access to BlueM is only allowed using the secure communications protocols available from ssh. Normally, you ssh to BlueM and enter your password to log in. However, ssh also allows connections without entering a password. Instead, you use a key protected by something called a passphrase, which you enter when you log in. So what is the advantage? A passphrase can be empty or blank. If you have an empty passphrase, you do not need to enter it when you log in. An empty passphrase presents a slight security risk. However, it is also possible for a "real" nontrivial passphrase to be cached, so that you only need to enter it once a day.

This document describes how to set up a passphrase and use it to log in to BlueM. We will discuss both empty passphrases and the preferred method of logging into BlueM, which is a cached nonempty passphrase. We assume you are using a Windows machine along with the puTTY application. The related application puTTYgen will be used to generate the keys required to access BlueM. puTTYgen and puTTY can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

If you are using Linux/OSX then the procedure is discussed here

There is a video of the procedure discussed in this document available from

http://geco.mines.edu/ssh/puttyra.mov

Open puTTYgen by clicking on its icon.

Then click on the SSH-2 DSA radio button in the lower right hand corner. Then click on the Generate button directly above. See figure 1. After you click on the Generate button you will be asked to randomly move your mouse. Your movements are essentially a seed for a random number generator.

Figure 1

After the key is generated click on Save private key and save the key with the name id_dsa_ra. You will be asked if you want to save the key without a passphrase. Click yes.

Figure 2

Then save the public key using the Save public key button. Again, save this key using the name id_dsa_ra. The file names will not conflict because puTTYgen appends ".ppk" to the private filename.

Do not close puTTYgen yet.

The contents of id_dsa_ra need to be copied to your authorized_keys file on BlueM.

Open puTTY and connect to BlueM as you always have. For example, in the Host Name (or IP address) box type your BlueM username followed by "@bluem.mines.edu", then click on Open. You should get connected to BlueM and you will be asked for your password.

Figure 3. Entering a connection to BlueM with your username and BlueM's address.

The file on BlueM that you will need to modify is authorized_keys in the hidden directory .ssh. So first change to this directory.

cd .ssh

Using your favorite editor open the file authorized_keys. Go back to puTTYgen and copy the Public key as shown in figure 4. Make sure you grab the whole string. Paste this string in at the end of your authorized_keys file. Add a linefeed before and after your pasted text for good measure.

Figure 4. Getting a copy of your key from PuTTY Key Generator.

IMPORTANT:

The text that you copy from id_dsa_ra.pub is a single line. Sometimes when you do the copy/paste, linefeeds are added. Make sure that you are only pasting a single line and remove extra linefeeds if required.

Log out of BlueM and close puTTYgen.

Open puTTY again and enter your username and @ra.mines.edu as you did before. Now click on the "+" next to "SSH" in the bottom left portion of the window. The SSH menu will expand so you can click on Auth.

Figure 5. The puTTY window after expanding the "SSH" menu and clicking on Auth.

This will open a new pane. Click the two boxes below Authenticate Parameters. Then click on Browse and Open the file id_dsa_ra.ppk.

Figure 6. Selecting the key file id_dsa_ra.ppk.

When the file is opened the current pane will close and you will be brought back to the puTTY Configuration window. Click on Open and you should get a connection to BlueM without being asked for your password.

Additional Security while Maintaining Easy Access

There is a slight risk associated with using empty passphrases. If someone were to gain access to your machine, either by hacking or stealing a laptop, then they would have free access to BlueM.

Fortunately there is a way to have the best of both worlds. You can have a nontrivial passphrase but not need to enter it every time you log in. There is a companion application to puTTY called pageant that provides this capability. pageant can also be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

There is a video of pageant in use available from

http://geco.mines.edu/ssh/puttyra2.mov

First we need to create a ssh key that has a passphrase. Open puTTYgen by clicking on its icon.

Then click on the SSH-2 DSA radio button in the lower right hand corner. Then click on the Generate button directly above. See figure 7. After you click on the Generate button you will be asked to randomly move your mouse. Your movements are essentially a seed for a random number generator.

After the key is generated, enter a passphrase twice as shown in figure 7, then click on Save private key and save the key with the name "for_ra".

Figure 7. Entering a passphrase in puTTYgen.

Then save the public key using the Save public key button. Again, save this key using the name for_ra. The file names will not conflict because puTTYgen appends ".ppk" to the private filename.

Do not close puTTYgen yet.

The contents of for_ra need to be copied to your authorized_keys file on BlueM.

Open puTTY and connect to BlueM as you always have. For example, in the Host Name (or IP address) box type your BlueM username followed by "@bluem.mines.edu" as shown in Figure 3, then click on Open. You should get connected to BlueM and you will be asked for your password.

The file on BlueM that you will need to modify is authorized_keys in the hidden directory .ssh. So first change to this directory.

cd .ssh

Using your favorite editor open the file authorized_keys. Go back to puTTYgen and copy the Public key as shown in figure 4. Make sure you grab the whole string. Paste this string in at the end of your authorized_keys file. Add a linefeed before and after your pasted text for good measure.

IMPORTANT:

The text that you copy from id_dsa_ra.pub is a single line. Sometimes when you do the copy/paste, linefeeds are added. Make sure that you are only pasting a single line and remove extra linefeeds if required.
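
The single-line requirement in the two IMPORTANT notes above can be checked mechanically before you log out. The following Python sketch is an added example, not part of the original procedure or of puTTY; it assumes plain "type base64 comment" entries (no leading options) of the three key types listed, and the sample key is constructed filler bytes, not a real key.

```python
import base64
import struct

# Fields in the public-key blob per key type (RFC 4253 / RFC 8709 wire format).
FIELD_COUNT = {"ssh-dss": 5, "ssh-rsa": 3, "ssh-ed25519": 2}

def wire_fields(blob):
    """Split an SSH wire blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields

def check_authorized_keys(text):
    """Return [(line_number, problem)] for entries damaged by a bad paste."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank lines and comments are harmless
        if len(parts) < 2 or parts[0] not in FIELD_COUNT:
            problems.append((num, "not a 'type base64 [comment]' entry"))
            continue
        try:
            fields = wire_fields(base64.b64decode(parts[1], validate=True))
        except ValueError as exc:  # binascii.Error subclasses ValueError
            problems.append((num, f"key blob damaged: {exc}"))
            continue
        if not fields or fields[0] != parts[0].encode():
            problems.append((num, "declared type differs from type in blob"))
        elif len(fields) != FIELD_COUNT[parts[0]]:
            problems.append((num, "key blob incomplete"))
    return problems

def _wire(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample: ssh-dss layout (type, p, q, g, y) with filler bytes, not a real key.
_BLOB = b"".join(_wire(f) for f in
                 (b"ssh-dss", b"\x01" * 129, b"\x02" * 21, b"\x03" * 128, b"\x04" * 128))
GOOD = "ssh-dss " + base64.b64encode(_BLOB).decode() + " dsa-key-constructed"
BROKEN = GOOD[:120] + "\n" + GOOD[120:]  # linefeed added by copy/paste
```

Passing the contents of your authorized_keys file to check_authorized_keys() should return an empty list; any line number it reports is an entry to delete and paste again as one line.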

Now double click on pageant to open it. pageant does not have a window but there is an icon in the lower menu bar to show that it is running. See figure 8.

Figure 8. The pageant icon.



Figure 9. The pageant menu.

If you right click on the pageant icon a menu will be displayed as shown in figure 9. Select "add Key". This will bring up a window in which you can select an ssh key. Open the file "for_ra." A new window will open for you to enter your passphrase as shown in figure 10. Enter it and select "OK." pageant is now holding the validated ssh key for puTTY. You can use puTTY to log on to BlueM without entering a password or a passphrase.

Figure 10. The pageant passphrase window.

You can continue to log on to BlueM until you either exit pageant or select its "View Keys" menu followed by "Remove Key".

Some Linux Journal articles on SSH