Using SSH from Windows

Installing an SSH client

SSH is not supported natively on Windows so an SSH client must be installed. PuTTY is an excellent and actively developed open source SSH client. PuTTY’s home page is located here:

https://www.chiark.greenend.org.uk/~sgtatham/putty/

The latest 32bit version (which will work on 64bit and 32bit processors) is always available from this this link.

The file that is linked to is a standalone binary so does not require installing and will simply run when double clicked.

Logging into a linux server

When PuTTY is opened it will display the basic options page. A linux server can be logged into from this page by entering the hostname or IP address of a server in the “Host Name” field. Shown here:

Then click the “Open” button at the bottom. The first time that you connect to a new server (or after a server is re-imaged or re-installed) the following warning will appear:

Hit “Yes” to continue connecting. A command line terminal will open with a prompt to enter a username:

Enter the user that you want to log in as and hit Enter. You will then be prompted for the password and logged into the server’s command line.

Streamlining PuTTY

The simple connection described above requires manually entering the hostname or IP address and authentication details for every connection. PuTTY provides a mechanism to save a connection and all its setting for quick access. PuTTY calls these saved connections “Sessions”.

The process for creating a saved sessions is as follows:

  1. Open PuTTY and enter the hostname of the server you want to connect to.
  2. Enter a name for the session into the Saved Sessions field.
  3. Click Save.

A saved session will be displayed under “Default Settings” when PuTTY is opened:

In order to use a saved sessions:

  1. Click on the saved session name.
  2. Click "Load"
  3. Click "Open"

Or, simply double-click on the saved session name.

A session can be updated to include new configuration once it has been created. In order to do this:

  1. Highlight the sessions name.
  2. Click “Load”.
  3. Set new configuration.
  4. Click “Save”.

The session will now include any new settings such as those described below.

Set auto-login username

Putty can be configured to automatically enter a username when logging into a server. This is done as follows:

  1. Load the session.
  2. Click on “Data” under the “Connection” section.
  3. Enter the desired username in the “Auto-login username” field.
  4. Save the session.

SSH Keys

A secure protocol, in addition to encryption, demands that authentication. The two principle ways of doing this with SSH are:

  1. Passwords.
  2. Cryptographic keys.

Password authentication is the default method for logging in via SSH and will be enabled by default on all Memset servers. Password authentication is secure but there are several advantages to disabling password authentication and instead relying on SSH keys. SSH keys are more secure than passwords as they are all but impossible to brute force attack on the server end. An attacker must have access to the private key to log into the server. They are also more efficient because any server that has the public key can be logged into from any computer that has the private key. This means that a single key (and password) can be used to securely log into any number of servers.

Every SSH key pair is unique. Therefore, in order to start using an SSH key pair they must first be generated.

Generating a key pair

PuTTY cannot generate a key pair, however, PuTTY’s author has also written a tool to generate a key pair suitable to use in PuTTY. This tool is called PuTTYGen. The latest version is always available via this link.

When PuTTYGen is opened it will default to the following parameters for an SSH key pair:

  • RSA
  • 2048 bits

RSA refers to the encryption algorithm and 2048 bits is the length of the key. A longer key is more secure but incurs a performance penalty. However, with modern computers, a key length of 4096 bits will not cause any noticeable performance issues and will be secure for a much longer time as attackers computers get more powerful.

Therefore, a bit length of 4096 should be entered into the “Number of bits in the generated key” field.

Create the new key by hitting the “Generate” button. When the keys have been generated you will see the following screen:

In order to save the key pair:

  1. Enter a secure password here.
  2. Click “Save private key” to save the private key to a file.
  3. Copy and paste the public key displayed in the square into a text file (make sure you get all of it by scrolling down). This will be needed later to copy to the server.

Now is also a good time to save both files (or their contents) into a password manager for secure portability.

Using SSH Keys

SSH keys can only be used once the public key has been copied to the server. It must be added to the ~/.ssh/authorized_keys file of the user you intend to log in as.

In order to do this log into your server via SSH using a username and password. Then open the authorized_keys file with your favourite text editor, nano is shown here: 

cd .ssh
nano authorized_keys

Then paste the entire public key shown above in the PuTTYGen save screen. The public key must only occupy a single line. Then exit the server.

Next, open PuTTY and load the session for that server. Then expand the SSH category and highlight the “Auth” section. Hit the “Browse” button and find the private key you saved from PuTTYGen.

Before hitting “Open” go back to the “Session” page and click “Save”. The key will always now be used for this session.

Finally, hit “Open”. You will be prompted for the password of the private key and not the password for the server.

This method of using the SSH keys means that the key’s password must be entered every time a connection is opened. However, it will always be the same password i.e. the key’s password, no matter which server is being logged into. This is convenient in that only a single password needs to be remembered.

However, this process can be further streamlined by loading the key into memory so that a password is only required a single time and not for every connection.

Loading an SSH key into memory

When an SSH key is loaded into memory it will be available for use whenever a new connection is made to a server. PuTTY will automatically check for the presence of a loaded key when it initiates a new connection and will use it automatically, without prompting for a password, if one is present.

PuTTY cannot load the key into memory but a program by the same developer does. This program is called Pageant. The latest binary is available from this link.

Pageant is a simple program that only loads private SSH keys. All that is required to do so is to hit the Add key button, locate the private key and open it.

Once the private key that was created with PuTTYGen is opened and loaded with Pageant it looks like the following:

Pageant can load multiple private keys.

PuTTY will attempt to use all the private keys loaded into memory with Pageant when making a connection to a server. If the private key is loaded with Pageant and the username already configured in PuTTY a connection will be made without requiring any user input.

Furthermore, WinSCP, an FTP replacement, will also use any keys loaded into Pageant. WinSCP is a recommended replacement for FTP under Windows. Please see the Replacing FTP with SSH documentation for instructions on using WinSCP.

Disabling password authentication on the server

The security benefits of using SSH keys can be maximised by disabling password authentication on the server. Almost all of the simple automated attacks against SSH are people or bots attempting to guess username and password combinations. When password authentication is disabled this method of attack is rendered useless. It is, therefore, highly recommended to disable password authentication on the server.

Before you follow the steps below, make sure you have a copy of your server's root password as it will be required to regain access to the server if there are any problems with SSH as a result of this work.

The steps to disable password authentication are as follows:

  1. Log into the server as root.
  2. Change to SSH's configuration directory: 
    cd /etc/ssh/
  3. Open sshd_config with your favorite text editor. Here nano is used: 
    nano sshd_config
  4. Edit the following line: 
    Before edit:
PasswordAuthentication yes

After edit:
PasswordAuthentication no
  5. Save and exit.
  6. Check for any errors in the new configuration with the following command: 
    sshd -t
  7. Restart SSH if there are no reported errors. On modern distributions this is done with the following command: 
    systemctl restart sshd.service
  8. Log out and log back in to check that everything is working correctly.

If you are not able to log back into the server Memset provides an out-of-band access to all their servers via MemShell. Please refer to the MemShell documentation for more information. The root password for your server will be required to access the server via MemShell.

Secure communications with SSH

Last updated 22 June 2017, 06:53 GMT