Windows "direct" SSH access with PuTTY

This article explains how to access the SSH service on a D-ITET computer behind the ETH firewall from a Windows client outside of the ETH network (e.g. from home, abroad, ...) using the PuTTY SSH client software, without the VPN client. There are two solutions presented here, but the simple solution should work fine in most cases.

Simple solution

What you need

You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html:

• putty.exe

Configuration steps

1. Log in to you ETH-external computer

2. In this example scenario, we want to connect to the student exercise room (targethost) computer tardis-a01 which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ.

3. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter login.ee.ethz.ch. Under "Connection type:" choose "SSH". Under "Saved sessions", enter tardis-a01.ee.ethz.ch or another comprehensive name describing the target host.

4. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, fill in the "Remote Command:" field as follows (or with the appropriate target server you want to reach):

   ssh tardis-a01

5. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click tardis-a01.ee.ethz.ch (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration.

6. Now use the "Open" button to connect to the chosen target server.

Advanced solution

Use this solution, if the simple solution doesn't work for you or if you intend to use public-key based authentication with a key manager.

What you need

You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html:

• putty.exe
• puttygen.exe
• plink.exe
• pageant.exe

Make sure these programs are installed in a path referenced by the PATH environment variable, or all files must be in the same directory with putty.exe. On Windows the default value of the PATH variable is "C:\Windows\system32;C:\Windows". This is needed for putty to find and execute its helper programs plink and pageant.

Configuration steps

Step 1: Generating a public/ private key pair

1. Log in to your ETH-external computer

2. Create a new folder called "keys" on that computer, e.g. C:\keys.

3. Run

   puttygen

   Make sure, that the type of key to generate is set to "RSA", then click then "Generate" button in the main window. Move your mouse pointer over the puttygen window during the key generation, to generate some random data for the key generation.

4. When the keys are generated, copy-paste the the ssh-public key (from the textfield described with "Public key for pasting into OpenSSH authorized_keys file") into a text file called

   C:\keys\putty_ssh_pubkey.txt

   There should be only one long line in that text file with no additional line breaks.
5. In the fields "Key passphrase:" / "Confirm passphrase:" of the puttygen window, enter a passphrase to protect the generated private key. Make sure you don't forget that password, as you will need it later... (please do not set an empty password; if your keys are stolen, one might be able to login with your keys without additional credentials!)

6. Then save the generated public and private keys using the buttons "Save public key" / "Save private key" into two separate files, e.g.

   C:\keys\putty_pubkey

   and

   C:\keys\putty_privkey.ppk

7. Close the puttygen application

Step 2: Installing the public key in the ssh authorized_keys file

1. Log in to your ETHZ workplace computer.

2. Copy the SSH public key generated on your ETH-external computer C:\keys\putty_ssh_pubkey.txt to your ETHZ workplace computer, e.g. to H:\keys\putty_ssh_pubkey.txt

3. Open the command prompt on your ETHZ workplace computer (hit Windows-R on the keyboard to open the run window). Enter

   cmd

   (the command prompt window should open)

4. Enter in the command prompt window

   type H:\keys\putty_ssh_pubkey.txt >> H:\.ssh\authorized_keys

5. Note: if the .ssh directory does not yet exist, it must be created first using

   md H:\.ssh

   Make sure the permissions are correct. Under Linux, they should be "drwx------". Verify this on a managed Linux computer from which you can access your ITET home by entering the following command in a terminal

   ls -lsad $HOME/.ssh

   If the permissions are not correct, adjust them using the command

   chmod 700 $HOME/.ssh

Step 3: Configuring pageant (a key agent for PuTTY)

1. Log in to your ETH-external computer

2. Open the command prompt (hit Windows-R on the keyboard to open the run window). Enter

   cmd

   (the command prompt window should open)

3. Enter in the command prompt window

   pageant C:\keys\putty_privkey.ppk

4. Enter the passphrase (the one entered in "step 1") when prompted in a small popup window
5. A small computer icon with a blue screen should now appear in the system tray.
6. Right-click that icon, choose "New session" from the context menu. The PuTTY window should now pop up; Configure it as described in "step 4".

Step 4: Configuring a remote ssh server for PuTTY with proxy

1. Log in to you ETH-external computer

2. In this example scenario, we want to connect to the student exercise room (targethost) computer tardis-a01 which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ.

3. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter tardis-a01.ee.ethz.ch (or whatever targetserver you intend to reach). Note the hostname should be a fully qualified DNS name (i.e. with ".ee.ethz.ch" appended). Under "Connection type:" choose "SSH". Under "Saved sessions", enter tardis-a01.ee.ethz.ch or another comprehensive name describing the host. Then click the "Save" button.

4. In the configuration tree, navigate to "Connection", then "Data". On the panel shown, enter your ETH username (loginname) in the field "Auto-login username".

5. In the configuration tree, navigate to "Connection", then "Proxy". On the panel shown, choose Local for the "Proxy type". As "Proxy hostname", enter login.ee.ethz.ch and set the "Port" field to 22. Choose Yes for the option "Do DNS name lookup at proxy end:". In the "username" field, enter your ETH username (but leave the password field right next to it empty!). In the textfield "Telnet command or local proxy command" enter the following line:

   plink -v -ssh -agent -hostkey fc:a8:00:5b:64:90:86:a1:fb:49:75:ef:55:58:90:b3 -nc %host:%port %user@%proxyhost

   NOTE: the value specified for the "-hostkey" parameter may change over (a longer) time. It must correspond to the current MD5 hash (for the ssh-rsa key format) of the login.ee.ethz.ch (proxy) host key, as listed on https://ssh-fingerprints.ee.ethz.ch/ . If you try to connect using no or the wrong hostkey, typical symptoms are that the putty will hang during the connect attempt or it will show some error messages like "authentication faiure". Finally, choose Yes for the option "Print proxy diagnostics in the terminal window".

6. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, make sure "SSH protocol version" 2 is chosen.

7. In the configuration tree, navigate to "Connection", then "SSH", then "Auth". Make sure the following settings are selected (and all others unselected): [x] Display pre-authentication banner. [x] Attempt authentication using Pageant. [x] Attempt "keyboard-interactive" auth (SSH-2). [x] Allow agent forwarding.

8. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click tardis-a01.ee.ethz.ch (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration. Close the PuTTY window.

Establishing an SSH session

1. Log in to your ETH-external computer

2. Make sure pageant is running. If the icon is not in your system tray (because pageant does not run), start pageant first manually (i.e. run pageant.exe with your private key file path as the first argument, e.g. use Windows-R, then enter

   pageant C:\keys\putty_privkey.ppk

   Next, enter the passphrase when asked. Both the private key file and the passphrase were defined in "step 1" of the "Configuration steps" section (see above).

3. When the pageant icon appears in the system tray (caution, sometimes it is hidden in a folded system tray because to too many icons there), right-click the icon, then choose the "Saved sessions" submenu and finally the click the host name you intend to connect to; in our example it would be tardis-a01.ee.ethz.ch. A PuTTY terminal window should open and the connection to the target host should be established without further user interactions (i.e. no username or password must be entered).

4. NOTE: Each time you log in to a new windows session/ each time you startup your computer, the pageant service must be started first before PuTTY can be used in the way as described above. You could create a desktop shortcut (icon) the the pageant.exe binary and specify the path to the private key file as a command line option to the pageant binary path in the shortcut's property tab. You could even move that shortcut in your autostart folder, so pageant would be started automatically every time you login to your Windows desktop (however this would also mean to have an additional passphrase popup window when the system comes up, even when you don't need it).