Differences between revisions 11 and 72 (spanning 61 versions)
Revision 11 as of 2019-06-18 14:27:43
Size: 7159
Editor: davidsch
Comment:
Revision 72 as of 2021-09-27 06:50:47
Size: 10440
Editor: bonaccos
Comment: Do not reference the tardis-c machines, decomissioned
Line 1: Line 1:
= Windows "direct" SSH access = #rev 2020-09-04 davidsch
Line 3: Line 3:
This article explains how to access the SSH service on a D-ITET computer behind the ETH firewall from a Windows client outside of the ETH network (e.g. from home, abroad, ...) using the PuTTY SSH client software, ''without'' the [[Workstations/Network/VPN|VPN]] client. <<TableOfContents(3)>>
Line 5: Line 5:
= What you need = = Windows "direct" SSH access with PuTTY =
Line 7: Line 7:
You will need the following programs that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html: This article explains how to access the SSH service on a D-ITET computer behind the ETH firewall from a Windows client outside of the ETH network (e.g. from home, abroad, ...) using the PuTTY SSH client software, ''without'' the [[Workstations/Network/VPN|VPN]] client. There are two solutions presented here, but the simple solution should work fine in most cases.

= Simple solution =

== What you need ==

You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html:
 * putty.exe

== Configuration steps ==

 1. Log in to you ETH-external computer
 1. In this example scenario, we want to connect to the student exercise room (targethost) computer {{{tardis-a01}}} which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ.
 1. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter {{{login.ee.ethz.ch}}}. Under "Connection type:" choose "SSH". Under "Saved sessions", enter {{{tardis-a01.ee.ethz.ch}}} or another comprehensive name describing the target host.
 1. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, fill in the "Remote Command:" field as follows (or with the appropriate target server you want to reach): {{{
ssh tardis-a01
}}}
 1. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click {{{tardis-a01.ee.ethz.ch}}} (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration.
 1. Now use the "Open" button to connect to the chosen target server.



= Advanced solution =

Use this solution, if the simple solution doesn't work for you or if you intend to use public-key based authentication with a key manager.

== What you need ==

You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html:
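Review bot: the new step 1 of the simple solution reads "Log in to you ETH-external computer"; it should be "your" (the same wording is repeated in the new Step 4 list of the advanced solution). In step 3, "another comprehensive name describing the target host" presumably means a descriptive name for the saved session; "descriptive" would be clearer.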
Line 13: Line 41:
Make sure these programs are installed in the system path (or all in the same directory), so the helper programs {{{puttygen, plink, pageant}}} needed will be found by PuTTY. Make sure these programs are installed in a path referenced by the '''PATH''' environment variable, or all files must be in the same directory with putty.exe. On Windows the default value of the PATH variable is "C:\Windows\system32;C:\Windows". This is needed for {{{putty}}} to find and execute its helper programs {{{plink}}} and {{{pageant}}}.
Line 15: Line 43:
= Configuration steps = == Configuration steps ==
Line 17: Line 45:
== Step 1: Generating a public/ private key pair ==
 1. Make a new folder called "keys" in your home directory, e.g. {{{H:\keys}}}.
 1. Run {{{puttygen}}}. Make sure, that the type of key to generate is set to "RSA", then click then "Generate" button in the main window. Move your mouse pointer over the puttygen window during the key generation, to generate some random data for the key generation.
 1. When the keys are generated, copy-paste the the ssh-public key (from the textfield described with "Public key for pasting into OpenSSH authorized_keys file") into a text file (called {{{H:\keys\putty_ssh_pubkey.txt}}}). There should be only one long line in that text file with no additional line breaks.
 1. In the fields "Key passphrase:" / "Confirm passphrase:" of the puttygen window, enter a passphrase to protect the generated private key. Make sure you don't forget that password, as you will need it later...
 1. Then save the generated public and private keys using the buttons "Save public key" / "Save private key" into two separate files, e.g. "{{{H:\keys\putty_pubkey}}}" and "{{{H:\keys\putty_privkey.ppk}}}".
=== Step 1: Generating a public/ private key pair ===
 1. Log in to your ETH-external computer
 1. Create a new folder called "keys" on that computer, e.g. {{{C:\keys}}}.
 1. Run {{{
puttygen
}}} Make sure, that the type of key to generate is set to "RSA", then click then "Generate" button in the main window. Move your mouse pointer over the puttygen window during the key generation, to generate some random data for the key generation.
 1. When the keys are generated, copy-paste the the ssh-public key (from the textfield described with "Public key for pasting into OpenSSH authorized_keys file") into a text file called {{{
C:\keys\putty_ssh_pubkey.txt}}} There should be only one long line in that text file with no additional line breaks.
 1. In the fields "Key passphrase:" / "Confirm passphrase:" of the puttygen window, enter a passphrase to protect the generated private key. Make sure you don't forget that password, as you will need it later... (please do not set an empty password; if your keys are stolen, one might be able to login with your keys without additional credentials!)
 1. Then save the generated public and private keys using the buttons "Save public key" / "Save private key" into two separate files, e.g. {{{
C:\keys\putty_pubkey
}}} and {{{
C:\keys\putty_privkey.ppk
}}}
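Review bot: in the new step 3, "then click then "Generate" button" should read "then click the "Generate" button", and step 4 has "the the ssh-public key". The new warning in step 5 switches between "password" and "passphrase" for the same value; using "passphrase" throughout would match the puttygen field names the step quotes.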
Line 25: Line 61:
== Step 2: Installing the public key in the ssh authorized_keys2 file ==
 1. Open the command prompt (Windows-R, enter "cmd", the command prompt window should open)
 1. Enter {{{H:}}}
 1. Enter {{{cd keys}}}
 1. Enter {{{type putty_ssh_pubkey.txt >> H:\.ssh\authorized_keys_2}}}
 1. Note: if the {{{.ssh}}} directory does not yet exist, it must be created first (using mkdir H:\.ssh). Make sure the permissions are correct (under ''Linux'', they should be "drwx------"; if not correct use {{{chmod 700 .ssh}}})
=== Step 2: Installing the public key in the ssh authorized_keys file ===
 1. Log in to your ETHZ workplace computer.
 1. Copy the SSH public key generated on your ETH-external computer {{{C:\keys\putty_ssh_pubkey.txt}}} to your ETHZ workplace computer, e.g. to {{{H:\keys\putty_ssh_pubkey.txt}}}
 1. Open the command prompt on your ETHZ workplace computer (hit Windows-R on the keyboard to open the run window). Enter {{{
cmd
}}} (the command prompt window should open)
 1. Enter in the command prompt window {{{
type H:\keys\putty_ssh_pubkey.txt >> H:\.ssh\authorized_keys
}}}
 1. Note: if the {{{.ssh}}} directory does not yet exist, it must be created first using {{{
md H:\.ssh
}}} Make sure the permissions are correct. Under ''Linux'', they should be {{{"drwx------"}}}. Verify this on a ''managed Linux computer'' from which you can access your ITET home by entering the following command in a terminal {{{
ls -lsad $HOME/.ssh}}} If the permissions are not correct, adjust them using the command {{{
chmod 700 $HOME/.ssh
}}}
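Review bot: the new step 5 verifies the mode of the .ssh directory but not of the authorized_keys file that the `type ... >>` redirect creates; since the same permission concern applies to the file, consider adding a matching check (e.g. `ls -l $HOME/.ssh/authorized_keys` and `chmod 600 $HOME/.ssh/authorized_keys` if needed). Also note that the removed text appended to authorized_keys_2 while the new text uses authorized_keys, so users who followed the old revision may now have keys in both files.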
Line 32: Line 77:
== Step 3: Configuring pageant (a key agent for PuTTY) ==
 1. Open the command prompt (Windows-R, enter "cmd"), the command prompt window should open.
 1. Enter {{{pageant H:\putty_privkey.ppk}}}
 1. Enter the passphrase (the one entered in Step 1) when prompted
=== Step 3: Configuring pageant (a key agent for PuTTY) ===
 1. Log in to your ETH-external computer
 1. Open the command prompt (hit Windows-R on the keyboard to open the run window). Enter {{{
cmd
}}} (the command prompt window should open)
 1. Enter in the command prompt window {{{
pageant C:\keys\putty_privkey.ppk
}}}
 1. Enter the passphrase (the one entered in "step 1") when prompted in a small popup window
Line 37: Line 87:
 1. Right-click that icon, choose "New session" from the context menu. The PuTTY window should now pop up; Configure it as described in step 4.  1. Right-click that icon, choose "New session" from the context menu. The PuTTY window should now pop up; Configure it as described in "step 4".
Line 39: Line 89:
== Step 4: Configuring a remote ssh server for PuTTY with proxy ==
 1. In this example scenario, we want to connect to the student exercise room (targethost) computer {{{tardis-c01}}} which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ.
 1. In the configuration tree, navigate to "Session". In the "Host Name (or IP address)" field, enter {{{tardis-c01.ee.ethz.ch}}} (or whatever targetserver you intend to reach). Note the hostname should be a fully qualified DNS name (i.e. with ".ee.ethz.ch" appended). Under "Connection type:" choose "SSH". Under "Saved sessions", enter {{{tardis-c01.ee.ethz.ch}}} or another comprehensive name describing the host. Then click the "Save" button.
=== Step 4: Configuring a remote ssh server for PuTTY with proxy ===
 1. Log in to you ETH-external computer

 1. In this example scenario, we want to connect to the student exercise room (targethost) computer {{{tardis-a01}}} which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ.
 1. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter {{{tardis-a01.ee.ethz.ch}}} (or whatever targetserver you intend to reach). Note the hostname should be a fully qualified DNS name (i.e. with ".ee.ethz.ch" appended). Under "Connection type:" choose "SSH". Under "Saved sessions", enter {{{tardis-a01.ee.ethz.ch}}} or another comprehensive name describing the host. Then click the "Save" button.
Line 44: Line 95:
plink -v -ssh -agent -hostkey 3b:b0:1a:8a:ea:0a:e5:ea:bb:9e:bb:5c:ef:24:c3:92 -nc %host:%port %user@%proxyhost
}}} NOTE: the value specified for the "-hostkey" parameter may change over time. It must correspond to the current MD5 hash of the {{{login.ee.ethz.ch}}} host key, as listed on https://ssh-fingerprints.ee.ethz.ch/ . Finally, choose {{{Yes}}} for the option "Print proxy diagnostics in the terminal window".
 1. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, make sure "SSH protocol version" {{{2}}} is chosen.
plink -v -ssh -agent -hostkey fc:a8:00:5b:64:90:86:a1:fb:49:75:ef:55:58:90:b3 -nc %host:%port %user@%proxyhost
}}} NOTE: the value specified for the "-hostkey" parameter may change over (a longer) time. It must correspond to the current MD5 hash (for the ''ssh-rsa'' key format) of the {{{login.ee.ethz.ch}}} (proxy) host key, as listed on https://ssh-fingerprints.ee.ethz.ch/ . If you try to connect using no or the wrong hostkey, typical symptoms are that the putty will hang during the connect attempt or it will show some error messages like "authentication faiure". Finally, choose {{{Yes}}} for the option "Print proxy diagnostics in the terminal window".
 1. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, make sure "SSH protocol version" '''2''' is chosen.
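Review bot: "authentication faiure" in the new NOTE should be "authentication failure". The note explains the hang/failure symptoms of a stale -hostkey well; it could state explicitly that the fix is to re-check the fingerprint on https://ssh-fingerprints.ee.ethz.ch/ and update the pinned value, not to drop the -hostkey option, since that option is what makes plink verify the login.ee.ethz.ch host key before the proxy connection is used.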
Line 48: Line 99:
 1. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click {{{tardis-c01.ee.ethz.ch}}} (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration. Close the PuTTY window.  1. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click {{{tardis-a01.ee.ethz.ch}}} (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration. Close the PuTTY window.
Line 51: Line 102:
= Establishing an SSH session =
 1. Make sure {{{pageant}}} is running. If the icon is not in your system tray (because pageant does not run), start pageant first manually (i.e. run pageant.exe with your private key file path as the first argument, e.g. use Windows-R, then enter {{{pageant H:\keys\putty_privkey.ppk}}}, enter the passphrase when asked. Both the private key file and the passphrase were defined in step 1 of the "Configuration steps" section (see above).
 1. When the pageant icon appears in the system tray (caution, sometimes it is hidden in a folded system tray because to too many icons there), right-click the icon, then choose the "Saved sessions" submenu and finally the click the host name you intend to connect to; in our example it would be {{{tardis-c01.ee.ethz.ch}}}. A PuTTY terminal window should open and the connection to the target host should be established without further user interactions (i.e. no username or password must be entered).
 1. NOTE: Each time you log in to a new windows session/ each time you startup your computer, the {{{pageant}}} service must be started first before PuTTY can be used in the way as described above. You could create a desktop shortcut (icon) the the pageant.exe binary and specify the path to the private key file as a command line option to the pageant binary path in the shortcut's property tab. You could even move that shortcut in your autostart folder, so pageant would be started automatically every time you login to your Windows desktop (however this would also mean to have an additional passphrase window showing up when the system comes up).
== Establishing an SSH session ==
 1. Log in to your ETH-external computer

 1. Make sure {{{pageant}}} is running. If the icon is not in your system tray (because pageant does not run), start pageant first manually (i.e. run pageant.exe with your private key file path as the first argument, e.g. use Windows-R, then enter {{{
pageant C
:\keys\putty_privkey.ppk
}}} Next, enter the passphrase when asked. Both the private key file and the passphrase were defined in "step 1" of the "Configuration steps" section (see above).
 1. When the pageant icon appears in the system tray (caution, sometimes it is hidden in a folded system tray because to too many icons there), right-click the icon, then choose the "Saved sessions" submenu and finally the click the host name you intend to connect to; in our example it would be {{{tardis-a01.ee.ethz.ch}}}. A PuTTY terminal window should open and the connection to the target host should be established without further user interactions (i.e. no username or password must be entered).
 1. NOTE: Each time you log in to a new windows session/ each time you startup your computer, the {{{pageant}}} service ''must be started first before PuTTY can be used'' in the way as described above. You could create a desktop shortcut (icon) the the pageant.exe binary and specify the path to the private key file as a command line option to the pageant binary path in the shortcut's property tab. You could even move that shortcut in your autostart folder, so pageant would be started automatically every time you login to your Windows desktop (however this would also mean to have an additional passphrase popup window when the system comes up, even when you don't need it).
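Review bot: the preformatted block in the new step 2 of "Establishing an SSH session" is split across two lines ("pageant C" / ":\keys\putty_privkey.ppk"), so the command will not copy-paste correctly; join it into one line as in Step 3. Also "because to too many icons" and "finally the click the host name" in step 3, and "the the pageant.exe binary" in step 4.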

Windows "direct" SSH access with PuTTY

This article explains how to access the SSH service on a D-ITET computer behind the ETH firewall from a Windows client outside of the ETH network (e.g. from home, abroad, ...) using the PuTTY SSH client software, without the VPN client. There are two solutions presented here, but the simple solution should work fine in most cases.

Simple solution

What you need

You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html:

  • putty.exe

Configuration steps

  1. Log in to your ETH-external computer
  2. In this example scenario, we want to connect to the student exercise room computer (the target host) tardis-a01, which is now behind the ETH firewall and is therefore not directly reachable on the SSH port (tcp/22) from outside ETHZ.

  3. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter login.ee.ethz.ch. Under "Connection type:" choose "SSH". Under "Saved sessions", enter tardis-a01.ee.ethz.ch or another descriptive name for the target host.

  4. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, fill in the "Remote Command:" field as follows (or with the appropriate target server you want to reach):

    ssh tardis-a01
  5. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" list field, single-click tardis-a01.ee.ethz.ch (or whatever target server you intended to reach). Then click the "Save" button. You are done with the configuration.

  6. Now use the "Open" button to connect to the chosen target server.

Advanced solution

Use this solution, if the simple solution doesn't work for you or if you intend to use public-key based authentication with a key manager.

What you need

You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html:

  • putty.exe
  • puttygen.exe
  • plink.exe
  • pageant.exe

Make sure these programs are installed in a directory referenced by the PATH environment variable, or that all files are in the same directory as putty.exe. On Windows the default value of the PATH variable is "C:\Windows\system32;C:\Windows". This is needed for putty to find and execute its helper programs plink and pageant.

Configuration steps

Step 1: Generating a public/private key pair

  1. Log in to your ETH-external computer
  2. Create a new folder called "keys" on that computer, e.g. C:\keys.

  3. Run

    puttygen
    Make sure that the type of key to generate is set to "RSA", then click the "Generate" button in the main window. Move your mouse pointer over the puttygen window during key generation to provide some random data for it.
  4. When the keys are generated, copy-paste the SSH public key (from the text field labelled "Public key for pasting into OpenSSH authorized_keys file") into a text file called

    C:\keys\putty_ssh_pubkey.txt
    There should be only one long line in that text file with no additional line breaks.
  5. In the fields "Key passphrase:" / "Confirm passphrase:" of the puttygen window, enter a passphrase to protect the generated private key. Make sure you don't forget that passphrase, as you will need it later. (Please do not set an empty passphrase; if your keys are stolen, someone might be able to log in with your keys without any additional credentials!)
  6. Then save the generated public and private keys using the buttons "Save public key" / "Save private key" into two separate files, e.g.

    C:\keys\putty_pubkey

    and

    C:\keys\putty_privkey.ppk
  7. Close the puttygen application

Step 2: Installing the public key in the ssh authorized_keys file

  1. Log in to your ETHZ workplace computer.
  2. Copy the SSH public key generated on your ETH-external computer (C:\keys\putty_ssh_pubkey.txt) to your ETHZ workplace computer, e.g. to H:\keys\putty_ssh_pubkey.txt

  3. Open the command prompt on your ETHZ workplace computer (hit Windows-R on the keyboard to open the run window). Enter

    cmd
    (the command prompt window should open)
  4. Enter in the command prompt window

    type H:\keys\putty_ssh_pubkey.txt >> H:\.ssh\authorized_keys
  5. Note: if the .ssh directory does not yet exist, it must be created first using

    md H:\.ssh

    Make sure the permissions are correct. Under Linux, they should be "drwx------". Verify this on a managed Linux computer from which you can access your ITET home by entering the following command in a terminal:

    ls -lsad $HOME/.ssh

    If the permissions are not correct, adjust them using the command

    chmod 700 $HOME/.ssh
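
The two things that go wrong most often in this step are a public key file that is not exactly one line (an extra line break from the paste) and an authorized_keys file or .ssh directory with permissions sshd refuses. The following Python script is an added example written for this article, not code from the wiki or from PuTTY: it validates the one-line key file the way a careful user would before appending it, appends it without creating duplicates (the effect of the `type ... >>` command), and checks the permissions the article asks you to verify. The sample key is a constructed all-zero ed25519 key, the paths are temporary directories, and the function names are this example's own.

```python
"""Validate a puttygen-exported OpenSSH public key line, append it to
authorized_keys without duplicates and check .ssh permissions.
Added example for the article; the sample key and paths are constructed."""
import base64
import os
import re
import stat
import struct
import tempfile

# One authorized_keys line: "<type> <base64 blob> [comment]".
KEY_LINE_RE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+) ([A-Za-z0-9+/]+=*)(?: (.*))?$")


def ssh_string(data):
    """SSH wire encoding of a byte string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(text):
    """Return (keytype, b64blob, comment). Raises ValueError unless the text is
    exactly one key line: puttygen's text must be one long line without extra
    breaks, as the article says."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line, got %d" % len(lines))
    m = KEY_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    # The first SSH string inside the blob repeats the key type; cross-check it.
    raw = base64.b64decode(blob, validate=True)
    (tlen,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside the blob does not match the prefix")
    return keytype, blob, comment


def is_valid_key_file(text):
    """True if the text passes parse_pubkey_line, False otherwise."""
    try:
        parse_pubkey_line(text)
        return True
    except ValueError:
        return False


def install_pubkey(key_text, ssh_dir):
    """Append the key to ssh_dir/authorized_keys, creating .ssh as 0700 if
    needed. Returns True if appended, False if the same key was already there."""
    keytype, blob, comment = parse_pubkey_line(key_text)
    if not os.path.isdir(ssh_dir):
        os.mkdir(ssh_dir, 0o700)
        os.chmod(ssh_dir, 0o700)          # defeat a permissive umask
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [ln.split()[:2] for ln in f if ln.strip()]
    if [keytype, blob] in existing:
        return False
    with open(path, "a") as f:
        f.write(("%s %s %s" % (keytype, blob, comment)).rstrip() + "\n")
    os.chmod(path, 0o600)
    return True


def check_permissions(ssh_dir):
    """Return the problems found (empty list means OK). The article requires
    .ssh to be drwx------ (0700); sshd's StrictModes additionally rejects a
    group- or world-writable authorized_keys, so both are checked."""
    problems = []
    d_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if d_mode != 0o700:
        problems.append(".ssh is %s, expected 0700 (chmod 700 ~/.ssh)" % oct(d_mode))
    ak = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(ak) and stat.S_IMODE(os.stat(ak).st_mode) & 0o022:
        problems.append("authorized_keys is group/world writable (chmod 600)")
    return problems


# Constructed sample: an all-zero ed25519 public key, clearly not a real key.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode() + " eth-user@home-pc"


def run_demo():
    """Install the sample key twice into a temporary .ssh, then break the
    directory mode and check again; returns what happened at each stage."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        first = install_pubkey(SAMPLE_KEY, ssh_dir)
        second = install_pubkey(SAMPLE_KEY + "\n", ssh_dir)   # trailing newline is fine
        clean = check_permissions(ssh_dir)
        os.chmod(ssh_dir, 0o755)                               # simulate the wrong mode
        bad = check_permissions(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys")) as f:
            n_lines = len(f.readlines())
    return {"first": first, "second": second, "clean": clean, "bad": bad, "lines": n_lines}


if __name__ == "__main__":
    print(run_demo())
```

Run it on a managed Linux computer against a copy of the puttygen text file; the permission check reports the same condition the `ls -lsad $HOME/.ssh` step above asks you to inspect by eye, and the duplicate check keeps repeated `type ... >>` runs from adding the same key several times.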

Step 3: Configuring pageant (a key agent for PuTTY)

  1. Log in to your ETH-external computer
  2. Open the command prompt (hit Windows-R on the keyboard to open the run window). Enter

    cmd
    (the command prompt window should open)
  3. Enter in the command prompt window

    pageant C:\keys\putty_privkey.ppk
  4. Enter the passphrase (the one entered in "step 1") when prompted in a small popup window
  5. A small computer icon with a blue screen should now appear in the system tray.
  6. Right-click that icon and choose "New session" from the context menu. The PuTTY window should now pop up; configure it as described in "step 4".

Step 4: Configuring a remote ssh server for PuTTY with proxy

  1. Log in to your ETH-external computer
  2. In this example scenario, we want to connect to the student exercise room computer (the target host) tardis-a01, which is now behind the ETH firewall and is therefore not directly reachable on the SSH port (tcp/22) from outside ETHZ.

  3. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter tardis-a01.ee.ethz.ch (or whatever target server you intend to reach). Note that the hostname should be a fully qualified DNS name (i.e. with ".ee.ethz.ch" appended). Under "Connection type:" choose "SSH". Under "Saved sessions", enter tardis-a01.ee.ethz.ch or another descriptive name for the host. Then click the "Save" button.

  4. In the configuration tree, navigate to "Connection", then "Data". On the panel shown, enter your ETH username (loginname) in the field "Auto-login username".
  5. In the configuration tree, navigate to "Connection", then "Proxy". On the panel shown, choose Local for the "Proxy type". As "Proxy hostname", enter login.ee.ethz.ch and set the "Port" field to 22. Choose Yes for the option "Do DNS name lookup at proxy end:". In the "username" field, enter your ETH username (but leave the password field right next to it empty!). In the text field "Telnet command or local proxy command" enter the following line:

    plink -v -ssh -agent -hostkey fc:a8:00:5b:64:90:86:a1:fb:49:75:ef:55:58:90:b3 -nc %host:%port %user@%proxyhost

    NOTE: the value specified for the "-hostkey" parameter may change over (a longer) time. It must correspond to the current MD5 hash (for the ssh-rsa key format) of the login.ee.ethz.ch (proxy) host key, as listed on https://ssh-fingerprints.ee.ethz.ch/ . If you try to connect with no or a wrong host key, typical symptoms are that PuTTY hangs during the connect attempt or shows error messages like "authentication failure". Finally, choose Yes for the option "Print proxy diagnostics in the terminal window".

  6. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, make sure "SSH protocol version" 2 is chosen.

  7. In the configuration tree, navigate to "Connection", then "SSH", then "Auth". Make sure the following settings are selected (and all others unselected): [x] Display pre-authentication banner. [x] Attempt authentication using Pageant. [x] Attempt "keyboard-interactive" auth (SSH-2). [x] Allow agent forwarding.
  8. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" list field, single-click tardis-a01.ee.ethz.ch (or whatever target server you intended to reach). Then click the "Save" button. You are done with the configuration. Close the PuTTY window.
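
The "-hostkey" value in step 5 is the MD5 fingerprint of the proxy's ssh-rsa host key: the MD5 digest of the key's binary SSH wire encoding, written as sixteen colon-separated hex byte values. The Python script below is an added example for this article, not code from the wiki or from PuTTY; it shows how that fingerprint (and the SHA256 form that fingerprint pages usually show alongside it) is derived from a public key, so that a user can check a value found in a known_hosts entry against what is pinned in the proxy command before pasting a new fingerprint. The key material is a constructed dummy ssh-rsa key with a tiny modulus, not the real login.ee.ethz.ch key; the fingerprints page linked above remains the authoritative source for the value to pin, and all function names are this example's own.

```python
"""Compute the MD5 and SHA256 fingerprints of an SSH public key, the values
that plink's -hostkey option is compared against. Added example for the
article; the key below is a constructed dummy, not a real host key."""
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire encoding of a byte string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH mpint: big-endian two's complement, so a leading 0x00 is added when
    the top bit of the first byte is set (otherwise it would read as negative)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_pubkey_blob(e, n):
    """Binary ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob):
    """Legacy fingerprint format used in the proxy command: aa:bb:cc:..."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """Modern format: SHA256:<base64 without padding>."""
    raw = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def fingerprints_from_known_hosts_line(line):
    """Parse "host keytype base64blob" (the format of a known_hosts entry) and
    return the key type with both fingerprints."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside the blob does not match the prefix")
    return {"host": host, "type": keytype,
            "md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob)}


def matches_pinned(fingerprint, pinned):
    """Case-insensitive comparison of an MD5 fingerprint with the pinned value;
    on a mismatch plink refuses the proxy connection, which is the intended
    fail-closed behaviour."""
    return fingerprint.lower() == pinned.lower()


# Constructed dummy key (NOT the real login.ee.ethz.ch key): e = 65537 and a
# modulus whose top bit is set, so the mpint sign padding is exercised.
DUMMY_BLOB = rsa_pubkey_blob(65537, 0xF00DFACE0BADC0DE)
DUMMY_LINE = "login.example.invalid ssh-rsa " + base64.b64encode(DUMMY_BLOB).decode()

if __name__ == "__main__":
    info = fingerprints_from_known_hosts_line(DUMMY_LINE)
    print(info["type"], info["md5"], info["sha256"])
```

To use it with a real entry, paste the `login.ee.ethz.ch ssh-rsa AAAA...` line from a known_hosts file on a machine that already trusts the proxy into fingerprints_from_known_hosts_line and compare the md5 value with the one published on the fingerprints page and with the one in your saved session.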

Establishing an SSH session

  1. Log in to your ETH-external computer
  2. Make sure pageant is running. If its icon is not in your system tray (because pageant is not running), start pageant manually first, i.e. run pageant.exe with your private key file path as the first argument: use Windows-R, then enter

    pageant C:\keys\putty_privkey.ppk
    Next, enter the passphrase when asked. Both the private key file and the passphrase were defined in "step 1" of the "Configuration steps" section (see above).
  3. When the pageant icon appears in the system tray (caution, sometimes it is hidden in a folded system tray because there are too many icons there), right-click the icon, then choose the "Saved sessions" submenu and finally click the host name you intend to connect to; in our example it would be tardis-a01.ee.ethz.ch. A PuTTY terminal window should open and the connection to the target host should be established without further user interaction (i.e. no username or password needs to be entered).

  4. NOTE: Each time you log in to a new Windows session or start up your computer, the pageant service must be started first before PuTTY can be used as described above. You could create a desktop shortcut (icon) to the pageant.exe binary and specify the path to the private key file as a command line argument after the pageant binary path in the shortcut's property tab. You could even move that shortcut into your autostart folder, so pageant would be started automatically every time you log in to your Windows desktop (however, this also means an additional passphrase popup window appears when the system comes up, even when you don't need it).

WindowsDirectSSHAccess (last edited 2021-09-27 06:50:47 by bonaccos)