#rev 2020-09-04 davidsch <> = Windows "direct" SSH access with PuTTY = This article explains how to access the SSH service on a D-ITET computer behind the ETH firewall from a Windows client outside of the ETH network (e.g. from home, abroad, ...) using the PuTTY SSH client software, ''without'' the [[Workstations/Network/VPN|VPN]] client. There are two solutions presented here, but the simple solution should work fine in most cases. = Simple solution = == What you need == You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html: * putty.exe == Configuration steps == 1. Log in to you ETH-external computer 1. In this example scenario, we want to connect to the student exercise room (targethost) computer {{{tardis-a01}}} which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ. 1. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter {{{login.ee.ethz.ch}}}. Under "Connection type:" choose "SSH". Under "Saved sessions", enter {{{tardis-a01.ee.ethz.ch}}} or another comprehensive name describing the target host. 1. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, fill in the "Remote Command:" field as follows (or with the appropriate target server you want to reach): {{{ ssh tardis-a01 }}} 1. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click {{{tardis-a01.ee.ethz.ch}}} (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration. 1. Now use the "Open" button to connect to the chosen target server. = Advanced solution = Use this solution, if the simple solution doesn't work for you or if you intend to use public-key based authentication with a key manager. == What you need == You will need the following programs on your ETH-external computer that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html: * putty.exe * puttygen.exe * plink.exe * pageant.exe Make sure these programs are installed in a path referenced by the '''PATH''' environment variable, or all files must be in the same directory with putty.exe. On Windows the default value of the PATH variable is "C:\Windows\system32;C:\Windows". This is needed for {{{putty}}} to find and execute its helper programs {{{plink}}} and {{{pageant}}}. == Configuration steps == === Step 1: Generating a public/ private key pair === 1. Log in to your ETH-external computer 1. Create a new folder called "keys" on that computer, e.g. {{{C:\keys}}}. 1. Run {{{ puttygen }}} Make sure, that the type of key to generate is set to "RSA", then click then "Generate" button in the main window. Move your mouse pointer over the puttygen window during the key generation, to generate some random data for the key generation. 1. When the keys are generated, copy-paste the the ssh-public key (from the textfield described with "Public key for pasting into OpenSSH authorized_keys file") into a text file called {{{ C:\keys\putty_ssh_pubkey.txt}}} There should be only one long line in that text file with no additional line breaks. 1. In the fields "Key passphrase:" / "Confirm passphrase:" of the puttygen window, enter a passphrase to protect the generated private key. Make sure you don't forget that password, as you will need it later... (please do not set an empty password; if your keys are stolen, one might be able to login with your keys without additional credentials!) 1. Then save the generated public and private keys using the buttons "Save public key" / "Save private key" into two separate files, e.g. {{{ C:\keys\putty_pubkey }}} and {{{ C:\keys\putty_privkey.ppk }}} 1. Close the puttygen application === Step 2: Installing the public key in the ssh authorized_keys file === 1. Log in to your ETHZ workplace computer. 1. Copy the SSH public key generated on your ETH-external computer {{{C:\keys\putty_ssh_pubkey.txt}}} to your ETHZ workplace computer, e.g. to {{{H:\keys\putty_ssh_pubkey.txt}}} 1. Open the command prompt on your ETHZ workplace computer (hit Windows-R on the keyboard to open the run window). Enter {{{ cmd }}} (the command prompt window should open) 1. Enter in the command prompt window {{{ type H:\keys\putty_ssh_pubkey.txt >> H:\.ssh\authorized_keys }}} 1. Note: if the {{{.ssh}}} directory does not yet exist, it must be created first using {{{ md H:\.ssh }}} Make sure the permissions are correct. Under ''Linux'', they should be {{{"drwx------"}}}. Verify this on a ''managed Linux computer'' from which you can access your ITET home by entering the following command in a terminal {{{ ls -lsad $HOME/.ssh}}} If the permissions are not correct, adjust them using the command {{{ chmod 700 $HOME/.ssh }}} === Step 3: Configuring pageant (a key agent for PuTTY) === 1. Log in to your ETH-external computer 1. Open the command prompt (hit Windows-R on the keyboard to open the run window). Enter {{{ cmd }}} (the command prompt window should open) 1. Enter in the command prompt window {{{ pageant C:\keys\putty_privkey.ppk }}} 1. Enter the passphrase (the one entered in "step 1") when prompted in a small popup window 1. A small computer icon with a blue screen should now appear in the system tray. 1. Right-click that icon, choose "New session" from the context menu. The PuTTY window should now pop up; Configure it as described in "step 4". === Step 4: Configuring a remote ssh server for PuTTY with proxy === 1. Log in to you ETH-external computer 1. In this example scenario, we want to connect to the student exercise room (targethost) computer {{{tardis-a01}}} which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ. 1. In the configuration tree of the PuTTY application preferences page, navigate to "Session". In the "Host Name (or IP address)" field, enter {{{tardis-a01.ee.ethz.ch}}} (or whatever targetserver you intend to reach). Note the hostname should be a fully qualified DNS name (i.e. with ".ee.ethz.ch" appended). Under "Connection type:" choose "SSH". Under "Saved sessions", enter {{{tardis-a01.ee.ethz.ch}}} or another comprehensive name describing the host. Then click the "Save" button. 1. In the configuration tree, navigate to "Connection", then "Data". On the panel shown, enter your ETH username (loginname) in the field "Auto-login username". 1. In the configuration tree, navigate to "Connection", then "Proxy". On the panel shown, choose {{{Local}}} for the "Proxy type". As "Proxy hostname", enter {{{login.ee.ethz.ch}}} and set the "Port" field to {{{22}}}. Choose {{{Yes}}} for the option "Do DNS name lookup at proxy end:". In the "username" field, enter your ETH username (but leave the password field right next to it empty!). In the textfield "Telnet command or local proxy command" enter the following line:{{{ plink -v -ssh -agent -hostkey fc:a8:00:5b:64:90:86:a1:fb:49:75:ef:55:58:90:b3 -nc %host:%port %user@%proxyhost }}} NOTE: the value specified for the "-hostkey" parameter may change over (a longer) time. It must correspond to the current MD5 hash (for the ''ssh-rsa'' key format) of the {{{login.ee.ethz.ch}}} (proxy) host key, as listed on https://ssh-fingerprints.ee.ethz.ch/ . If you try to connect using no or the wrong hostkey, typical symptoms are that the putty will hang during the connect attempt or it will show some error messages like "authentication faiure". Finally, choose {{{Yes}}} for the option "Print proxy diagnostics in the terminal window". 1. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, make sure "SSH protocol version" '''2''' is chosen. 1. In the configuration tree, navigate to "Connection", then "SSH", then "Auth". Make sure the following settings are selected (and all others unselected): [x] Display pre-authentication banner. [x] Attempt authentication using Pageant. [x] Attempt "keyboard-interactive" auth (SSH-2). [x] Allow agent forwarding. 1. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click {{{tardis-a01.ee.ethz.ch}}} (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration. Close the PuTTY window. == Establishing an SSH session == 1. Log in to your ETH-external computer 1. Make sure {{{pageant}}} is running. If the icon is not in your system tray (because pageant does not run), start pageant first manually (i.e. run pageant.exe with your private key file path as the first argument, e.g. use Windows-R, then enter {{{ pageant C:\keys\putty_privkey.ppk }}} Next, enter the passphrase when asked. Both the private key file and the passphrase were defined in "step 1" of the "Configuration steps" section (see above). 1. When the pageant icon appears in the system tray (caution, sometimes it is hidden in a folded system tray because to too many icons there), right-click the icon, then choose the "Saved sessions" submenu and finally the click the host name you intend to connect to; in our example it would be {{{tardis-a01.ee.ethz.ch}}}. A PuTTY terminal window should open and the connection to the target host should be established without further user interactions (i.e. no username or password must be entered). 1. NOTE: Each time you log in to a new windows session/ each time you startup your computer, the {{{pageant}}} service ''must be started first before PuTTY can be used'' in the way as described above. You could create a desktop shortcut (icon) the the pageant.exe binary and specify the path to the private key file as a command line option to the pageant binary path in the shortcut's property tab. You could even move that shortcut in your autostart folder, so pageant would be started automatically every time you login to your Windows desktop (however this would also mean to have an additional passphrase popup window when the system comes up, even when you don't need it).