Revision 29 as of 2019-06-19 06:52:27

Clear message

Windows "direct" SSH access with PuTTY

This article explains how to access the SSH service on a D-ITET computer behind the ETH firewall from a Windows client outside of the ETH network (e.g. from home, abroad, ...) using the PuTTY SSH client software, without the VPN client.

What you need

You will need the following programs that can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html:

Make sure these programs are installed in a system path (referenced by the PATH environment variable, or all files must be in the same directory with putty.exe), so the helper programs puttygen, plink, pageant needed will be found by PuTTY.

Configuration steps

Step 1: Generating a public/ private key pair

  1. Make a new folder called "keys" in your home directory, e.g. H:\keys.

  2. Run puttygen. Make sure, that the type of key to generate is set to "RSA", then click then "Generate" button in the main window. Move your mouse pointer over the puttygen window during the key generation, to generate some random data for the key generation.

  3. When the keys are generated, copy-paste the the ssh-public key (from the textfield described with "Public key for pasting into OpenSSH authorized_keys file") into a text file (called H:\keys\putty_ssh_pubkey.txt). There should be only one long line in that text file with no additional line breaks.

  4. In the fields "Key passphrase:" / "Confirm passphrase:" of the puttygen window, enter a passphrase to protect the generated private key. Make sure you don't forget that password, as you will need it later...

  5. Then save the generated public and private keys using the buttons "Save public key" / "Save private key" into two separate files, e.g. "H:\keys\putty_pubkey" and "H:\keys\putty_privkey.ppk".

  6. Close the puttygen application

Step 2: Installing the public key in the ssh authorized_keys2 file

  1. Open the command prompt (Windows-R, enter "cmd", the command prompt window should open)

  2. Enter H:

  3. Enter cd keys

  4. Enter 

    type putty_ssh_pubkey.txt >> H:\.ssh\authorized_keys_2

  5. Note: if the .ssh directory does not yet exist, it must be created first (using mkdir H:\.ssh). Make sure the permissions are correct (under Linux, they should be "drwx------"; if not correct use chmod 700 .ssh)

Step 3: Configuring pageant (a key agent for PuTTY)

  1. Open the command prompt (Windows-R, enter "cmd", the command prompt window should open)

  2. Enter 

    pageant H:\keys\putty_privkey.ppk
  3. Enter the passphrase (the one entered in "step 1") when prompted
  4. A small computer icon with a blue screen should now appear in the system tray.
  5. Right-click that icon, choose "New session" from the context menu. The PuTTY window should now pop up; Configure it as described in "step 4".

Step 4: Configuring a remote ssh server for PuTTY with proxy

  1. In this example scenario, we want to connect to the student exercise room (targethost) computer tardis-c01 which is now behind the ETH firewall and which is not directly reachable via the SSH port (tcp/22) from outside ETHZ.

  2. In the configuration tree, navigate to "Session". In the "Host Name (or IP address)" field, enter tardis-c01.ee.ethz.ch (or whatever targetserver you intend to reach). Note the hostname should be a fully qualified DNS name (i.e. with ".ee.ethz.ch" appended). Under "Connection type:" choose "SSH". Under "Saved sessions", enter tardis-c01.ee.ethz.ch or another comprehensive name describing the host. Then click the "Save" button.

  3. In the configuration tree, navigate to "Connection", then "Data". On the panel shown, enter your ETH username (loginname) in the field "Auto-login username".

  4. In the configuration tree, navigate to "Connection", then "Proxy". On the panel shown, choose Local for the "Proxy type". As "Proxy hostname", enter login.ee.ethz.ch and set the "Port" field to 22. Choose Yes for the option "Do DNS name lookup at proxy end:". In the "username" field, enter your ETH username (but leave the password field right next to it empty!). In the textfield "Telnet command or local proxy command" enter the following line:

    plink -v -ssh -agent -hostkey 3b:b0:1a:8a:ea:0a:e5:ea:bb:9e:bb:5c:ef:24:c3:92 -nc %host:%port %user@%proxyhost

    NOTE: the value specified for the "-hostkey" parameter may change over (a longer) time. It must correspond to the current MD5 hash of the login.ee.ethz.ch (proxy) host key, as listed on https://ssh-fingerprints.ee.ethz.ch/ . Finally, choose Yes for the option "Print proxy diagnostics in the terminal window".

  5. In the configuration tree, navigate to "Connection", then "SSH". On the panel shown, make sure "SSH protocol version" 2 is chosen.

  6. In the configuration tree, navigate to "Connection", then "SSH", then "Auth". Make sure the following settings are selected (and all others unselected): [x] Display pre-authentication banner. [x] Attempt authentication using Pageant. [x] Attempt "keyboard-interactive" auth (SSH-2). [x] Allow agent forwarding.

  7. Finally, save all settings in the profile. To accomplish this, navigate to "Session" in the configuration tree. In the "Saved Sessions" listfield, single-click tardis-c01.ee.ethz.ch (or whatever targetserver you intended to reach). Then click the "Save" button. You are done with the configuration. Close the PuTTY window.

Establishing an SSH session

  1. Make sure pageant is running. If the icon is not in your system tray (because pageant does not run), start pageant first manually (i.e. run pageant.exe with your private key file path as the first argument, e.g. use Windows-R, then enter 

    pageant H:\keys\putty_privkey.ppk
    Next, enter the passphrase when asked. Both the private key file and the passphrase were defined in "step 1" of the "Configuration steps" section (see above).

  2. When the pageant icon appears in the system tray (caution, sometimes it is hidden in a folded system tray because to too many icons there), right-click the icon, then choose the "Saved sessions" submenu and finally the click the host name you intend to connect to; in our example it would be tardis-c01.ee.ethz.ch. A PuTTY terminal window should open and the connection to the target host should be established without further user interactions (i.e. no username or password must be entered).

  3. NOTE: Each time you log in to a new windows session/ each time you startup your computer, the pageant service must be started first before PuTTY can be used in the way as described above. You could create a desktop shortcut (icon) the the pageant.exe binary and specify the path to the private key file as a command line option to the pageant binary path in the shortcut's property tab. You could even move that shortcut in your autostart folder, so pageant would be started automatically every time you login to your Windows desktop (however this would also mean to have an additional passphrase popup window when the system comes up, even when you don't need it).