FAQ: More Secure Password-less SSH -- Windows to Linux

"There’s No Such Thing As A Silly Question" -- does the cliche sound familiar? In this part of pimp-my-rig reloaded, technical questions are answered. Mail them to me and I will post the answers here. If you have a better answer, by all means share it with us.

The password-less SSH procedure previously posted outlined the establishment of trusted logins from a Windows machine to a _nix machine. The set-up works and is very convinient to implement. However, it comes at the expense of security.

FAQ: Many would agree that an unprotected private key -- a private key with empty passphrase -- is less secure and thus exposes the account to a security threat. Not that this set-up is totally unsecure but once the private key is compromised, the account is completely vulnerable as access to it is open. Can we make the set-up a more secure then?

Protecting the private key with a passphrase is a very logical thing to do. Not only that, it is highly recommended especially on platforms or systems where security is a major concern. The private key then becomes useless without the passphrase to unlock it.

In order to accomplish this stunt, a similar set of software for the previous Windows to _nix password-less setup is required: putty.exe, puttygen.exe and pscp.exe, with the addition of pageant.exe. The tools mentioned can be downloaded off the author's website. Download the binaries enumerated.

Start off by launching puttygen.exe. This tool will generate the public and private key pairs needed for the password-less setup. This was done previously but this time, protect the private key with a passphrase. Press "Generate" and put a passphrase in the fields where it is required. Then, save the private and public keys.


Open putty.exe. Scroll down to Connection --> Data.. fill in the field "Auto-login username". For this example, the username used is "user" (fill this field with your username).


Scroll up to Session, fill up the necessary fields and save.

Open a command tool and using pscp.exe, copy the public key over to the home directory of user. The public key has to be translated to OpenSSH format, then has to be added to authorized_keys file.
user@host:~ > ssh-keygen -i -f PUBLIC_KEY >> $HOME/.ssh/authorized_keys


Now launch pageant.exe (or PuTTY authentication agent). No window will be opened but instead another icon will appear in the system tray. Right-click on this icon and select "Add Key" (see below).


Browse over to the path where the private key was saved. Key in the passphrase when prompted to do so.


(Skipping the above step will prompt the user for the password. When this happens, use the the password to the unix account not the passphrase to the private key.)

Right-click, again, on the pageant icon in the system tray and choose the session saved earlier in this guide. An ssh login will be initiated with the host without asking for a password.


There you go, a more secure password-less ssh from Windows to your _nix workstation. Access to the saved private key does not compromise security as it requires the passphrase to unlock the key. However, this introduces the dependence to pageant, where the passphrase is asked only once but password-less still.

Pageant will be void of keys each time it is launched. And, consequently, each time the private key is "added" to pageant, the passphrase will be asked to unlock the key.

Compare the password-less implementations and select which is easier, applicable and better suited for your use. Each has its own set of advantages and disadvantages.

You might also be interested in:

Feedback

We at pimp-my-rig strive to keep on improving, help us reach that goal by leaving comments or constructive criticisms. Don't miss out on our next feature -- subscribe via RSS (What is RSS?).

Share This

0 comments: