Computer Laboratory

Information for Windows users

Secure Unix login from Windows with PuTTY

In the interest of security, remote login into our Unix/Linux machines is only allowed over cryptographically protected connections using the secure shell (SSH) protocol, even where the connection remains within the department.

Our commonly used Windows SSH client software is PuTTY. When installing, always use the latest version. Especially if you use a version older than PuTTY 0.61, we strongly recommend that you upgrade now to benefit from Kerberos support.

Installation

If you are on a Lab-managed Windows machine and the latest version of PuTTY is not yet available, then you can install it yourself (even without an Administrator account) via the Systems Management “Advertised Programs” installer, or via \\didcot\swdist\putty.

The installer may manifest itself as a small white rectangle in your task bar; otherwise, get to it via: Start Menu | Settings | Control Panel | Advertised Programs.

Basic configuration

The PuTTY installer places an icon on your desktop ("Shortcut to PuTTY", an image of two computers suffering a mutual lightning strike). When you start it up, you will see a small “PuTTY Configuration” window.

In there, for convenience, you should save all the PuTTY settings needed to talk to a particular server as a “Session”. The following example shows this for one of the Lab's main Linux SSH servers: “ssh-remote-0.cl.cam.ac.uk”.

  • Under “Category” select “Session” (you probably are already there).
    • In the “Host Name (or IP Address)” box, type: “ssh-remote-0.cl.cam.ac.uk”
    • Also check that you have “Port 22” and “Protocol: SSH”
    • Type a name for your session configuration into the “Saved Sessions” box (e.g., “cl” or “ssh-remote-0”).
    • Click “Save”
  • Under “Category”, select “Windows | Translation” and choose the “UTF-8” character encoding.
  • Under “Category”, select “Connection | Data”. Enter your Unix login name (CRSID) into the “Auto-login username” field, or alternatively make sure that “When username is not specified: Use system username (your-crsid)” is selected. [This saves you from having to type in your user name each time.]

    set auto-login username

  • Under “Category” select “Connection | SSH | Tunnels”:

  • In the box “X11 forwarding” tick “Enable X11 forwarding”. (This option, together with running an X11 server such as that provided by MobaXterm, XMing (both available as free versions) or eXceed, will allow your Unix applications to open windows on your Windows PC.)
  • Under “Category” select “Connection | SSH | Auth | GSSAPI”:

    Kerberos session

  • Make sure that both “Attempt GSSAPI authentication” and “Allow GSSAPI credential delegation” are selected. [This means that if your Windows machine already has a valid Kerberos ticket from our Active Domain controller, both authentication and the forwarding of the Kerberos ticket, which the Linux server needs to access your home directory, will just work automatically.]
  • Under “Category” go back to “Session” and click “Save” once more.

Public/private key authentication

If you can use Kerberos/GSSAPI authentication (as configured above), then there is usually no need to configure ssh public keys. Your login will work fine without.

Kerberos authentication will not work in two situations:

In both cases, you will have to generate an SSH public/private key pair, which PuTTY can then use to authenticate your identity during login. The generated private key must be made available to PuTTY, usually via starting the Pageant tool. The generated corresponding public key must be appended in your Linux home directory to the file “.ssh/authorized_keys”.

The following description explains two options for doing this in more detail.

On Linux

On a lab Linux machine, run the command: “ssh-keygen -t rsa”

This will create a public/private key pair and leave them in your filespace under Linux. Please ensure you use a secure pass phrase to protect this.

This has the side effect of creating a .ssh subdirectory structure in your home directory, where the key pair will be stored. You will find the newly generated public key in “~/.ssh/id_rsa.pub”; copy it.

Then “cd ~/.ssh” and edit “authorized_keys”, pasting the public key into a new line on its own. As detailed below, you will also need to add a section saying where the key can be used from, which should be as specific as possible. The end result should look like:

from="*.cl.cam.ac.uk" ssh-rsa AAAAB3NzaC1yc2EAAAADA […] onHiVNh0IkKift27RZL1 spqr1@example.cl.cam.ac.uk

On Windows

  • On a Windows machine, run “Puttygen” from the “Putty” Start Menu programs group.
  • Click on the “Generate” button.
  • Move the cursor continually over the blank space, as instructed, to generate a random key.
  • In the “Key comment” box, replace any text with your own identifier, i.e. <crsid>@cl.cam.ac.uk (see the image example below).
  • Set a passphrase. (This can be a password or a phrase.)

The key is the text that appears in the box below “Public key for pasting into OpenSSH authorized_keys file:”; copy that. Do not click “Save public key” and use the contents of the resulting file; that will not work.

Saving the public key

If this file does not exist then navigate to “\\filer\userfiles\<crsid>\unix_home\.ssh” and create a new file called “authorized_keys” (taking care not to leave it with a .txt suffix).
If the directory does not exist, follow the steps under “If the directory does not exist:” below.

Note: If you are setting up keys for use with Subversion and Tortoise, email this public key to pagemaster. Please ensure you give the “Key comment” field a meaningful name, i.e. your CRSID, as shown in the example above.

Paste the public key into an empty line at the bottom of the file. Then, in front of the public key on that line, you need to state where the key can be used from, i.e. on which domain. This needs to be as specific as possible. So for a lab-managed machine, type:

“from="*.cl.cam.ac.uk"”

or for a laptop using Eduroam within Cambridge

“from="*.cam.ac.uk"”

followed by a space as shown in the example below:

Save the file

If the directory does not exist:

  • Map a drive to “\\filer\userfiles\<crsid>\unix_home\”
  • Run a command Window (Type “CMD” in Start, Run).
  • Change to the new drive letter you have just mapped.
  • Type “mkdir .ssh” to create the .ssh directory.
  • You can now create the “authorized_keys” file.


Saving the private key

You now need to save the private key to your local disc:

  • Click on the “Save private key” button.
  • Save the file locally on your PC. A logical place is in the Start->All Programs->Startup area of YOUR login under Documents and Settings. When it is saved here, “Pageant” (the program that activates your encryption keys) is set to run at start-up every time you (and only you) log in to that PC.

(Note: For laptop use, you should have a different key on each machine, which is easily identifiable in case of loss.)

Troubleshooting and refinements

The above represents the basic necessities for getting the setup working.

If you have suggestions to improve the arrangements, please contact the Windows administrators.

Other areas of the “PuTTY” configuration window allow you to alter the colour scheme, and so on. Remember to “Load” your session before making your changes, and “Save” your session afterwards.

If you are having trouble logging in with PuTTY, you may want to change the PuTTY settings so that the Unix shell window doesn't close automatically, but logs the results of what happens, so you can send the log to a Windows Administrator:

Changing window settings:

  • Load your session (i.e. “Computer lab”, which was our earlier example).
  • Under “Category”, select “Session”
  • Under “Close window on exit”, select the appropriate radio button, i.e. “Never”
  • Save your session.

Setting up Logging:

  • Load your Session.
  • Under “Category”, select “Session | Logging”.
  • Under “Session logging:”, select the appropriate radio button, i.e. “Log all session output”.
  • Under “Log file name:”, browse to a suitable location to save the logfile and give the logfile a name.
  • Under “What to do if the log file already exists:”, select the appropriate radio button, i.e. “Always append to the end of it”.
  • Save your session.

"No Supported authentication methods" error

When setting up PuTTY you may experience the above error message.

One possible cause is that the domain you have specified in the “authorized_keys” file and the domain your computer believes it resides in are not the same.

To resolve this issue, check whether you can log in after temporarily removing the “from="*.cl.cam.ac.uk"” prefix from your authorized_keys file.

If so, then look up your computer’s domain name:

  • Right click “My Computer” and select “Properties”
  • Click on the “Computer Name” tab. Here you will see your domain, i.e. “cl.cam.ac.uk”.
  • The domain written as part of the “from=” option in the “authorized_keys” file should match the domain listed here under the “Computer Name” tab.
  • Edit “authorized_keys” accordingly, save it, and try another PuTTY session.

If this still does not resolve your issue, it could be an absence of a reverse mapping of your IP address. You will need to contact a Windows administrator for further help.
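
The “from=” restriction set up under “Saving the public key”, and the two failure causes named in this section (a domain that does not match, or an address with no reverse mapping), can be checked offline with a short script. This is an added example, not part of the original page: the function names and the sample file are constructed, and the matcher is a simplified model of OpenSSH pattern lists (only “*”, “?” and “!” negation; no CIDR ranges or escaped quotes).

```python
import re

# Prefixes that identify the key-type field of an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = '''\
from="*.cl.cam.ac.uk" ssh-rsa AAAA-PLACEHOLDER-1 spqr1@example.cl.cam.ac.uk
ssh-rsa AAAA-PLACEHOLDER-2 spqr1@old-laptop
'''

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}, line                      # line has no options field
    # The options field ends at the first space outside double quotes.
    field = re.match(r'(?:[^ "]|"[^"]*"?)*', line).group(0)
    opts = {}
    for item in re.findall(r'(?:[^,"]|"[^"]*"?)+', field):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts, line[len(field):].strip()

def wildcard_match(pattern, text):
    """Match with only '*' and '?' special, ignoring case."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern.lower())
    return re.fullmatch(rx, text.lower()) is not None

def from_allows(line, hostname, ip):
    """hostname is None when the client IP has no reverse DNS mapping."""
    opts, _ = split_options(line)
    if "from" not in opts:
        return True                          # key is usable from anywhere
    allowed = False
    for pat in opts["from"].split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        hit = any(wildcard_match(pat, c) for c in (hostname, ip) if c)
        if hit and negated:
            return False                     # a negated match always refuses
        allowed = allowed or hit
    return allowed

def unrestricted_keys(text):
    """Comments of the keys in an authorized_keys file that lack from=."""
    rows = [ln for ln in text.splitlines() if ln.strip() and ln.lstrip()[0] != "#"]
    parsed = map(split_options, rows)
    return [rest.split(None, 2)[-1] for opts, rest in parsed if "from" not in opts]
```

Calling from_allows with hostname set to None models a client whose IP address has no reverse mapping: a domain pattern such as “*.cl.cam.ac.uk” then cannot match, which is the last failure case described above.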