Department of Computer Science and Technology

SSH on Windows (PuTTY)

Our commonly used Windows SSH client software is PuTTY. When installing, always use the latest version. If you are on a Lab-managed Windows machine and the latest version of PuTTY is not yet available, you can install it yourself by selecting the newest version in \\filer\install\LocalInstall\putty or by downloading it from the official webpage.

Basic configuration

The PuTTY installer places an icon on your desktop ('PuTTY', an image of two computers suffering a mutual lightning strike). When you start it up, you will see a small 'PuTTY Configuration' window.

In there, for convenience, you should save all the PuTTY settings needed to talk to a particular server as a 'Session'.

  • In the 'Host Name (or IP Address)' box, type: slogin-serv.cl.cam.ac.uk
  • Also check that 'Port' is set as 22 and SSH is selected under 'Protocol'.
  • Type a name for your session configuration into the 'Saved Sessions' box (e.g. cl or sandy).
  • Click 'Save'.
  • Under 'Category', select 'Windows > Translation' and choose the UTF-8 character encoding.
  • Under 'Category', select 'Connection > Data'. Enter your CRSID into the 'Auto-login username' field, or alternatively make sure that 'When username is not specified: Use system username (your-crsid)' is selected. This way, you won't have to type in your username each time you want to establish a connection.

    [Screenshot: set auto-login username]

  • Under 'Category', select 'Connection > SSH > Tunnels':

  • In the box 'X11 forwarding', tick 'Enable X11 forwarding'. This option, together with running an X11 server such as XMing, will allow you to open Unix applications on your Windows PC.
  • Under 'Category' select 'Connection > SSH > Auth > GSSAPI':

    [Screenshot: Kerberos session]

  • Make sure that both “Attempt GSSAPI authentication” and “Allow GSSAPI credential delegation” are selected. This means that if your Windows machine already has a valid Kerberos ticket, both authentication and forwarding of the Kerberos ticket will work automatically.
  • Under 'Category', go back to 'Session' and click 'Save' once more.

Getting a Kerberos ticket

Access to the departmental filer is authenticated via the Kerberos protocol. A user cannot access their home directory and other parts of the file space stored on the filer unless they have first obtained a Kerberos ticket-granting ticket (TGT). These are temporary cryptographic keys that are only valid for a limited period.

If you work on a lab-managed Windows machine, you automatically receive your Kerberos/GSSAPI ticket at login, which PuTTY can use to authenticate you.

If you work on your self-managed Windows machine, where you do not log in with your CRSID and Kerberos password, you can still use Kerberos authentication and delegation, but a few more steps are necessary:

  • If your computer is not connected directly to the departmental network, then you need to set up and activate a Computer Laboratory VPN connection. Your computer cannot reach the departmental Kerberos server kdc.cl.cam.ac.uk otherwise.
  • You have to install the MIT Kerberos for Windows package. This includes the MIT Kerberos Ticket Manager tool, which allows you to manually fetch a ticket.
  • Start the MIT Kerberos Ticket Manager, press 'Get ticket' and log in with your CRSID and your departmental Kerberos password.
  • Finally, start PuTTY, which will now automatically use the MIT Kerberos library.

If MIT Kerberos Ticket Manager is running, it will prompt you automatically for your Kerberos password if PuTTY needs one. It is therefore a good idea to add a shortcut to it to your Startup folder.

Never type your departmental Kerberos password, your VPN token, or your Raven password on a public computer, where keylogger malware may collect your password. If you can't avoid using public computers, use the one-time password facility instead to authenticate yourself without using the VPN.

Public/private key authentication

If you can use Kerberos/GSSAPI authentication (as configured above), then there is usually no need to configure ssh public keys.

Kerberos authentication will not work in two situations:

In both cases, you will have to generate an SSH public/private key pair, which PuTTY can then use to authenticate your identity during login. The generated private key must be made available to PuTTY, usually via starting the Pageant tool. The generated corresponding public key must be appended in your Linux home directory to the file .ssh/authorized_keys.

The following description explains two options for doing this in more detail.

  • Navigate to Start Menu > 'All apps' > 'Putty' and run PuTTYgen.
  • Click on the 'Generate' button.
  • Move the cursor continually over the blank space, as instructed, to generate a random key.
  • In the 'Key comment' box, replace any text with your own identifier, i.e. <crsid>@cl.cam.ac.uk (see the image example above).
  • Set a passphrase: this can be a password or a phrase.

The key is the text that appears in the box below 'Public key for pasting into OpenSSH authorized_keys file:'; copy that. Do not click 'Save public key' and use the contents of the resulting file, as that will not work.

Saving the public key

Navigate to \\filer\userfiles\<crsid>\unix_home\.ssh and, if needed, create a new file called authorized_keys (taking care not to leave it with a .txt suffix).

If the directory .ssh does not exist, do the following:

  • Map a drive to “\\filer\userfiles\<crsid>\unix_home\”
  • Run a command window (Type 'CMD' into Search bar and select Command Prompt app).
  • Change to the new drive letter you have just mapped.
  • Type mkdir .ssh to create the .ssh directory.
  • You can now create the authorized_keys file.

Note: If you are setting up keys for use with Subversion and Tortoise, email this public key to pagemaster. Please ensure you give the Key comment field a meaningful name, i.e. your CRSID, as shown in the example above.

In the authorized_keys file, paste the public key into an empty line at the bottom of the file. Then, in front of the public key on that line, you need to state where the key can be used from, i.e. on which domain. This needs to be as specific as possible. For a lab-managed machine, type:

“from="*.cl.cam.ac.uk"”

for any other device, type:

“from="*.cam.ac.uk"”

followed by a space as shown in the example below:

Save the file.
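As an added check (example code, not part of the original page or of PuTTY), the following Python script audits an authorized_keys file the way the section above asks it to be written: every key line must carry a from= restriction limited to *.cl.cam.ac.uk or *.cam.ac.uk, the key comment must be <crsid>@cl.cam.ac.uk, and lines that are not in OpenSSH one-line format (such as the SSH2 .pub file produced by 'Save public key') are reported. The sample file and the CRSID abc12 are constructed for the example.

```python
import re

# Key types PuTTYgen can emit; a line whose first word is one of these has no options.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
ALLOWED_FROM = ("*.cl.cam.ac.uk", "*.cam.ac.uk")  # the from= patterns the page allows

def split_options(line):  # split at the first space outside double quotes
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def parse_line(line):  # -> (options, keytype, blob, comment)
    options, rest = "", line
    if line.split()[0] not in KEY_TYPES:
        options, rest = split_options(line)
    parts = rest.split(None, 2) + [""]          # pad so a missing comment is ""
    if len(parts) < 3 or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line (SSH2 .pub format?)")
    return options, parts[0], parts[1], parts[2]

def audit(text, crsid):  # -> [(line number, problem), ...]
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            options, _, _, comment = parse_line(line)
        except ValueError as err:
            findings.append((n, str(err)))
            continue
        m = re.search(r'from="([^"]*)"', options)
        if m is None:
            findings.append((n, "missing from= restriction"))
        elif not all(p in ALLOWED_FROM for p in m.group(1).split(",")):
            findings.append((n, "from= pattern not departmental: " + m.group(1)))
        if comment != f"{crsid}@cl.cam.ac.uk":
            findings.append((n, "key comment should be <crsid>@cl.cam.ac.uk"))
    return findings

SAMPLE = """# constructed sample for abc12; key blobs are placeholders, not real keys
from="*.cl.cam.ac.uk" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER abc12@cl.cam.ac.uk
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER laptop
from="*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER abc12@cl.cam.ac.uk
"""
```

Running audit(SAMPLE, "abc12") flags line 3 (no from= restriction, comment is not a CRSID) and line 4 (from="*" is not departmental); a file written as the section describes returns an empty list.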

Saving the private key

You now need to save the private key to your local disc:

  • Click on the “Save private key” button.
  • Save the file locally on your PC. A good place to save it is the Startup area for your login (open the Run app and write shell:startup in the 'Open' window). This way, “Pageant” (the program that activates your encryption keys) is set to run at startup every time you (and only you) log in to that PC.

(Note: For laptop use, you should have a different key on each machine, which is easily identifiable in case of loss.