Information for Windows users
Secure Unix login from Windows with PuTTY
In the interest of security, remote login into our Unix/Linux machines is only allowed over cryptographically protected connections using the secure shell (SSH) protocol, even where the connection remains within the department.
Our commonly used Windows SSH client software is PuTTY. When installing, always use the latest version. Especially if you use a version older than PuTTY 0.61, we strongly recommend that you upgrade now to benefit from Kerberos support.
If you are on a Lab-managed Windows machine and the latest version of PuTTY is not yet available, then you can install it yourself (even without an Administrator account) via the Systems Management “Advertised Programs” installer, or via \\didcot\swdist\putty.
The installer may manifest itself as a small white rectangle in your task bar; otherwise, get to it via: Start Menu | Settings | Control Panel | Advertised Programs.
The PuTTY installer places an icon on your desktop ("Shortcut to PuTTY", an image of two computers suffering a mutual lightning strike). When you start it up, you will see a small “PuTTY Configuration” window.
In there, for convenience, you should save all the PuTTY settings needed to talk to a particular server as a “Session”. The following example shows this for one of the Lab's main Linux SSH servers: “sandy.cl.cam.ac.uk”.
- Under “Category” select “Session” (you probably are already there).
- In the “Host Name (or IP Address)” box, type: “sandy.cl.cam.ac.uk”
- Also check that you have “Port 22” and “Protocol: SSH”
- Type a name for your session configuration into the “Saved Sessions” box, (e.g., “cl” or “sandy”).
- Click “Save”
- Under “Category”, select “Windows | Translation” and choose the “UTF-8” character encoding.
- Under “Category”, select “Connection | Data”. Enter your Unix
login name (CRSID) into the “Auto-login username” field, or
alternatively make sure that “When username is not specified: Use
system username (your-crsid)” is selected. [This will avoid
that you have to type in you user name each time.]
- Under “Category” select “Connection | SSH | Tunnels”:
- In the box “X11 forwarding” tick “Enable X11 forwarding”. (This option, together with running an X11 server such as that provided by MobaXterm, XMing (both avaiable as free versions or eXceed, will allow your Unix applications to open windows on your Windows PC.
- Under “Category” select “Connection | SSH | Auth |
- Make sure that both “Attempt GSSAPI authentication” and “Allow GSSAPI credential delegation” are selected. [This means that if your Windows machine has already a valid Kerberos ticket from our Active Domain controller, both authentication and forwarding of the Kerberos ticket such that the Linux server can access your home directory will all just work automatically.]
- Under “Category” go back to “Session” and click “Save” once more.
Getting a Kerberos ticket
If you work on a lab-managed Windows machine, which is set up to be part of the Active Directory domain AD.CL.CAM.AC.UK, then you automatically receive your Kerberos/GSSAPI ticket at login time, which PuTTY can use to authenticate you if configured as described above.
If you work on your own, self-managed and trusted Windows machine, where you do not log in using the departmental Kerberos server, you can still use Kerberos authentication and delegation, but a few more steps are necessary:
- If your computer is not connected directly to the departmental network, then you need to setup and activate a Computer Laboratory VPN connection. Otherwise you computer cannot reach the departmental Kerberos server kdc.cl.cam.ac.uk.
- You have to install the MIT Kerberos for Windows package. This includes the "MIT Kerberos Ticket Manager" tool, which allows you to manually fetch a ticket.
- Start the "MIT Kerberos Ticket Manager" application, press "Get ticket" and login with "crsid@AD.CL.CAM.AC.UK" and your departmental Kerberos password.
- Finally, start Putty, which will now automatically use the MIT Kerberos library.
If "MIT Kerberos Ticket Manager" is running, it will prompt you automatically for your Kerberos password if PuTTY needs one. It is therefore a good idea to add a shortcut to it to your Startup folder.
Never type your departmental Kerberos password, your VPN token, or your Raven password on an untrusted computer (e.g., in an Internet Cafe), where keylogger malware may collect your password. If you can't avoid using untrusted computers, use the one-time password facility instead to authenticate yourself without using the VPN.
Public/private key authentication
If you can use Kerberos/GSSAPI authentication (as configured above), then there is usually no need to configure ssh public keys. Your login will work fine without.
Kerberos authentication will not work in two situations:
- You use a Windows computer outside the department on which you cannot use the CL VPN or MIT Kerberos for Windows as described above.
- You are setting up TortoiseSVN with PuTTY to access a Subversion repository for editing the Lab’s website.
In both cases, you will have to generate an SSH public/private key pair, which PuTTY can then use to authenticate your identity during login. The generated private key must be made available to PuTTY, usually via starting the Pageant tool. The generated corresponding public key must be appended in your Linux home directory to the file “.ssh/authorized_keys”.
The following description explains two options for duing this in more detail.
On a lab Linux machine, run the command: “ssh-keygen -t rsa”
This will create a public/private key pair and leave them in your filespace under Linux. Please ensure you use a secure pass phrase to protect this.
This has the side effect of creating a .ssh subdirectory structure in your home directory, where the key pair will be stored. You will find the newly generated public key in “~/.ssh/id_rsa.pub”; copy it.
Then “cd ~/.ssh” and edit “authorized_keys”, pasting the public key into a new line on its own. Just as detailed below you will need to add a section saying where the key can be used from, which should be as specific as possible. The end result should look like:
from="*.cl.cam.ac.uk" ssh-rsa AAAAB3NzaC1yc2EAAAADA […]
- On a Windows machine, run “Puttygen” from the “Putty” Start Menu programs group.
- Click on the “Generate” button.
- Move the cursor continually over the blank space, as instructed, to generate a random key.
- In the Key_comment box, replace any text with your own identifier, i.e. <crsid>@cl.cam.ac.uk (see the image example below).
- Set a passphrase. (This can be a password or a phrase.)
The key is the text that appears in the box below Public key for pasting into OpenSSH authorized_keys file:; copy that. Do not click Save public key and use the contents of the resulting file; that will not work.
Saving the public key
If this file does not exist then navigate to “\\filer\userfiles\<crsid>\unix_home\.ssh”
and create a new file called “authorized_keys”
(taking care not to leave it with a .txt suffix).
Click here if directory does not exist.
If you are setting up keys for use with Subversion and Tortoise, email this
public key to pagemaster.
Please ensure you give the Key comment field a meaningful name
i.e your CRSID, as shown in the example above.
Paste the public key into an empty line at the bottom of the file. Then, in front of the public key on that line, you need to state where the key can be used from, i.e on which domain. This needs to be as specific as possible. So for a lab managed machine, type:
or for a laptop using Eduroam within Cambridge
followed by a space as shown in the example below:
Save the file
If the directory does not exist:
- Map a drive to “\\filer\userfiles\<crsid>\unix_home\”
- Run a command Window (Type “CMD” in Start, Run).
- Change to the new drive letter you have just mapped.
- Type “mkdir .ssh” to create the .ssh directory.
- You can now create the “authorized_keys” file.
Save the file
Saving the private key
You now need to save the private key to your local disc:
- Click on the “Save private key” button.
- Save the file locally on your PC. A logical place is in the Start->All Programs->Startup area of YOUR login under Documents and Settings. When it is saved here, “Pageant” (the program that activates your encryption keys) is set to run at start up everytime you (and only you) login to that PC.
(Note: For laptop use, you should have a different key on each machine, which is easily identifiable in case of loss.
Troubleshooting and refinements
The above represents the basic necessities for getting the setup working.
If you have suggestions to improve the arrangements, please contact the Windows administrators.
Other areas of the “PuTTY” configuration window allows you to alter the colour scheme, and so on. Remember to “Load” your session before making your changes, and “Save” your session afterwards.
If you are experiencing trouble logging into PuTTY, you may want to change the PuTTY settings so the Unix shell window doesn't close automatically, but logs the results of what happens, so you can send to a Windows Administrator:
Changing window settings:
- Load your session (i.e “Computer lab”, which was our earlier example).
- Under “Category”, select “Session”
- Under “Close window on exit”, select the appropriate radio button, i.e. “Never”
- Save your session.
Setting up Logging:
- Load your Session.
- Under “Category”, select “Session, Logging”.
- Under “Session logging:”, select the appropriate radio button, i.e. “Log all session output”.
- Under “Log file name:”, browse to a suitable location to save the logfile and give the logfile a name.
- Under “What to do if the log file already exists:”, select the appropriate radio button, i.e. “Always append to the end of it”.
- Save your session.
"No Supported authentication methods" error
When setting up PuTTY you may experience the above error message.
One possible cause is that the domain you have specified in the “authorized_keys” file and the domain your computer believes it resides in are not the same.
To resolve this issue, try whether you can login after removing the “from="*.cl.cam.ac.uk"” prefix from your authorized_keys file temporarily.
If so, then lookup your computer’s domain name:
- Right click “My Computer” and select “Properties”
- Click on the “Computer Name” tab. Here you will see your domain, i.e. “cl.cam.ac.uk”.
- The domain written as part of the “from=” command in the “authorized_keys” file should match the domain listed here under the “Computer Name” tab.
- Edit “authorized_keys” accordingly, save it, and try another PuTTY session.
If this still does not resolve your issue, it could be an absence of a reverse mapping of your IP address. You will need to contact a Windows administrator for further help.