A Secure Replacement for FTP

Background

FTP (File Transfer Protocol) was designed at a time when the number of servers on the Internet could be counted on one hand, so it was never designed with security in mind. In those early days of the Internet, system administrators knew each other personally and trusted each other. Today, with dozens of millions of hosts on the Internet and no shortage of people with bad intent, it is no longer sufficient to rely on such antiquated protocols. One of the biggest problems of FTP, and what makes it particularly unsuitable for security-conscious system administrators and webmasters, is that authentication is done via login and password information sent as plain text, i.e. not encrypted, so anyone who can observe the traffic between client and server can read it.

Today, no responsible webmaster would have users authenticating on a web site without using SSL (https), but many of them seem to be blissfully ignorant of the risks posed by sending FTP passwords in the clear. Fortunately, there is a good alternative, scp (secure copy), which is based on the ssh (secure shell) protocol. In our case, we will be using RSA PKI (Public Key Infrastructure) to secure the connection between your computer and the server. This is often referred to as "two-factor authentication". It relies on two things: something you know, a passphrase, and something you have, a private key. The passphrase is never sent to the server: it only unlocks the private key file on your computer, and the server checks that you hold the key. Even if an attacker were able to guess your passphrase, it would not do any good without having physical possession of your private key.

In this HOW-TO, we will generate an RSA public/private key pair, put the public key on the web server, use a key manager to manage your private key, and configure the client to take advantage of the RSA key based authentication. This eliminates the need for Dinamis personnel to send a password to you by insecure means, such as by e-mail, and for anyone but you to know the passphrase for your private key. Once you have your private key unlocked and being managed by the key manager, which runs on your computer, you can initiate as many sessions as you like without having to authenticate for each session.

The following HOW-TO outlines how to set up public key ssh authentication using PuTTY on Windows in order to transfer files to and from your Linux web server in a secure fashion and also to get a secure shell to Linux. If you do not know what a secure shell is, you can ignore that capability.

What You Will Need

  • A computer running Windows. Those running OS X or Linux already have ssh and scp clients built-in so there is no need to install additional software.
  • A server running OpenSSH. (Supplied by Dinamis.)
  • A network connection between the Windows computer and the server.
  • PuTTY, which is a free implementation of the ssh (secure shell) and scp (secure copy) protocols for Windows.
  • WinSCP, which is a GUI (Graphical User Interface) front-end to the scp application provided by PuTTY.

Generating Your Public/Private Key Pair

  1. Download and install the PuTTY and WinSCP applications for Windows. You should select the Windows installer rather than just the zip file.
  2. Start PuTTYgen from the PuTTY application group. You should see something like this:
    PuTTY Key Generator
  3. Click on the "Generate" button and move the mouse around randomly in the grey area.
  4. Once the RSA key has been generated, you should see something like this:
    Generated SSH-2 RSA Key
  5. Enter something meaningful for the key comment, e.g. substitute your initial and last name with no spaces for "my" in "my-key". Assign a passphrase for the private key. The usage of the word "phrase" is deliberate. It should be something longer than what you would normally use for a password because you will only have to enter it once per session, not once per connection. Protect this passphrase! If someone steals your private key without knowing your passphrase, the private key would be useless to them.
  6. Save both the private and public keys. The private key will be automatically assigned a .ppk extension. You should use the same initial and name scheme as above. E.g. John Smith's private key would be jsmith.ppk and his public key would be jsmith.pubkey.
  7. Copy the text in the area titled "Public key for pasting into OpenSSH authorized_keys file:" and paste into a plain-text document.
  8. Note: the text must be all on one line with no line breaks as below.
    Text must be all on one line.
  9. Save the text file with a meaningful name, e.g. jsmith.public.key, and send it as an email attachment to the person at Dinamis who requested the key from you. If you know how to digitally sign your email, all the better.
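
The check below is an added example, not part of the original HOW-TO and not PuTTY or Dinamis code: it verifies that the text saved in steps 7 to 9 is a single well-formed ssh-rsa line and computes its SHA256 fingerprint, which sender and recipient can compare by phone after the file has travelled by e-mail. The function names, the 2048-bit minimum and the sample line are assumptions constructed for illustration.

```python
import base64, binascii, hashlib

def read_string(buf, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def check_authorized_key(text, min_bits=2048):  # 2048 is this example's assumption
    """Validate one ssh-rsa authorized_keys entry; return (bits, comment, fingerprint)."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) != 1:
        raise ValueError("key must be on one line, found %d" % len(lines))
    fields = lines[0].split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected: ssh-rsa <base64> [comment]")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error:
        raise ValueError("key data is not valid base64 (wrapped or cut off?)")
    name, off = read_string(blob, 0)
    if name != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the prefix")
    _exponent, off = read_string(blob, off)
    modulus, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:
        raise ValueError("RSA modulus is only %d bits" % bits)
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return bits, fields[2] if len(fields) > 2 else "", fp

def constructed_sample(bits=2048):
    """Build a structurally valid line for testing; constructed, NOT a usable key."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " jsmith-key"

if __name__ == "__main__":
    good = constructed_sample()
    print(check_authorized_key(good))
    try:
        check_authorized_key(good[:80] + "\n" + good[80:])  # wrapped by a mail client
    except ValueError as err:
        print("rejected:", err)
```

A server's host public key uses the same one-line format, so the same function gives an administrator the fingerprint to hand out for comparison with PuTTY's first-connection warning.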

Gaining Access to a Dinamis.com Server

Once you have received confirmation from Dinamis that your key has been received and added to the authorized_keys file on the server, continue with the following steps.

  1. Launch PuTTY from the PuTTY group. In the Sessions section, do the following:
    1. Enter either a host name or IP address in the Host Name (or IP Address) field - host name is preferred.
    2. Select SSH for Protocol.
    3. Enter a short but meaningful name in the Saved Sessions field. If you ever use the command line pscp (secure copy) tool provided in the PuTTY suite, you will appreciate having a short saved session name. The saved session name is simply your way of referring to this session, nothing else.

    PuTTY Session Configuration Screen Shot

  2. In the Connection section, enter the username in the Auto-login username field. This is the Linux shell account name that you will have been assigned.
    PuTTY Session Configuration Screen Shot
  3. In the Connection>>SSH section, select 2 only for the Preferred SSH protocol version.
    PuTTY Session Configuration Screen Shot
  4. In the Connection>>SSH>>Auth section, click on the Browse button and select the previously created private key.
    PuTTY Session Configuration Screen Shot
  5. In the Session section, click on the Save button to save the session settings that you have just created. You are now ready to start an ssh or scp session to the remote Linux server from Windows.
  6. Double click on the private key that you had previously saved from PuTTYgen. It should have a .ppk extension. Enter your passphrase. You should see the PuTTY key manager, Pageant, running in the System Tray. You could create a shortcut to your private key in the Windows Startup group if you wish to always unlock your private key when you log in to Windows. N.B. There are security implications to keeping one's private RSA key loaded in memory at all times. For further information, refer to Chapter 8 in the PuTTY help file.
    Pageant Key Manager Screen Shot
  7. Right mouse click on the Pageant icon in the System Tray and select Saved Sessions>>Your Session Name to start an ssh session to the SME Server. The first time you start a session to a host that you have never connected to before, PuTTY will put up a warning dialog, which you should accept unless you have reason to suspect that the host that you think you are connecting to is not really the host you are connecting to. Once you have accepted PuTTY's warning, you should be at a shell prompt for someuser with no further passwords or authentication necessary. As long as you have your private key unlocked and managed by Pageant, you will not need to enter any passwords to open additional ssh sessions to the server. At this point, unless you know what to do with a Linux shell, you should close the PuTTY window that has the remote Linux shell.
  8. Launch WinSCP from the WinSCP group. You should see a window like this:
    WinSCP Initial Window Screen Shot
  9. Click on the "Tools" button and select "Import" from the pop-up menu. You should see the PuTTY saved session that you had configured above. Select that saved session and the "Import cached host keys for checked sessions" checkbox and click on the "OK" button.
  10. Select the saved session name in the WinSCP Login window and click on the "Login" button. You should see a window like below. You can copy to and from the server in the usual manner, by dragging and dropping.
    WinSCP Session Window Screen Shot