At SDSC, we allow key-based authentication to access our supercomputers in addition to the usual password-based and Globus-based authentication mechanisms. Setting up ssh keys on Linux and Mac desktops is quite simple, but the process is a lot more involved on Windows. Because our Windows users commonly request the steps required to use key-based authentication to log into Gordon and Trestles, below is an illustrated guide on exactly how to do this.

Before you begin, you will need to download two pieces of software:

  1. PuTTY, my preferred SSH client for Windows (you may already have this)
  2. puttygen.exe, part of the PuTTY suite, which can generate SSH keys

Both can be downloaded from the PuTTY website as standalone executables that don't need to be "installed", so it's convenient to download both .exe files on to your desktop and just run them from there.

Generating an SSH Key

As its name suggests, puttygen.exe is the program you'll have to launch to generate an SSH key for you to use to log into a remote system using key-based authentication. Start it up, and you should see a screen similar to the one below:

Step 1

The first thing you need to do is change the "Number of bits in a generated key" to at least 2048 (red arrow). The default value of 1024 bits is no longer considered secure, so please don't forget to do this step!

Then press the Generate button (green arrow) and you will see this:

Step 2

You will need to wiggle your mouse over the blank area below the progress bar to feed puttygen enough randomness to generate an unpredictable ssh key for you. Once the progress bar is full, you will be presented with your ssh key, which takes the form of a bunch of letters and numbers.

First, copy the public key that puttygen created into your clipboard:

Step 4

Then you will need to paste this into your account on Gordon or Trestles. SSH to one of those machines (logging in with your password, since we haven't set up key-based authentication yet) and edit .ssh/authorized_keys:

$ nano -w .ssh/authorized_keys

Note the nano -w; if you forget to specify -w, word wrap will be enabled and bungle up the format of your authorized_keys file! You don't want this, because each line of authorized_keys must be an entire ssh publickey. You should already have one publickey in there that was set up the very first time you logged into your account:

  GNU nano 1.3.12             File: g09job.qsub                                 

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5RnzGKXvfcIcJOnyo3gz22qz763WP7jgnD9pndZyaT4$

^G Get Help  ^O WriteOut  ^R Read File ^Y Prev Page ^K Cut Text  ^C Cur Pos
^X Exit      ^J Justify   ^W Where Is  ^V Next Page ^U UnCut Text^T To Spell

So move the cursor down to an empty line (or create a new line by pressing return), then paste in the line that you copied from puttygen:

  GNU nano 1.3.12             File: g09job.qsub                                 

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5RnzGKXvfcIcJOnyo3gz22qz763WP7jgnD9pndZyaT4$

^G Get Help  ^O WriteOut  ^R Read File ^Y Prev Page ^K Cut Text  ^C Cur Pos
^X Exit      ^J Justify   ^W Where Is  ^V Next Page ^U UnCut Text^T To Spell

Again, be sure that word wrap didn't break the line you pasted from puttygen into multiple lines. Once you've done this, ctrl+x to exit, and be sure to save your changes.
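To confirm that no line was broken by word wrap and that no key falls below the 2048-bit minimum recommended above, the file can be checked line by line. The following Python sketch is an added example, not part of the original guide or any SDSC tool; it assumes lines without leading options, and the function names and sample keys are constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum from the guide above; 1024-bit keys are flagged
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}  # common types only

def _read_string(blob, pos):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key data")
    return blob[pos + 4:end], end

def check_line(line):
    """Return 'ok' or the reason this authorized_keys line is unusable or weak."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return "no key type followed by key data (wrapped line?)"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        inner_type, pos = _read_string(blob, 0)
        if inner_type.decode("ascii", "replace") != fields[idx]:
            return "key type does not match key data"
        if fields[idx] == "ssh-rsa":
            _exponent, pos = _read_string(blob, pos)
            modulus, pos = _read_string(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return f"weak: {bits}-bit RSA key"
    except ValueError as err:  # binascii.Error is a ValueError subclass
        return f"damaged key data: {err}"
    return "ok"

def check_file(text):
    """Check every non-blank, non-comment line; return [(line_number, verdict)]."""
    return [(n, check_line(l)) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")]

def sample_rsa_line(bits):
    """Build a syntactically valid ssh-rsa line around a constructed modulus."""
    pack = lambda b: struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # not a real key
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(b"\x00" + n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

On the login node, pass the contents of .ssh/authorized_keys to check_file; a line split in two by word wrap shows up as one "damaged key data" entry followed by one "no key type" entry.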

Once you've pasted your publickey from puttygen into your remote account's authorized_keys file on Gordon/Trestles, go back to your puttygen window. We still have to save the privatekey corresponding to the publickey you just pasted.

Before saving your private key though, note that you can add a Key passphrase (red arrow below) to your ssh key to encrypt it. This is essentially password-protecting your password and I strongly recommend doing this even though it's optional--without encrypting your ssh key with a passphrase, anyone who can access your ssh key file will be able to log into your Gordon/Trestles account without needing to know your login password. On Windows, this is a very real hazard.

Step 3

Now you have to save the private part of your ssh key by clicking the Save private key button (red arrow below):

Step 5

If you disregarded my advice and are leaving your privatekey unencrypted, you will get a warning. Again, don't leave your ssh key unencrypted on Windows unless you are sure you know what you are doing--this typically means editing the file access permissions for the keyfile you will be generating to make sure nobody on your network can access this file and use it to break into your account on Gordon/Trestles.

Step 6

Save your private key somewhere safe--definitely don't put it in a shared folder or anywhere someone can easily steal it from you. This key file is all you (or whoever else gets ahold of it) needs to get into your account if you did not encrypt it with a passphrase.

Step 7

Using the Key with PuTTY

Now that you've generated your .ppk private key file, you can configure PuTTY to use that key before presenting you with a password prompt whenever you try to log in. If you don't have a profile already created for Gordon or Trestles in PuTTY, you can make one by doing something like

  1. Enter under Host Name (or IP address)
  2. Enter Gordon under Saved Sessions
  3. Press the Save button

If you already have a saved profile, be sure to Load it (red arrow below) before proceeding--this will allow us to modify it instead of having to create a new profile for the ssh key we just generated.

Step 8

On the list of options on the left side of the PuTTY window, scroll down to Connection, then expand it, expand the SSH tree, then click the Auth category. You will be presented with something like this:

Step 9

Click the Browse button under the Private key for authentication input box, then find the PPK file we just saved in puttygen and load it:

Step 10

Navigate back to the Session option on the left side of the PuTTY window and click Save to save the location of your PPK file with your profile for Gordon (or Trestles):

Step 11

Following this, you should now be able to Open the profile and have your private key used whenever you try to connect. As a bonus, this PPK file can be used with programs like WinSCP in much the same way. Using key-based authentication is arguably better than simply saving your login password in WinSCP, and if your key is ever stolen, you can de-activate it by removing it from the authorized_keys file in your account on Gordon or Trestles and repeating this process to generate a new key.