UNIX - Setting up ``Passwordless'' UNIX Login

Introduction

The Texas A&M Computer Science Department offers UNIX for Computer Science students via Secure-Shell (SSH) logins. An SSH client such as PuTTY (found at http://www.chiark.greenend.org.uk/~sgtatham/putty/) is directed to one of the CS departmental webservers, and access is gained after the student's UNIX password has been entered at the subsequent prompt.

Although this procedure is relatively painless, the process of entering in one's username and password can become tedious if done often enough. This is especially true in the case of students who use UNIX utilities such as cvs and scp, which involve brief logins which last only as long as one command takes to execute. Fortunately, SSH public-key cryptology offers a simple way to avoid entering your password altogether.

SSH public-key logins involve the use of a public key and a private key, which are generated via an SSH utility. Both of these keys are small text files which contain a long series of gibberish-looking text. The public key is stored in the home directory for your CS UNIX account. The private key is stored on any computer with which you login to your CS UNIX account. Using these keys, a UNIX login can take place in the following manner:

• You start your SSH client and start a connection to a UNIX server.
• The server comes up with a random number, encrypts it with the public key you made, and sends the encrypted random number to your SSH client as a kind of ``challenge.''
• Your SSH client knows how to respond to that challenge: It takes the matching private key that you made along with the server's public key, uses the private key to decrypt the server's challenge, and sends the decrypted challenge back to the server.
• Because your SSH client was able to decrypt the random number challenge correctly, the server knows you have a copy of the right private key, and lets you in without needing to ask you for a password.

Note! The private key will be ``taking the place of your password.'' In other words, after you take the following steps, anybody who has a copy of your key could login to your CS UNIX account just as if they had your password, so guard your key as you would your password.

Another Note! This tutorial involves setting up the PuTTY client on Windows. Notes for setting up Linux or UNIX servers for passwordless UNIX logins are briefly given at the end of this document.

Downloading the Neccessary Programs

You will need to download putty and puttygen from the following website: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Creating Keys with Puttygen

Start the puttygen program. You will need to select the radio button on the program screen that selects ``SSH1 (RSA)'' type key generation. Then click the Generate key to generate your public and private keys. Finally, click the Save public key button to save your public key, and the Save private key button to save your private key.

Putting the Keys in the Right Places

You will need to copy the private key to each computer which you will be using to login to the CS UNIX servers with putty; it can be put in any directory that you wish. Next, you will need to create a directory in your CS UNIX homedirectory called ``.ssh''. Copy the public key you created into that directory. Copy (or rename) the public keyfile into a new file in the .ssh directory named ``authorized_keys'' (this will tell the CS server that it can use that key).

(To create the .ssh directory and to copy the public key file into it, you can use any SSH-capable file transfer client. Several are listed in the CS Helpdesk webpage File Transfer Clients.)

Configure PuTTY to Use Key

Start putty. On the main beginning screen, type in the address of the CS UNIX server you wish to connect to, and select the radio button for ``SSH'' connection. Then click on the left-hand tree item ConnectionSSHAuth, and then click the Browse... button to select the private key you generated earlier.

After doing this, it is good to go back to the main beginning PuTTY screen and save the session properties by naming the session in the Saved Sessions box and then clicking Save.

If you have followed the steps up to this point correctly, you should be able to click Open and have the client connect properly to the server. PuTTY will ask you for your username, but then will log you in via your private key and will not prompt you for a password.

Optional: Creating a PuTTY Shortcut

But maybe we don't want to have to take the trouble of entering in our username! You can make a PuTTY shortcut in Windows which automatically logs you into a specified saved session with a specified username. Then, when you click this special shortcut, it will bring up a PuTTY connection to the CS server, and you won't have to enter in any username or password.

To do this, first create an additional regular shortcut to the PuTTY application (you might want to put it on your desktop or Start Menu). Then right-click the shortcut and click on Properties. After the "C:...putty.exe" in the Target: box, type a space and then -l johndoe -load interactiveSSH (assuming that your CS UNIX username is johndoe and your saved PuTTY session is called interactiveSSH). Then push OK.

After that, you should be able to click your newly created shortcut and go straight to the CS server.

For UNIX Clients

The general ideas given above apply also to those who wish to login via UNIX or Linux SSH clients as well, with the following differences:

• The puttygen utility generates its private keys in some kind of special PuTTY format. You will want to create your keys on your UNIX machine using a command like ssh-keygen1 or ssh-keygen -t rsa1.
• Typically, if you are running a UNIX SSH client, it will look for its private keys in a .ssh directory on your machine. You should probably follow the conventional naming conventions for keys, so that the SSH client knows how to find them (the conventional names for SSH1 rsa keys are identity and identity.pub, for private and public keys, respectively.

PDF version of helpfile