Table of contents
- Introduction
- Open a CMD prompt
- Creating a key
- Copying your key to a server
- Using ssh-agent (optional)
- Additional information
These notes are for Windows 10 only. If you find that you don't have the "ssh" command, please ensure that you have all of the latest updates applied to your system. You can do so by selecting the Start button, then going to Settings > Update & Security > Windows Update, then selecting Check for updates.
For instructions on adding SSH keys for other platforms, visit this FAQ.
Introduction
As of April 12, 2019, SSH keys are required when SSHing to CS/CSRES networks when outside of our networks, campus wireless, or the VPN. The University ISO will quarantine any host allowing SSH access that has not disabled password authentication.
An SSH key pair consists of two keys: One public key and one private key. The public key, as the name suggests, is public and can be safely shared with the world. The private key should never be shared with anyone and should be kept safe.
In order to use SSH keys to connect to a remote computer, one must first create an SSH key pair on one's computer, then copy the public SSH key to the remote computer. You will create an SSH key pair on each computer that you want to SSH from. You can use the same public SSH key from one computer to connect to many others.
E.g., if you have two computers at home, home1 and home2, and want to use them to connect to remote1, remote2, and remote3, you would create an SSH key pair on both home1 and home2, and then send the public key from home1 to all three remote computers, and lastly you would send the public key from home2 to all three remote computers.
Below are the necessary instructions to create an SSH key pair and add your public key to your CSRES machine. For the purposes of these instructions, we will assume that you want to SSH into a CSRES machine from a computer at home. To avoid confusion, we will use the following terminology:
HOME = Your home computer
CSRES_USER = Your CSRES machine's username
SERVER.csres.utexas.edu = The machine that you need to SSH into and add your SSH key to.
NOTE: All commands will be run on HOME, unless otherwise specified.
Open a CMD prompt
Firstly, you will want to open a CMD prompt in which you will type all of the commands in the next steps. To do so, simply:
- Hold the Windows key and press r. This will open the "Run" window.
- Type cmd and press Enter (or click "OK").
You will now have a black CMD prompt waiting for your input.
Creating a key
To create a 4096-bit RSA key, run the following:
ssh-keygen -t rsa -b 4096
- Press Enter to use the default location. (Recommended) 1
- Enter a passphrase (ALWAYS use a passphrase!!) 2 3
- Enter your passphrase a second time.
It should look something like this:
Your public SSH key is located by default at C:\Users\<username>\.ssh\id_rsa.pub and is perfectly safe to be shared with anyone.
Your private SSH key will be located by default at C:\Users\<username>\.ssh\id_rsa. You should NOT touch this file or share it with anyone.
Copying your key to a server
From UT VPN, UT wireless, or the CS network
If you are connected to UT VPN, or have brought your machine to campus and have connected it to UT wireless or the CS network, then you should use this method.
You can find more information on how to connect to UT VPN by visiting this page.
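To copy your SSH public key from HOME to SERVER.csres.utexas.edu, simply copy and paste the below command into a CMD prompt. The relative path .ssh\id_rsa.pub assumes the prompt is in C:\Users\<username>, which is where a CMD prompt opened from the "Run" window starts by default: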
type .ssh\id_rsa.pub | ssh CSRES_USER@SERVER.csres.utexas.edu "umask 0077 && mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
- If you see the text "Are you sure you want to continue connecting (yes/no)?" type yes and press Enter.
- Enter CSRES_USER's password to send your public key to the server.
- If successful, you will not see any special output. It will go back to the normal CMD prompt with a blinking cursor.
Congratulations! You can now use your SSH key to log into your CSRES machine!
From off campus
Copy to a USB drive
If you are unable to connect to UT VPN or cannot bring your machine to campus, then copying your public SSH key to a USB drive is another solution.
On your home computer:
- Plug in a USB drive.
- If it does not auto-mount, open a file manager and open the USB device to view its contents.
- Open another File Explorer window and navigate to C:\Users\yourusername\.ssh.
- Copy the id_rsa.pub file to your USB's folder.
- Safely unmount/eject your USB drive and bring it to campus.
From here, you will want to log into a CS lab machine and do:
- Plug in the USB drive
- If it does not auto-mount, open a file manager and open the USB device to view its contents.
- In a terminal, run df -hT to find the full path to your mounted USB drive.
- cat /media/yourusername/directory/id_rsa.pub >> ~/.ssh/authorized_keys (Replace /media/yourusername/directory with your real USB drive's mount point path)
- chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
- If step #5's command gives any errors, please submit a helpreq.
- Safely unmount/eject your USB drive.
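The append step above (and the "cat >> ~/.ssh/authorized_keys" half of the remote command in the previous section) can be wrapped in a function that refuses a private key copied by mistake, skips a key that is already installed, and applies the 700/600 permissions in one pass. This is an added example, not part of the original instructions; add_pubkey, its arguments and its return codes are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: a checked replacement for "cat id_rsa.pub >> ~/.ssh/authorized_keys".
# add_pubkey is a hypothetical helper name, not an OpenSSH command.
#
# add_pubkey PUBKEY_FILE [SSH_DIR]
# Returns 0 = key appended, 1 = key already present, 2 = file rejected.
add_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # Refuse a private key copied by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a PRIVATE key; it must never leave HOME" >&2
        return 2
    fi

    # A public key file is one line: "<type> <base64> [comment]".
    # tr strips the CR that Windows tools may leave at the end of the line.
    line=$(tr -d '\r' < "$pub" | sed -n '1p')
    case $line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "$pub does not look like an OpenSSH public key" >&2; return 2 ;;
    esac

    # Create the directory and file private to the user, then enforce the
    # same modes as "chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys".
    (umask 077 && mkdir -p "$dir" && touch "$auth") || return 2
    chmod 700 "$dir" && chmod 600 "$auth" || return 2

    # Compare key type and key material only, so a changed comment
    # does not install the same key twice.
    key=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    if grep -qF -- "$key" "$auth"; then
        return 1
    fi

    # If the existing file lacks a final newline, add one so the new key
    # is not glued onto the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
}

# When run as a script: sh add_pubkey.sh /media/yourusername/directory/id_rsa.pub
[ $# -eq 0 ] || add_pubkey "$@"
```

A return code of 1 means the key was already in authorized_keys and nothing was changed.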
Using ssh-agent (optional)
ssh-agent is a program included in OpenSSH that will remember your SSH key and not require you to type its passphrase each time you use SSH. Your desktop environment on HOME should start up ssh-agent when you log in.
- Hold the Windows key and press r. This will open the "Run" window.
- Type services.msc and press Enter (or click OK).
- Scroll through the list of services until you find "OpenSSH Authentication Agent".
- Right-click on "OpenSSH Authentication Agent" and select "Properties".
- Under "Startup type", choose "Automatic".
- Click "Apply".
- Click the "Start" button underneath "Service status".
- Click "OK" to complete this process and close the Services window.
From here the SSH Authentication agent is running and you can now use the ssh-agent command to have Windows securely remember your SSH private key's passphrase.
- To add your SSH key to the agent, simply type:
ssh-add
- Type in your SSH key's passphrase and you're good to go!
You won't need to type in your passphrase or even ssh-agent any longer, even after a reboot. You can simply use your normal ssh commands.
Additional information
- If you choose to not use the recommended location for your private key, you will need to specify its location in either your ssh command (with -i) or after your ssh-add command if using ssh-agent.
- This is not your CSRES_USER's password. The passphrase that you choose for your SSH key should be different from your CSRES_USER's password. See Selecting a strong password to learn how to choose a secure passphrase instead of a password.
- When typing your passphrase, you won't see any output on your screen. This is normal and is for your security.