SSH Public Key
Configuration Windows NT/2000/XP 		 
Contents
1.0 Server
2.0 Client
3.0 CLI Configuration
  Using SCP from the command line
  Using SSH2 for command line
Additional Resources
Revision History

Scope

This document outlines how to configure the SSH cleient & daemon for NT/W2K/XP to accept public key authentication. This was done on server version SSHServerSetup312.exe
 

This document uses version 3.2 of the client and server software from SSH.COM.
 
1.0 Server
  1. To begin the configuration of the server, go to the Start menu and select Programs > SSH Secure Shell Server > Configuration .


     
  2. Click on User Authentication and select Allow for Public Key Authentication.

NOTE:

You can also edit the configuration file directly
 

Using a text editor, open
C:\Program Files\SSH Communications Security\SSH Secure Shell Server\sshd2_config

Under ## Authentication methods add in public key as an AllowedAuthentication mode.
It should look like the line below:

AllowedAuthentications    "publickey,password,"

Restart server
 

 

 

 

 

 

 
 
2.0 Client
To configure SSH for NT/W2K/XP for public key authentication
This was done on client version 3.2.0
  1. Connect to the server you would like to set up public key authentication with.
  2. Click Edit > Settings > Global Settings > User Keys.
  3. Click Generate New Keypair.

     
  4. Click Next.


     
  5. Choose RSA and a key length of at least 2048, then click Next.

     

  6. After the key generation has indicated that it is complete, click Next.

     

  7. Fill in the Name, Comments and a strong Passphrase   then click Next.


     
    NOTE:
    For machine automation leave passphrase blank.
     


     

  8. Click Upload Private Key. Click Finish.

     
 
Example: Upload Private Key
 

NOTE:
If get the below message you can safely ignore it.

 


 

9. To configure the connection to use the key ensure that Public Key is first (or only mode of authentication.

10. On connection you will be prompted for passphrase. Enter the passphrase and click OK.

 
3.0 CLI Configuration
1. Generate user public keys with the following command:

    Type ssh-keygen2 at command prompt

2. You will be asked to enter a passphrase in compliance with InfoSec's password policy. This will create a public and private key.
 

NOTE: For machine automation leave passphrase blank


C:\>ssh-keygen2
Generating 2048-bit dsa key pair
6 OOo.oOo.oOo.
Key generated.
2048-bit dsa, username@machinename, Thu Jul 18 2002 21:10:08
Passphrase :
Again :
Private key saved to C:/Documents and Settings/username/Application Data/SSH/UserKeys/id_dsa_2048_a
Public key saved to C:/Documents and Settings/username/Application Data/SSH/UserKeys/id_dsa_2048_a.pub


 

 

3. If you want to manually upload the public key (id_dsa_2048_a.pub) it goes into the Documents and Settings\username\.ssh2 directory of the SSH server
 



 

4. Add a line to the file 'authorization': in the same directory key
" id_dsa_2048_a.pub "


Using SCP from the command line

C:\>scp2 testfile.txt username@10.0.0.1:/
Passphrase for key " id_dsa_2048_a " with comment "[2048-bit dsa, username@hostname, Fri Jul 19 2002
14:00:32]":
testfile.txt | 601B | 0.6 kB/s | TOC: 00:00:01 | 100%


Using SSH2 from the command line


C:\>ssh2 username@10.0.0.1
Passphrase for key "C:/Documents and Settings/username/Application Data/SSH/id_dsa_2048_a" with comment "[
2048-bit dsa, username@hostname, Fri Jul 19 2002 14:00:32]":
Authentication successful.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

 

 

 

 

 

UNIX NOTE:

To use Public Keys from a windows client to an open SSH server you have to copy the public key from windows host to Unix host. CD to ~/.ssh

UNIX clients that are using SSH to connect to a NT/W2K/XP server
will need a local account setup on the NT/W2K/XP box. Windows Domain
authentication is not supported. Once the local account is created the
user will need to login to the NT/W2K/XP server either locally or via
terminal services to create a profile.

SSH-KEYGEN -i -f publickeyfilename.pub >> authorized_keys2

 

To use Public Keys from a OpenSSH client to an windows server you have to convert the keys from OpenSSH's format.

SSH-KEYGEN -e -f publickeyfilename.pub > publickeyfilename.SECSH.pub


 

Examples:
To setup a trust from a Windows host to a unix host:

1. Generate the keypair on the windows host:

  • cd %D\.ssh2
  • ssh-keygen2 -P -t rsa id_win_rsa

2. Copy the public key to the unix server, ~/.ssh/id_win_rsa.pub.

3. On the unix server:

  • cd to ~/.ssh
  • ssh-keygen -i -f id_win_rsa.pub >> authorized_keys2
  • rm id_win_rsa.pub

To setup a trust from a unix host to a windows host:

1. Generate the keypair on the unix host:

  • cd ~/.ssh
  • ssh-keygen -t rsa -N ""


2. Convert the pub key:

  • ssh-keygen -e -f id_rsa.pub > id_rsa_SECSH.pub
  • Securly copy the public key (id_rsa_SECSH.pub) to the windows host,
    %D\.ssh2\id_rsa_SECSH.pub
  • rm id_rsa_SECSH.pub

3. On the windows host:

  • cd %D\.ssh2
  • add a line to the file 'authorization': "key id_rsa_SECSH.pub"

NOTE: Domain accounts are not supported from UNIX clients. You will need to login locally to the NT/W2K/XP box running the SSH2 daemon to establish a profile
 

Additional Resources

MAJOR Revision History
Date of Change
Responsible
Summary of Change
August 2002 Gavin Reid Developed
     

Note: For information/questions, please contact:
Gavin Reid, gavreid@cisco.com,
2AE4 4564 2239 F93F E52A AE25 D635 8397 03AA E562