Automated SSH authentication on Windows

I use a few remote UNIX servers. Some host web content, some are Source Control repositories. All of them I access using SSH either for an interactive shell, or as a tunnel for applications like Subversion, CVS or rsync.

A few months ago when I started committing to projects on Codehaus I had to set up an SSH key-pair since they don’t allow plain password authentication for their SSH server. This was actually good since I’d been meaning to switch to key-based authentication for a while but hadn’t quite got around to it. The main reason for using key-pairs is the extra security – you have to ‘bring something’ (your private key) as well as just ‘know something’ (either a password, or the passphrase of your private key). However there is an added benefit in using key-pairs in that once you have set them up in any one ‘session’ you don’t have to keep re-entering a password. (A session here is usually a Windows, or X-Windows, login session.)

It took me a while to get all of that set up though. I wanted to use Putty since it was before I’d started using the command line in anger. Putty actually makes this kind of thing pretty easy through using its Plink (RSH implementation), PuTTYgen (Key generator) and Pageant (key authentication agent) programs, but the problem was around key formats. Putty by default saves you a public key that won’t work on an OpenSSH remote server. After some head banging and half an hour with a friendly Codehaus Despot or two on an IRC channel we managed to get it working. The key (haha!) was to do the following in PuTTYgen:

  • Use SSH2 DSA keys
  • Don’t use the public key file that is saved, but instead use the contents of the box at the top of the window. Yes, the one that says ‘Public key for pasting into OpenSSH authorized_keys file’ that I should have used straight away 🙂

Then it was just a matter of setting up a saved Putty session (including my user name) and adding my key to Pageant. You do have to remember to try to use Putty for an interactive login the first time you connect to a server so that it can save a copy of the server’s key locally.
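Since the wrong public-key format fails silently (sshd just ignores the line and falls back to asking for a password), here is a small check I would run on the key file before copying it into authorized_keys. This is an added example, not code from the original post; it assumes only a POSIX shell with head, grep and find (all of which Cygwin provides), and the sample key text used in comments is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a public key
# before it goes into a remote OpenSSH authorized_keys file.

# Classify the first line of a public-key file. Prints one of:
#   openssh  - a single "ssh-dss AAAA..." or "ssh-rsa AAAA..." line, which is
#              what authorized_keys wants (the text in PuTTYgen's top box)
#   ssh2     - an RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" block, which is
#              what PuTTYgen's "Save public key" writes and sshd ignores
#   unknown  - anything else (a private key, an empty or missing file, ...)
classify_pubkey() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        "---- BEGIN SSH2 PUBLIC KEY ----"*) echo ssh2 ;;
        *)
            if printf '%s\n' "$first" | grep -Eq '^ssh-(dss|rsa) [A-Za-z0-9+/]+=*( .*)?$'; then
                echo openssh
            else
                echo unknown
            fi ;;
    esac
}

# Returns 0 if the path is writable by group or others. sshd with the default
# StrictModes setting refuses keys when authorized_keys, ~/.ssh or the home
# directory is writable by anyone but the owner, and that failure looks exactly
# like "my key is ignored and I get a password prompt".
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Combined check: 0 only when the file is in OpenSSH format and owner-only writable.
check_key_file() {
    [ "$(classify_pubkey "$1")" = openssh ] || return 1
    writable_by_others "$1" && return 1
    return 0
}
```

Run `check_key_file ~/.ssh/id_dsa.pub` (or the pasted authorized_keys line saved to a file) and fix whichever check fails before trying to log in. The classifier accepts ssh-rsa as well as ssh-dss because OpenSSH releases from 7.0 onwards no longer accept ssh-dss keys by default, so a key made today should be RSA (or a newer type) rather than the DSA key this post uses.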

Using Plink works fine for command line Subversion (see my earlier post for my [tunnels] setup), but today I hit a problem using it with rsync. Cygwin’s rsync seems to want to use Cygwin’s ssh, and Plink just doesn’t seem to play ball. ‘No problem’, I thought, ‘UNIX must have an equivalent of Pageant’. Indeed it does – it’s called ssh-agent. Using this helpful page I found the required incantation, but hit a problem in that it wouldn’t accept the passphrase on my private key. After a couple of minutes I realised that it was another formatting problem which PuTTYgen could solve for me. All up then, being able to use my Putty-generated private key on Cygwin required the following steps:

  • Load private key in PuTTYgen
  • From the Conversions menu, select Export OpenSSH key
  • Save it as a file called id_dsa in the ~/.ssh directory. On my machine that is equivalent to c:\Documents and Settings\mroberts\.ssh\id_dsa
  • Add the following to my ~/.profile file: alias startssh="eval \`ssh-agent\` ; ssh-add"
  • Add the following to my ~/.profile file: alias stopssh="ssh-agent -k"

Now I just run startssh and stopssh around any time I want to do some rsync work. It’s not perfect since right now I need to start up ssh-agent for every Cygwin prompt, and I also need to stop it before I exit the prompt otherwise the window will hang. There’s probably some hackery that can be done using a Windows Service, but I’ll save that investigation for another day.
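One way around the one-agent-per-prompt problem that needs no Windows Service: start ssh-agent once, write the environment it prints to a private file, and have every new prompt source that file and check whether the agent is still alive before starting another. The functions below are an added example written for this post, not the author’s aliases; they assume ssh-agent and ssh-add are on the PATH and that ~/.ssh exists, and the env file name ~/.ssh/agent-env is my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): replacement for the startssh /
# stopssh aliases that reuses one ssh-agent across Cygwin prompts.

# Where the output of `ssh-agent -s` is kept between prompts (assumed name).
SSH_AGENT_ENV_FILE="${SSH_AGENT_ENV_FILE:-$HOME/.ssh/agent-env}"

# Source an env file written by `ssh-agent -s` and return 0 if the agent it
# names is still running. Setting SSH_AUTH_SOCK / SSH_AGENT_PID in the caller
# is the point: that is what a fresh prompt needs to reach the old agent.
agent_is_alive() {
    envfile="$1"
    [ -r "$envfile" ] || return 1
    unset SSH_AGENT_PID SSH_AUTH_SOCK
    . "$envfile" >/dev/null          # the file also echoes "Agent pid N"
    [ -n "$SSH_AGENT_PID" ] && [ -n "$SSH_AUTH_SOCK" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

startssh() {
    if ! agent_is_alive "$SSH_AGENT_ENV_FILE"; then
        # Whoever can read this file can find the agent socket, so create it 0600.
        ( umask 077; ssh-agent -s > "$SSH_AGENT_ENV_FILE" )
        . "$SSH_AGENT_ENV_FILE" >/dev/null
    fi
    # ssh-add -l exits 0 with keys loaded, 1 when the agent holds no identities,
    # 2 when it cannot reach the agent at all; only the middle case needs ssh-add.
    status=0
    ssh-add -l >/dev/null 2>&1 || status=$?
    case $status in
        1) ssh-add ;;                # passphrase prompt, once per agent lifetime
        2) echo "startssh: cannot talk to ssh-agent" >&2; return 1 ;;
    esac
}

stopssh() {
    if agent_is_alive "$SSH_AGENT_ENV_FILE"; then
        ssh-agent -k >/dev/null      # uses the SSH_AGENT_PID just sourced
    fi
    rm -f "$SSH_AGENT_ENV_FILE"
}
```

Put the block in ~/.profile in place of the two aliases and call startssh at the end of it: the first prompt of the day asks for the passphrase, later prompts find the running agent and ask for nothing, and stopssh is only needed when you actually want the key unloaded (at the end of the Windows session, say) rather than before closing every window.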