There are often times when you cannot SSH directly to a system, perhaps because it is behind a firewall or NAT. SSH can proxy a connection through another SSH host; we’ll call this the jump box. With OpenSSH you could feasibly hop through several systems, but we’ll focus on a single hop.
First things first, you’re going to need some crypto keys.
If you do not already have RSA (or EC) keys, you can generate one at the default key path with the following command in a terminal.
ssh-keygen -t rsa
This will store the key in ${HOME}/.ssh/id_rsa by default and prompt you for a passphrase. On both Mac and Linux graphical desktops this passphrase can be managed by the desktop keyring, so go ahead and make it a strong one. Either way, you only have to enter it once per user session.
Your public key is stored in ${HOME}/.ssh/id_rsa.pub. This is the file that you will need to copy to remote systems, and as the name implies, it is safe to share freely; remote systems use it to authenticate you.
Finally, you want to load it into your SSH key agent. First, test that you have an SSH agent loaded by trying to list your current keys.
ssh-add -l
If this states that you cannot connect to an agent, we’ll need to start one.
eval $(ssh-agent)
Now add your key (it will prompt you for your key passphrase).
ssh-add ${HOME}/.ssh/id_rsa
You should now be able to view your identity:
ssh-add -l
2048 14:7b:4f:f9:0d:19:26:bb:b5:6f:bf:10:0f:df:90:5b /home/luser/.ssh/id_rsa (RSA)
Sourced from link::https://www.digitalocean.com/community/tutorials/how-to-create-ssh-keys-with-putty-to-connect-to-a-vps[Digital Ocean]
While PuTTY is a client program for SSH (in addition to Telnet and Rlogin), it is not a port of or otherwise based on OpenSSH. Consequently, PuTTY does not have native support for reading OpenSSH’s SSH-2 private key files. However, PuTTY does have a companion named PuTTYgen (an RSA and DSA key generation utility), that can convert OpenSSH private key files into PuTTY’s format; allowing you to connect to your cloud server from a Windows machine, with the added security that SSH keys provide.
PuTTYgen is a (free) open-source utility and can be downloaded from the maintainer’s website. PuTTYgen is what you will use to generate your SSH keys for use in PuTTY. To start, all you need to do is download the executable files (.exe) and save them on the computer that you’ll use to connect to your VPS, e.g. on the desktop. You will not need to "install" PuTTYgen, because it is a standalone application.
To generate a set of RSA keys with PuTTYgen:
- Start the PuTTYgen utility, by double-clicking on its .exe file;
- For Type of key to generate, select SSH-2 RSA;
- In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods);
- Click the Generate button;
- Move your mouse pointer around in the blank area of the Key section, below the progress bar (to generate some randomness) until the progress bar is full;
- A private/public key pair has now been generated;
- In the Key comment field, enter any comment you’d like, to help you identify this key pair later (e.g. your e-mail address, home, office, etc.); the key comment is particularly useful in the event you end up creating more than one key pair;
- You should type a passphrase in the Key passphrase field and re-type the same passphrase in the Confirm passphrase field. Since we’ll be using an agent to load the keys, you’ll only have to type this once per session. Make it a strong passphrase.
- Click the Save public key button and choose whatever filename you’d like (some users create a folder on their computer named my_keys);
- Click the Save private key button and choose whatever filename you’d like (you can save it in the same location as the public key, but it should be a location that only you can access and that you will NOT lose! If you lose your keys and have disabled username/password logins, you will no longer be able to log in!);
- Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All;
- Right-click again in the same text field and choose Copy. Use this to set up the public key on the remote server(s) after we set up your SSH agent using Pageant.
Sourced from link::https://www.digitalocean.com/community/tutorials/how-to-use-pageant-to-streamline-ssh-key-authentication-with-putty[Digital Ocean]
If you installed the full distribution of PuTTY, you will have a number of utilities in the same directory as putty.exe, namely pageant.exe, plink.exe, and others. Launch Pageant. It will start minimized to the system tray by default. Right-click on the icon and select View Keys.
Click the Add Key button. This will open the file explorer, where you can choose one or more keys at a time to load. You should select files with the .ppk extension, which is the PuTTY key format.
If the key is passphrase-protected, Pageant will ask for your passphrase for that key. Once your key is loaded, you will no longer be prompted for the passphrase.
Once successfully loaded, you will see it listed in the Pageant Key List window.
Now it’s time to set up the remote server. You will want to do this on both the jump box and the final endpoint.
- SSH to the system and ensure your .ssh directory is set up. SSH requires that the directory be readable and writable only by your user account; with sshd’s default StrictModes setting, a directory writable by the group or by others causes the keys in it to be ignored and the login to fail.
mkdir -p ${HOME}/.ssh
chmod 0700 ${HOME}/.ssh
Now add your public key to the file ${HOME}/.ssh/authorized_keys. This is the contents of id_rsa.pub on your local system (or the key we copied from PuTTY).
cat <<eof | tee -a ${HOME}/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDR3vzk//b72jiwReXjK/AKycn2UQMNm3H3GR2OS0nsudHA5hfyl9PsoyZWpQFdrt0Q5Caz7LszBjBm1qS1EEnE4fQa2qXLnNj3LI0r+hRhvonKJnDuTgaTkmVYfD2fcLWA718u5y2/TTStAC1xdcb+4T3vmVHvysWL08wEHa8TQT5woLgHufnFmRQs6Z+L0En2uaTeEFFVQMpo4z0eF2fXuy3XJXk71cghHsUJk7H/3jbo19NtORR23dNQMwwJLBodEoX95M2ruVyCWFnP356T02T9WkKpoTUdZY5UKQq+I3Ad0GTFoG2hKRuDbqrYVTw8dQUPUfh4Lfc/O+iHp8lR luser
eof
After you’ve done this on the jump box, try logging in again. If everything is set up correctly, you shouldn’t be prompted for a password.
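The tee -a line above works, but running it twice appends the key twice, it does not check that what you pasted is actually a key, and it leaves authorized_keys with whatever permissions your umask gives it. The following is an added example, not part of the original tutorial: a small POSIX sh helper that creates the directory with the permissions sshd’s StrictModes expects, validates the key line, and appends it only once. The key blob in the demonstration is constructed and not a real key; the function and file names are the author’s own.

```shell
#!/bin/sh
# add_authorized_key SSH_DIR KEY_LINE
# Creates SSH_DIR (0700) and SSH_DIR/authorized_keys (0600), checks that
# KEY_LINE looks like an OpenSSH public key, and appends it unless the same
# type+blob is already present (so re-running it never duplicates a key).
add_authorized_key() {
    ssh_dir=$1
    key_line=$2
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $key_type" >&2; return 1 ;;
    esac
    # the blob must be non-empty base64 (A-Z a-z 0-9 + / =)
    if [ -z "$key_blob" ] || printf '%s' "$key_blob" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "malformed key blob" >&2
        return 1
    fi
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    auth="$ssh_dir/authorized_keys"
    touch "$auth"
    chmod 0600 "$auth"
    # compare on type and blob only, so a different comment is not a new key
    if grep -qF -e "$key_type $key_blob" "$auth"; then
        echo "key already present" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth"
}

# count_keys SSH_DIR: number of lines currently in authorized_keys
count_keys() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}

# check_perms SSH_DIR: prints "ok" when the directory is exactly 0700 and
# authorized_keys exactly 0600 (what StrictModes requires), else "bad"
check_perms() {
    if [ -n "$(find "$1" -prune -perm 700 -print)" ] &&
       [ -n "$(find "$1/authorized_keys" -prune -perm 600 -print)" ]; then
        echo ok
    else
        echo bad
    fi
}

# Demonstration with a constructed (not real) key in a temporary directory.
demo_dir=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedKeyNotReal luser'
add_authorized_key "$demo_dir/.ssh" "$demo_key"
add_authorized_key "$demo_dir/.ssh" "$demo_key"   # second call is a no-op
echo "keys: $(count_keys "$demo_dir/.ssh"), perms: $(check_perms "$demo_dir/.ssh")"
rm -rf "$demo_dir"
```

Point it at ${HOME}/.ssh on the jump box and on the endpoint; check_perms is also a quick answer to the usual "why does it still ask for a password" question, which is more often bad permissions than a bad key.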
From the jump box, ssh to your next hop and repeat the process. To test your keys on the next hop, connect to the jump box with the option to forward your SSH agent. This is ssh -A user@jumpbox using OpenSSH; in PuTTY it is in the SSH options.
On your local workstation, edit (or create if needed) the file ${HOME}/.ssh/config. This file lets us set per-host preferences for SSH.
Host jumpbox
    Hostname 10.5.3.4
Host endpoint (1)
    User my-username (2)
    Hostname 192.168.3.2 (3)
    ForwardAgent yes (4)
    ProxyCommand ssh -q -x jumpbox -W %h:%p (5)
- (1) This is the hostname, IP address, or alias that SSH will match on.
- (2) The User option is only needed if it differs from your local username.
- (3) This is the hostname that SSH will actually try to connect to. It can be a DNS-resolvable name or an IP address.
- (4) This tells SSH to forward your agent socket to the remote system so you can authenticate to other systems from it.
- (5) This is what tells SSH how to connect to this system through another system. In this case, we use the alias jumpbox, which is also defined in this file.
You should now be able to SSH directly to your endpoint! Try it out!
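If the hop does not work, the first thing to check is which stanza OpenSSH actually picked and what the %h and %p tokens in the ProxyCommand expanded to; `ssh -G endpoint` prints exactly that. The following is an added example, not from the original post: a deliberately simplified resolver that mimics that check on a config file so you can see the token expansion without a live jump box. It only handles exact Host matches (no wildcards) and the four options used above, and it keeps the first value it sees for each option, which is the OpenSSH rule. The config it parses is constructed to mirror the stanza above; the function name is the author’s own.

```shell
#!/bin/sh
# resolve_proxy CONFIG_FILE ALIAS
# Prints "direct user@host:port" when ALIAS has no ProxyCommand, otherwise
# "proxy <ProxyCommand with %h %p %r expanded>". Simplified model of ssh -G:
# exact Host matches only, first value wins, keywords are case-sensitive.
resolve_proxy() {
    awk -v alias="$2" '
        # a Host line starts a new stanza; only an exact alias match selects it
        $1 == "Host" {
            inhost = 0
            for (i = 2; i <= NF; i++) if ($i == alias) inhost = 1
            next
        }
        # OpenSSH keeps the first value it sees for each option
        inhost && $1 == "Hostname"     && host == "" { host = $2 }
        inhost && $1 == "User"         && user == "" { user = $2 }
        inhost && $1 == "Port"         && port == "" { port = $2 }
        inhost && $1 == "ProxyCommand" && pc == ""   {
            pc = $0
            sub(/^[ \t]*ProxyCommand[ \t]+/, "", pc)
        }
        END {
            if (host == "") host = alias
            if (port == "") port = "22"
            if (user == "") user = ENVIRON["USER"]
            if (pc == "") { print "direct " user "@" host ":" port; exit }
            # %h is the real Hostname, %p the port, %r the remote user
            gsub(/%h/, host, pc); gsub(/%p/, port, pc); gsub(/%r/, user, pc)
            print "proxy " pc
        }
    ' "$1"
}

# Demonstration: a constructed config mirroring the stanza in the text.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Host jumpbox
    Hostname 10.5.3.4
Host endpoint
    User my-username
    Hostname 192.168.3.2
    ForwardAgent yes
    ProxyCommand ssh -q -x jumpbox -W %h:%p
EOF
resolve_proxy "$demo_cfg" endpoint   # proxy ssh -q -x jumpbox -W 192.168.3.2:22
resolve_proxy "$demo_cfg" jumpbox    # direct $USER@10.5.3.4:22
rm -f "$demo_cfg"
```

Two things the expansion makes visible: the inner ssh connects to jumpbox using the jumpbox stanza, so that stanza must resolve on its own, and because OpenSSH takes the first value for each option, a more specific Host block must come before any catch-all one. On ForwardAgent, remember that while you are connected, anyone with root on the jump box can use your forwarded agent to authenticate as you, so enable it only for hosts you trust and only in the stanzas that need it.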
Sourced from link::https://monkeyswithbuttons.wordpress.com/2010/10/01/ssh-proxycommand-and-putty/[Monkeys With Buttons] blog
The concepts of the PuTTY configuration are similar. Create a connection entry as normal (specifying username in Data if needed), and select Connection → Proxy.
Specify the proxy type as local and put the jumpbox hostname as the Proxy Hostname. The equivalent to the ProxyCommand in OpenSSH is the lower box labelled Telnet command, or local proxy command. Enter the following:
plink %user@%proxyhost -nc %host:%port
Your configuration should look something like this:
That’s it! Get back to work!