@throwaway96
Last active May 6, 2024 16:57
Creating an SSH key with PuTTYgen for use on webOS TVs

How to Create an SSH Key for webOS with PuTTYgen

Introduction

This is a guide aimed at Windows users who want to set up public key SSH authentication for their webOS TVs. It is assumed that your TV is rooted.

This guide does not cover the Developer Mode SSH server on port 9922, although much of it still applies to that.

The SSH key that will be created can be used in applications such as PuTTY, WinSCP, and Filezilla. You'll be able to connect to your TV without having to type a password. You can even set the username in advance for one-click connections.

On other platforms (e.g., Linux), you're probably going to want to use ssh-keygen.

Requirements

Obviously you need PuTTYgen. It can be downloaded here. There are many other sketchy sites offering downloads of PuTTY and associated tools. I'd avoid them and stick with the official site. PuTTYgen is part of the installable PuTTY package. It can also be downloaded by itself. You'll want Pageant as well. (Although it is possible to use PuTTY keys manually without Pageant, it is far less convenient.)

Creating the Key

Open PuTTYgen. If you're interested in changing any of the options, see the Key Generation Options section below. Otherwise, click the "Generate" button, and move the mouse around in the designated area until the progress bar fills up. At this point, you can add a passphrase to your key if you want. It's not necessary, but it's generally a good idea. Now you should click "Save private key" and choose somewhere to save it. Remember: this file is your login credential, so it should be kept secure. Try not to lose it.

Don't close the PuTTYgen window yet.

Installing the Key on webOS

The goal is to take the public key displayed in the top part of the PuTTYgen window and put it in the authorized_keys file on your TV. You'll need to connect to your TV using either SSH or telnet (or possibly SFTP, but you're mostly on your own with that).

Hint: You can paste text into PuTTY by right clicking or pressing Shift+Insert.

Once you're connected, you'll first need to create the .ssh directory by running these commands:

mkdir -p /home/root/.ssh
chmod 700 /home/root/.ssh

Dropbear will not accept the keys if the permissions on .ssh or authorized_keys are too open (i.e., writable by anyone other than the owner).

Note: The following commands will overwrite any existing keys in the file. If you want to append keys instead, change > to >>.

Now we need to get the public key onto the TV. There are a few different ways to go about this. You can construct an echo command that will do the job, like this:

echo 'key goes here' > /home/root/.ssh/authorized_keys

You might want to build this command in a Notepad window, for example, so that you can paste it straight into PuTTY.

You can also use the cat command, which will wait for you to paste the key and then press Control+D:

cat > /home/root/.ssh/authorized_keys

Control+D sends the "end of file" character. Make sure when you press it, you're at the start of a new line. Press enter to get to a blank line if necessary. Make sure you don't type any extraneous characters.

If you're stuck, you can press Control+C, which will interrupt most programs. (Don't try to use Control+C to copy in PuTTY. Anything you select is automatically copied.) Since these commands overwrite the file each time they're run, if you mess up, just try again.

It is theoretically also possible to create the file on your own computer and transfer it using SFTP. This is not recommended due to potential line ending issues. (Windows uses CRLF, and Linux uses LF. This means Linux will interpret the CR as just another character at the end of the line, and it doesn't belong there.) Incorrect line endings may or may not be a problem in this case; I haven't tested it.

After creating the authorized_keys file, run this command to make sure dropbear will use it:

chmod 600 /home/root/.ssh/authorized_keys

You can check that you've set the permissions correctly with the ls command:

ls -ld /home/root/.ssh
ls -l /home/root/.ssh/authorized_keys

The output of these commands should look something like this:

drwx------    2 root     root          4096 Mar 21 12:34 /home/root/.ssh
-rw-------    1 root     root           398 Mar 21 12:34 /home/root/.ssh/authorized_keys

To check the contents of the authorized_keys file, use the cat command:

cat /home/root/.ssh/authorized_keys

It should show exactly what was displayed in the box in PuTTYgen.
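
The checks from this section (permissions Dropbear will accept, no Windows line endings, each key intact on a single line) can be combined into one script. This is an added example, not part of the original guide: the function names perms_ok and check_authorized_keys are made up for illustration, and it assumes keys are stored without option prefixes.

```sh
#!/bin/sh
# Added example (not from the guide): check an authorized_keys setup for the
# problems described above. The default path is the one used in this guide.

# perms_ok PATH: succeed only if neither group nor others can write to PATH.
perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwx------ or -rw-------
    case "$mode" in
        ?????-??-?) return 0 ;;           # chars 6 and 9 are the g/o write bits
        *) echo "too open: $1 ($mode)"; return 1 ;;
    esac
}

# check_authorized_keys [DIR]: print one line per problem, return 1 if any.
check_authorized_keys() {
    dir=${1:-/home/root/.ssh}
    file=$dir/authorized_keys
    rc=0
    [ -d "$dir" ]  || { echo "missing directory: $dir"; return 1; }
    [ -s "$file" ] || { echo "missing or empty file: $file"; return 1; }
    perms_ok "$dir"  || rc=1
    perms_ok "$file" || rc=1

    # CRLF line endings leave a stray CR at the end of each line.
    cr=$(printf '\r')
    if grep -q "$cr" "$file"; then
        echo "carriage returns found (Windows line endings?): $file"
        rc=1
    fi

    # Each key must sit on ONE line: "<type> <base64> [comment]". A key that
    # was wrapped or cut in two while pasting fails this pattern.
    # Assumption: no option prefixes (e.g. command="...") before the key type.
    types='ssh-rsa|ssh-dss|ssh-ed25519|ssh-ed448|ecdsa-sha2-nistp(256|384|521)'
    bad=$(grep -v -e '^[[:space:]]*$' -e '^#' "$file" | tr -d '\r' |
          grep -c -v -E "^($types) [A-Za-z0-9+/]+=*( .*)?\$" || true)
    if [ "$bad" -gt 0 ]; then
        echo "$bad line(s) do not look like a complete public key: $file"
        rc=1
    fi
    return $rc
}
```

Run check_authorized_keys with no argument to check /home/root/.ssh; no output and an exit status of 0 means none of these problems were found.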

Loading the Key in Pageant

When you run Pageant, it will automatically minimize itself to an icon in the notification area (system tray). If it's not visible, you may have to click the arrow to find it.
The Pageant icon is a computer with a hat to one side.

You can either open Pageant by double-clicking or just right click and bring up the menu. Either way, you're going to choose "Add Key". Select your private key (PPK) file. If you added a passphrase to your key file, you'll need to enter it now. The key should then show up in the list. Close the Pageant window, and it will minimize back to the notification area. Pageant will remain running until you explicitly choose to exit (in the context menu) or turn off/reboot your computer.

Connecting to the TV

Now that the key is loaded in Pageant, it can be used automatically in compatible applications. For example, if you open an SSH connection to your TV in PuTTY and type in the username root, you should instantly be logged in without having to enter a password.

You can stop here if this works well enough for you. Remember that you'll need to start Pageant and add the key before connecting to your TV, but only once each time you start your computer.

The file transfer programs (and in particular, SFTP clients) WinSCP and Filezilla will also use keys loaded in Pageant, so you can try those as well.

Further Setup

If you want to make logging in to your TV even easier, you can set up a saved session in PuTTY. Generally, you'll enter the TV's IP address and leave the port as the default 22. Then in the Category tree on the left of the PuTTY window, choose "Data" (under "Connection"). Enter root in the "Auto-login username" box. Go back to the main panel ("Session" at the top of the tree), enter a name in the box under "Saved Sessions", and click "Save".

Once you have the session saved, you can just double-click it to connect immediately or select it and click "Load" if you want to modify any settings before connecting. If you want to save any modifications, you can click "Save" again. Make sure the name in the "Saved Sessions" text box is correct: it should be the name of your existing session if you want to overwrite it, or something else if not.

You can configure WinSCP similarly, and probably Filezilla as well (although I've never used it).

Even More Settings

In "Behaviour" (under "Window") you can set a title for the PuTTY window. This can be useful for keeping track of PuTTY sessions when you have several open at the same time.

In the same "Data" pane where you entered your username, you can change the terminal type from the default xterm. PuTTY supports color, so you can change it to xterm-256color. I'm not sure if anything in a stock webOS installation will actually behave differently due to this, but there is a terminfo entry for it on at least webOS 4+.

You can pin PuTTY to the taskbar by right-clicking the icon when it's running and selecting "Pin to taskbar". Right-clicking on the icon will then bring up a menu with your recently used sessions. (It also has shortcuts for Pageant and PuTTYgen.) If you have any sessions that you want to always appear, you can pin them in this menu. If everything is configured properly, you should be able to drop directly into a shell just by right-clicking the PuTTY icon and choosing a session.

Using Your Key in webOS Dev Manager

Dev Manager (and some other tools) use the OpenSSH key format rather than PPK. They look for keys in %USERPROFILE%\.ssh, which means the .ssh directory in your user profile folder (C:\Users\<username>). To convert your key file to this format, first open it in PuTTYgen. Choose "Export as OpenSSH key" in the "Conversions" menu and save it to C:\Users\<your username>\.ssh, creating the directory if necessary.

To use the key in Dev Manager, enter its filename in the "Private Key Name" field when adding a device. The authentication method should be "Local Private Key". For a normal Homebrew Channel setup, use port 22 and username root.

Both new and old OpenSSH key formats have been confirmed as working in Dev Manager 1.10.1. This probably applies to the rest of the Rust-based versions (1.9.0+). The older JavaScript-based Dev Manager (up to 1.8.x) has not been tested.

FAQ

Why doesn't the default password (alpine) work anymore?

When the startup script finds that /home/root/.ssh/authorized_keys exists, it won't enable the default password.

What if I lose my key or mess up authorized_keys?

You can always enable telnet in Homebrew Channel and use that to change the public key(s) in /home/root/.ssh/authorized_keys. If you want to go back to using the default password, just delete authorized_keys with this command:

rm /home/root/.ssh/authorized_keys

Removing it will cause the default password to be enabled on the next reboot.

Notes

Key Generation Options

Key Type

Using the default key type of RSA is the safest option in terms of compatibility (but not necessarily security). Other key types may not be supported by various applications. Dropbear (the SSH server used by Homebrew Channel), the LG webOS CLI tools (TV and OSE), and webOS Dev Manager all have certain key types that they don't support. It can be hard to find a type supported by all of them, but RSA is sort of the default and is supported by almost all SSH implementations. The ssh-rsa scheme that PuTTYgen uses for RSA is, however, deprecated in some software because it uses SHA-1.

Elliptic curve cryptography (ECC) is more popular these days than algorithms such as RSA and DSA. ECDSA and EdDSA are the two ECC options in PuTTYgen. You may find that these key types are not as widely supported as RSA. ECC public keys tend to be shorter than RSA/DSA, for whatever that's worth.

Note that recent versions of webOS Dev Manager only seem to support RSA and Ed25519 because the russh library is used for SSH support.

Don't use SSH-1 RSA.

Key Size/Curves

You can make the key larger than the default 2048 bits if desired. Increasing the size will make authentication slightly slower. Generating the key will also take longer. Some software may not support larger key sizes. However, 4096-bit RSA should be usable by everything you're likely to use with webOS.

If you choose an ECC algorithm, be aware that the curve you choose will affect compatibility. For example, Ed25519 keys are supported by OpenSSH on Windows (OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3), but Ed448 keys aren't. As far as compatibility goes, different curves are basically entirely different key types.

Key Formats and Other Platforms

The private key created here is in PPK format. PPK stands for "PuTTY Private Key". It's primarily useful on Windows, where there are many applications that support either Pageant or PPK files directly. There are tools such as ssh-pageant that allow you to use keys stored in Pageant within Cygwin and MSYS environments.

Platforms like Linux, FreeBSD, and macOS generally use the OpenSSH format for private keys. Recent versions of Windows have OpenSSH as an optional installable feature. Their ssh-agent (analogous to Pageant) is integrated with Windows DPAPI.

The OmniSSHAgent project aims to create a single SSH "keychain" that can be used under WSL, by programs compatible with Pageant, and more.

There is also another "standard" key format that is mostly used by proprietary software such as SSH.COM.

@abagonhishead
abagonhishead commented Oct 28, 2023

Hey,
Having WSL with Ubuntu installed on Windows 10+ is a pretty common thing now within technical circles, so I thought I'd add a comment here for anyone who has them installed. There's nowhere near as much faff as using PuTTY, which has kind of been superseded by WSL these days.

Most of this applies to anyone using Ubuntu too, and possibly other Linux distros (I haven't checked if ssh-keygen & ssh-copy-id are an Ubuntu thing or just part of OpenSSH these days)

Setup

Windows

Make sure Ubuntu is set as your default distro by opening PowerShell and running the command wsl -s Ubuntu-20.04 or wsl -s Ubuntu-22.04 depending on which version you have installed. You can check which version you have installed by running wsl -l.
Then, start Ubuntu by typing wsl. Hit enter and wait for bash to start. You should be greeted with:

username@hostname:/mnt/c/Users/username$

Or something along those lines.

Ubuntu

Just open a terminal :)

Generate a key

Next, run the following command:
ssh-keygen -b 4096

You'll be prompted a few times -- you don't need to type anything in, just hit enter. You should see something like this when you're finished:

$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:KEY_FINGERPRINT_HERE username@hostname
The key's randomart image is:
+---[RSA 4096]----+
|     =========   |
|      =+*===+    |
|       ==o*o = = |
|       ==X= o + =|
|        S += o =E|
|       o == = = =|
|      = = =o   =o|
|         =  =   =|
|             ====|
+----[SHA256]-----+

Copy the key to your TV

Once that's done, type ssh-copy-id root@ip.address.of.tv, replacing ip.address.of.tv with the IP address of your TV. If you're prompted to confirm whether you want to continue connecting, type 'yes', then enter the default root password. You should see something like this:

$ ssh-copy-id root@ip.address.of.tv
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
The authenticity of host 'ip.address.of.tv (ip.address.of.tv)' can't be established.
ECDSA key fingerprint is SHA256:TV_KEY_FINGERPRINT.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@ip.address.of.tv's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@ip.address.of.tv'"
and check to make sure that only the key(s) you wanted were added.

Job done

You should now be able to log in securely using SSH.
If you're on Windows, you can do so by typing the following in PowerShell:
wsl -- ssh root@ip.address.of.tv

If you're on Ubuntu, you probably know this already, but it's just: ssh root@ip.address.of.tv

Hope this helps someone.

@throwaway96
Author

ssh-keygen is part of OpenSSH. ssh-copy-id is in the contrib dir of the OpenSSH source tarball and not installed by default, but it seems to be pretty widely available. (The original author seems to be Philip Hands, and development seems to occur in his git repo.)

On WSL (Debian) I use keychain to keep keys synced across terminals. I would really like to have an SSH agent that stores keys with DPAPI and works on both Windows and WSL. Last time I looked at OmniSSHAgent I had some reservations, but I can't even remember what they were at this point, so maybe it's worth a try.
