Connecting from a Windows machine to LON4
-----------------------------------------

Many people have a requirement to connect to various services within the LON4 network from their Windows workstation or from a client's office where Windows is prevalent. We realise that the UNIX-centric nature of LON4 has traditionally made this difficult, simply due to the lack of a modern, standards-compliant client. This HOWTO hopes to alleviate this problem. The principles outlined in this document may well work for other SSH clients as well; feel free to experiment and let us know how you get on.

First, you'll need some software. We use PuTTY because it's free and works:

    http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.53b-installer.exe

Be sure to keep the "Associate .PPK files with Putty's agent" option ticked; this will save you time and effort later on.

To make things easier, you should add the PuTTY installation directory to your path. To do this, right-click on the "My Computer" icon on your desktop and select "Properties". Go to the "Advanced" tab and then select "Environment Variables". In the "System Variables" pane, click on "Path" and then "Edit". Append the following to this line:

    ;c:\Program Files\Putty

Click "OK" until the dialogs disappear.

Generating a key pair
---------------------

The first thing to do is to run the PuTTY key generator, puttygen:

    Start -> Programs -> Putty -> PuTTYgen

In the parameter pane at the bottom, set the key type to "SSH2 DSA"; a key length of 1024 bits is fine. Then click on "Generate". You will need to wiggle the mouse over the blank pane in the middle to generate random bits.

On the next screen you should then enter and confirm a passphrase for your key. We do not accept keys without passphrases.

Once you have set the passphrase, you should then save the public and private keys. Save them somewhere easy to find, such as your "My Documents" directory. Name the file according to your usual username, "rupertb.ppk" for example.
The private key will be given the extension ".ppk"; the public key is a plain text file. Once you've done that, highlight the text in the text box at the top of the dialog and paste it into a text file. Save this text file as "username.pub"; this is your public key. Again, save this somewhere easy to locate, such as your "My Documents" directory.

You need to mail both your private key file and this text file _as attachments_ to opslodc@fast.no so your key can be added to the jump server.

Starting pageant
----------------

To SSH into LON4 you must use PuTTY's authentication agent. Locate the .ppk file you created in the step above and double-click on it; you will be prompted for your passphrase.

If you need to add other identities, you can do so as follows: double-click on the screen-like icon in the taskbar and then click on "Add Key". Locate the .PPK file you want to add and you will then be prompted for the passphrase for that key. Once the key is added, click on the "Close" button to minimise the window.

Shell access to LON4
--------------------

Once the agent is running and you've successfully registered your key, accessing LON4 is trivial.

    Start -> Programs -> Putty -> Putty

In the hostname box type "jump.lon4.fastsearch.net" and set the protocol to "SSH" (the port number will be automatically set to 22). In the left-hand pane, click on the "Connection:SSH" tree item and set the "protocol version" to "2 only". In the left-hand pane, click on the "Connection:SSH:Auth" tree item and check "Allow agent forwarding". Finally, click on "Open".

You will be asked for your username; enter it and you should be dropped into a shell. From here type:

    ssh admin1

You are now on the LON4 network.

Establishing a tunnel
---------------------

(Please note: in the examples in this section, the "\" is used to denote where I have added a line break to keep the text readable; you should ignore these.)

In all the examples below, I am assuming that you are NOT running PuTTY's authentication agent.
If you are running the agent, you may well not be prompted for passphrases.

The general form of the plink command is:

    plink -v -2 -T -i <private key file> \
          -L <local port>:<remote host>:<remote port> \
          <username>@jump.lon4.fastsearch.net

The options used here mean:

    -v  Be verbose
    -2  Use protocol 2
    -T  Do not allocate a pseudo tty
    -i  Specify private key file
    -L  Redirect local port to remote host

So to redirect my local port 16000 to port 80 on the host 10.4.64.25 in the datacentre, I would type:

    plink -v -2 -T -i martathome.ppk \
          -L 16000:10.4.64.25:80 martin@jump.lon4.fastsearch.net

After pressing return, we would expect progress information like the following to be displayed:

    Looking up host "jump.lon4.fastsearch.net"
    Connecting to 146.101.142.10 port 22
    Server version: SSH-1.99-OpenSSH_3.4p1
    We claim version: SSH-2.0-PuTTY-Release-0.53b
    Using SSH protocol version 2
    Doing Diffie-Hellman group exchange
    Doing Diffie-Hellman key exchange
    Host key fingerprint is:
    ssh-dss 1024 26:ac:90:44:3b:76:ed:d9:6e:69:ff:05:94:44:65:af
    Using username "martin".
    Reading private key file "martathome.ppk"
    Offered public key
    Offer of public key accepted
    Authenticating with public key "dsa-key-20021120"
    Passphrase for key "dsa-key-20021120":
    Access granted
    Opened channel for session
    Local port 16000 forwarding to 10.4.64.25:80
    Started a shell/command

You will have to enter the passphrase you set on your key.

Once the tunnel is established, you can test that it is working by pointing a browser at http://localhost:16000. As verbose mode was specified, there is further output from plink:

    Opening forwarded connection to 10.4.64.25:80
    Opening forwarded connection to 10.4.64.25:80
    Forwarded port closed
    Forwarded port closed

As this tunnel was connecting to a web server, no further authentication was required.

A more useful thing to do would be to log in to a machine via SSH. This is a very similar process; at the start, rather than directing the tunnel to port 80, we go to port 22 instead.
    plink -v -2 -T -i martathome.ppk \
          -L 16000:10.4.64.24:22 martin@jump.lon4.fastsearch.net

As SSH and SCP use the same port, this example is equally valid for both commands. Once the tunnel is up, I can copy this HOWTO to my local machine like so:

    C:\MARTIN>pscp -P 16000 martin@localhost:/home/martin/lon4docs/stuff/Windows-to-LON4.txt .
    martin@localhost's password:
    Windows-to-LON4.txt       | 4 kB |   4.7 kB/s | ETA: 00:00:00 | 100%

In this case, I was authenticated by my own password, but it is common practice to have machines in the datacentre that can only be accessed using a specified key pair. Typically these are "service" accounts that have one common key for multiple machines. To access these machines, you need a copy of the private key from the service account home directory on admin1. Once you have this key, you must then convert it to a format acceptable to PuTTY.

As an example, I've copied the fooserve private key to my local machine; we now need to convert the key to PuTTY's format. To do this, run puttygen once more, click on the "Load" button and point it at the private key file. You will get a dialog informing you that the key has been imported and that you should save it out as a .ppk file. For this key, I have called the file "fooserve.ppk". If the machine you are working on is not in a secure location, you should set a passphrase on it, too.

Now you should be able to connect as follows. Firstly, we set up the tunnel:

    plink -v -2 -T -i fooserve.ppk \
          -L 16000:frssr1:22 martin@jump.lon4.fastsearch.net

And then we can copy the file we want:

    C:\MARTIN>pscp -P 16000 -i fooserve.ppk root@localhost:/etc/issue .
    Authenticating with public key "imported-openssh-key"
    issue                     | 0 kB |   0.1 kB/s | ETA: 00:00:00 | 100%

As you can see, as I'm using a trusted key, I was not prompted for a password.

Troubleshooting
---------------

At the moment there's only one known reason for a connection failure. I'm sure there'll be others.
When using the plink command, you rely on jump being able to resolve the hostname you give it to an IP address. If jump cannot resolve this hostname, plink will give an unhelpful error message about the remote host refusing the connection. If you get such an error, you should try to connect by IP instead of hostname, as in the example where I copy this HOWTO to my local machine.
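The two things a practitioner is most likely to get wrong with the tunnel section above are the shape of the -L forward (and whether its remote host is a name that jump has to resolve, the failure described under Troubleshooting) and the host key fingerprint that plink prints in its verbose output, which should be compared against a known-good value before a passphrase is typed. The following script is an added example and is not part of this HOWTO or of the PuTTY suite. It builds the plink argument list from the general form given above, flags forwards whose remote host is a name rather than an IP literal, and parses the "Host key fingerprint is:" lines out of a captured plink -v session to compare them with a pinned fingerprint. The jump hostname and the sample session lines are the ones shown in this document; the pinned fingerprint is simply the one from that sample, standing in for whatever value the operators actually publish.

```python
"""Helpers for the plink tunnel procedure in this HOWTO (added example code,
not part of the original document or of PuTTY)."""
import ipaddress
import re

JUMP_HOST = "jump.lon4.fastsearch.net"  # jump server named in the HOWTO

# Fingerprint taken from the HOWTO's sample session and used here as the
# pinned value.  In practice the pinned value must come from the operators,
# not from a previous session's output.
PINNED_FINGERPRINT = "26:ac:90:44:3b:76:ed:d9:6e:69:ff:05:94:44:65:af"

# Constructed sample of plink -v output, copied from the HOWTO's session.
SAMPLE_OUTPUT = """Looking up host "jump.lon4.fastsearch.net"
Connecting to 146.101.142.10 port 22
Server version: SSH-1.99-OpenSSH_3.4p1
Using SSH protocol version 2
Host key fingerprint is:
ssh-dss 1024 26:ac:90:44:3b:76:ed:d9:6e:69:ff:05:94:44:65:af
Using username "martin".
Access granted
Local port 16000 forwarding to 10.4.64.25:80
"""


def parse_forward(spec):
    """Validate a -L spec of the form localport:remotehost:remoteport.

    Returns (local_port, remote_host, remote_port, host_is_ip).  host_is_ip
    is False when the remote host is a name, which jump must be able to
    resolve (see the Troubleshooting section)."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError("forward spec must be localport:host:port: %r" % spec)
    local, host, remote = parts
    local_port, remote_port = int(local), int(remote)
    for port in (local_port, remote_port):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    if not host:
        raise ValueError("empty remote host in %r" % spec)
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    return local_port, host, remote_port, host_is_ip


def forward_is_valid(spec):
    """True when parse_forward accepts the spec."""
    try:
        parse_forward(spec)
        return True
    except ValueError:
        return False


def build_plink_command(keyfile, forward, user, jump=JUMP_HOST):
    """Return the plink argument list in the HOWTO's general form."""
    local_port, host, remote_port, _ = parse_forward(forward)
    return ["plink", "-v", "-2", "-T", "-i", keyfile,
            "-L", "%d:%s:%d" % (local_port, host, remote_port),
            "%s@%s" % (user, jump)]


# plink prints the fingerprint on the line after "Host key fingerprint is:".
FINGERPRINT_RE = re.compile(
    r"Host key fingerprint is:\s*(ssh-\w+)\s+(\d+)\s+"
    r"((?:[0-9a-f]{2}:){15}[0-9a-f]{2})")


def check_host_key(verbose_output, pinned=PINNED_FINGERPRINT):
    """Extract the fingerprint from plink -v output and compare it.

    Returns (ok, fingerprint).  ok is False when no fingerprint was found
    or when it differs from the pinned value; either case means the
    passphrase should not be entered until the mismatch is explained."""
    match = FINGERPRINT_RE.search(verbose_output)
    if not match:
        return False, None
    fingerprint = match.group(3)
    return fingerprint == pinned, fingerprint


if __name__ == "__main__":
    cmd = build_plink_command("martathome.ppk", "16000:10.4.64.25:80", "martin")
    print(" ".join(cmd))
    _, host, _, is_ip = parse_forward("16000:frssr1:22")
    if not is_ip:
        print("note: %r is a name that jump must resolve" % host)
    ok, fp = check_host_key(SAMPLE_OUTPUT)
    print("host key %s: %s" % ("matches" if ok else "MISMATCH", fp))
```

The fingerprint check is deliberately strict: a session where plink never printed a fingerprint (for example, output captured after the prompt) is treated as a failure rather than silently passing. The IP-versus-name flag is only a hint; a name may still resolve fine on jump, but when plink reports a refused connection it is the first thing to rule out.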