How do I set up an SSH key to connect to ACCC managed servers?
This article summarizes how to set up convenient and secure access to ACCC managed servers.
For convenient and secure access to ACCC managed servers, we support using SSH key pairs to access these services. An SSH public/private key pair acts like a lock and key, both customized for your access. When you register an SSH public key, it will be uploaded within an hour to all ACCC managed servers on which you have an account. You will then be able to use your private key to access the server. The same public/private key pair is used for all systems, though you can upload multiple public keys if you like.
We encourage the use of SSH keys for a few reasons. First, it prevents password guessing attacks on servers that are configured to not accept any passwords. Second, it prevents a potential attacker from stealing a password that may also be used for other university resources: having no password means there is no password to steal. Finally, SSH keys are convenient, especially if you wish to set up programs that interact with your virtual machines, for example to run commands or to upload and download files.
Whatever SSH program you use, it should provide a way to generate an SSH public/private key pair. Below we provide instructions on how to do it with a few popular SSH programs. Once you've generated your keys, upload your public key; do NOT upload your private key. You must keep your private key secure, and you may also wish to encrypt it for added security.
SecureCRT and SecureFX for Windows
SecureCRT and SecureFX are commercial Windows SSH and SFTP programs provided free of charge to UIC users through the Webstore.
- To configure your SSH keys in either SecureCRT or SecureFX, open the Quick Connect window.
- Under Authentication select PublicKey, then click the Properties button.
- In the Public Key Properties window, click Create Identity File.
- This will open the Key Generation Wizard. Select Key type of DSA and click Next.
- You may then add a passphrase to protect your key, then click Next.
- Select a Key length of 2048 then click Next again. Wait for key generation to complete.
- Save your new key using OpenSSH Key format. Take note of the filename of your new key as well as the public key filename.
Use the SSH Keys form to upload your new public key. This is the file of type "PUB" and with the file extension ".pub". It may take up to an hour for your new public key to be active on your virtual servers. After an hour, you should be able to connect with your new private key.
PuTTY SSH Client for Windows
PuTTY is a popular free SSH client for Microsoft Windows. To download PuTTY, visit The PuTTY Download Page. To use PuTTY with public/private key authentication, you'll need both putty.exe and puttygen.exe. These are simple programs and do not use an installer. Install the executables wherever you find convenient.
- To generate your key pair, launch puttygen.exe by double clicking on it. This will open a PuTTY Key Generator window.
- Near the bottom of the window is a Parameters section. We recommend setting the key type to SSH-2 DSA and number of bits in a key to 2048.
- Click Generate then move your mouse randomly about in the blank area of the window until the key generator indicates it has enough randomness to generate your key.
- Use the Save public key and Save private key buttons to save your new public and private SSH keys. Save these in a convenient location, such as in a folder on your Desktop, then close the PuTTY Key Generator.
- Use the SSH Keys form to upload your new public key.
- Finally open putty.exe. In the left-hand menu, open Connection->SSH->Auth.
- Use the file selector Browse button to select your new private key file. Then under Session enter the host name of the virtual server you wish to connect to.
- You will also want to save your session so you don't have to go through this setup every time. You can do this by typing a session name in the Saved Sessions box, then clicking the Save button. To reuse these settings later, just open putty.exe and double-click the session name.
Using Terminal for Mac OS X
OpenSSH is the most popular SSH command line tool set. If you have Mac OS X, Linux or any UNIX variant, then you already have the OpenSSH command line tools installed.
To generate a key pair, at a command prompt run:
ssh-keygen -t dsa
It will prompt you for where to store the key; this is your private key. By default it will save the key in your home directory, under a subdirectory called .ssh, in a file called id_dsa. This is a good default, as this will also make your SSH key the default used when using ssh to connect to your virtual server. If you already have a key pair and wish to generate a separate one, then pick a different file name.
ssh-keygen will also prompt you for a passphrase. This is a string of characters used to encrypt your private key. If you simply hit enter, without typing a passphrase, then your private key will not be encrypted.
Your public key will be named the same as your private key with .pub appended to the end of the file name. So the default is id_dsa.pub.
To upload your public key, use the SSH Keys form above to select your public key file. It will be in a directory named .ssh in your home directory. On OS X this is found at /Users/YourUserName/.ssh, and on Linux and UNIX type systems this is typically /home/YourUserName/.ssh. Note that ".ssh" is considered a "hidden" folder and may not be shown by your web browser when you upload your key. If it is not shown, you may type out the ".ssh" location and it should then show the directory contents. Alternatively, you may wish to copy your public key out of the ".ssh" directory before uploading. When you upload, make certain you select the ".pub" file and do not upload your private key!
Once your public key is uploaded, it should be listed above. It can take up to an hour for your key to be deployed to all of your virtual servers. To use your key, simply use the ssh command at the command line. If you specified a different key file location from the id_dsa default, then you'll need to specify the "-i" option and a path to tell ssh where to find your private key. If you specified a passphrase to encrypt your key, you'll be prompted for that as well. The virtual server will not prompt you for a password. If you do get prompted for a password from the server, then something has gone wrong; do not provide a password! Finally, the first time you connect to a server you'll be asked to accept the server's identity. Subsequent connections to your server will check its fingerprint against the fingerprint you accepted this first time.
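A pre-upload check for the "upload the .pub file, never the private key" rule above, written as an added example (it is not ACCC's code, and the function names are hypothetical). It classifies key file contents from the three tools described on this page: the OpenSSH one-line public key, the RFC 4716 block that PuTTYgen's Save public key writes, and PEM/OpenSSH or PuTTY .ppk private keys. The sample blobs are constructed, not real keys.

```python
import base64

PRIVATE_MARKERS = ("PRIVATE KEY-----", "PuTTY-User-Key-File-")

def blob_key_type(blob: bytes) -> str:
    """Read the algorithm name from the blob's first length-prefixed field."""
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or n == 0 or len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")

def classify_key_file(text: str) -> str:
    """Return 'private', 'public:<type>' or 'unknown' for key file contents."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    # PEM/OpenSSH armour or a PuTTY .ppk header: this file must never be uploaded.
    if any(marker in lines[0] for marker in PRIVATE_MARKERS):
        return "private"
    try:
        if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
            # RFC 4716 block (PuTTYgen "Save public key"): skip headers, join the body.
            body, continued = [], False
            for ln in lines[1:]:
                if ln.startswith("---- END"):
                    break
                if continued or ":" in ln:
                    continued = ln.endswith("\\")
                    continue
                body.append(ln)
            return "public:" + blob_key_type(base64.b64decode("".join(body), validate=True))
        # OpenSSH one-line form: "<type> <base64 blob> [comment]".
        fields = lines[0].split()
        if len(fields) >= 2:
            actual = blob_key_type(base64.b64decode(fields[1], validate=True))
            if fields[0] == actual:  # declared type must match the type inside the blob
                return "public:" + actual
    except ValueError:  # bad base64, truncated blob or non-ASCII type name
        pass
    return "unknown"

def constructed_blob(key_type: bytes) -> str:
    """Build a constructed (not real) blob: type field plus 16 zero bytes."""
    raw = len(key_type).to_bytes(4, "big") + key_type + b"\x00" * 16
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    print(classify_key_file("ssh-dss " + constructed_blob(b"ssh-dss") + " user@example"))
    print(classify_key_file("-----BEGIN DSA PRIVATE KEY-----\n(constructed)\n"))
```

Anything classified as "private" or "unknown" should not be submitted through the SSH Keys form.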
Using Fetch for Mac OS X
Fetch is a popular SFTP client for Mac OS X.
- Select File then New Connection.
- Enter the server's hostname and your username for that server.
- Be sure to select SFTP from the Connection Type drop down menu.
- In the password field, enter a dummy password, just type anything (but don’t leave it blank) and then Connect.