Using SSH Keys with PowerShell

Introduction


The IT Security Office recommends SSH servers be configured to accept SSH keys only (not passwords).


Instructions

Client Setup (Use a Unique Key for Each Client)

SSH key generation algorithm choices:

  • DSA: not recommended
  • RSA with a key size of at least 4096 bits: ssh-keygen -t rsa -b 4096
  • ECDSA: not recommended
  • ED25519: ssh-keygen -t ed25519


PS C:\Users\hokie> ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\hokie\.ssh\id_ed25519): C:\Users\hokie\.ssh\id_ed25519
Created directory 'C:\Users\hokie\.ssh'.
Enter passphrase (empty for no passphrase): [should meet or exceed the VT password complexity rules]
Enter same passphrase again: 
Your identification has been saved in C:\Users\hokie\.ssh\id_ed25519.
Your public key has been saved in C:\Users\hokie\.ssh\id_ed25519.pub.
The key fingerprint is:
SHA256:HlbsdjZRTCRgdnIiXHcekCEtAuT3ggeee49apO3ueYg hokie@Client
The key's randomart image is:
+--[ED25519 256]--+
|     .oo..OoBB*  |
|     .  o=.Bo=.. |
|      o ..o.. .  |
|     . = +   .   |
|      + S + +    |
|       O + o .   |
|      o.=.       |
|      E+.+.      |
|      .+*..      |
+----[SHA256]-----+


Install the Public Key on the Server and Test

Copy id_ed25519.pub to the remote server as /home/hokie/.ssh/authorized_keys.

Change the file permissions on authorized_keys to 400 (only the user can read):

$ chmod 400 authorized_keys

Test the key from the client (the prompt is for the key's passphrase, not the account password):

PS C:\Users\hokie> ssh hokie@bird.feathers.vt.edu
Enter passphrase for key 'C:\Users\hokie\.ssh\id_ed25519':
hokie@bird:~$
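The following PowerShell script is an added example, not part of the original article: it checks the client-side setup described above (private key present with a tight ACL, key type ED25519), confirms that key-based login works, and then verifies the server really enforces the keys-only policy by reading the authentication methods it advertises when public-key auth is withheld. The key path and host name are the article's sample values and are assumptions; you will be prompted for the key passphrase once.

```powershell
# Added example (not from the original article). Assumed values below:
$KeyPath = "$env:USERPROFILE\.ssh\id_ed25519"   # key created in the article
$Target  = 'hokie@bird.feathers.vt.edu'          # server from the article

# 1. The private key must exist. Windows OpenSSH rejects a private key whose
#    ACL grants access to anyone other than the owner, SYSTEM or Administrators,
#    so report any additional principals before ssh refuses the key at runtime.
if (-not (Test-Path $KeyPath)) { throw "Private key not found: $KeyPath" }
$me    = "$env:USERDOMAIN\$env:USERNAME"
$extra = (Get-Acl $KeyPath).Access | Where-Object {
    $_.IdentityReference.Value -notmatch 'SYSTEM|Administrators' -and
    $_.IdentityReference.Value -ne $me
}
if ($extra) {
    Write-Warning "Private key ACL has extra entries: $($extra.IdentityReference.Value -join ', ')"
}

# 2. Confirm the key type; ssh-keygen -l prints it in parentheses at line end.
$fp = ssh-keygen -l -f "$KeyPath.pub"
if ($fp -notmatch '\(ED25519\)$') { throw "Expected an ED25519 key, got: $fp" }

# 3. Key-based login with every password-style method switched off on the
#    client side, so the only prompt that can appear is the key passphrase.
ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no `
    -i $KeyPath $Target 'true'
if ($LASTEXITCODE -ne 0) { throw "Public-key login to $Target failed" }

# 4. Withhold the key: BatchMode never prompts, so the login must be refused,
#    and the 'Permission denied (...)' line lists what the server still offers.
$denied = ssh -o BatchMode=yes -o PubkeyAuthentication=no $Target 'true' 2>&1 |
    Select-String 'Permission denied \(([^)]+)\)'
if (-not $denied) { throw "Server did not refuse a key-less login to $Target" }
$methods = $denied.Matches[0].Groups[1].Value
if ($methods -match 'password|keyboard-interactive') {
    Write-Warning "$Target still offers: $methods (password logins should be disabled)"
} else {
    "OK: $Target accepts only: $methods"
}
```

A server configured as the IT Security Office recommends reports only publickey (possibly alongside GSSAPI methods) in step 4; password or keyboard-interactive in that list means the server still accepts passwords.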


Jump Host Setup

Create a config file.

Use Notepad or WordPad to create C:\Users\hokie\.ssh\config (the file has no extension):

# Public or accessible from off-campus

Host jump
    User hokie
    HostName jump.feathers.vt.edu
    PubkeyAuthentication yes
    IdentityFile C:\Users\hokie\.ssh\id_ed25519

# Internal host or campus-only access

Host internal
    User hokie
    HostName internal.co.feathers.vt.edu
    ProxyJump jump

# Configure DynamicForward (a SOCKS listener) to use with a web browser to proxy connections through the jump host.
# Manually configure the browser on the client to point to SOCKS host 127.0.0.1 port 8080 (the listener binds to the local loopback address).

Host jumpproxy
    User hokie
    HostName jump.feathers.vt.edu
    PubkeyAuthentication yes
    IdentityFile C:\Users\hokie\.ssh\id_ed25519
    DynamicForward 8080

Connect to the internal host from the client.

ssh internal

Connect to the jump host to enable DynamicForward.

ssh jumpproxy
