# ssh help for login with putty.



## clawhammer (Mar 26, 2018)

I generated the public and private keys in the user's home directory with ssh-keygen -t ed25519. Putty says I need to copy the id_rsa to the Windows desktop. I checked the .ssh folder and it has id_25519 and id_ed25519.pub. Are these the keys I need to send to my account holder so they can set up Putty? If they are, is it safe to email them? I do not have access to the computer.


----------



## Oko (Mar 26, 2018)

Yes. An SSH key is an example of asymmetric cryptography. A person who eavesdrops and gets a copy of your public key can't do anything with it. As long as your private key is safe (preferably secured by a password), nobody will be able to log into your remote account except you with your private key.


----------



## clawhammer (Mar 26, 2018)

Oko said:


> Yes. An SSH key is an example of asymmetric cryptography. A person who eavesdrops and gets a copy of your public key can't do anything with it. As long as your private key is safe (preferably secured by a password), nobody will be able to log into your remote account except you with your private key.


Thanks.

So I only send the .pub key, right? I keep the private key in their home directory? Or do they need to be sent both?


----------



## ShelLuser (Mar 26, 2018)

clawhammer said:


> Putty says I need to copy the id_rsa to the Windows desktop. I checked the .ssh folder and it has id_25519 and id_ed25519.pub. Are these the keys I need to send to my account holder so they can set up Putty?


First: what are you trying to accomplish here? I assume that you're trying to set up key-based authentication for your server, and that you want PuTTY to authenticate with those keys, right? Because then you're not using the most optimal approach.

Start by downloading puttygen.exe from the same site as you downloaded PuTTY. When in doubt try this link. Use that program to generate your keys.

When it is done copy the public key (it'll be selected by default), edit the file ~/.ssh/authorized_keys and paste the key in. Be sure that it all ends up on 1 line.

_I suggest that you stay logged into your server._

Then supply a password for your private key and save it to a secure location on your Windows desktop. I dunno...  c:\users\<your name>\documents\server.ppk for example. Now edit your PuTTY session, go to SSH -> Auth in specific. Point PuTTY to your private key, and be sure to save your session data again.

Back to your server...  Edit /etc/ssh/sshd_config accordingly to allow for key based authentication:


```
RSAAuthentication yes
PubkeyAuthentication yes 
# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
```

Now restart the SSH daemon but do not log off!  So: `# service sshd restart`. Fire up a new PuTTY session and try to log on. You should be able to log on using only the password for your private key, and nothing else. When it doesn't work: no problem. You're still logged on so you can make the necessary changes if need be.

As soon as everything works you should be done. Log out entirely, log back in, all done.

So there's no need to e-mail anything, just copy/paste is more than enough (and it'll be more secure too!).
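A check for the "be sure that it all ends up on 1 line" step above, as an added example that is not part of the original post: it flags authorized_keys entries that were wrapped or truncated while pasting, and the multi-line RFC 4716 format that PuTTYgen's "Save public key" button writes to a file. The function names are hypothetical and the sample entry is constructed from dummy bytes, not a real key.

```python
import base64
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def blob_type(b64):
    """Key type named inside the blob, or None if the blob is damaged."""
    try:
        raw = base64.b64decode(b64, validate=True)
        parts, pos = [], 0
        while pos < len(raw):  # a key blob is a run of length-prefixed strings
            (n,) = struct.unpack_from(">I", raw, pos)
            if pos + 4 + n > len(raw):
                return None  # declared length runs past the end: truncated
            parts.append(raw[pos + 4:pos + 4 + n])
            pos += 4 + n
    except (ValueError, struct.error):  # bad base64 or a cut-off length field
        return None
    return parts[0].decode("ascii", "replace") if len(parts) >= 2 else None

def check_authorized_keys(text):
    """Return (line number, problem) pairs for entries that are not usable."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if "SSH2 PUBLIC KEY" in line:
            problems.append((num, "RFC 4716 file format, not a one-line OpenSSH key"))
        elif idx is None:
            problems.append((num, "no key type: wrapped fragment of a longer key?"))
        elif idx + 1 >= len(fields) or blob_type(fields[idx + 1]) != fields[idx]:
            problems.append((num, "key data missing, truncated or of another type"))
    return problems

def make_sample_entry(comment="friend@windows-pc"):
    """Constructed ssh-ed25519 entry with dummy key bytes (not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    kind, data, comment = make_sample_entry().split()
    wrapped = f"{kind} {data[:40]}\n{data[40:]} {comment}"  # pasted over two lines
    print(check_authorized_keys(make_sample_entry()))  # intact entry
    print(check_authorized_keys(wrapped))              # broken entry
```

To check a real file, pass its contents: `check_authorized_keys(open(path).read())`.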


----------



## clawhammer (Mar 26, 2018)

ShelLuser said:


> First: what are you trying to accomplish here? I assume that you're trying to set up key-based authentication for your server, and that you want PuTTY to authenticate with those keys, right? Because then you're not using the most optimal approach.
> 
> Start by downloading puttygen.exe from the same site as you downloaded PuTTY. When in doubt try this link. Use that program to generate your keys.
> 
> ...


Thanks.
The reason I want to set this up is because me and my friend want to learn Unix and they only have a Windows machine and I have a FreeBSD box on my LAN. So I wanted to set this up so they could log in and use it. I'll have them try it out.

Is having `id_ed25519` and `id_ed25519.pub` in the .ssh directory going to conflict with the authorized_keys file?

I changed the sshd_config file according to an article to this:

Some guides recommend changing the port that sshd (the SSH daemon, or server) listens on. You can certainly do this but it has almost no effect on security. Even the most casual intruder will find out you’re running an SSH server no matter what port it’s using. We call something like this ‘security through obscurity’ and it should not be relied upon to improve your system’s security.


```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
```

The article also said to use


```
MaxAuthTries 5
AllowAgentForwarding no
X11Forwarding no
```

Should I keep that setting in my file?

Also, when I restarted sshd it said


```
Starting sshd.
/etc/ssh/sshd_config line 7: Deprecated option RSAAuthentication
```


----------



## ShelLuser (Mar 26, 2018)

clawhammer said:


> The reason I want to set this up is because me and my friend want to learn Unix and they only have a Windows machine and I have a FreeBSD box on my LAN. So I wanted to set this up so they could log in and use it. I'll have them try it out.


If you're going to generate the keys for them then your first approach could also work. The only caveat is that you'd have to send them the private key, which could become an issue if you don't properly secure that.



clawhammer said:


> Is having
> 
> ...


The only thing you need on the server is an entry in authorized_keys, which is the public key. So having those files around won't hurt, but they also won't be used so you might just as well remove them (after you added the public key of course).



clawhammer said:


> Some guides recommend changing the port that sshd (the SSH daemon, or server) listens on. You can certainly do this but it has almost no effect on security.


That's always a good idea. The article isn't completely right when it comes to security. Sure, by itself it wouldn't change too much if you'd change the port. Even so: you'd still block most poking attempts which check if you have SSH available. Another thing to consider is that most firewalls are capable of blocking port scans. Which makes it even harder for a third party to find out what the SSH port is supposed to be.

There's definitely something to be said for changing the port. You shouldn't rely on it to keep you safe, but in combination with key based authentication it's definitely a good idea.

Also: sshd_config(5) is a good source of info.

And yeah: remove the RSAAuthentication option, that was a wrong paste. The option only applies to Protocol 1 which isn't even in effect anymore.


----------



## chrbr (Mar 26, 2018)

Dear clawhammer,
please have a look at ssh-copy-id(1). It is a useful tool to copy keys.


----------

