In the following procedure, a 4096-bit RSA private/public key pair is generated on the SSH client's PC. The public key is then transferred to the copSSH server PC, where the copSSH server administrator installs it in the user's .ssh folder.
Make sure the user is activated on the copSSH server prior to performing this procedure.
Make sure the user can log in to the copSSH server PC using Tunnelier with a password.
Start the Tunnelier Keypair Manager then click on Generate New.


Select ssh-rsa and 4096-bit encryption. Enter a strong passphrase. Note that a key will not be generated if you use a null or blank password. Enter a descriptive comment. Click on the Generate key.

Good pass phrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad pass phrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters.
Do NOT forget the pass phrase. Lost pass phrases can NOT BE RECOVERED.
Select Export. Give the file a descriptive name and save it on the client PC in a temporary folder. For example, the user Al might save his public key file as Al-authorized_keys in a temporary folder.

Select the OpenSSH format then click on Export and save the new public key. Create the folder if needed.
In order to use a private/public key pair, the newly created public key must be moved to the copSSH server PC. Use whatever means required to accomplish this, e.g. floppy, flash drive, etc. The copSSH server administrator will then copy the new public key to the user's C:\Program Files\copssh\home\<UserID>\.ssh\authorized_keys file. For example, the copSSH server administrator will copy the Al-authorized_keys file to the C:\Program Files\copssh\home\Al\.ssh\authorized_keys file on the server PC.
Open Tunnelier and load a previously saved session, or create a new session. Enter the Username and Initial method in the Authentication window. Select Save Profile or Save Profile As.

Users can mitigate the possibility of a Man-in-the-Middle attack by verifying/importing the copSSH server host key into the client. This must be done prior to connecting to the copSSH server the first time.
On the copSSH server, start a UNIX BASH shell: log in as an administrator on the copSSH server and go to Start | All Programs | CopSSH | Start a Unix BASH Shell.

From the BASH shell command line run the following command:
ssh-keygen -l -f /etc/ssh_host_rsa_key
...and make note of the key value. You can compare this to the key value Tunnelier will display when you first connect to the copSSH server PC from a remote location.

SECURITY WARNING: Never connect to an SSH server without first verifying the host key.
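The fingerprint that ssh-keygen -l prints is a hash of the decoded key data in the host's public key file, so it can be recomputed independently and compared with what the client displays. The following is an added example, not part of the original procedure or of copSSH/Tunnelier; the function names are hypothetical and the sample key is constructed from toy numbers. It goes slightly beyond the text by producing both the MD5 and the SHA256 form, since which form is displayed depends on the software version.

```python
import base64
import hashlib


def make_sample_pubkey_line():
    """Constructed sample in OpenSSH public key format (toy numbers, not a real key)."""
    def ssh_string(data):
        return len(data).to_bytes(4, "big") + data
    blob = ssh_string(b"ssh-rsa") + ssh_string((65537).to_bytes(3, "big"))
    blob += ssh_string(b"\x00" + bytes(range(128, 192)))  # toy modulus as an mpint
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


def parse_pubkey_line(line):
    """Split 'type base64 [comment]' and return (key_type, decoded blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    # validate=True raises binascii.Error (a ValueError) on malformed base64
    blob = base64.b64decode(fields[1], validate=True)
    # The blob repeats the key type as a length-prefixed string; a mismatch
    # means the file was damaged or edited in transit.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != fields[0].encode():
        raise ValueError("key type does not match the key data")
    return fields[0], blob


def fingerprints(blob):
    """MD5 as colon-separated hex (older output), SHA256 as unpadded base64 (newer)."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha_fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": md5_fp, "sha256": "SHA256:" + sha_fp}


def matches(displayed, blob):
    """True if the fingerprint the client displays equals one computed from blob."""
    shown = displayed.strip()
    fps = fingerprints(blob)
    if shown.startswith("SHA256:"):
        return shown.rstrip("=") == fps["sha256"]
    if shown.lower().startswith("md5:"):
        shown = shown[4:]
    return shown.lower() == fps["md5"]


if __name__ == "__main__":
    print(fingerprints(parse_pubkey_line(make_sample_pubkey_line())[1]))
```

To check a real host key, pass the single line from the server's ssh_host_rsa_key.pub file to parse_pubkey_line instead of the constructed sample.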
You can also import the host_key to the Tunnelier client computer using the following procedure.
In order to import the server host key file, you must copy the server C:\Program Files\copssh\etc\ssh_host_rsa_key.pub file to the Tunnelier client PC. Use whatever secure means required to accomplish this, e.g. floppy, flash drive, etc.
Start the Tunnelier Host key manager then click on Import.


Configure the server address, i.e. a fully qualified domain name or static public IP address, and port number. Enter a descriptive comment as desired, then click on Import.


SECURITY WARNING: After importing your server host key, if you connect to your host and Tunnelier warns about the host key, then don't connect. It's possible you're connecting to a different server than intended or your server has been compromised.
Last reviewed: 9 August 2008...awj
Copyright © 2008 - Alan W. Jarvi - All rights reserved