Humus:Key-pair authentication from Windows using MobaXterm

From ACENET

SSH key-pair authentication is a more secure means of logging in to computers than plain password authentication. When properly set up, it's also more convenient.

Key-pair authentication is based on public-key cryptography. You will create a pair of keys, one public and one private. The public key you can distribute freely; the private key you must keep safe and secure. Once you have emplaced a copy of your *public* key on a remote computer, you can use your private key instead of a password to log in to that computer.

You should keep your private key only on a device (or devices) you control, so not on cloud storage like OneDrive, and the private key should itself be protected with a "passphrase" so that even if your device is stolen, a bad actor cannot use your private key without knowing your passphrase.

Here are step-by-step instructions for creating a key pair on a Windows computer with MobaXterm and using it to log in to Humus:

(1) Install MobaXterm ("Moba" hereafter) on your computer.  Start Moba.  
    - Verify that you can log in to nefelibata.ace-net.ca using your password.
         ssh <username>@nefelibata.ace-net.ca
    - Then log out again.
    - If you can't log in, write to support@ace-net.ca for help.

(2) Set Moba's "persistent home directory" to something on your computer's hard drive.
    - Menu item Settings -> Configuration -> General
    - Beside "Persistent home directory" click either the yellow folder icon or the bicolor blue icon to browse for a directory
    - Choose a directory on your device, i.e. one descended from "This Computer -> Local Disk (C:)".  Please do not use OneDrive for this.  I suggest "C:\Users\<your Windows user name>"
    - "OK" to save your changes.  Restart MobaXterm as it suggests.

(3) Generate a key pair
    - "Start local terminal" in Moba
    - Your prompt should end in "/home/mobaxterm"
    - Enter this command to create a key pair:
         ssh-keygen -t ed25519
    - Accept the default file name and location
    - Enter a passphrase when prompted
    - Run the command "ls .ssh" and verify that there are two files there, id_ed25519 and id_ed25519.pub.

(4) Copy the public key to Nefelibata (where Humus can also find it)
    - Continuing in the Moba local terminal, enter this command:
         ssh-copy-id -i .ssh/id_ed25519 <username>@nefelibata.ace-net.ca
    - If you see a message about "remote host not recognized" or "first time connecting to this computer" and are asked if you want to continue, answer "yes"
    - Supply your password when prompted.  

(5) Create a saved session for Nefe
    - In the Moba menu, click "Sessions -> New session"
    - Click "SSH" to choose a session type
    - For Remote host fill in "nefelibata.ace-net.ca"
    - Check "Specify username" and fill in your username beside it
    - On the Advanced SSH settings tab, click "Use private key" and browse to the location you set in step (2).  Look for a subdirectory ".ssh" there and enter it.
      There should be two files there, "id_ed25519" and "id_ed25519.pub"; select the plain "id_ed25519" file.  (This is your private key.)
    - Still on the Advanced SSH settings tab, set SSH-browser type to "SCP (enhanced speed)"
    - Save your changes by clicking "OK"

(6) Test that it works.
    - On the left-hand pane in Moba, go to the "Sessions" tab, the one with the gold star.
    - Double-click the icon there labelled "nefelibata.ace-net.ca"
    - Enter your SSH key passphrase when prompted.
    - You should be connected to Nefe.

(7) Create a saved session for humus216
    - Follow the steps in (5) above, with these changes:
    - Substitute "humus216" for "nefelibata.ace-net.ca" for the Remote host
    - After completing the "Advanced SSH settings", go to the "Network settings" tab
    - Click "SSH gateway (jump host)"
    - For "Gateway host" enter "nefelibata.ace-net.ca"
    - For "Username" supply your username
    - Click "Use SSH key" and browse to the same private key file again
    - Save your changes by clicking "OK"

(8) Test that it works.
    - Double-click on the "humus216" icon in the "Sessions" pane on the left.
    - You should not be prompted for your passphrase this time.  Moba has loaded your private key and will not need the passphrase again until you stop and restart Moba.

(9) Repeat steps (7) and (8) for humus217
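
As an added example (not part of this page or of MobaXterm), here is the plain OpenSSH client configuration equivalent to the sessions built in steps (5), (7) and (9), so that "ssh humus216" from Moba's local terminal (or any OpenSSH client) uses the same key and the same Nefe jump host. The username "jdoe" and the config directory are placeholders; proxy_jump_for and key_perms_ok are small helpers written for this example to check the result offline.

```shell
#!/bin/sh
# Added example: OpenSSH config matching the Moba sessions from steps (5)/(7)/(9).
set -eu

# write_humus_config DIR USERNAME
#   Writes DIR/config: one block for the gateway (Nefe), one block for the
#   Humus nodes routed through it with ProxyJump. DIR is a parameter so the
#   example can be tried in a scratch directory instead of ~/.ssh.
write_humus_config() {
    dir=$1; user=$2
    mkdir -p "$dir"
    chmod 700 "$dir"          # OpenSSH ignores keys in a world-readable .ssh
    cat > "$dir/config" <<EOF
# Gateway (step 5): direct connection with the key from step (3)
Host nefe nefelibata.ace-net.ca
    HostName nefelibata.ace-net.ca
    User $user
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Humus nodes (steps 7 and 9): reached through the gateway alias above
Host humus216 humus217
    User $user
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ProxyJump nefe
EOF
    chmod 600 "$dir/config"
}

# proxy_jump_for DIR HOST
#   Prints the ProxyJump value that applies to HOST, or nothing if none.
#   (ssh -G HOST -F DIR/config shows the fully resolved settings; this awk
#   version only needs the file and never touches the network.)
proxy_jump_for() {
    awk -v host="$2" '
        tolower($1) == "host" { inblk = 0; for (i = 2; i <= NF; i++) if ($i == host) inblk = 1 }
        inblk && tolower($1) == "proxyjump" { print $2; exit }
    ' "$1/config"
}

# key_perms_ok FILE
#   Succeeds when FILE is readable by its owner only (mode 600 or 400),
#   which is what OpenSSH requires of a private key file.
key_perms_ok() {
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$perms" = "600" ] || [ "$perms" = "400" ]
}
```

With the file in place as ~/.ssh/config, "ssh humus216" connects through nefelibata.ace-net.ca with no separate login to Nefe, just as the Moba session does.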


That may seem like a lot of work. But the advantages that accrue to you are:

  • Once your private key is loaded, you can log in to either Humus machine with just a double-click.
  • You can drag-and-drop files using Moba to either Humus machine now, without having to transfer files first to Nefe and then to Humus.
  • You only need to type your private-key passphrase once each time you start MobaXterm. (As long as my computer is in a secure location, I generally just leave Moba running and put the computer to sleep or lock the screen with Control-L when I walk away from it. Consequently I only need to supply the passphrase whenever I reboot Windows or restart MobaXterm on account of updates.)
  • Your account is more secure. You're protected from password "sniffing" since your password is no longer being sent over the internet. Your passphrase is useless without your private key file. You can further improve your security by changing your password now to something stronger since you won't have to type it so often.
