Dealing with key-based authentication on Windows with Putty

I’m writing this entry because I’m going to be writing another entry soon, and I want to point to this rather than explain it in situ. 

Here lately, I’ve been using Windows on my desktop. At work, this is mostly because of the extensive administration I do with VMware, and there’s STILL no native way on Linux or Mac to do things like Update Manager, and at home, because I play lots of video games. Lots. Of. Games.

The end result is that I spend a lot of time using Putty. There are a lot of Windows-specific SSH clients, but I like Putty’s great combination of being tiny, running without any actual installation, and reasonably dense feature-set. If you’re on Windows and you need to deal with Linux hosts, you’re probably already using Putty, but maybe not as completely as you could be.

There is a small  ecosystem of applications that work with Putty, including sftp clients and an SSH client that runs in the Windows command prompt (plink). They’re all available on the same Putty download page. The biggest win, in my opinion, is to combine it with Pageant. Much like ssh-agent on Linux, Pageant manages your SSH keys, allowing you to log into remote hosts without typing passwords, and only typing your key’s passphrase once.

The first step with key-based authentication is to actually generate some keys. For Pageant, the easiest way is probably to use PuttyGen, which looks like this:

Click “Generate” and move the mouse around as the directions say:

This produces your actual key:

 

You want to type in a “Key passphrase” that is a long-ish phrase that you can remember well enough to re-type occasionally. Once you’ve done that, click “Save public key”, make a keys directory, and save it in there, then do the same with “Save private key”. You should care that people don’t get the private key, but your passphrase should be long enough that it’s unlikely that anyone could brute-force your key before you change it or lose it or maybe if you like typing, until the heat death of the universe.

Copy the text at the top and save that into notepad so we can have it after this closes. We can get it again by re-running the key generator, but if you’re like me, you didn’t install it, you just kind of ran it from your downloads, and you’d probably have to download it again to run it again, so just keep the text in Notepad for now.

Alright, so now you want to download Pageant and this time, you want to save it somewhere useful. I have a “Programs” directory that I made under C:\Users\msimmons\ that holds stuff like this, so I saved it there. Once it was there, I right clicked and said “Create Shortcut”, which I then dragged into C:\Users\msimmons\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – this makes sure that Pageant will start when I log in. By default, that won’t actually load my key, though, so we have to edit the properties on the shortcut and add the key as an argument to the executable:

 

Now, when you log in, you’ll be prompted to type the passphrase to your private key, which will allow you to put that public key into the authorized_keys of a target host and authenticate as that user without typing a password every time! Excellent!

Big Changes at USENIX LISA in the last 5-10 Years

We received an interesting email recently:

> Did the submissions process for LISA change
> in recent years? I recall going to submit a talk a couple years ago
> and being really put off by the requirements for talks to be
> accompanied by a long paper, and be completely original and not
> previously presented elsewhere. Now it seems more in line with other
> industry conferences.

Yes, LISA is very different than it was years ago. If you haven’t attended LISA in a while, you may not realize how different it is!

The conference used to be focused on papers with a few select “invited talks”. A few years ago, the conference changed its focus to be great talks. LISA still accepts “original research” papers, but they’re just one track in a much larger conference and have a separate review process. In fact, the conference now publishes both a Call for Participation and a separate Call for Research Papers and Posters.

If LISA is now “talk-centric”, what kind of talks does it look for? Quoting from the Call for Participation, “We invite industry leaders to propose topics that demonstrate the present and future state of IT operations. [Talks should] inspire and motivate attendees to take actions that will positively impact their business operations.” LISA looks for a diverse mix of speakers, not just gender diversity, but newcomers and experienced speakers alike. We have special help for first time speakers, including assistant with rehearsals and other forms of mentoring.

What about the papers that LISA does publish? The papers have different criteria than talks. They should “describe new techniques, tools, theories, and inventions, and present case histories that extend our understanding of system and network administration.” Starting in 2014, the papers have been evaluated by a separate sub-committee of people with academic and research backgrounds. This has had an interesting side-effect: the overall quality of the papers has improved and become more research/forward-looking.

Because LISA mixes industry talks and research papers, attendees get to hear about new ideas along before they become mainstream. Researchers benefit by having the opportunity to network and get feedback from actual practitioners of system administration. This gives LISA a special something you don’t find anywhere else.

Another thing that makes LISA better is the “open access” policy. Posters, papers, and presentations are available online at no charge. This gives your work wider visibility, opening up the potential to have greater impact on our industry. Not all conferences do this, not even all non-profit conferences do this.

Does that make you more interested in submitting a proposal?

We hope it does!

All proposal submissions are due by April 17, 2015.

Tom Limoncelli and Matt Simmons
(volunteer content-recruiters for LISA ‘15)

P.S. LISA has a new mission statement:
LISA is the premier conference for IT operations, where systems engineers, operations professionals, and academic researchers share real-world knowledge about designing, building, and maintaining the critical systems of our interconnected world.

Connecting Apache Directory Studio to Active Directory

This is more of a reminder for me than anything, but you might find it useful as well. You may be aware that querying LDAP using the command line tools in Linux are a PITA. Fortunately, the Apache Directory Project has released the Apache Directory Studio (this isn’t new software, I’ve just never written about it) to help deal with LDAP.

I’ve had our production LDAP cluster in ADS for a while and used it to take a look around when necessary (usually because I always forget how exactly to set up a DRAC to bind to LDAP), but I realized today that I’d never configured it to look at our AD schema. I’m not “technically” the Windows guy, but I figured, hey, what’s the worst that could happen? Ahem. Anyway, nothing bad happened.

Because a couple of parts weren’t exactly straightforward, I figured I’d write it down and you and I could both get something out of it.

Step 1: Create a new LDAP Connection by clicking the yellow LDAP icon to the right of “LDAP Servers”

Step 2: Fill out the information in the box specific to your domain. These are the settings that worked for me

Note that I enabled “Read-Only” because I’m really not into making schema changes from outside of AD, even if I knew what I was doing. Which I don’t.

Step 3: Fill out the authentication credentials

Note here that although there are several authentication methods (including GSSAPI (Kerberos)), I couldn’t get any to work except this. I don’t know why. If you can figure out how to get the connection to work with your existing Kerberos ticket, I’d be interested in knowing how to set that up.

You’ll be prompted to trust the certificate (or not), and at that point you should be able to browse the AD schema to your heart’s content.

Let me know if this worked for you.

A blog for IT Admins who do everything by an IT Admin who does everything