Tag Archives: security

Dealing with key-based authentication on Windows with Putty

I’m writing this entry because I’m going to be writing another entry soon, and I want to point to this rather than explain it in situ. 

Here lately, I’ve been using Windows on my desktop. At work, this is mostly because of the extensive administration I do with VMware, and there’s STILL no native way on Linux or Mac to do things like Update Manager, and at home, because I play lots of video games. Lots. Of. Games.

The end result is that I spend a lot of time using Putty. There are a lot of Windows-specific SSH clients, but I like Putty’s great combination of being tiny, running without any actual installation, and reasonably dense feature-set. If you’re on Windows and you need to deal with Linux hosts, you’re probably already using Putty, but maybe not as completely as you could be.

There is a small  ecosystem of applications that work with Putty, including sftp clients and an SSH client that runs in the Windows command prompt (plink). They’re all available on the same Putty download page. The biggest win, in my opinion, is to combine it with Pageant. Much like ssh-agent on Linux, Pageant manages your SSH keys, allowing you to log into remote hosts without typing passwords, and only typing your key’s passphrase once.

The first step with key-based authentication is to actually generate some keys. For Pageant, the easiest way is probably to use PuttyGen, which looks like this:

Click “Generate” and move the mouse around as the directions say:

This produces your actual key:

 

You want to type in a “Key passphrase” that is a long-ish phrase that you can remember well enough to re-type occasionally. Once you’ve done that, click “Save public key”, make a keys directory, and save it in there, then do the same with “Save private key”. You should care that people don’t get the private key, but your passphrase should be long enough that it’s unlikely that anyone could brute-force your key before you change it or lose it or maybe if you like typing, until the heat death of the universe.

Copy the text at the top and save that into notepad so we can have it after this closes. We can get it again by re-running the key generator, but if you’re like me, you didn’t install it, you just kind of ran it from your downloads, and you’d probably have to download it again to run it again, so just keep the text in Notepad for now.

Alright, so now you want to download Pageant and this time, you want to save it somewhere useful. I have a “Programs” directory that I made under C:\Users\msimmons\ that holds stuff like this, so I saved it there. Once it was there, I right clicked and said “Create Shortcut”, which I then dragged into C:\Users\msimmons\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – this makes sure that Pageant will start when I log in. By default, that won’t actually load my key, though, so we have to edit the properties on the shortcut and add the key as an argument to the executable:

 

Now, when you log in, you’ll be prompted to type the passphrase to your private key, which will allow you to put that public key into the authorized_keys of a target host and authenticate as that user without typing a password every time! Excellent!

Monitoring Entropy? But…but…but…

So, I’m going through some of the current Big Brother / Hobbit / Xymon checks that we have throughout the infrastructure, I found something interesting. There exists the /var/lib/hobbit/client/ext/entropy check, which has this in its core:

     my $loop = 10
     my $delay = 2
     for (1 .. $loop) {
        sleep $delay;
        open F, '/proc/sys/kernel/random/entropy_avail' or exit;
        $entropy += ;
        chomp $entropy;
        close F;
     }

So essentially, it pulls entropy out of the pool, waits 2 seconds, then does it again, and performs the loop 10 times.

I had my suspicions, so I ran a simple “cat /proc/sys/kernel/random/entropy_avail” a couple of times to see what happened:

  msimmons@host ~/code/hobbit $ cat /proc/sys/kernel/random/entropy_avail 
  2845
  msimmons@host ~/code/hobbit $ cat /proc/sys/kernel/random/entropy_avail 
  2756
  msimmons@host ~/code/hobbit $ cat /proc/sys/kernel/random/entropy_avail 
  2647

This seems counter productive to me. Just saying. If you’re running this check, maybe you want to edit this a little bit to be less aggressive, if you *really* need to alert on entropy.

Related, but do you alert on entropy? Why?