
Technical Notes

Configuring Public Key Authentication for F-Secure SSH Client for Windows and OpenSSH Server
Technical Note 1919
Last Reviewed 09-Dec-2004
Applies To
F-Secure SSH Client for Windows version 5.4
Summary

This technical note describes the steps you must follow to use public key authentication when connecting from an F-Secure SSH Client for Windows to an OpenSSH server. You will use the Key Generation utility to generate a keypair and upload the public key to the server. Then you will use the command line to convert the public key to OpenSSH format. Troubleshooting tips are also included.

Public Key Authentication Overview

Public key authentication is one way a server can authenticate a user. It requires a private and public keypair; the private key is located on the client, and the public key must be uploaded to the SSH server.

Key Formats

When a keypair is created on an SSH client, each key of the keypair—public and private—is written to a separate file in a particular format. The format for the public key is SecSH. The format for the F-Secure Windows Client private key is PKCS #7 for versions 5.4 or higher, or proprietary for versions 5.3 and earlier.

Using the Key Generation Utility

Use the F-Secure Key Generation utility to generate a keypair and upload the public key to the OpenSSH server.

Note: If you prefer not to use the Key Generation utility, you can use ssh-keygen2 from the command line to generate a keypair. To obtain a list of options, type ssh-keygen2 -h on the command line.

  1. Start the F-Secure SSH Client.
  2. Connect to the host using password authentication and the user account that needs public key authentication.
  3. Click Edit > Settings.
  4. In the left pane, under Global Settings, click User Keys. If you already have a keypair that you wish to use, select the key, click the Upload Public Key button, and proceed to step 8.
  5. To create a keypair, click the Generate New Keypair button to open the Key Generation wizard.
  6. Follow the prompts to create a new keypair.
  7. On the Finish panel, click the Upload Public Key button.
  8. In the Upload Public Key dialog box, change the Destination Folder to .ssh and click Upload.
  9. Click OK to close the Settings dialog box.

Converting the Public Key

OpenSSH servers expect public keys in OpenSSH format. Now that you have uploaded the public key to the OpenSSH server, you must convert it from SecSH (the format generated by the F-Secure SSH client) to OpenSSH format. To do this, follow these steps:

  1. On the command line, change to the .ssh directory in your user account.
  2. Use the following command to convert the key to OpenSSH format and append the key to the authorized_keys file. Replace publickeyname.pub with the name of your public key:
ssh-keygen -i -f publickeyname.pub >>authorized_keys

Note: Use the >> symbol to append to the authorized_keys file. The > symbol will overwrite the file.

Command switches used:

    -i
    Convert IETF SecSH to OpenSSH key file
    -f filename
    Filename of the key file
  3. To clean up your .ssh directory, remove the authorization file, which was created when you uploaded the public key, from your .ssh folder using the following command:
rm authorization
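
The following Python sketch is an added example, not part of the original technical note and not F-Secure or OpenSSH code. It shows what the -i conversion does to a public key: it reads the SecSH file, takes the key type from the decoded key data, and emits the one-line form stored in authorized_keys, rejecting input that is not a SecSH public key. It assumes the file follows the SecSH public key file format as later published in RFC 4716; the function names are hypothetical and the sample key is constructed dummy data.

```python
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def secsh_to_openssh(text):
    """Convert one SecSH (RFC 4716) public key to an authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a SecSH public key (private key or other format?)")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line = lines[i]
        i += 1
        if ":" in line and not body:        # header, e.g. Comment: "..."
            while line.endswith("\\"):      # trailing backslash continues it
                line = line[:-1] + lines[i]
                i += 1
            tag, value = line.split(":", 1)
            if tag.lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)               # base64 key data, wrapped over lines
    blob = base64.b64decode("".join(body), validate=True)
    # The blob begins with a length-prefixed string naming the key type.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) <= 4 + n:
        raise ValueError("truncated key blob")
    key_type = blob[4:4 + n].decode("ascii")
    b64 = base64.b64encode(blob).decode("ascii")
    return " ".join(part for part in (key_type, b64, comment) if part)


def sample_secsh():
    # Constructed sample: ssh-ed25519 framing around 32 dummy bytes, not a real key.
    fields = (b"ssh-ed25519", bytes(range(32)))
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join([BEGIN, 'Comment: "constructed sample, \\',
                      'not a real key"', *textwrap.wrap(b64, 40), END])


if __name__ == "__main__":
    print(secsh_to_openssh(sample_secsh()))
```

A ValueError from this function on a file you transferred manually usually means the file is a private key or is already in OpenSSH format.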

Troubleshooting

If you are having trouble connecting, check the issues listed below.

Server Permissions

Verify that the file permissions on the server are configured properly. Setting the $HOME/.ssh directory to 744 and the authorized_keys file to 600 will allow key authentication to work. For more information on permissions, see technical note 1178 about "Understanding UNIX and NFS Permissions".

Verify that public key authentication is enabled

On the F-Secure SSH Client for Windows:

On the client's Edit menu, click Settings. In the Settings dialog box, on the left pane under Profile > Connection, select Authentication. Verify that Public Key is listed under Authentication Methods and that User Keys is listed under Public-Key Authentication Methods.

On the OpenSSH server:

The server configuration file, sshd_config, should include the following entries:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Verify that the public key was uploaded and converted properly

The public key should be uploaded to the authorized_keys file in the .ssh directory on the OpenSSH server.

If you use the Key Generation utility to upload the public key, the utility allows only the public key to be uploaded. If, however, you manually transfer the key to the server, verify that you transferred the public key.

Related Technical Notes
1900 F-Secure SSH Technical Notes
