How to Generate SSH Keys for Every Possible Platform
What you find below is especially useful for those of you who work on several machines and platforms in and out of BNL and need to use ssh key pairs to get into RCF. If you just use Linux everywhere, all you need to do is follow the instructions on the RCF web site and you are all set. Otherwise this page is for you. The findings on this web page are a combined effort of Jim Thomas, Jerome Lauret and myself. All typos and mistakes on this page are my doing. I am also not going to discuss the wisdom of having to move private keys around - all I want to do is get things done.

The whole problem arises from the fact that there are 3 different formats to store ssh key pairs, and they are not compatible with each other:
- ssh.com: Secure Shell is the company that invented the (now public) ssh protocol. They provide the (so far) best ssh version for Windows which is far nicer than PuTTY. Especially the File Browser provided is so much nicer than the scp command interface. It is free for academic/university sites.
- PuTTY: a free ssh tool for Windows.
- OpenSSH: runs on all Linux boxes and via cygwin on Windows.
Despite all claims, OpenSSH cannot export private keys into ssh.com format, nor can it import ssh.com private keys. Public keys seem to work but this is not what we want. So here is how it goes:
- On your laptop running Windows:
  - Download puttygen.exe: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. You only need it once, but it might be good to keep it in case you need to regenerate your keys.
  - Launch it. Under parameters pick SSH-2 (RSA) and 1024 for the size of the key in bits. Then press the Generate button. Enter a passphrase in the corresponding fields and then press Save Public Key. To avoid confusing the keys you are going to generate, I strongly recommend calling it rsa_putty.pub. Next press Save Private Key. Type rsa_putty as the name when prompted. PuTTY will automatically name it rsa_putty.ppk. That's your private key. Don't quit puttygen yet. Now comes the important stuff.
  - In the menu bar pick Conversions->Export OpenSSH key. When prompted, give a name that indicates that this is the private key for OpenSSH (Linux). I used rsa_openssh. No public key is stored, only the private one. We will generate the public one from the private one later.
  - In the menu bar pick Conversions->Export ssh.com key. When prompted, give a name that indicates that this is the private key for ssh.com. I used rsa_sshcom. Again, no public key is stored, only the private one. We will generate the public one from the private one later.
  - I recommend saving the "key fingerprint" too since you will need it at the RCF web site when uploading your public key. Just save it in a plain text file. You can always generate it later with ssh-keygen -l -f <key_file> but why bother.
  - All done. Now you have essentially 4 files: public and private keys for PuTTY and private keys for ssh.com and OpenSSH.
- Getting ssh.com to work (Windows):
  - Here I assume that you have SSHSecureShell (client) installed, that is, the ssh.com version. Open a DOS (or cygwin) shell. We now need to generate a public key from the private key we got from puttygen. It is best to change into the directory where your private key is stored and type: ssh-keygen2 -D rsa_sshcom. Note that the command has a '2' at the end. This will generate a file called rsa_sshcom.pub containing the public key. Now you have your key pair.
  - Launch SSH and pick Edit->Settings from the menu bar. Click on GlobalSettings/UserAuthentication/Keys and press the Import button. Point to your public key rsa_sshcom.pub. The private key will be loaded automatically too. That's it. Press OK and quit SSH. We are not quite ready yet. We still have to generate and upload the OpenSSH key to RCF.
- Getting keys to work with OpenSSH/Linux:
  - Copy the private key rsa_openssh to a Linux box (cygwin on Windows works of course too).
  - Generate the public key with: ssh-keygen -y -f rsa_openssh > rsa_openssh.pub
  - Now you have the key pair. All done.
  - To install the key pair on a Linux box copy rsa_openssh and rsa_openssh.pub to your ~/.ssh directory. Important: the keys have to be named id_rsa and id_rsa.pub otherwise it won't work: mv rsa_openssh ~/.ssh/id_rsa and mv rsa_openssh.pub ~/.ssh/id_rsa.pub. All done.
- Uploading the public key to RCF:
  - https://www.rcf.bnl.gov/Auth/External/SshKeys/UploadSshKey.php
  - Make sure you upload the OpenSSH public key. Everything else won't work. You need to provide the key fingerprint which you hopefully stored (see 1.5). Otherwise generate it with ssh-keygen -l -f <key_file>.
- Getting keys to work with PuTTY:
  - Should be simple. I do not have PuTTY installed but I assume there's an "Import" feature. You use the keys generated by puttygen directly.
All done. If you followed all instructions you now have 3 key pairs ( files). This covers essentially all SSH implementations there are. Wherever you go, whatever machine and system you deal with, one key pair will work. Keep them all in a very safe place.
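An added example, not part of the original page: Python that tells from a key file's first line which of the formats above it is in, rewrites an ssh.com-style (RFC 4716) public key as the one-line OpenSSH form that the upload step asks for, and computes the fingerprint from the key blob. The function names are illustrative and the sample key is constructed with a toy modulus, so it is not a usable key.

```python
import base64
import hashlib

# First-line markers of the key file formats this page deals with.
MARKERS = [
    ("PuTTY-User-Key-File-", "PuTTY private key"),
    ("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----", "ssh.com private key"),
    ("---- BEGIN SSH2 PUBLIC KEY ----", "RFC 4716 public key"),
    ("-----BEGIN RSA PRIVATE KEY-----", "OpenSSH private key"),
    ("ssh-rsa ", "OpenSSH public key"),
]

def identify(text):
    """Name a key file's format from its first line."""
    first = text.lstrip().split("\n", 1)[0]
    return next((n for p, n in MARKERS if first.startswith(p)), "unknown")

def public_blob(text):
    """Return the binary key blob of an OpenSSH or RFC 4716 public key."""
    if identify(text) == "OpenSSH public key":
        return base64.b64decode(text.split()[1])
    if identify(text) != "RFC 4716 public key":
        raise ValueError("not an OpenSSH or RFC 4716 public key")
    body, continued = [], False
    for line in text.strip().splitlines()[1:-1]:
        if continued or ":" in line:  # header line; a trailing "\" continues it
            continued = line.endswith("\\")
        else:
            body.append(line.strip())
    return base64.b64decode("".join(body))

def to_openssh(text):
    """Rewrite a public key in the one-line form OpenSSH uses."""
    blob = public_blob(text)
    n = int.from_bytes(blob[:4], "big")  # blob begins with the algorithm name
    return blob[4:4 + n].decode() + " " + base64.b64encode(blob).decode()

def fingerprints(text):
    """MD5 (colon-hex) and SHA256 fingerprints of the key blob."""
    blob = public_blob(text)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

# Constructed sample (toy modulus, not a usable key): one blob, two file formats.
B64 = base64.b64encode(b"".join(len(f).to_bytes(4, "big") + f for f in
    (b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 128))).decode()
SAMPLE_OPENSSH = "ssh-rsa " + B64 + " user@laptop"
SAMPLE_RFC4716 = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "constructed"',
    *(B64[i:i + 64] for i in range(0, len(B64), 64)), "---- END SSH2 PUBLIC KEY ----"])
```

The fingerprint is taken over the key blob, not the file, so both public key formats give the same value; ssh-keygen -l -f <key_file> prints the MD5 form in older OpenSSH versions and the SHA256 form in newer ones.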
Last updated: Tuesday, October 03, 2006 by TU