Create SSH Keys in MSYS

Post date: Oct 09, 2010 12:7:9 PM

Secure SHell keys are useful for authenticating remote users. First, create a public/private pair of keys. Then, you share the public key with the site that wants to authenticate you.

GitHub uses this authentication to validate users accessing their repositories. I followed their guide to start this tutorial.

Generate SSH keys

    • Start the MinGW Shell.

    • Check that you don't already have SSH keys:

        • cd $HOME/.ssh

        • ls

        • An existing private key will be named id_rsa or similar.

        • If you already have one, you can stop here.

    • ssh-keygen -t rsa -b 1024 -C "your_id@local_system"

        • Press [Enter] to save the private key to the default location:

          /c/dev/your_id/.ssh/id_rsa

        • Enter a pass-phrase. This is a good idea, because if your system is compromised (stolen, targeted virus infection, etc.) your private key will remain private.

Two files are generated: id_rsa and id_rsa.pub. id_rsa is your private key, and id_rsa.pub is your public key. The default key size is 2048 bits, but you might wish to use the -b 1024 argument for compatibility.

Copy your private key to a dedicated USB key, memory card, or CDROM. Lock the copy somewhere safe.

Copy the public key to a more recognizable name:

  • cp $HOME/.ssh/id_rsa.pub $HOME/id_rsa_your_id_hostname.pub

This way, it's clear what system and username combination the keys were generated on.
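The "check whether you already have keys" step above, and the later reminder that the .ssh directory must be readable only by you, can be done in one pass from the shell. The script below is an added example written for this page; it is not from the original post and not GitHub's script. It assumes the permission bits printed by ls -l are meaningful, which is true on Unix-like hosts; the 2010-era MSYS shell only approximates NTFS ACLs, so on Windows the Explorer steps in the next section remain the real control and this script is a quick sanity check. A private key is recognised as any file that has a .pub sibling, so a key named id_rsa_pem with id_rsa_pem.pub beside it is audited too.

```shell
#!/bin/sh
# Added example, not part of the original post or of GitHub's script.
# Audits an SSH key directory the way the post's manual steps do:
#   - is there already a key pair (a private key with a .pub sibling)?
#   - is the directory closed to group/other?
#   - is every private key mode 600 (or tighter)?
# Assumption: permission bits as printed by `ls -l` are meaningful (Unix-like
# hosts; old MSYS only approximates NTFS ACLs, so use the Explorer steps there).

# perm_bits PATH: print the nine rwx characters of PATH, e.g. "rwx------"
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# open_to_others PATH: succeed (return 0) if group or other has any bit set
open_to_others() {
    case "$(perm_bits "$1" | cut -c4-9)" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# audit_ssh_dir DIR: print findings; return 0 if a key pair exists and all
# permissions are private, 1 on any permission finding, 2 if there is no
# key pair (or no directory) to audit
audit_ssh_dir() {
    dir=$1
    rc=0
    found=0
    if [ ! -d "$dir" ]; then
        echo "no key directory at $dir; nothing to audit"
        return 2
    fi
    if open_to_others "$dir"; then
        echo "FAIL: $dir is accessible to group/other ($(perm_bits "$dir"))"
        rc=1
    fi
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue        # glob matched nothing
        priv=${pub%.pub}
        [ -f "$priv" ] || continue       # public key without a private half
        found=1
        if open_to_others "$priv"; then
            echo "FAIL: private key $priv is readable by others ($(perm_bits "$priv"))"
            rc=1
        else
            echo "ok: $priv is private ($(perm_bits "$priv"))"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no key pair in $dir; run ssh-keygen as described above"
        [ "$rc" -ne 0 ] || rc=2
    fi
    return $rc
}
```

Source the file in the MinGW Shell and run audit_ssh_dir "$HOME/.ssh". Exit status 2 means "nothing there yet, go generate a key"; 1 means a key pair exists but something is readable by other accounts and should be fixed before the key is used anywhere.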

Protect your MSYS home directory in Windows

You can set your $HOME directory to be unreadable by other users on your system.

    • Open C:\dev\Your_id\ in Windows Explorer.

    • Right-click and select "Properties".

    • Click "Security" tab.

    • Click "Advanced...".

    • Click "Change Permissions...".

    • Uncheck "Include inheritable permissions from this object's parent", then click "Add".

      • This stops the HOME directory from inheriting the permissions of C:\dev.

    • Click "Add...".

    • Enter your Windows user name and click "Check Names".

    • Click "OK".

    • Select "Full Control", and click "OK".

    • For every other user and group besides your Windows user, select it and click "Remove".

    • Click "Apply". The changes will be applied to all sub-folders as well.

    • Click "OK", then "OK".

Use ssh-agent to remember pass-phrase until you reboot

GitHub has instructions for running ssh-agent on start-up. Save their script as sshagent.sh in your $HOME/bin directory:

    # sshagent.sh: Start SSH agent (if needed) and set agent environment variables
    #
    # Be sure to "source" this script, to receive the necessary variables:
    #   SSH_AUTH_SOCK: socket for the running SSH agent
    #   SSH_AGENT_PID: Process ID for the running SSH agent
    #
    # As always, make sure your .ssh directory is only readable by you!

    SSH_ENV="$HOME/.ssh/environment"

    function start_agent {
        echo "Initializing new SSH agent..."
        # ssh-agent prints shell commands; comment out its "echo Agent pid" line
        # so the saved file can later be sourced silently
        /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
        echo succeeded
        chmod 600 "${SSH_ENV}"
        . "${SSH_ENV}" > /dev/null
        /usr/bin/ssh-add
    }

    # Source SSH settings, if applicable
    if [ -f "${SSH_ENV}" ]; then
        . "${SSH_ENV}" > /dev/null
        # Start a new agent unless the saved PID still belongs to a running ssh-agent
        ps -ef | grep "${SSH_AGENT_PID}" | grep 'ssh-agent$' > /dev/null || {
            start_agent
        }
    else
        start_agent
    fi

This script checks whether ssh-agent is already running, and starts it if not. It then runs ssh-add, which asks for your pass-phrase and loads the key into the agent.

Add a line to your .profile to source sshagent.sh:

    # Start ssh-agent and ask for passphrase
    . "$HOME/bin/sshagent.sh"

Convert RSA SSH keys in MSYS to PEM format

Some systems, such as Amazon Web Services, require a public key in OpenSSL format (PEM).

  • Start MSYS

  • cd .ssh/

  • openssl rsa -in id_rsa -out id_rsa_pem

  • openssl rsa -in id_rsa_pem -pubout -out id_rsa_pem.pub

What now?

SSH keys are only useful when used by someone else to authenticate you. Use your public key to create a Git repository, or allow password-free access to a remote Unix account.