Create SSH Keys in MSYS
Post date: Oct 09, 2010 12:7:9 PM
Secure SHell keys are useful for authenticating remote users. First, create a public/private pair of keys. Then, you share the public key with the site that wants to authenticate you.
GitHub uses this authentication to validate users accessing their repositories. I followed their guide to start this tutorial.
Generate SSH keys
Start the MinGW Shell.
Check that you don't already have SSH keys:
cd $HOME/.ssh
ls
An existing private key will be named id_rsa or similar.
If you already have one, you can stop here; otherwise generate a new pair:
ssh-keygen -t rsa -b 1024 -C "your_id@local_system"
Press [Enter] to save the private key to the default location:
/c/dev/your_id/.ssh/id_rsa
Enter a pass-phrase. This is a good idea: if your system is compromised (stolen, hit by a targeted virus infection, etc.), the private key file on disk is still encrypted with the pass-phrase and remains private.
Two files are generated: id_rsa and id_rsa.pub. id_rsa is your private key, and id_rsa.pub is your public key. The default key size is 2048 bits, but you might wish to use the -b 1024 argument for compatibility.
Copy your private key to a dedicated USB key, memory card, or CDROM. Lock the copy somewhere safe.
Copy the public key to a more recognizable name:
cp $HOME/.ssh/id_rsa.pub $HOME/id_rsa_your_id_hostname.pub
This way, it's clear what system and username combination the keys were generated on.
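The checks the previous steps do by hand (is there already a private key in $HOME/.ssh, is the directory readable only by you, what should the renamed public key be called), as an added shell example that is not part of the original post. It assumes the GNU coreutils "stat -c" that MSYS and Linux both provide, and the usual OpenSSH key file names; the user and host names passed to public_key_copy_name are whatever you choose.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a home directory's .ssh
# the way the post does by hand. Assumes GNU "stat -c" (MSYS and Linux).

# Print the first existing private key under $1/.ssh and return 0;
# return 1 when there is none (so it is safe to run ssh-keygen).
existing_private_key() {
    sshdir="$1/.ssh"
    for name in id_rsa id_dsa identity; do
        if [ -f "$sshdir/$name" ]; then
            echo "$sshdir/$name"
            return 0
        fi
    done
    return 1
}

# Return 0 when $1/.ssh is mode 700 and every private key in it is mode 600;
# otherwise print each offending path with its mode and return 1.
check_ssh_perms() {
    sshdir="$1/.ssh"
    bad=0
    [ -d "$sshdir" ] || { echo "missing: $sshdir"; return 1; }
    mode=$(stat -c '%a' "$sshdir")
    if [ "$mode" != "700" ]; then
        echo "$sshdir has mode $mode, expected 700"
        bad=1
    fi
    for key in "$sshdir"/id_* "$sshdir"/identity; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac   # public halves may be world-readable
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != "600" ]; then
            echo "$key has mode $mode, expected 600"
            bad=1
        fi
    done
    return $bad
}

# Name for the copy of the public key that records user and host,
# following the post's id_rsa_<your_id>_<hostname>.pub convention.
# $1 = directory, $2 = user id, $3 = host name.
public_key_copy_name() {
    echo "$1/id_rsa_$2_$3.pub"
}
```

Run existing_private_key "$HOME" before ssh-keygen and check_ssh_perms "$HOME" after copying keys around; the copy named by public_key_copy_name is the one you hand to GitHub or another site, so it can stay readable.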
Protect your MSYS home directory in Windows
You can set your $HOME directory to be unreadable by other users on your system.
Open C:\dev\Your_id\ in Windows Explorer.
Right-click and select "Properties".
Click "Security" tab.
Click "Advanced...".
Click "Change Permissions...".
Uncheck "Include inheritable permissions from this object's parent", then click "Add".
This stops our HOME directory from being forced to use the permissions of C:\dev.
Click "Add...".
Enter your Windows user name and click "Check Names".
Click "OK".
Select "Full Control", and click "OK".
For every other user and group besides your Windows user, select it and click "Remove".
Click "Apply". The changes will be applied to all sub-folders as well.
Click "OK", then "OK".
Use ssh-agent to remember pass-phrase until you reboot
GitHub has instructions for running ssh-agent on start-up. Save their script as sshagent.sh in your $HOME/bin directory:
# sshagent.sh: Start SSH agent (if needed) and set agent environment variables
# Be sure to "source" this script, to receive the necessary variables:
#   SSH_AUTH_SOCK: socket for the running SSH agent
#   SSH_AGENT_PID: Process ID for the running SSH agent
# As always, make sure your .ssh directory is only readable by you!
SSH_ENV="$HOME/.ssh/environment"

function start_agent {
    echo "Initializing new SSH agent..."
    # Save the agent's variable assignments, commenting out its "echo Agent pid" line
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    # Load the default key; this is where the pass-phrase prompt appears
    /usr/bin/ssh-add;
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # Start a new agent unless the recorded PID is still an ssh-agent process
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi
This script checks whether ssh-agent is already running and starts it if not. The ssh-add step will then ask for your pass-phrase.
Add a line to your .profile to source sshagent.sh:
# Start ssh-agent and ask for passphrase
. $HOME/bin/sshagent.sh
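The script above decides whether the saved agent is still alive by grepping "ps -ef" for the PID. Here is a stand-alone liveness check, added as an example and not taken from the post or from GitHub's script, that instead signals the saved PID with "kill -0" and confirms the agent's socket path still exists. It assumes the environment file has the layout ssh-agent itself writes (SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK; SSH_AGENT_PID=...; export SSH_AGENT_PID;); the file path is a parameter.

```shell
#!/bin/sh
# Added example (not from the original post): is the ssh-agent recorded in an
# environment file still running? Returns 0 if so, 1 if the file is missing,
# the PID is dead, or the socket path is gone.
agent_alive() {
    env_file="$1"
    [ -f "$env_file" ] || return 1
    # Source the file in a subshell so a stale file cannot leak variables
    # into the caller's environment.
    (
        . "$env_file" >/dev/null 2>&1
        [ -n "$SSH_AGENT_PID" ] || exit 1
        # kill -0 sends no signal; it only tests that the process exists
        kill -0 "$SSH_AGENT_PID" 2>/dev/null || exit 1
        # ssh-agent removes its socket when it exits cleanly
        [ -e "$SSH_AUTH_SOCK" ] || exit 1
    )
}
```

Use it in place of the ps/grep line: if ! agent_alive "$SSH_ENV"; then start_agent; fi. Note that kill -0 only proves that some process with that PID exists, so the socket check is what guards against a reused PID after a reboot.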
Convert RSA SSH keys in MSYS to PEM format
Some systems, such as Amazon Web Services, require a public key in OpenSSL format (PEM).
Start MSYS
cd .ssh/
openssl rsa -in id_rsa -out id_rsa_pem
openssl rsa -in id_rsa_pem -pubout -out id_rsa_pem.pub
What now?
SSH keys are only useful once someone else uses your public key to authenticate you. Use your public key to create a Git repository on GitHub, or to allow password-free access to a remote Unix account.