Using Secure Shell (SSH) in Windows (Tera Term and PuTTY)

Panix - Public Access
Networks Corporation

(Tera Term and PuTTY)

Introduction:: Secure Shell (SSH) is an Internet protocol that lets you establish an encrypted data stream (including encrypted login) for a number of program types that are normally unencrypted ("cleartext").
The most popular (and easiest) use for SSH is as a replacement for telnet. This document covers setting up SSH in Microsoft Windows as a telnet-replacement only; if you're looking for help with SFTP or SSH-wrapping of other protocols, you're on your own.

Why do I need encryption?
Username/password, or public/private-key?
Where can I get a client that will do encryption?
Using Tera Term SSH (TTSSH):
Using PuTTY:
Making authentication keys with puttygen

A plain telnet session sends everything "in the clear", which means a packet-sniffer (properly applied) can not only see all your email and all the commands you type, but it can see your username and password too.

You might say, "I have no secrets; I don't care who can see my email or my password." But keeping out "peeping toms" and prying spooks isn't the only reason to use encryption. Identity thieves and other nefarious characters would enjoy breaking into and using an innocent bystander's account as a base of operations. When their activities are noticed, it means the authorities waste valuable time investigating the victim (you!) and gives the villain a chance to escape.

Using encrypted login technology (like SSH) makes it harder for someone to get your password and use you as an unwitting accomplice. And nowadays, it's almost as easy to use as plain telnet!

2. Username/password, or public/private-key?

SSH offers two login methods (well, more actually, but we're only going to concentrate on our two favorites).

"Username/password" is the easiest to use; as the name implies, you just log in normally, with your regular username and password. But since the link is encrypted, your password stays a secret.
"Public/private-key" authentication is more secure, because your password is never sent over the link at all. (What's sent is an encrypted token using your private key, instead.) To use this method, you have to create two files:
1. a public key to save on Panix, and
2. a private key to keep on your computer.
You should only use public/private-key authentication on a private computer (one that only you have access to), and avoid file-sharing. Remember that your private key is a file, and can be stolen from your computer if you aren't careful.

Creating the keys requires a key-generator program, but not all SSH programs include one. Fortunately, PuTTYGen (the one we recommend) will work with almost any client.

3. Where can I get a client that will do encryption?

The folks at openssh.com have a number of suggestions. We have instructions below for a couple of our favorites.

4. Using Tera Term SSH (TTSSH):

Tera Term SSH (TTSSH) is an SSH plug-in for Tera Term Pro, our favorite Windows telnet client here at Panix. Even though it's a plug-in, it attaches itself to Tera Term seamlessly and the SSH implementation hasn't ever given us trouble. It's really solid.

a. Setting it up

Download Tera Term Pro:
A more recent version is 3.1.3, and is available at http://www.ayera.com/teraterm/.
The most recent version is 4.5.9, an open-source successor to v.2.3. It is available at http://ttssh2.sourceforge.jp/.
Should you need an earlier version (see below for one reason why this might be the case), v.2.3 is available at http://hp.vector.co.jp/authors/VA002416/teraterm.html. Be aware that TeraTerm 2.3 does not support SSH-2.
Create a directory for the installer, put the ZIP file there, and unzip it. Then run "ttermpro.exe" from that directory to run it. You will most certainly want to place a shortcut on your desktop or in your Start menu.
If you are using v.2.3, you will need to download the TTSSH 1.5.4 plugin:
http://public.planetmirror.com/pub/ttssh/ttssh154.zip
Create a directory, put the ZIP file there, and unzip it. Then move or copy the files made by the "unzip" into your Tera Term program folder. (This is usually in Program Files somewhere.)
Lastly, download the TTSSH-compatible host keys file for Panix:
https://setup.panix.com/sshdata/ssh.rsa
(if you have trouble with this download, you can go here, right-click the link for "RSA keys", and choose "Save Target As..." or the equivalent.)
Put this file in your Tera Term program folder too, and rename it to "ssh_known_hosts".

Now you can run TTSSH by double-clicking on the "ttssh" icon in your Tera Term folder. We suggest making a shortcut somewhere convenient for it, so you don't have to keep opening up "Program Files" every time.

You'll notice that the "New connection" dialog now contains choices for "SSH" and "Other", besides the usual "Telnet". If you choose "SSH", the port number will automatically change from 23 to 22.

Type "shell.panix.com" in the "Host" field, and click "OK" to connect. You should see an "SSH Authentication" dialog right away. NOTE: If you see a dialog warning you that TTSSH doesn't see its key in the "ssh_known_hosts" file, then you need to hit "Cancel" and confirm the location of your ssh_known_hosts file in your "Setup:SSH" menu before proceeding. In general, you should always get a canonical copy of the key, or at least verify its fingerprint, before connecting to the server. Otherwise, you proceed at your own risk.

Your "SSH Authentication" dialog contains several login options. We'll stick to plain passwords and/or RSA keys here.

b. Plain password login

This should be sufficient for most uses. If you choose plain password login, you can type your regular username and password where it says "User name" and "Passphrase", and it'll connect you just like a telnet session. (The only difference is that your whole session is encrypted, which means your password is encrypted too.) No extra setup is needed.

c. RSA key (public/private-key) login

Important Note: Although TeraTerm 3.1.3 supports SSH connections without the TTSSH plugin, it does not support the user of RSA keys. If it is necessary for you to use RSA, you will need v.2.3. TeraTerm 4.59 claims to support RSA and DSA, but we have not yet been able to confirm this.

To use an RSA key login, you have to set up a key pair. TTSSH doesn't come with its own key generator; Panix recommends using "puttygen", which is available for free from the PuTTY website. Instructions for using puttygen are below, in Section 5.

After you create they keys, put your private key file in your Tera Term directory.

Then open Tera Term, go to the "Setup" menu, and choose "SSH Authentication". Enter your user name where it asks, and select "Use RSA key to log in". Now click the "Private key file" button, and tell it where to find your private key.

Now you can choose "Use RSA key to log in", and go ahead. If you want to make key-authentication the default, simply choose "Save setup" from the "Setup" menu after you've logged in, and save the new setup as "teraterm.ini".

5. Using PuTTY:

PuTTY is a free SSH client for Windows written by Simon Tatham in England, and is going through constant development and improvement. It offers some features (like SSH2 and xterm emulation) that TTSSH doesn't, although it's missing a few (like keyboard customization) that TTSSH has. It comes down to personal preference, really.

a. Setting up PuTTY

Download the latest version of PuTTY from their main site:
ftp://ftp.chiark.greenend.org.uk/users/sgtatham/putty-latest/x86/putty.exe
Make sure you have version 0.53b or later, as earlier versions have some known vulnerabilities.
PuTTY doesn't need an install routine; just put the "putty.exe" file in a folder where it's easy to find, and create a shortcut to it in a friendly place.
Now, download the Panix host keys file for PuTTY, unzip it, and double-click the ".reg" file to insert the keys into your registry.
Now we're ready to run PuTTY.

A "PuTTY Configuration" window will appear, with categories on the left side. You can customize the terminal all you want, but you should be able to connect using the defaults. (Our PuTTY help page has some good tips and screenshots, if you need more than we cover here.)
In "Session", type your intended host name and select "SSH".
NOTE: PuTTY doesn't deal well with hostnames that refer to multiple servers, so you'll need to use panix1.panix.com (or panix2, panix3, etc.) as your host name instead of shell.panix.com.
Go to the "SSH" category, and set "Preferred SSH protocol version" to 2 (or "2 only" if you like).
Now go back to "Session", type a name for your session under "Saved Sessions", and click "Save".
If you want to customize the screen size or colors, etc., feel free. But make sure you keep at least one saved session with the program defaults, in case you make a change that stops it working.

b. Username/password login

If you're doing a simple username/password login, then just click "Open" after completing the setup steps above. PuTTY will prompt you for your username and password, and then you'll be logged in.

c. Public/private-key login

If you want to use a public/private-key authentication scheme, first you'll need to create the keys with "puttygen" (see Section 6). Put your saved private key in your PuTTY directory.

Now, load your session and go to the "SSH:Auth" category. Click the "Browse" button next to "Private key file for authentication", and tell it where your private key is. Also, in the "SSH" category itself, verify that "Preferred SSH protocol version" is set to 2.

When you've made these changes, go back and save your session again.

6. Making RSA or DSA keys with puttygen

PuTTYGen is a free program (by the people at PuTTY, of course) which generates public/private key pairs for use in authentication. You can use PuTTYGen-created keys in either PuTTY or TTSSH.

Download PuTTYGen here:
http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
Double-click the file to run it. The program is very simple; just select "SSH1 (RSA)" if you're using Tera Term and TTSSH, or select "SSH2 DSA" if you're using PuTTY. Then click "Generate" to start making a new key.
The program will ask you to move your mouse around in the box to generate randomness for a while. Then it will calculate your keys.
Select and copy (ctrl-c) the public key as shown, then log into a Panix shell session and go to your home directory. Create a ".ssh" directory with the following command:
mkdir .ssh
(Don't forget the dot!) Then "cd" to that directory and create a file (with your text editor) called "authorized_keys". Paste your new public key into this file; MAKE SURE it's all one very long line with no line breaks.
Now return to the PuTTYGen program, and enter a passphrase (twice) in the blanks provided. This will become the password you use to log in, but you should NOT use your regular Panix password. Now click "Save", and tell it to save in the same directory as your SSH program.
NOTE: PuTTYGen will save your private key with a ".PPK" extension. This is required for easy compatibility with PuTTY, but is unnecessary if you're using TTSSH. Harmless, but unnecessary.

Now just go back into your SSH program, tell it where to find the private key, and save your setup again. That's all!

webmaster@panix.com

[ Panix Home ] [ Panix Help System Index ] [ Top of This Page ]