
For access to Linux servers, we require that you use a signed SSH key. A signed key may also be used with the SSH gateway, SFTP and the RunDMC module.

Initial setup and configuration

This guide assumes you have SSH on your client. It is provided on Linux/Mac and is available on Windows via OpenSSH from https://github.com/PowerShell/Win32-OpenSSH/releases/latest (note that this is pre-installed on University SWAE laptops).


Windows

We recommend that you install OpenSSH from https://github.com/PowerShell/Win32-OpenSSH/releases/latest and also that you use Windows Terminal from Microsoft.

Mac/Linux

These already have everything you need.

Downloading and running the installer

1. Download the faythe installer

Note: you only need to do this once per machine.

To install on Windows using the standard Microsoft OpenSSH, run the following from PowerShell:

invoke-webrequest -uri https://www1.essex.ac.uk/it/dev/finstall.ps1 -outfile finstall.ps1
./finstall.ps1

To install on Linux/Mac/Mobaxterm:

wget -O finstall.sh https://www1.essex.ac.uk/it/dev/finstall.sh
sh finstall.sh

2. Run the faythe installer

Note, you need to do this on each machine you use, but see below about copying your keys to the second or subsequent machine before running the installer on those.

The prompts are similar in both cases - an example Windows PowerShell setup is shown below.

You are first prompted for a passphrase for a new SSH key - choose a secure passphrase and make a note of it - you may need it again. In the example below, you are prompted for this passphrase at lines 8, 9 and 11.

After creating the SSH key, the installer then enrols this key with our SSH Certificate Authority. Here you are prompted for your University password at line 19 and the associated MFA code from Windows Authenticator (or similar).

PS C:\Users\mylogin> .\finstall.ps1
Updating C:\Users\mylogin\Documents\PowerShell\Microsoft.PowerShell_profile.ps1...

cmdlet faythe_install at command pipeline position 1
Supply values for the following parameters:
Login: mylogin
+ Running ssh-keygen - use a memorable passphrase and make a note of it.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
+ Adding your key to your agent ... use the same passphrase as above.
Enter passphrase for C:\Users\mylogin/.ssh/id_ed25519_essex.ac.uk:
Identity added: C:\Users\mylogin/.ssh/id_ed25519_essex.ac.uk (mylogin@essex.ac.uk faythe key)
+ Creating/updating C:\Users\mylogin\AppData\Local\Temp/faythe.ps1.
+ Checking SSH config ...
+ Creating C:\Users\mylogin/.ssh/config.
+ Creating include file C:\Users\mylogin/.ssh/faythe_essex.ac.uk.config.
+ Added domain trusted host CA to C:\Users\mylogin/.ssh/known_hosts.
+ Enrolling your SSH public key.
(mylogin@sshenrol.essex.ac.uk) Password:
(mylogin@sshenrol.essex.ac.uk) Enter Your Microsoft verification code: 157479
+ Open a new powershell window to start using ssh.
Finished. Hit any key to continue.:

Notes:

If you are prompted about enabling ssh-agent on Windows, follow the instructions shown and then try again.

When finished, close the window and open a new one. Check that this has worked by running:

alias ssh

If no matching alias is found, seek assistance.

Checking it is working

To check it worked, the simplest thing is to try the following in a new terminal window:

PS C:\Users\mylogin> sftp mdrive.essex.ac.uk
+faythe: Requesting signed certificate ...
(mylogin@sshca.essex.ac.uk) Password:
(mylogin@sshca.essex.ac.uk) Enter Your Microsoft verification code:
+faythe: Wrote new key to C:\Users\mylogin/.ssh/id_ed25519_essex.ac.uk-cert.pub file - valid until 024-02-14T00:00:00
Connected to mdrive.essex.ac.uk.
sftp>

This shows that you successfully got your key signed and that it was used to log in to mdrive.essex.ac.uk. Note that if you don’t see line 5, seek advice. Second and subsequent connections during the signed key lifetime won’t prompt for your password or Microsoft verification code.
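To see whether the signed certificate on disk is still inside its validity window without opening a connection, you can read it with `ssh-keygen -L`. The script below is an added example, not part of faythe or of the original page; the sample listing in it is constructed (placeholder fingerprints, assumed Key ID and principal), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of faythe): classify an OpenSSH certificate's validity.

# Constructed sample of `ssh-keygen -L` output; fingerprints are placeholders.
sample_cert_listing() {
    cat <<'EOF'
id_ed25519_essex.ac.uk-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER-USER-KEY
        Signing CA: ED25519 SHA256:PLACEHOLDER-CA-KEY (using ssh-ed25519)
        Key ID: "mylogin"
        Serial: 0
        Valid: from 2024-02-13T09:00:00 to 2024-02-14T00:00:00
        Principals:
                mylogin
        Critical Options: (none)
        Extensions:
                permit-pty
EOF
}

# cert_status NOW: read `ssh-keygen -L` output on stdin and print one of
# "valid", "expired", "not-yet-valid" or "no-certificate".
# NOW is a local timestamp such as 2024-02-13T12:00:00; ISO timestamps in
# the same format sort correctly as plain strings.
cert_status() {
    awk -v now="$1" '
    $1 == "Valid:" {
        seen = 1; start = ""; stop = ""
        if ($2 == "from")   { start = $3; stop = $5 }
        if ($2 == "after")  { start = $3 }
        if ($2 == "before") { stop = $3 }
        # "Valid: forever" leaves both bounds empty.
        if (start != "" && now < start)     print "not-yet-valid"
        else if (stop != "" && now >= stop) print "expired"
        else                                print "valid"
        exit
    }
    END { if (!seen) print "no-certificate" }'
}

# check_cert [FILE]: apply cert_status to a real certificate file.
check_cert() {
    cert=${1:-"$HOME/.ssh/id_ed25519_essex.ac.uk-cert.pub"}
    ssh-keygen -L -f "$cert" 2>/dev/null |
        cert_status "$(date +%Y-%m-%dT%H:%M:%S)"
}
```

Source the file and run `check_cert`; a result of `expired` or `no-certificate` means the next connection will ask for your password and verification code again.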

Other information…

Moving your enrolled key to a new client device

If you get another client device, you need to copy three files from ${HOME}/.ssh to the same location on the new device - these are

  • id_ed25519_essex.ac.uk
    your private key - you’ll need to know the associated passphrase - see below for lost passphrase…

  • id_ed25519_essex.ac.uk.pub
    your public key

  • config
    any local changes you might have made to your ssh configuration

Once you have these on the new device, download the appropriate script (step 1 above) and run it. You should be prompted just for your login name and key passphrase. Once complete, open a new window to use a faythe-enhanced ssh configuration.

Lost ssh key passphrase when moving to a new client device

If you have lost your ssh key passphrase, ask us to delete your current enrolled key, then run the following:

rm ${HOME}/.ssh/id_ed25519_essex.ac.uk*

Then download the appropriate script (step 1 above) and run it. Once complete, open a new window to use a faythe-enhanced ssh configuration.

Finally, if you used this key-pair on any other devices, copy the files ${HOME}/.ssh/id_ed25519_essex.ac.uk* back to the other devices where you use faythe. On these devices run

ssh-add -d ${HOME}/.ssh/id_ed25519_essex.ac.uk
ssh-add ${HOME}/.ssh/id_ed25519_essex.ac.uk

and give your new passphrase. They should then work fine.
