Install the faythe SSH signed-key framework on Windows

For access to Linux servers, we require that you use a signed SSH key. A signed key may also be used with the SSH gateway, SFTP and the RunDMC module.

Initial setup and configuration

This guide assumes that you already have SSH on your target client. It comes pre-installed on Linux/Mac and is available on Windows via OpenSSH from https://github.com/PowerShell/Win32-OpenSSH/releases/latest (note that this is pre-installed on University SWAE laptops).

Windows

We recommend that you install OpenSSH from https://github.com/PowerShell/Win32-OpenSSH/releases/latest and also that you use Windows Terminal from Microsoft.

We also recommend PowerShell 7, but the installer also works fine with PowerShell 5.1.

Mac/Linux

These already have everything you need.

Downloading and running the installer

1. Download the faythe installer

Note, you only need to do this once per machine.

To install on Windows using the standard Microsoft OpenSSH, from PowerShell:

invoke-webrequest -uri https://www1.essex.ac.uk/it/dev/finstall.ps1 -outfile finstall.ps1

To install on Linux/Mac/MobaXterm/WSL:

wget -O finstall.sh https://www1.essex.ac.uk/it/dev/finstall.sh

2. Run the faythe installer

On Windows with PowerShell

.\finstall.ps1

On Linux/Mac/MobaXterm/WSL

Note, you need to do this on each machine you use, but see below about copying your keys to the second or subsequent machine before running the installer on those.

The prompts are similar for both the PowerShell and POSIX sh versions - an example Windows PowerShell setup is shown below.

Notes:

If you are prompted about enabling ssh-agent on Windows, follow what is said and then try again.

  • Line 6: Provide your login name (not email alias) without the @essex.ac.uk.

  • Lines 8 & 9: Provide and confirm a passphrase for your newly generated SSH key. You should use something secure and ensure that you keep a record of this.

  • Line 11: Provide your new passphrase again to add the new key to your SSH agent.

  • Line 19: Provide your University of Essex password.

  • Line 20: Provide the MFA code from the Azure authenticator for your account.

When finished, close the window and open a new one. Check that this has worked by running

If no matching alias is found, seek assistance.

Checking it is working

To check it worked, the simplest thing is to try the following in a new terminal window

This shows that you successfully got your key signed and that it was used to log in to mdrive.essex.ac.uk. Note that if you don’t see line 5, seek advice. Second and subsequent connections during the signed key lifetime won’t prompt for your password or Microsoft verification code.

Other information…

Moving your enrolled key to a new client device

If you get another client device, you need to copy three files from ${HOME}/.ssh to the same location on the new device - these are

  • id_ed25519_essex.ac.uk
    your private key - you’ll need to know the associated passphrase - see below for lost passphrase…

  • id_ed25519_essex.ac.uk.pub
    your public key

  • config
    any local changes you might have made to your ssh configuration

Once you have these on the new device, download the appropriate script (step 1 above) and run it. You should be prompted just for your login name and key passphrase. Once complete, open a new window to use a faythe enhanced ssh configuration.
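On Linux/Mac/WSL, the copy step can be scripted so the three files land in place with the permissions OpenSSH expects (it rejects a private key that other users can read). This is an added example, not part of the faythe installer or this guide's own tooling; the function name import_essex_keys and the source directory argument are assumptions.

```sh
#!/bin/sh
# Added example: stage an enrolled key-pair and ssh config on a new device.
# Usage: import_essex_keys SRC_DIR [DEST_DIR]   (DEST_DIR defaults to ~/.ssh)
# SRC_DIR is hypothetical: wherever you placed the files copied from the old device.

KEY=id_ed25519_essex.ac.uk   # file name as given in this guide

import_essex_keys() {
    src=$1
    dest=${2:-"$HOME/.ssh"}

    # Refuse to start unless all three files named in the guide are present.
    for f in "$KEY" "$KEY.pub" config; do
        if [ ! -f "$src/$f" ]; then
            echo "missing: $src/$f" >&2
            return 1
        fi
    done

    # Never silently replace a key or config already on this device.
    for f in "$KEY" "$KEY.pub" config; do
        if [ -e "$dest/$f" ]; then
            echo "refusing to overwrite: $dest/$f" >&2
            return 2
        fi
    done

    # Sanity-check the public key type before copying anything.
    case $(head -n 1 "$src/$KEY.pub" | cut -d' ' -f1) in
        ssh-ed25519) ;;
        *) echo "unexpected key type in $KEY.pub" >&2; return 3 ;;
    esac

    # Create the files private by default, then set the final modes explicitly:
    # directory 700, private key and config 600, public key 644.
    (
        umask 077
        mkdir -p "$dest" &&
        cp "$src/$KEY" "$src/$KEY.pub" "$src/config" "$dest/"
    ) || return 4
    chmod 700 "$dest"
    chmod 600 "$dest/$KEY" "$dest/config"
    chmod 644 "$dest/$KEY.pub"
}
```

Return code 2 means a key or config already exists at the destination; inspect it before deciding which copy to keep.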

Lost SSH key passphrase when moving to a new client device

If you have lost your SSH key passphrase, ask us to delete your current enrolled key, then run the following

Then download the appropriate script (step 1 above) and run it. Once complete, open a new window to use a faythe enhanced ssh configuration.

Finally, if you used this key-pair on any other devices, copy the files ${HOME}/.ssh/id_ed25519_essex.ac.uk* back to the other devices where you use faythe. On these devices run

and give your new passphrase. They should then work fine.