PuTTY with SSH key pair for secure Linux server access

If you’re lucky enough to have a terminal and OpenSSH available at any time, see my article on using them to generate a private/public key pair and set up SSH.  For those of us on Windows, PuTTY provides a suitable alternative.  In this article we’ll use PuTTYgen to generate a key, Pageant as the authentication agent that holds it, and PuTTY itself to make the SSH connection with no password required.

Generate a key with PuTTYgen

First, download PuTTY.  I recommend the full installer: you get everything and it will be easy to find on the Start menu.  Once that’s installed, find and run PuTTYgen.

PuTTYgen ready to generate a key

Click Generate.  PuTTYgen will ask you to move the mouse around; the movements are used as additional random data for generating the key.

PuTTYgen with a newly generated key

Once finished you’ll see a similar screen.  You may enter a comment to remind you of what the key is for if necessary.  Using a passphrase is highly recommended.  If you do not enter a passphrase then anyone who gets hold of your private key can use it.  The only protection you have in such an event is a strong passphrase.  Note that once we have Pageant set up you will not need to enter this phrase every time the key is used, but only when it is loaded into Pageant upon logging into your Windows account.

PuTTYgen saving a key

Save the key somewhere you can find it again such as My Documents.

Take note that in PuTTYgen you can load an existing key so long as you have access to it and remember the passphrase.  In doing so PuTTYgen will provide you with the public key appropriate for use with OpenSSH on the server side and can even save it as a separate file.  Remember to keep your private key safe; your public key is for others (such as the server) to use.

Use Pageant as an authentication agent

Now you’ve generated a new key, but how do you use it?  In walks Pageant, the authentication agent in the PuTTY family.  With Pageant you can load your key and use it to log in when connecting through PuTTY.  You’ll need to know the passphrase to load a key into Pageant.  If you log off Windows or restart the computer, Pageant will have to load the key again, at which point you’ll need the passphrase once more.

Open Pageant, if you used the full installer it will be available in the Start menu.

Pageant with no keys loaded

When you first load Pageant the key list will be empty as you haven’t loaded any yet.  Click Add Key to load the key you created in PuTTYgen.

Pageant file browser

Find and select the key you previously created in PuTTYgen.  Click Open.

Pageant loading a key

If you used a passphrase, and you should have, Pageant will need it to load the key.


Once the passphrase is entered Pageant loads the key.  It is now available for use as authentication when logging in with PuTTY.

Connect with PuTTY

Next we’ll set up PuTTY.  The server(s) you’re connecting to will not yet recognize the key you generated; they have to be told about it.  So first you’ll have to log in however you normally do, such as with a password.  Remember that public key I mentioned earlier?  We need to put that into ~/.ssh/authorized_keys for the user you intend to log in as on the server.

So, first log in to the server, create the directory if it doesn’t already exist, and create or modify the authorized_keys file.

$ mkdir .ssh
$ chmod 700 .ssh
$ cd .ssh
$ vim authorized_keys

Now you need to paste the public key that was displayed in PuTTYgen.  If you didn’t copy it down don’t worry, open PuTTYgen and load your private key file.  The public key will then be displayed where you can easily copy it.  Enter the key exactly, use copy and paste.  Note that with vim you may have to hit the insert or i key to enter insertion mode.  If you’re using PuTTY you may have to right click to paste.

It will look something like this.  Do not copy the fake key below, be sure to copy your own.

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqyUfIvRo+lK53t60O2qH66b9qNKZATWsSk5q8W8ET8bcXWNZVpj0f6PsECmeaYiwCo0jrIFLZfAL657n/giPxuu5BALne4BNMu6AFUkvUf3S2Yol5fYvSORibtaeRXIbuYx3ygRy3AnOdeW/NY9Bi3eBgx+DhgJ74obfApI5oRAkv1k32N3HTX/CfgdgbLxHHyPUVEHvLVrWbGzP7Zae6idzNC5yjzVAUlxK6FI2626Wdb56NLXqNqJDg23r4wHUFSl7x0DVwSpzh4sFzLE9FVBS0MIaeVOOki9azyXt9o8eCPE+IdDTFMU7YFZqSKGTRAu3d7+mXSGe2U+fKyFwJw== foo@foo.com

Save the file.  You can do this in vim using :wq.  Then change the file to only be writable by the current user.  By default your SSH daemon is likely to reject keys if the authorized_keys file does not have the correct permissions.

$ chmod 600 authorized_keys
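The same steps as a script, added here as an example and not part of the original article: it creates ~/.ssh with mode 700 and authorized_keys with mode 600, refuses input that is not a single-line OpenSSH public key (for instance a private key pasted by mistake), strips the carriage returns a Windows paste can carry, and appends the key only if it is not already present.  The function name install_authorized_key and the optional home-directory argument are this example’s own; it also accepts ed25519 and ECDSA keys, which goes beyond the RSA key the article shows.

```shell
#!/bin/sh
# Added example (not from the original article): install an OpenSSH public
# key line into $home/.ssh/authorized_keys with the permissions the article
# asks for (700 on the directory, 600 on the file) and a few sanity checks.
# Usage: install_authorized_key "<public key line>" [home-dir]

install_authorized_key() {
    # Windows clipboards often add a trailing CR; sshd would then never
    # match the key, so strip it before doing anything else.
    key=$(printf '%s' "$1" | tr -d '\r')
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only "<type> <base64 blob> [comment]" lines. This rejects a
    # pasted private key or a PuTTY .ppk file, which would never work.
    case "$key" in
        "ssh-rsa "[A-Za-z0-9+/]*|"ssh-ed25519 "[A-Za-z0-9+/]*|"ecdsa-sha2-nistp"*" "[A-Za-z0-9+/]*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # Directory must be 700 (the article's command has its arguments reversed).
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"

    # Create the file with a restrictive umask so it is never world-readable,
    # then pin it to 600 as the article requires.
    [ -f "$authfile" ] || ( umask 077 && : > "$authfile" )
    chmod 600 "$authfile"

    # Compare on the base64 blob so a different comment does not cause a
    # duplicate line for the same key.
    keyblob=$(printf '%s\n' "$key" | awk '{print $2}')
    if grep -qF -- "$keyblob" "$authfile"; then
        echo "key already present in $authfile" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
}
```

Run it as the user you intend to log in as, passing the single line copied from the PuTTYgen window; it is safe to run twice.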

At this point you can logout and open PuTTY.

PuTTY initial screen

Enter the IP address or host name and port for the server you intend to connect to.  You can save a session by entering a name for it and clicking Save.  If a session with the same name already exists it will be overwritten.


Type in the username to log in as.  This should be the same user you added your public key for.  For example, if I wanted to log in as foo I would have added my public key to /home/foo/.ssh/authorized_keys.


At this point you should immediately log in without a password being required.  This is because by default PuTTY uses Pageant as an authentication agent: you loaded the private key into Pageant and then copied the public key to the server for the user you logged in as.

If for some reason you are unable to authenticate you should check a few things:

  • Is Pageant running with the private key you created loaded?  You should find a Pageant icon in the notifications area of your task bar.
  • Did you login as the same user for whom you copied the public key to .ssh/authorized_keys?
  • Did you copy the public key exactly?  Do not add or remove so much as a space or newline.  It’s very important that you copy into the authorized_keys file the exact content of the public key.  Remember to use the public key, not the private key.
  • Do .ssh and authorized_keys both have appropriate permissions?  .ssh should be 700 and authorized_keys should be 600.

Finally, if you’ve checked all of this, try looking in the server log at /var/log/secure.  It should provide information on why your authentication is being rejected.
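The server-side part of this checklist as a script, added here as an example and not part of the original article: it verifies the 700/600 permissions, and checks that every line of authorized_keys is an OpenSSH public key line rather than a private key, a line with a Windows CR ending, or the multi-line file PuTTYgen writes when you click "Save public key" (RFC 4716 format, which OpenSSH does not accept in authorized_keys).  It also checks that the home directory itself is not group- or world-writable, which goes beyond the article: sshd's default StrictModes setting refuses the key in that case too.  The names check_authorized_keys, mode_of, writable_by_others and report are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original article): run the troubleshooting
# checklist against a user's ~/.ssh on the server. Every finding is printed
# to stderr; exit status 0 means nothing was found.
# Usage: check_authorized_keys [home-dir]

mode_of() {
    # Octal permission bits of a path (GNU stat, falling back to BSD stat).
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

writable_by_others() {
    # True if the group or "other" write bit is set; the leading 0 makes the
    # shell parse the mode string as octal.
    m=$(mode_of "$1")
    m=$((0$m))
    [ $(( (m >> 3) & 2 )) -ne 0 ] || [ $(( m & 2 )) -ne 0 ]
}

problems=0
report() { echo "PROBLEM: $1" >&2; problems=$((problems + 1)); }

check_authorized_keys() {
    home="${1:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    problems=0

    # Beyond the article: sshd (StrictModes yes) also ignores the key when the
    # home directory can be written by other users.
    if writable_by_others "$home"; then
        report "$home is group- or world-writable; sshd will ignore the key"
    fi
    if [ ! -d "$sshdir" ]; then
        report "$sshdir does not exist"; return 1
    fi
    [ "$(mode_of "$sshdir")" = "700" ] || report "$sshdir mode is $(mode_of "$sshdir"), expected 700"
    if [ ! -f "$authfile" ]; then
        report "$authfile does not exist"; return 1
    fi
    [ "$(mode_of "$authfile")" = "600" ] || report "$authfile mode is $(mode_of "$authfile"), expected 600"

    cr=$(printf '\r')
    n=0
    # The "|| [ -n ... ]" keeps a final line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments are fine
        esac
        if [ "${line#*"$cr"}" != "$line" ]; then
            report "line $n has a Windows CR line ending; sshd will not match the key"
        elif [ "${line#*"PRIVATE KEY"}" != "$line" ] || [ "${line#PuTTY-User-Key-File}" != "$line" ]; then
            report "line $n looks like a private key, not a public key"
        elif [ "${line#*"SSH2 PUBLIC KEY"}" != "$line" ]; then
            report "line $n is from PuTTYgen's 'Save public key' file (RFC 4716); paste the single line shown in the PuTTYgen window instead"
        elif ! printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'; then
            report "line $n is not an OpenSSH public key line"
        fi
    done < "$authfile"

    [ "$problems" -eq 0 ]
}
```

If this reports nothing and the login still fails, the remaining items on the list are on the Windows side (Pageant running with the right key loaded, the right username in PuTTY), and the server log will say which key sshd tried.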

Last but not least, you can make this process even easier by telling PuTTY which user to log in as.  Open PuTTY, load the session if you have it saved, then go to Connection -> Data.

PuTTY login configuration

Enter the username you will be logging in as under Auto-login username.  PuTTY will now login as that user and authenticate using your private key.

PuTTY with automatic login

Voila, you can now log in to your server without so much as a single keystroke.  You can even take the security a step further and completely disable password authentication for remote SSH logins.  This is a big step towards protecting your server from brute force SSH attacks.  It also means that if you lose your key you will not be able to log in through SSH; you’ll have to use a local console.  Most ISPs provide a way to access a local console through their control panels.

Load Pageant at Startup

Our current setup works great, but it requires starting Pageant and loading the private key.  We can configure Pageant to do this automatically for us whenever we log in to Windows.  Navigate to Start Menu > Programs > Startup and open the folder.  You may have to right click on it in the Start Menu to do this.


Right click and create a shortcut to Pageant.exe.


The shortcut should look something like this depending on where you installed Pageant.


Now in the Target field add the path to your private key at the end.  Here you can see the private key I saved in My Documents.  Save the shortcut.

Test the shortcut by double clicking on it.  Pageant should start and load the key.  From now on this will happen at startup.  If you used a passphrase with your key Pageant will ask for it once each time it loads.

Sharing Saved Sessions

One last tip.  If you’re working in an environment where you regularly connect to several servers and want to share your list, or if you simply want to backup your PuTTY configuration or move it to a different machine, the configuration can be found in the Windows Registry.

Note that this will include information such as the auto-login username and any customized colors or other changes you’ve made for a saved session.  It does not include your public or private key.  PuTTY delegates to Pageant for this, so there’s no risk of exposing your key; it’s simply a convenient way to save and load a large list of saved sessions.  Go to Start Menu > Run, type in regedit and hit Enter.


This will open the Registry Editor.  You can find PuTTY configuration under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions.  You can select that node and export it as a .reg file.  Copying that file to another machine and running it will load the same registry entries there.  Running PuTTY on that machine once the registry entries are loaded will pick up the saved session configurations.
