Wednesday, July 20, 2011

SSH: Public Key Authentication with Putty

Putty is a set of Windows-based SSH client programs.  It has a small footprint and can even run without installation by executing the programs in standalone mode.  These are the common Putty applications:

  1. Putty.exe is the SSH client program.
  2. PuttyGen.exe is a program that generates public/private key pairs.
  3. Pageant.exe is an SSH authentication agent for Putty.
  4. Plink.exe is a command line interface to the Putty back ends.

Generate Key Pair

Run PuttyGen.exe and press the Generate button to start generating a key pair.  You may need to move the mouse cursor over the blank area to generate randomness for key generation:


After generation finishes, you should see the public key shown on screen.  The private key has been generated too, but it is not shown on screen for safety reasons:


As shown on screen, the key length is 1024 bits, which is considered very secure from hacking.  The public key generated is shown at the top of the window.  The “Key passphrase” and “Confirm passphrase” fields are there to protect the private key when it is saved to a file.  An empty passphrase leaves the private key unencrypted.  If the private key is compromised, others may use it just as the owner does.  A passphrase provides an extra shield to protect the private key.  The user will need to enter the passphrase whenever the private key is needed.

When you are ready with the key pair, copy the public key to the clipboard for the next stage.

Deploy Public Key to SSH service

The public key should be kept on the SSH server.  Copy and paste the public key text into any text editor and save the file as “authorized_keys”.


Find a way to copy the file to your home account on the SSH server.  The file should be copied into the folder ~/.ssh/.  You may use SCP or a home account Samba share to copy the file into ~/.ssh/.  The folder ~/.ssh/ might not exist; if so, create the folder to store authorized_keys.

$ cd ~/.ssh
$ chmod 0600 authorized_keys
$ ls -gG
total 4
-rw------- 1 226 Jul 17 13:07 authorized_keys
-bash-4.1$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBuSYSpUY3CxoLMmxnimmuC8kXRfJ8fmqDtyi6MqHLNWMGSdP/LYfc6LPatVq2tYlfDPiFrLXiMeqYBiZHLwAGDfJdm40BpclVmbovYOL4b/kFm81gk2iENSscnV6gI07aniABOJNXsWnvUeAnHpbYLR5YSc2Ko48ubjyCzBWJM/w== rsa-key-20110718
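
An authorized_keys entry is "<type> <base64 blob> <comment>", and the blob itself carries the key type and, for RSA, the exponent and modulus. The following is an added example (not part of the original article) that decodes the entry shown above and reports the RSA modulus size; the MIN_RSA_BITS threshold and the function names are assumptions made for this example, and entries with leading options are not handled.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumption: local policy floor, not a value from the article

# The authorized_keys entry printed in the article, split only for line length.
PAGE_ENTRY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABJQAAAIBuSYSpUY3CxoLM"
    "mxnimmuC8kXRfJ8fmqDtyi6MqHLNWMGSdP/LYfc6"
    "LPatVq2tYlfDPiFrLXiMeqYBiZHLwAGDfJdm40Bp"
    "clVmbovYOL4b/kFm81gk2iENSscnV6gI07aniABO"
    "JNXsWnvUeAnHpbYLR5YSc2Ko48ubjyCzBWJM/w=="
    " rsa-key-20110718"
)

def read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string'); return (value, next)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end

def audit_entry(line):
    """Return (comment, declared_type, rsa_bits or None, findings)."""
    fields = line.split(None, 2)  # assumes no leading options such as from="..."
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, comment = fields[0], (fields[2].strip() if len(fields) > 2 else "")
    blob = base64.b64decode(fields[1], validate=True)
    inner, offset = read_string(blob, 0)
    findings, bits = [], None
    if inner.decode("ascii", "replace") != declared:
        findings.append("declared type does not match type inside key blob")
    elif declared == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)
        modulus, offset = read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus is {bits} bits (minimum {MIN_RSA_BITS})")
    return comment, declared, bits, findings

if __name__ == "__main__":
    print(audit_entry(PAGE_ENTRY))
```

The modulus in the article's key occupies 128 bytes with the top bit of the first byte clear, so the reported size is 1023 bits and the entry is flagged under the assumed threshold.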

Deploy Private Key to Putty

The private key is supplied from the SSH client end.  A private key may be saved with or without a passphrase.  A passphrase-protected private key has extra security.  A private key without a passphrase is a plain text key that may be used directly for SSH authentication.  Both types of private key should be kept safe so that others cannot obtain them.

The private key may be kept on any media or in any location, even on a flash drive that you carry with you.  For the purposes of this article, the private key is kept in %userprofile%/.ssh/key.ppk.  Please note that Putty requires the private key file to be in Putty key format.

A number of SSH client applications support public key authentication.  There should be a place in their settings to specify the private key file.  Just supply the private key there to make the SSH connection work.

Access SSH with public key authentication

Run Putty.exe and configure the SSH client for public key authentication:


Click the Open button to start the login:

login as: <user-name>
Authenticating with public key "rsa-key-20110718"

The above example shows a login using a private key without a passphrase.  If the SSH screen shows something like the above, then public key authentication has succeeded.  You may have noticed that the text “rsa-key-20110718” is the key comment shown in PuttyGen.exe.

For a passphrase-protected private key, the login screen looks like this:

login as: <user-name>
Authenticating with public key "rsa-key-20110718"
Passphrase for key "rsa-key-20110718": <enter passphrase here>

Pageant: SSH login with key agent

Pageant is the Putty key agent, which caches a list of private keys.  Private keys with or without a passphrase may be cached in Pageant.  By using Pageant, you may skip the private key setting in Putty’s session (located in Connection | SSH | Auth, “Private key file for authentication”).  Pageant is smart enough to try all cached private keys for authentication.

To use Pageant, double click Pageant.exe to launch the program.  The program stays in the Notification Area at the right end of the Windows Task Bar:


To add a private key, right click on the Pageant icon to bring up a context menu and choose “Add Key”.  A passphrase dialog will appear if the private key is protected with a passphrase.

Please note that you should check “Attempt authentication using Pageant” in the SSH session to enable Pageant authentication:


Putty: Auto login user name

The Putty session configuration allows you to specify a user name for auto login:


By combining Pageant and the auto login user name, you may start a Putty session by just double clicking on it, without supplying a user name or passphrase.  The SSH session is available right after you double click.

Putty: Use private key generated by OpenSSH

Windows Putty.exe can’t use a private key generated by OpenSSH directly.  Putty.exe requires a private key stored in Putty format.  Thus, the OpenSSH private key must be converted to Putty format.  Run PuttyGen.exe to perform the conversion.  Use the File | Load private key function as follows:


PuttyGen will show a message explaining how to save the private key in Putty format:


Click the “Save private key” button to save the private key in Putty format.  The private key file may then be used for SSH public key authentication with Putty.