Problem: How do you generate a key pair using PuTTY?
PuTTY comes with the program PuTTYgen to generate public and private key pairs. To use PuTTYgen:
In the Parameters section are three options for the type of key to generate. SSHv1 only supports one type of key, so if you need to authenticate to a server that only supports SSHv1, make sure the radio button next to SSH1 (RSA) is selected.
If you will be connecting to a server that supports SSHv2, you have two choices for keys: SSH2 RSA and SSH2 DSA. The server you are connecting to may only allow one type of key, so you may have no choice as to what type of key you need to create. Click on the radio button next to the type of key you choose to create.
The Key Comment field allows you to add a comment to help you remember the purpose of this key-pair. This comment will be displayed whenever PuTTY asks you for the passphrase to unlock the key. A comment is not required, so it can be left blank.
As you enter a passphrase into the Key Passphrase field, you will not be able to see what you are typing: asterisks or bars appear instead, to prevent anyone from "shoulder surfing" and seeing your passphrase.
Note: You may be tempted to leave your passphrase blank. Don't! While there are times when this may be necessary, generally you should never have a blank passphrase for your personal account. If you left the passphrase blank and someone were able to get your private key, they would be able to authenticate to the remote server as you without having to supply any passphrase. The only time you should use a blank passphrase is when you need to run scripts automatically using SSH. When this happens, you should create and lock down a separate account on the remote server to minimize the potential damage if the account were compromised.
Note: Make sure your passphrase is obscure but memorable as there is no way to recover it!
Now that your public and private keys are created, you need to set up the remote server to accept your newly generated keys:

login as: sshuser
sshuser@server.example.com's password: *******
[sshuser@server.example.com]$ cd .ssh
[sshuser@server.example.com]$ ls -l
total 2
-rw-rw-r-- 1 sshuser sshuser 226 Aug 11 12:46 authorized_keys
-rw-r--r-- 1 sshuser sshuser 223 Aug 10 13:27 known_hosts
[sshuser@server.example.com]$
If the file does not exist, you can create it with your favorite editor. (In the rest of this example, we will refer to this file as the authorized_keys file, although the actual filename may differ depending on your version of SSH.)
Note: If the authorized_keys file does not have the correct owner or permissions, your SSH server may not allow you to log in using public key authentication.

[sshuser@server.example.com]$ ls -l
total 2
-rw-rw-r-- 1 sshuser sshuser 238 Jan 21 22:20 authorized_keys
-rw-r--r-- 1 sshuser sshuser 223 Aug 10 13:27 known_hosts
[sshuser@server.example.com]$
[sshuser@server.example.com]$ chown sshuser authorized_keys
-rw-r--r-- 1 sshuser sshuser 238 Jan 21 22:20 authorized_keys
If the authorized_keys file permissions are incorrect, change them with the chmod command, as shown below:
[sshuser@server.example.com]$ chmod 644 authorized_keys
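The owner and permission check from the note above can be scripted. This is an added example, not part of the original text: the function names and the audit_ssh.sh filename are hypothetical, and the rule it applies (owned by the login user, not writable by group or others) is the assumption that your server enforces what OpenSSH's StrictModes does.

```shell
#!/bin/sh
# Added example (not from the original page): audit ~/.ssh file ownership/modes.
# Assumed rule: owned by the login user, not writable by group or others.

# check_key_path PATH USER
# Returns 0 if PATH passes; prints the reason and returns 1 otherwise.
check_key_path() {
    path=$1
    user=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # find -prune tests only PATH itself; -user accepts a name or numeric uid.
    if [ -z "$(find "$path" -prune -user "$user" -print)" ]; then
        echo "OWNER    $path is not owned by $user (fix: chown $user $path)"
        return 1
    fi
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "MODE     $path is group- or world-writable (fix: chmod go-w $path)"
        return 1
    fi
    echo "OK       $path"
}

# audit_ssh_dir DIR USER
# Checks DIR and DIR/authorized_keys; the return status is the problem count.
audit_ssh_dir() {
    dir=$1
    user=$2
    problems=0
    check_key_path "$dir" "$user" || problems=$((problems + 1))
    check_key_path "$dir/authorized_keys" "$user" || problems=$((problems + 1))
    return "$problems"
}

# Usage: sh audit_ssh.sh ~/.ssh [user]   (no arguments: only defines functions)
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1" "${2:-$(id -u)}" || echo "$? problem(s) found"
fi
```

Run against the listing above, the group-writable -rw-rw-r-- authorized_keys is reported as MODE until the chmod 644 has been applied.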
Now we need to tell PuTTY to use public key authentication to log into the server:
login as: sshuser
Authenticating with public key sshuser@server.example.com
Passphrase for key "sshuser@server.example.com": ***************************
[sshuser@server.example.com]$
We have seen that we can use public key authentication with PuTTY, the graphical SSH interface, but sometimes we may want to use public key authentication when using the PuTTY command line tools PSCP, PSFTP and Plink.
Each of these programs provides a -i command line option for specifying the path and filename of the file containing the private key. Whenever the -i option is specified for any of these tools, they will automatically try to authenticate using public key authentication.
The following example shows how to use PSCP to transfer files using public key authentication. The same procedure is used for PSFTP and Plink:
C:\temp>pscp -i "c:\temp\mykeys\my_private.PPK" test.pl sshuser@server.example.com:.
Authenticating with public key sshuser@server.example.com
Passphrase for key "sshuser@server.example.com": *************************
test.pl 22 kB 22.0 kB/s ETA: 00:00:00 100%
C:\temp>
Since your public and private keys are stored locally in a file, removing them is as simple as deleting the file. Of course, this will only delete them on your local machine and not any servers where you may have copied your public key. To remove those, refer to Action 4.3.4.