SSH key authentication in PuTTY

Introduction

In this guide, you will learn how to set up SSH key-based authentication using PuTTY, a popular SSH client for Windows. By using key-based authentication instead of password-based authentication, you can enhance the security of your SSH connection. Key-based authentication ensures that only those with the corresponding private key can log in, providing a more secure and reliable method of authentication.

This guide covers the process of setting up SSH key authentication between the PuTTY client on Windows and a Linux server running OpenSSH.

Important Security Warning: The private key must be kept strictly confidential. Never share it with third parties or store it on unsecured devices, and protect it with a passphrase for added protection. If the key is compromised, immediately generate a new key pair and update the authorized_keys file on the server.

1) Generating Keys

PuTTYgen is a tool from the PuTTY suite, primarily for Windows, designed to generate SSH key pairs and convert key formats. Its main function is to create pairs of public and private keys, which can be stored in the .ppk format (specific to PuTTY). Additionally, PuTTYgen can convert keys between formats, ensuring compatibility with various SSH clients and servers, such as OpenSSH.

PuTTYgen generates key pairs consisting of a public key, which can be shared, and a private key, which must remain confidential. The public key is used for authentication when connecting to remote servers.

The .ppk format is specific to PuTTY, but PuTTYgen can convert keys to other formats, such as OpenSSH.

Alternative: Generating Keys in PuTTYgen

You can generate keys directly in PuTTYgen on a Windows machine without using a Linux server. To do this:

  1. Open PuTTYgen.
  2. Select the key type (e.g., RSA or EdDSA) and size (2048 bits or higher is recommended).
  3. Click Generate and move the mouse to generate entropy.
  4. Save the public key (copy the text from the "Public key for pasting into OpenSSH authorized_keys file" field) and the private key as a .ppk file.
  5. Add the public key to the ~/.ssh/authorized_keys file on the server (see below).

However, in this guide, we will focus on generating keys on a Linux server using ssh-keygen and then converting them for use with PuTTY.

Prerequisites

Before starting, ensure you have the following components:

  1. PuTTY and PuTTYgen — Download from the official website. PuTTYgen is included in the PuTTY suite.
  2. Linux Server with OpenSSH installed (typically pre-installed on most distributions).
  3. SSH Access to the Server with a password (for initial key setup).
  4. Optional: A passphrase to protect the keys (recommended for enhanced security).

Verifying Server Configuration

Before generating keys, ensure that key-based authentication is enabled on the server. Open the /etc/ssh/sshd_config file (with root privileges):

sudo nano /etc/ssh/sshd_config

Ensure the line PubkeyAuthentication yes is present and not commented out. If changes are made, save the file and restart the SSH service:

sudo systemctl restart sshd

(In some distributions: sudo service ssh restart.)
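
The check above can be scripted. The following is an added example, not part of the original guide: it reports the effective global value of a keyword such as PubkeyAuthentication, ignoring commented-out lines and taking the first occurrence, as sshd does. The function name and the sample file are constructed for illustration; Include files and Match blocks are assumed not to be evaluated.

```shell
#!/bin/sh
# Added example (not from the original guide): print the effective global
# value of one sshd_config keyword. sshd keeps the first value it reads for a
# keyword, keyword names are case-insensitive, and '#' starts a comment line.
# Assumptions: Include files are not followed, and parsing stops at the first
# Match line so only the global section is evaluated.

# usage: effective_sshd_option FILE KEYWORD DEFAULT
effective_sshd_option() {
    awk -F '[ \t=]+' -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); value = dflt }
        { sub(/^[ \t]+/, "") }               # drop indentation, re-split fields
        /^#/ || NF == 0 { next }             # comment or blank line
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == want { value = $2; exit }   # first occurrence wins
        END { print value }
    ' "$1"
}

# Constructed sample config (illustrative, not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PubkeyAuthentication no
  pubkeyauthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

for kw in PubkeyAuthentication PasswordAuthentication; do
    printf '%s %s\n' "$kw" "$(effective_sshd_option "$sample" "$kw" yes)"
done
rm -f "$sample"
```

On a live server, running sshd -T as root prints the full effective configuration, including any Include files.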

Step-by-Step Guide to Generating Keys in Linux

Connect to the server via SSH with a password (using PuTTY or another client) and perform the following steps as the user you want to authenticate (preferably not root for security; use sudo if needed).

Run the ssh-keygen utility. It will prompt you to specify where to save the keys (default is ~/.ssh/id_rsa) and to set a passphrase (recommended for added security; press Enter to skip).

ssh-keygen -t rsa -b 2048

(Optional: Use -t ed25519 for a more modern algorithm.)

You now have two files in the ~/.ssh directory:

  • id_rsa — the private key.
  • id_rsa.pub — the public key.

View the keys (optional, for verification):

cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub

Navigate to the ~/.ssh directory (if not already there):

cd ~/.ssh

Add the public key to the authorized_keys file (use >> to avoid overwriting existing content):

cat id_rsa.pub >> authorized_keys

Set the correct permissions (critical for SSH functionality):

chmod 700 ~/.ssh
chmod 600 id_rsa
chmod 600 authorized_keys

After these steps, the server is ready to accept key-based connections. Restart the SSH service if you modified the configuration:

sudo systemctl restart sshd
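
To confirm the permissions set above, the following added example (not part of the original guide) compares the modes of the .ssh directory, authorized_keys and any private key file with the values used in the chmod commands. The function names and the temporary fixture are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the modes of an
# account's SSH files with the values the guide sets using chmod.
# Assumption: GNU stat (stat -c), as shipped on Linux servers.

# usage: check_mode PATH EXPECTED -> prints a finding and returns 1 on mismatch
check_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "$2" ] && return 0
    echo "FAIL $1 has mode $mode, expected $2"
    return 1
}

# usage: audit_ssh_dir DIR -> returns 0 only if every check passes
audit_ssh_dir() {
    rc=0
    check_mode "$1" 700 || rc=1
    if [ -e "$1/authorized_keys" ]; then
        check_mode "$1/authorized_keys" 600 || rc=1
    fi
    # Private keys are recognised by their header line, so id_rsa, id_ed25519
    # or a custom file name are all covered.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            check_mode "$f" 600 || rc=1
        fi
    done
    return "$rc"
}

# Constructed fixture: placeholder files with loose modes, no real key material.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAA...constructed user@host' > "$demo/authorized_keys"
echo '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo/id_ed25519"
chmod 755 "$demo"; chmod 644 "$demo/authorized_keys" "$demo/id_ed25519"

audit_ssh_dir "$demo" || echo "-> findings before chmod"
chmod 700 "$demo"; chmod 600 "$demo/authorized_keys" "$demo/id_ed25519"
audit_ssh_dir "$demo" && echo "OK after applying the guide's chmod commands"
rm -rf "$demo"
```

On the server, run it as audit_ssh_dir ~/.ssh for the account being configured.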

2) Converting the Key and Authenticating with PuTTY

Now, transfer the private key (id_rsa) from the server to your local Windows machine and convert it to the .ppk format for PuTTY.

Transferring the Key to the Local Machine

Use pscp.exe (the scp client from the PuTTY suite) or another secure method. Example with pscp (run in the Windows Command Prompt):

pscp user@server_ip:~/.ssh/id_rsa C:\path\to\local\id_rsa

(Replace user@server_ip with your details and C:\path\to\local with the local path.)

Warning: Never transfer the key over unsecured channels (e.g., email). Use encrypted methods.

Converting to .ppk Format with PuTTYgen

Open PuTTYgen on Windows.

Click Load and select the id_rsa file (PuTTYgen supports the OpenSSH format).

If the key is passphrase-protected, enter the passphrase.

After loading, click Save private key and save the file as a .ppk file (e.g., mykey.ppk). Agree to save without a passphrase if you don’t want an additional one (though a passphrase is recommended).

Configuring PuTTY to Use the Key

Open PuTTY.

In the main window, specify the server’s IP address, port (usually 22), and SSH connection type.

Navigate to Connection → SSH → Auth → Credentials.

In the Private key file for authentication field, specify the path to the .ppk file.

Optional: For auto-login, go to Connection → Data and enter the username (e.g., root or your user) in the Auto-login username field.

Save the session for convenience and connect.

Upon connection, if the key is passphrase-protected, PuTTY will prompt for the passphrase. If everything is set up correctly, you will log in without entering the server’s password.

Tip: For managing multiple keys, use PuTTY Pageant (a key agent from the PuTTY suite). Load the .ppk file into Pageant, and PuTTY will use it automatically.

Conclusion

By setting up SSH key authentication with PuTTY and a Linux server, you establish a more secure and reliable connection. Using SSH keys eliminates the need to enter passwords, reducing the risk of brute-force attacks and interception. Follow the steps in this guide to configure SSH key authentication with PuTTY and enjoy the benefits.

Additional Tips: Regularly update your keys, monitor server logs (/var/log/auth.log), and disable password authentication in sshd_config (PasswordAuthentication no) if keys are the only login method. If issues arise, verify file permissions and server configuration.