Public Key Authentication Using PuTTY and Pageant - albertmon/smarthome GitHub Wiki
Public key authentication is a means of identifying yourself to a login server. It is more secure and more flexible, but more difficult to set up than password authentication.
Public key authentication solves the problem that, with a password, the secret itself has to be sent to the login server.
You generate a key pair, consisting of
- a public key (which everybody is allowed to know), which is copied to the server and
- a private key (which you keep secret and do not give to anybody), which is used to generate signatures.
When the server asks you to prove who you are, a signature is generated using your private key. The server can verify that signature (since it has your public key) and allow you to log in. If the server is hacked or spoofed, the attacker does not gain your private key or a password; they only gain one signature. That signature covers the identifier of the current session, so it cannot be replayed against another server or another session: the attacker has gained nothing.
If your private key is stored unprotected on your own computer, then anybody who gains access to it will be able to generate signatures as if they were you. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase. In order to generate a signature, the key must first be decrypted using the passphrase. This can make public key authentication less convenient than password authentication: every time you log in to the server, instead of typing a short password, you have to type a longer passphrase. One solution to this is to use an authentication agent, a separate program which holds decrypted private keys in memory and generates signatures on request.
With PuTTY the problems described above are solved conveniently: the key file used for signing is configured once per saved session, and the passphrase only has to be typed once per Windows session.
PuTTY has an authentication agent called Pageant. When you start your Windows session, you start Pageant and load your private key into it (typing your passphrase once). For the rest of your session, you can start PuTTY any number of times and Pageant will automatically generate signatures. When you close your Windows session, Pageant shuts down, without ever having stored your decrypted private key on disk. Many people feel this is a good compromise between security and convenience.
I will show you the steps to take to install and configure public key authentication for PuTTY (and Pageant).
Start PuTTYgen. The following window appears:
Generate a key pair by pressing the button Generate.
The window will show as:
Do not forget to move the mouse over the blank area! PuTTYgen uses the mouse movements as a source of randomness for the key; the progress bar does not move until you do.
After some time the window will look like this:
Fill in the Key passphrase and Confirm passphrase fields. DO NOT FORGET THE KEY PASSPHRASE. Write it down or save it in your favorite password vault.
Click Save public key and Save private key. Note that the file written by Save public key is in the RFC 4716 format (it starts with `---- BEGIN SSH2 PUBLIC KEY ----`), which the OpenSSH server does not read; for the server you need the text from the box described next.
Copy the text from the box "Public key for pasting into OpenSSH authorized_keys file". It is one long line starting with the key type (e.g. ssh-rsa). For every server/user combination you want to use with PuTTY, append this line to the file $HOME/.ssh/authorized_keys of that user on that server.
The OpenSSH server (sshd) must be installed and running on the server.
IMPORTANT
The directory .ssh and the file authorized_keys must be readable and writable ONLY by the user! Otherwise sshd ignores the key (its StrictModes check, on by default, also refuses a home directory that is writable by group or others).
You can set the permissions by executing the following commands on the server:

```
cd ~/.ssh
chmod 700 .
chmod 600 authorized_keys
```
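The server-side part of the procedure above, as an added example (this is not code from the wiki or from PuTTY): it turns what PuTTYgen produces into the one-line form sshd reads, appends it to `~/.ssh/authorized_keys` without creating duplicates, sets the 700/600 modes from the commands above, and checks the permissions that sshd's StrictModes insists on. It goes a little beyond the text in one respect: it also accepts the file written by the Save public key button (RFC 4716 format) and converts it, so that the wrong file does not silently end up in authorized_keys. It assumes POSIX sh with coreutils or busybox (`base64`, `od`, `dd`, `ls`, `cut`, `sed`); the sample keys are constructed placeholders with the right shape, not real keys. The functions take the home directory as their first argument so the demo at the bottom runs against a throwaway directory rather than your real one.

```shell
#!/bin/sh
# Added example for this wiki page (not code from the albertmon/smarthome
# project or from PuTTY).  Assumes POSIX sh with coreutils or busybox.
set -u

# Key type recorded inside the base64 blob.  The blob is SSH wire format: a
# 4-byte big-endian length followed by the type string ("ssh-rsa",
# "ssh-ed25519", ...).  Prints the type, fails if the blob is not shaped so.
blob_key_type() {
    b64=$1
    set -- $(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tu1 -N4)
    [ $# -eq 4 ] || return 1
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    t=$(printf '%s' "$b64" | base64 -d 2>/dev/null | dd bs=1 skip=4 count="$len" 2>/dev/null)
    case $t in ''|*[!a-z0-9@.-]*) return 1 ;; esac
    printf '%s\n' "$t"
}

# Normalises PuTTYgen output to one authorized_keys line.  Accepts the text
# from the "Public key for pasting into OpenSSH authorized_keys file" box
# ("<type> <base64> <comment>") or the file written by "Save public key",
# which is the RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" format sshd does
# not read.  Fails on anything else, and on a type that contradicts the blob.
to_authorized_keys_line() {
    input=$(printf '%s\n' "$1" | tr -d '\r')
    comment=
    declared=
    case $input in
        *'---- BEGIN SSH2 PUBLIC KEY ----'*)
            comment=$(printf '%s\n' "$input" | sed -n 's/^Comment: *"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
            b64=$(printf '%s\n' "$input" | grep -v -e '^----' -e '^Comment:' | tr -d '\n ')
            ;;
        *)
            declared=$(printf '%s\n' "$input" | cut -d' ' -f1)
            b64=$(printf '%s\n' "$input" | cut -d' ' -f2)
            comment=$(printf '%s\n' "$input" | cut -d' ' -f3-)
            ;;
    esac
    case $b64 in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    type=$(blob_key_type "$b64") || return 1
    [ -z "$declared" ] || [ "$declared" = "$type" ] || return 1
    printf '%s %s%s\n' "$type" "$b64" "${comment:+ $comment}"
}

# Appends the key to $1/.ssh/authorized_keys, creating directory and file with
# the modes from the wiki (700 and 600).  A key that is already present (same
# type and blob; the comment is ignored) is not added a second time.
install_authorized_key() {
    home=$1
    line=$(to_authorized_keys_line "$2") || { echo "not a usable public key" >&2; return 1; }
    dir=$home/.ssh
    file=$dir/authorized_keys
    umask 077                          # anything created below starts private
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    keyid=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$file" | grep -qxF "$keyid"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# What sshd's StrictModes refuses: home directory, .ssh or authorized_keys
# writable by group or others.  Prints each offending path, returns 1 if any.
# (sshd also requires that these are owned by the login user; ls -ld shows it.)
check_authorized_keys_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)          # e.g. drwx------
        case $mode in
            ?????w*|????????w?) echo "$p is group- or world-writable ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo against a throwaway home directory.  The key is a constructed
# placeholder with a valid ed25519 blob header, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyNOTrealEXAMPLEkeyNOTrealEXAMPLEke putty-example'
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # second call adds nothing
cat "$demo_home/.ssh/authorized_keys"                # exactly one line
check_authorized_keys_perms "$demo_home" && echo "permissions OK"
rm -rf "$demo_home"
```

The duplicate check compares only the type and blob, so pasting the same key again with a different comment does not grow the file. Deriving the type from the blob rather than trusting the first word is the same check sshd makes; a line whose declared type disagrees with its blob is rejected instead of being installed as dead weight.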
Open PuTTY. You see the Session tab:
Load a saved session, one you know already connects (with a password), so that a failure later can only be caused by the key setup.
Click Connection > SSH and select Auth (in PuTTY 0.78 and later the key file setting is under Connection > SSH > Auth > Credentials).
Click button Browse to add the private key file for authentication
Browse to the directory with your privatekey file, select the correct file and click Open
The private key file is configured.
Do NOT click the Open button in the Configuration window yet: that connects without saving the setting.
First go back to the Session category by clicking Session. Then save the configuration, so the key file is stored with the session:
You do not want to enter the passphrase every time you connect to a server. Pageant takes care of this: it asks for the passphrase once, when the key file is loaded, and then keeps the decrypted key in memory for the rest of your Windows session. It never writes the passphrase or the decrypted key to disk.
Windows only:
The simplest way to use Pageant is to start it up when you start your PC.
Create a shortcut to Pageant in the Start-Up directory:
Press the Windows logo key +R, type shell:startup, then select OK. This opens the Startup folder
In the Startup Folder: Right-click and select New > Shortcut
Type in or browse to the path of pageant.exe, e.g. "C:\Program Files\PuTTY\pageant.exe", and click Next.
In the next window enter a name, e.g. "Startup Pageant", and click Finish.
To load the key files at startup, add them to the command line in the shortcut:
Right-click on the shortcut and select Properties
In the Shortcut tab, append the path(s) of the private key file(s) to the Target field, each in quotes.
Full example: "C:\Program Files\PuTTY\pageant.exe" "C:\ssh\privatekey.ppk"
At Windows logon, pageant.exe is started, the private key file is loaded and you are asked for the passphrase. From then on, any program running in your Windows session can ask Pageant for signatures, so lock the screen when you leave the PC.
Open PuTTY and connect to the server.