PuTTY and passwordless ssh logins

One of the nice features of an ssh server on UNIX is the ability to use ssh keys for authentication, and dispense with typing in passwords altogether. Unfortunately some of us work through VPNs that don’t support UNIX clients. As a result we have to use Windows-based ssh clients like PuTTY.

What follows is a discussion of how to set up PuTTY so it can make passwordless ssh logins to your UNIX servers.

Basically the way passwordless ssh logins work on most UNIX systems, including Linux, is:

1. Generate a key pair using ssh-keygen. The resulting keys will be created under ~/.ssh by default. One will be called something like id_rsa (your private key) and the other id_rsa.pub (your public key).

2. Copy the public key into a file called authorized_keys under ~/.ssh on any machine you want to authenticate to using keys only.

3. Make sure that only the user (not group or other) has access to the ~/.ssh directory. If that is not the case, run chmod go-rwx ~/.ssh on it.

4. Test logging in from the machine where you have your private key under ~/.ssh to the machine where you’ve installed ~/.ssh/authorized_keys.

This whole process is pretty straightforward on any UNIX system running the standard open source OpenSSH server.

Where things get sticky is when you try using a Windows-based ssh client to connect. Microsoft has chosen to implement PKI in a completely proprietary way, and Windows does not ship with either an ssh server or client.

To the rescue come products like PuTTY. Without any special configuration, PuTTY works well as an ssh client. It also provides the missing infrastructure necessary to use ssh keys for authentication in the PuTTYgen and Pageant utilities.

If you’re like me, you already have a UNIX (or UNIX-like) workstation that you use to do this kind of thing. If that’s the case, you can just copy your private and public keys from there to your Windows machine and use PuTTYgen to convert them to PuTTY’s *.ppk format.

If you don’t have a UNIX machine to generate your keys on, you can use PuTTYgen to create an initial key pair and then export the public key to one of the two common UNIX formats (OpenSSH or ssh.com; the former is the most common and what you’ll find on Linux).

For those who already have UNIX ssh keys:

It’s all there in the PuTTY documentation, of course, but here are the steps in sequence.

1. Go to the Start menu, Programs, PuTTY and select PuTTYgen.

2. Click Conversions… Import Key.

3. Browse to the location where you downloaded your UNIX private and public keys, and select the private key (for example id_rsa).

4. Enter the key’s passphrase and click Save Private Key. Save as [keyname].ppk (for example, id_rsa.ppk).

5. Click Save Public Key, and save as [keyname].ppk (for example, id_rsa_pub.ppk).

6. Now run Pageant, found in the PuTTY menu folder.

7. Click Add Key and select the private PuTTY key (the one with a .ppk extension), and Close.

8. Copy the shortcut for Pageant to the Startup folder, so that it will start the next time you log in. Edit the text in the Target window for this new shortcut so the command will point to the full path for your private key. For example: “C:\Program Files\PuTTY\pageant.exe c:\users\myuser\id_rsa.ppk”. If your key is protected with a passphrase (which it should be!), you will be prompted for it at the beginning of each Windows session.

9. Open PuTTY. In the left-hand Configuration window go down to SSH and expand it. Select Auth.

10. In the Auth window click Browse and navigate to where your converted private key (for example, id_rsa.ppk) is. Select it and click Open.

11. Finally, go up to Session, highlight the Default Settings and Save.

12. Copy your public key to an authorized_keys file and upload to ~/.ssh on all target machines (make sure only user has access to .ssh).

If you don’t already have UNIX ssh keys and want to create them on Windows:

1. Open PuTTYgen.

2. Click Generate.

3. Enter a passphrase.

4. Click Save Private Key, save to disk (for example, my_rsa.ppk).

5. Click Save Public Key, save to disk (for example my_rsa.pub).

6. Now run Pageant, found in the PuTTY menu folder.

7. Click Add Key and select the private PuTTY key (the one with a .ppk extension), and Close.

8. Copy the shortcut for Pageant to the Startup folder, so that it will start the next time you log in. Edit the text in the Target window for this new shortcut so the command will point to the full path for your private key. For example: “C:\Program Files\PuTTY\pageant.exe c:\users\myuser\id_rsa.ppk”. If your key is protected with a passphrase (which it should be!), you will be prompted for it at the beginning of each Windows session.

9. Open PuTTY. In the left-hand Configuration window go down to SSH and expand it. Select Auth.

10. In the Auth window click Browse and navigate to where your converted private key (for example, id_rsa.ppk) is. Select it and click Open.

11. Finally, go up to Session, highlight the Default Settings and Save.

12. Copy your public key to an authorized_keys file and upload to ~/.ssh on all target machines (make sure only user has access to .ssh).
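
The server-side part of the procedure (steps 2 and 3 of the UNIX list, step 12 of both PuTTY lists), as an added shell example that is not part of the original post. PuTTYgen's Save Public Key button writes the multi-line RFC 4716 format, while authorized_keys expects one OpenSSH-format key per line, so the script accepts either and converts the former. The function names and the truncated sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (names are illustrative): install a public key on the UNIX side.
# Accepts an OpenSSH one-line key or the RFC 4716 block that PuTTYgen's
# "Save public key" writes, which is not the format authorized_keys expects.

to_openssh_line() {   # prints "<type> <base64>[ comment]" or fails
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$1"; then
        # Drop markers and "Header: value" lines (with \-continuations),
        # then join the base64 body into one string.
        b64=$(tr -d '\r' < "$1" | awk '/^----/ {next}
            cont {cont = /\\$/; next}
            /:/  {cont = /\\$/; next}
            {printf "%s", $0}')
        # The decoded blob starts with a 4-byte length and the key type string.
        len=$(printf '%s' "$b64" | base64 -d 2>/dev/null |
              od -An -tu1 -j3 -N1 2>/dev/null | tr -d ' \n')
        [ -n "$len" ] || return 1
        ktype=$(printf '%s' "$b64" | base64 -d 2>/dev/null |
                dd bs=1 skip=4 count="$len" 2>/dev/null)
        line="$ktype $b64"
    else
        line=$(tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    fi
    case "$line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) printf '%s\n' "$line" ;;
        *) return 1 ;;   # not a recognisable public key: install nothing
    esac
}

install_pubkey() {    # install_pubkey <pubkey-file> <ssh-dir>
    line=$(to_openssh_line "$1") || return 1
    mkdir -p "$2" && chmod go-rwx "$2" || return 1
    auth="$2/authorized_keys"
    touch "$auth" && chmod go-rwx "$auth" || return 1
    key=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    # Append only if this key (type + base64) is not already listed.
    grep -qF -- "$key" "$auth" || printf '%s\n' "$line" >> "$auth"
}

demo() {   # constructed, truncated key blob (not a usable key), scratch dir
    d=$(mktemp -d) || return 1
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'Comment: "constructed"' \
        'AAAAB3NzaC1yc2EAAAAD' 'AQAB' '---- END SSH2 PUBLIC KEY ----' > "$d/putty.pub"
    install_pubkey "$d/putty.pub" "$d/.ssh" && cat "$d/.ssh/authorized_keys"
    rm -rf "$d"
}
demo
```

On a real target you would call install_pubkey with the uploaded key file and ~/.ssh; where OpenSSH's own tools are installed, ssh-keygen -i -f performs the same RFC 4716 conversion.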