Generating and Using SSH Keys With PuTTY

Securing your servers with RSA while logging in faster than using a traditional password.


PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

Security is important, whether you’re running a hobby website or a full-scale business network. SSH keys help secure your SSH logins by pairing a private key with a public key; once you disable password logins altogether, there is no password left for anyone to brute-force.

How SSH keys work

A pair of SSH keys (DSA or RSA) works together to authenticate your logins. One of the two keys, the private key, is stored on your computer; it should be safeguarded and never given out. The key it works with is called the public key. This one is stored on your server and is safe to share with anyone who needs it. Giving your public key to someone lets them add it to their server so that you can log in there, since the two keys are uniquely paired.

How to set up your keys using PuTTYgen

You’ll need to grab two different programs if you don’t have them already: the latest versions of PuTTY and PuTTYgen (.exe files) from the PuTTY site linked above. Install PuTTY. PuTTYgen doesn’t need to be installed; you simply open the .exe file. Go ahead and open up PuTTYgen so we can generate your RSA key pair. Under the Parameters section, select the radio button that says SSH-2 RSA. The number of bits can be either 2048 or 4096, whichever you’d like. 4096 provides more security in that it can’t be cracked as easily, but 2048 is more widely used and it’s hard to say that it’s really any less secure.

Now go ahead and hit the Generate button. After clicking it, move your mouse around randomly in the area underneath the progress bar; PuTTYgen uses the mouse movement as the random input for your key. Get wild with that mouse! Once the keys have been generated, you’ll have the public key in the text area, and the text boxes called Key fingerprint, Key comment, Key passphrase, and Confirm passphrase. There are also the “Save public key” and “Save private key” buttons; click on those, name the files anything you’d like, and save them in a safe location on your computer. You don’t need to touch any of the other fields, but if you’d like, you can type anything into the Key comment field. This is your personal identifier, so name it something meaningful in case you’ll be creating a lot of SSH keys.

The passphrase is a bit of extra security (it encrypts the private key file on your computer), but it isn’t really essential, and a passphrase-protected key won’t let you automate anything. Copy all of the text from the top box (the public key for pasting into an authorized_keys file) into your clipboard. SSH into your server; we’ll be pasting this text there. If your user’s home folder (/home/username) doesn’t have a .ssh folder, go ahead and create it and give it the correct permissions:

mkdir ~/.ssh                       # private directory for your keys
chmod 0700 ~/.ssh                  # only you may enter it
touch ~/.ssh/authorized_keys       # the file sshd reads your public keys from
chmod 0644 ~/.ssh/authorized_keys  # readable, but only you can write it
nano ~/.ssh/authorized_keys        # no sudo: you own this file, and editing as root risks the ownership problem described at the end

The last line opens the authorized_keys file; paste your public key in there (as a single line) and save the file.

Open PuTTY to save your settings for quicker logins

Now that we have your public key on your server, let’s open up PuTTY itself and save your configuration for fast access. On the first screen of PuTTY, put your server’s IP address into the Host Name field. Type your port number (this is usually 22 unless you’ve changed it). On the left, under Category -> Connection, click on Data. Put your username into the Auto-login username field (the same username where you’ve placed the authorized_keys file). Now click on SSH -> Auth. There will be a “Browse…” button at the bottom which you’ll use to place your private key. Remember, your public key is on your server. Your private key will be on your computer, and this will be the file you’ll navigate to with the browse button. Its extension will be .ppk whereas your public key’s extension shouldn’t matter, as it’s just text you paste. Go back to the first PuTTY screen (Session is the category), and under Saved Sessions is a text box. Type in whatever you’d like to identify your login. I normally go with something like

username@host.example.com

to easily identify which user and host name I’ll be logging in with. Click the Save button on the right.

Logging in with your SSH key

Phew. All right, now it’s time for you to test your SSH keys. Press the Open button in PuTTY to open the connection with your server. From here, it should automatically log you in after showing something like this:

Using username “username”. Authenticating with public key “Our VPS”

If you decided to go with a passphrase during the key creation, you’ll need to enter that as well. If you didn’t get logged in, skip what’s below and read why it may not have worked. Come back here once it’s fixed. Now let’s disable password entry, since the key adds little if a password is still accepted as an alternative.

sudo nano /etc/ssh/sshd_config

Find (Ctrl + W)

PasswordAuthentication yes

and replace yes with no. Now find

UsePAM yes

and change that to no. Keep in mind that changing this to no removes the Message of the Day (motd) that pops up when you first log into your server. If you don’t mind, go ahead and save the file. Otherwise, instead of changing UsePAM to no, keep it at yes and add this line to the file:

ChallengeResponseAuthentication no

All done! Keep your current PuTTY session open while you reload SSH, then test a fresh key-based login in a second window before closing it, so a mistake can’t lock you out. Now reload SSH for the above settings to take effect and you’re good to go.

sudo service ssh reload
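As an added check (example code, not part of the original article), the script below reports the value sshd will actually use for the three directives edited above. sshd keeps the first value it sees for a keyword, so a duplicate `PasswordAuthentication yes` lower in the file, or one inside a `Match` block, is the kind of thing that quietly leaves password logins enabled. It assumes GNU or BSD awk, the whitespace-separated `Keyword value` form, and it ignores everything from the first `Match` line onward, since those directives are conditional; the config it runs against is constructed here, not copied from any server.

```shell
#!/bin/sh
# Added example: report the effective value of sshd_config directives.
# Usage: effective_value <file> <keyword>  -> prints the value, or "(default)" if unset
#        password_logins_disabled <file>  -> returns 0 if password and PAM
#                                            keyboard-interactive logins are both off

effective_value() {
  # sshd keywords are case-insensitive, so compare in lower case.
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }                      # comment line
    /^[[:space:]]*$/ { next }                      # blank line
    tolower($1) == "match" { in_match = 1; next }  # directives after Match are conditional
    in_match { next }
    tolower($1) == key { print $2; found = 1; exit }   # first occurrence wins
    END { if (!found) print "(default)" }
  ' "$1"
}

password_logins_disabled() {
  pw=$(effective_value "$1" PasswordAuthentication)
  cr=$(effective_value "$1" ChallengeResponseAuthentication)
  pam=$(effective_value "$1" UsePAM)

  # sshd defaults to "yes" for PasswordAuthentication, so "(default)" is not good enough.
  [ "$pw" = "no" ] || { echo "PasswordAuthentication is '$pw' (want no)"; return 1; }

  # With UsePAM yes, keyboard-interactive (challenge-response) auth can still prompt
  # for the account password unless it is turned off as well. Either fix from the
  # article is accepted: UsePAM no, or ChallengeResponseAuthentication no.
  if [ "$pam" != "no" ] && [ "$cr" != "no" ]; then
    echo "UsePAM is '$pam' but ChallengeResponseAuthentication is '$cr' (want no)"
    return 1
  fi
  echo "password logins disabled (PasswordAuthentication=$pw UsePAM=$pam ChallengeResponseAuthentication=$cr)"
  return 0
}

# Demo on a constructed config in the article's final state (not a real server's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Port 22
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF
password_logins_disabled "$demo"
rm -f "$demo"
```

Run it as `password_logins_disabled /etc/ssh/sshd_config` after editing; `sudo sshd -t` is also worth running before the reload, since it reports syntax errors without restarting anything.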

Oh… but the previous step didn’t log me in and I got “server refused our key” message

That can happen. If this happens to you, make sure to verify the following:

  1. The authorized_keys file is located in the correct place (/home/username/.ssh/authorized_keys).
  2. Your folder and file permissions are set correctly (0700 for the .ssh folder and 0644 for authorized_keys).
  3. The user you’re logging in with, using PuTTY, is the same user whose home folder you’ve added the above folder/file to.
  4. The user you’re attempting to log in with owns the .ssh folder and authorized_keys file:
    chown -R username:username /home/username
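The function below runs that checklist (and the permissions set up earlier) on the server side; it is an added example, not code from the original article. It assumes GNU coreutils `stat` (the `-c` format flags), takes the home directory and the expected login user as arguments, and prints one line per problem it finds, so it returns 0 only when the path, modes, ownership and file contents all look right. It also accepts ed25519 and ECDSA key lines, not only the RSA/DSA ones the article discusses. The demo home directory at the bottom is constructed, not a real account.

```shell
#!/bin/sh
# Added example: audit the server-side causes of "server refused our key".
# Usage: check_ssh_dir <home-directory> <expected-owner>
check_ssh_dir() {
  home="$1"
  owner="$2"
  sshdir="$home/.ssh"
  keyfile="$sshdir/authorized_keys"
  status=0

  # 1. The file has to exist at exactly this path.
  if [ ! -f "$keyfile" ]; then
    echo "MISSING: $keyfile"
    return 1
  fi

  # 2. Permissions: 0700 on .ssh, 0644 on authorized_keys (the article's values).
  dir_mode=$(stat -c '%a' "$sshdir")
  file_mode=$(stat -c '%a' "$keyfile")
  [ "$dir_mode" = "700" ] || { echo "BAD MODE: $sshdir is $dir_mode, want 700"; status=1; }
  [ "$file_mode" = "644" ] || { echo "BAD MODE: $keyfile is $file_mode, want 644"; status=1; }

  # 3/4. Ownership: the login user must own the home folder, .ssh and the file.
  #      A stray "sudo" or a root shell leaves them owned by root instead.
  for p in "$home" "$sshdir" "$keyfile"; do
    o=$(stat -c '%U' "$p")
    [ "$o" = "$owner" ] || { echo "BAD OWNER: $p owned by $o, want $owner"; status=1; }
  done

  # 5. A pasted key must sit on one line starting with its key type; a paste that
  #    wrapped the key across lines, or an empty file, fails this test.
  if ! grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+) ' "$keyfile"; then
    echo "NO KEY: $keyfile has no recognisable public-key line"
    status=1
  fi

  [ "$status" -eq 0 ] && echo "OK: $keyfile looks good for $owner"
  return "$status"
}

# Demo against a throwaway home directory (constructed, not a real account).
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeydata user@example\n' > "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/authorized_keys"
check_ssh_dir "$demo" "$(id -un)"
rm -rf "$demo"
```

On a real server you would run it as `check_ssh_dir /home/username username`; each failing line maps to one item in the list above, and the `chown -R` command from item 4 fixes every BAD OWNER line at once.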

The ownership problem (item 4) tends to happen when you create the folders and files using the root account, or by prepending sudo to your commands. Now go back to the previous section and disable logging in with usernames/passwords.

That about covers it! If you have any questions or need some help, leave a comment and I’ll see what I can do to help you out. Keeping your servers secure is a big deal, no matter how you use them. SSH keys are one way to keep your stuff yours.