PuTTY and SSH Key-Based Authentication (Windows)

As well as offering additional security, SSH key authentication can be more convenient than the more traditional password authentication. When used with a program known as an SSH agent such as PuTTY, SSH keys can allow you to connect to a server, or multiple servers, without having to remember or enter your password for each system.

1. Create User with Sudo Privileges

If you already have a non-root account with sudo privileges or know what you’re doing and want to set this up for the root account, skip to Step 2. Otherwise, read on.

The root user is the administrative user in a Linux environment and has heightened privileges, so you are discouraged from using it on a regular basis. It is recommended that you set up an alternative superuser account.

To set up this account, you will need to access your Linux box via SSH. If you are using DigitalOcean or similar cloud hosting, you should have SSH access via the control panel. If not, you can try logging into your Linux box from Windows.

Once in terminal, create a new user. In this example we are adding a user called john.

adduser john

Enter a password. You will also be asked to enter contact details; just press ENTER to accept the defaults.

Once the user is created, give it superuser privileges.

usermod -aG sudo john

Now that our new user is set up, we can log out of Linux and return to Windows.

logout

2. Download and Install PuTTY

PuTTY is an SSH and telnet client for the Windows platform. You can download it from http://www.putty.org

When you install the PuTTY client, it will also install the PuTTYgen utility, which you will use to generate your SSH keys.

3. Generate a Key Pair with PuTTYgen

You should see PuTTYgen in the start menu. You can also find it in C:\Program Files\PuTTY\puttygen.exe or C:\Program Files (x86)\PuTTY\puttygen.exe

Click Generate and start moving the mouse within the window. PuTTY uses mouse movements to collect randomness.

Copy your Public key to clipboard as we will paste this into terminal later.

Also save both your Public and Private keys somewhere safe. When saving the Private key, you will be prompted for a passphrase to secure the key. You can leave this blank if you want to just connect into SSH without having to type a password every time.

4. Install Key On Server

You now need to paste this public key into the authorized_keys file. Log in via SSH using the account you created in Step 1 (or if you skipped step 1, log in either using your account with sudo privileges or the root account).

If you are using DigitalOcean Droplet or similar cloud service, you should be able to access your terminal via the control panel. Alternatively, you can access your server using PuTTY.

Once in terminal, create a new directory called .ssh:

sudo mkdir ~/.ssh

Note that ~/ is shorthand for the currently logged in user’s home directory, usually in /home/username/

Restrict its permissions:

sudo chmod 700 ~/.ssh

Using the nano text editor, create a new file in this folder called authorized_keys.

sudo nano ~/.ssh/authorized_keys

nano will open a blank file. Make sure you have your public key in your clipboard, which you copied from step 3.

Paste the public key into nano by clicking the right mouse button once anywhere in the nano program.

Once the key is pasted, you can use the left arrow on your keyboard to move the cursor back to make sure it has pasted in the entire key.

Save and close (Press CTRL + X, then press y and ENTER to confirm save)

Now restrict the permissions of the authorized_keys file:

sudo chmod 600 ~/.ssh/authorized_keys

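You must also make sure that the user, and not root, owns both ~/.ssh and ~/.ssh/authorized_keys. Because the commands above were run with sudo, both are currently owned by root. This command will recursively set the owner. The $(whoami) command substitution returns the name of the currently logged in user.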

sudo chown -R $(whoami):$(whoami) ~/.ssh/

You’re done. If you want to add keys for other users, simply log in as that user and repeat Steps 3 and 4. Or, if you have sudo privileges, you can just replace ~/ with the user’s home directory, e.g. /home/username, and replace $(whoami) with their username.

Finally, log out.

logout
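
The ownership and permission requirements from Step 4, plus the "did the whole key paste" check, can be verified with a short script. This is an added example, not part of the original guide; check_ssh_dir is a hypothetical helper name, and it assumes GNU stat as found on Ubuntu.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit what Step 4 set up.
# Run as the account that will log in:  check_ssh_dir   (defaults to $HOME)
# Prints one line per problem and returns non-zero if any were found.
check_ssh_dir() {
    home=${1:-$HOME}
    dir="$home/.ssh"
    file="$dir/authorized_keys"
    rc=0

    [ -d "$dir" ]  || { echo "missing directory: $dir"; return 1; }
    [ -f "$file" ] || { echo "missing file: $file"; return 1; }

    # stat -c is GNU coreutils: %u = owner uid, %a = octal mode.
    me=$(id -u)
    for p in "$dir" "$file"; do
        [ "$(stat -c %u "$p")" = "$me" ] || { echo "$p is not owned by uid $me"; rc=1; }
    done
    [ "$(stat -c %a "$dir")" = 700 ]  || { echo "$dir mode is not 700"; rc=1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "$file mode is not 600"; rc=1; }

    # Every key is ONE line: [options] type base64-blob [comment].
    # A paste that wrapped onto a second line leaves a line with no key type.
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=?=?$") ok = 1
            if (!ok) { print "line " NR ": not a complete public key"; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$file" || rc=1

    return $rc
}
```

Run it before logging out in Step 4; a root-owned ~/.ssh left over from the sudo commands shows up as an ownership line.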

5. Configure PuTTY Connection

In Windows, open up PuTTY from the start menu. You can also find it in C:\Program Files\PuTTY\putty.exe or C:\Program Files (x86)\PuTTY\putty.exe

Click Connection > Data in the left-hand navigation pane and enter your username in the Auto-login username field.

Click Connection > SSH > Auth in the left-hand navigation pane and Browse for the Private key you saved earlier.

Click Session in the left-hand navigation pane and enter your server’s IP address.

Enter a name for your stored session (e.g. “LinuxServer”) and click Save.

Finally, click Open to connect to your server.

If you saved your key with a passphrase earlier, you will be prompted to enter that passphrase.

Using username "john".
Authenticating with public key "rsa-key-20170825"
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-92-generic x86_64)

Last login: Fri Aug 25 08:20:29 2017 from 192.168.1.10
john@linuxserver:~$ 

If you see Authenticating with public key, you have configured SSH key-based authentication correctly. Well done!

Recommended: Disable Password Authentication on your Server

If you can log in to your account using SSH without a password, you have successfully set up SSH key-based authentication. However, password-based authentication is still active, so your server is still exposed to brute-force attacks.

Log into your remote server as root or with an account with sudo privileges.

Open the SSH daemon’s config file:

sudo nano /etc/ssh/sshd_config

Search for PasswordAuthentication. This may be commented out with #. Uncomment the line and set the value to no.

/etc/ssh/sshd_config
PasswordAuthentication no

This will disable the ability to log in through SSH using passwords.

Save file and exit. (Press CTRL + X, press Y and then press ENTER).

For the changes to take effect, you must restart the service.

sudo service ssh restart
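
Whether the edit actually disables password logins depends on how sshd reads the file: a commented line does nothing, the first value found wins, and an Include line earlier in the file can set the value first. The script below is an added example, not part of the original guide; password_auth_setting and restart_sshd_checked are hypothetical helper names, and the parser reads only the global section of the one file it is given.

```shell
#!/bin/sh
# Added example (hypothetical helper): what one sshd_config file says about
# password logins. Prints "yes", "no", or "check-includes".
password_auth_setting() {
    awk '
        { sub(/^[ \t]+/, "") }                 # leading whitespace is ignored
        $0 == "" || /^#/ { next }              # blank lines and comments
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)    # "Keyword=value" is also accepted
            split(line, f, /[ \t]+/)
            key = tolower(f[1])                # keywords are case-insensitive
        }
        key == "match"   { exit }              # only the global section is read
        key == "include" { val = "check-includes"; exit }
        key == "passwordauthentication" { val = f[2]; exit }   # first value wins
        END { print (val == "" ? "yes" : val) }               # sshd default is yes
    ' "$1"
}

# Run on the server after editing: sshd -t checks the configuration file and
# exits non-zero on an error, so a typo does not take the SSH service down.
# Keep the current session open and test a new login before closing it.
restart_sshd_checked() {
    sudo sshd -t || { echo "sshd_config has errors; not restarting"; return 1; }
    sudo service ssh restart
}
```

On the server itself, sudo sshd -T | grep -i passwordauthentication prints the value sshd actually uses, with Include files and defaults resolved.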

2 replies

OK, so I have been scratching my head with this one for a while because I also got that error when going through the guide again.

It turns out the problem is that the ownership of both /.ssh and /.ssh/authorized_keys was set to root. You must make sure that the user owns these and not root.

This command will recursively set the ownership of the directory. The $(whoami) variable returns the currently logged in user.

sudo chown -R $(whoami):$(whoami) ~/.ssh/

More info: https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder