Generate SSH Keys on Windows with PuTTYgen

Secure Shell (SSH) is a cryptographic network protocol for secure connections between a client and a server. It supports various authentication mechanisms.

The two most popular mechanisms are password-based authentication and public-key-based authentication. Using SSH keys is more secure and convenient than traditional password authentication.

This tutorial explains how to generate SSH keys on Windows with PuTTYgen. We will also show you how to set up SSH key-based authentication and connect to your remote Linux servers without entering a password.

Download PuTTYgen

PuTTYgen is an open-source utility that allows you to generate SSH keys for the most popular Windows SSH client PuTTY.

PuTTYgen is available as a standalone executable file and is also part of the PuTTY .msi installation package. If you don’t have PuTTYgen installed, head over to the PuTTY download page and download the PuTTY installation package. The installation is simple: double-click on the installation package and follow the instructions.

Creating SSH keys with PuTTYgen

To generate an SSH key pair on Windows using PuTTYgen, perform the following steps:

  1. Start the PuTTYgen tool by double-clicking on its .exe file or going to the Windows Start menu → PuTTY (64-bit) → PuTTYgen.

    For “Type of key to generate”, leave the default RSA. For “Number of bits in a generated key”, 2048 is sufficient for most people. Alternatively, you can change it to 4096.

  2. Click the “Generate” button to start the process of generating the new key pair.

    You will be asked to move your mouse over the blank area of the Key section to generate some randomness. As you move the pointer, the green progress bar will advance. The process should take a few seconds.

  3. When the generation process is complete, the public key will be displayed in the window.

    Optionally, if you want to use a passphrase, type it in the “Key passphrase” field and confirm the same passphrase in the “Confirm passphrase” field. A passphrase gives you an extra layer of security by protecting the private key from unauthorized use.

    If you set a passphrase, you will need to enter the passphrase every time the private key is used.

  4. Save the private key by clicking the “Save private key” button. You can save the file in any directory using the .ppk extension (PuTTY Private Key), but it is advisable to save it in a place where you can easily find it. It’s common to use a descriptive name for the private key file.

    Optionally, you can also save the public key, though it can be regenerated later by loading the private key.

  5. Right-click in the text field labeled “Public key for pasting into OpenSSH authorized_keys file” and select all characters by clicking “Select all”. Open a text editor, paste the characters and save the file. Be sure you are pasting the entire key. It is advisable to save the file in the same directory where you saved the private key, using the same name as the private key and .txt or .pub as the file extension.

    This is the key that you will add to your Linux server.

Copy the Public Key to Your Linux Server

Now that you have generated your SSH key pair, the next step is to copy the public key to the server you want to manage.

Launch the PuTTY program and log in to your remote Linux server.

If your user SSH directory does not exist, create it with the mkdir command and set the correct permissions:

mkdir -p ~/.ssh
chmod 0700 ~/.ssh

Open the ~/.ssh/authorized_keys file in your text editor and paste in the public key that you copied in step 5 when generating the key pair:

nano ~/.ssh/authorized_keys

The entire public key text should be on a single line.

Run the following chmod command to make sure only your user can read and write the ~/.ssh/authorized_keys file:

chmod 0600 ~/.ssh/authorized_keys
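
A key that wraps onto a second line when pasted, or a key saved with PuTTYgen's “Save public key” button (which writes the multi-line RFC 4716 format rather than the one-line OpenSSH format), will not be accepted by sshd. The following shell function is an added example, not part of the original tutorial: it lints the permissions and line format described above; check_authorized_keys is a hypothetical helper name and the sample keys are constructed.

```bash
#!/usr/bin/env bash
# Added example; check_authorized_keys is a hypothetical helper, not an OpenSSH tool.
# It lints permissions and line format only; it does not prove a key is usable.
check_authorized_keys() {
    local file="$1" dir rc=0
    dir=$(dirname "$file")
    # GNU stat (Linux): modes must match the chmod values used in this section.
    [ "$(stat -c %a "$dir")" = 700 ]  || { echo "WARN: $dir is not mode 700"; rc=1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "WARN: $file is not mode 600"; rc=1; }
    awk '
        BEGIN {
            # base64 of the length-prefixed type string that opens every key blob
            pre["ssh-rsa"] = "AAAAB3NzaC1yc2E"
            pre["ssh-ed25519"] = "AAAAC3NzaC1lZDI1NTE5"
        }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        /BEGIN SSH2 PUBLIC KEY/ {
            printf "line %d: RFC 4716 block (PuTTYgen \"Save public key\" output)\n", NR
            bad = 1; next
        }
        {
            t = 0                                # options may precede the key type
            for (i = 1; i < NF; i++)
                if ($i ~ /^(sk-)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/) { t = i; break }
            if (!t) { printf "line %d: no key type (wrapped or truncated paste?)\n", NR; bad = 1; next }
            want = ($t in pre) ? pre[$t] : "AAAA"
            blob = $(t + 1)
            if (blob !~ "^[A-Za-z0-9+/]+=*$" || index(blob, want) != 1) {
                printf "line %d: key data does not look like a %s blob\n", NR, $t
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file" || rc=1
    return $rc
}

# Constructed sample: one well-formed line, then a key pasted with a line break in it.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructed alice@laptop' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB' \
    'AQDconstructedtail alice@laptop' > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
check_authorized_keys "$demo/authorized_keys" || echo "authorized_keys needs fixing"
rm -rf "$demo"
```

On the server, run it as `check_authorized_keys ~/.ssh/authorized_keys` after pasting the key.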

Log in to your server using SSH keys

Pageant is a PuTTY SSH authentication agent that holds the private keys in memory. The Pageant binary is part of the PuTTY .msi installation package and can be launched by going to the Windows Start menu → PuTTY (64-bit) → Pageant.

When you start Pageant, it will place an icon into the system tray. Double-click on the icon and the Pageant window will open.

To load a key, press the “Add Key” button, which will open a new file dialog. Locate the private key file and press “Open”. If you haven’t set a passphrase, the key will be loaded immediately. Otherwise, you will be prompted to enter the passphrase.

Enter the passphrase and Pageant will load the private key.

After completing the steps above you should be able to log in to the remote server without being prompted for a password.

To test it, open a new PuTTY SSH session and try to log in to your server. PuTTY will use the loaded key and you will be logged into your Linux server without entering the password.

Disabling SSH Password Authentication

To add an extra layer of security to your server, you can disable password authentication for SSH.

Before disabling SSH password authentication, make sure you can log in to your server without a password and that the user you are logging in with has sudo privileges.

Log into your remote server and open the SSH configuration file /etc/ssh/sshd_config with your text editor:

sudo nano /etc/ssh/sshd_config

Search for the following directives and modify them as follows:

/etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Once you are done, save the file and restart the SSH service by typing:

sudo systemctl restart ssh

At this point, password-based authentication is disabled.
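
sshd uses the first value it finds for each keyword, so a file included earlier in /etc/ssh/sshd_config can silently override the edit above; checking the effective configuration confirms that the change took hold. The following shell function is an added example, not part of the original tutorial: check_effective_auth is a hypothetical helper name, it reads the output of `sshd -T` on standard input, and the sample output is constructed.

```bash
#!/usr/bin/env bash
# Added example; check_effective_auth is a hypothetical helper name.
# It reads `sshd -T` output (effective settings, lowercase keywords) on stdin.
check_effective_auth() {
    awk '
        function need(v) { if ($2 != v) { print "FAIL: " $0; bad = 1 } }
        $1 == "passwordauthentication" { seen_pw = 1; need("no") }
        # the keyword name for this setting depends on the OpenSSH release
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" { need("no") }
        $1 == "pubkeyauthentication" { seen_pk = 1; need("yes") }
        END {
            if (!seen_pw) { print "FAIL: passwordauthentication not reported"; bad = 1 }
            if (!seen_pk) { print "FAIL: pubkeyauthentication not reported"; bad = 1 }
            exit bad + 0
        }'
}

# On the server, with your current session kept open:
#   sudo sshd -t && sudo sshd -T | check_effective_auth && sudo systemctl restart ssh

# Constructed sample: a file included earlier still enables passwords.
sample='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'
printf '%s\n' "$sample" | check_effective_auth || echo "password logins are still enabled"
```

`sshd -t` checks the configuration file for syntax errors, so running it first avoids restarting the service with a broken configuration.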

Conclusion

In this tutorial, you have learned how to generate a new SSH key pair and set up SSH key-based authentication. You can add the same key to multiple remote servers. We have also shown you how to disable SSH password authentication and add an extra layer of security to your server.

By default, SSH listens on port 22. Changing the default SSH port will reduce the risk of automated attacks.

If you have any questions or feedback, feel free to leave a comment.