Three different factors can be used to prove your identity: something you know, something you have and something you are. To make the authentication procedure more reliable, you should always try to use at least two of these three factors. When you use public/private keys for authentication and protect the private key with a passphrase, you combine two authentication factors, which makes the authentication procedure more reliable and hence your server more secure.
When using SSH public/private key authentication, a user needs to generate a public/private key pair on his workstation. After generating the keys, the user must copy the public key to a file with the name authorized_keys. This file is typically in the user's home directory on the server, placed in a hidden subdirectory that has the name .ssh. In this procedure you'll learn how to generate a public/private key pair on a Windows workstation where PuTTY is used.
- Make sure that the complete PuTTY package is downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. This package includes the PuTTYgen command. Start this command. It opens the PuTTYgen Key Generator window (see Figure 1).
Figure 1: Using PuTTYgen you can generate a public/private key pair from a graphical interface
- Specify in the lower part of the window what type of keys you want to generate. I advise you to use a 2048-bit DSA key; with fewer bits than this, the security level that is obtained is not high enough. Select this option, and click "Generate." To generate the key, you must move the mouse cursor over the PuTTYgen window; this generates random data that PuTTYgen uses to generate the key pair.
- Once the key pair is generated, you see a window as in Figure 2. In this window, you need to specify the key properties. You have to accomplish two important tasks here. To begin with, you need to copy the public key that you see in the upper part of the window and save it in a file. Don't use the option "Save public key" as it doesn't save the key in a format that is usable in Linux. Instead, copy the public key, open Notepad and paste the key in a new file. Next, save the file on your computer.
Figure 2: You must save the public key using copy and paste to a file.
- Next, still from the same window that you see in Figure 2, you can specify a passphrase to protect the private key against unauthorized use. Of course you could choose not to use a passphrase, but that really is a security risk, so using a passphrase is strongly recommended. Choose one that is not too easy to guess and enter it in the fields "Key passphrase" and "Confirm passphrase." Next click "Save private key" to save the private key, protected by the passphrase, in a file.
- Now open the PuTTY window and load the configuration in which you want to use the passphrase. In the lower left part of the screen, open Connection > SSH > Auth. This opens another window that you see in Figure 3. In this window, click "Browse" to browse to the location where the private key is saved and add the private key to this session.
Figure 3: In PuTTY, you need to specify which private key you want to use.
- Next, still in PuTTY, go back to the option "Session" in the left part of the window and click "Save." This saves the private key to be available the next time you open a PuTTY session as well.
- Now you temporarily need to quit the PuTTY window to open a Windows command prompt. From this command prompt, use the command "pscp" (part of the PuTTY package as well) to copy the public key to a temporary file on your Linux server. Create this file in the home directory of the user that is going to use the key; that would be the user root in most cases. In the example below you see how to copy the PuTTY public key to a temporary file with the name tempkey in the home directory of user root on server myserver.example.com:
pscp pubkey root@myserver.example.com:/root/tempkey
- Now establish an SSH session to the server. On the server, use cd to activate the home directory of the user root and use the following command to add the public key to the authorized_keys file in the subdirectory .ssh:
cat tempkey >> .ssh/authorized_keys
- You are now ready. Since SSH on all distributions accepts logins based on public/private keys by default, PuTTY will automatically log you in using the key pair the next time that you establish a session with that server.
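The last two steps can be done more defensively on the server. The script below is an added example, not part of the original article: it rejects a key file that was written with PuTTYgen's "Save public key" button or wrapped by the editor, creates .ssh and authorized_keys with restrictive permissions, and appends the key only once. The function name install_pubkey and its optional second argument are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article. The function name and the
# optional SSHDIR argument are illustrative.
# Usage on the server: sh install_pubkey.sh tempkey
install_pubkey() (              # body runs in a subshell: umask/exit stay local
    keyfile=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; exit 1; }

    # PuTTYgen's "Save public key" button writes a multi-line RFC 4716 file
    # beginning with this marker; authorized_keys needs the one-line form.
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY' "$keyfile"; then
        echo "$keyfile: SSH2/RFC 4716 format; paste the one-line key instead" >&2
        exit 2
    fi

    # Notepad saves CRLF line endings; strip CRs and blank lines.
    key=$(tr -d '\r' < "$keyfile" | sed '/^[[:space:]]*$/d')

    # Expect exactly one line: "<type> <base64 blob> [comment]".
    # A key wrapped over several lines by the editor fails here.
    lines=$(printf '%s\n' "$key" | grep -c '')
    case $key in
        ssh-dss\ AAAA*|ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) lines=0 ;;
    esac
    [ "$lines" -eq 1 ] || { echo "$keyfile: not a single-line OpenSSH key" >&2; exit 3; }

    # sshd's StrictModes check rejects group- or world-writable key files.
    umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || exit 4
    touch "$auth" && chmod 600 "$auth" || exit 4

    # Append only if this type+blob pair is not already authorized.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! grep -qF -- "$blob" "$auth"; then
        printf '%s\n' "$key" >> "$auth" || exit 4
    fi
)

if [ "$#" -gt 0 ]; then install_pubkey "$@"; fi
```

A non-zero exit status tells you which check failed: 2 for the RFC 4716 format, 3 for a wrapped or unrecognized key, 4 for a file system error.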
In this article you have read how to use public/private keys to establish a better secured session between a Windows client and a Linux server. Use it if possible, because using keys is so much more secure than using passwords when establishing a remote session over an untrusted network such as the Internet.
About the author: Sander van Vugt is an author and independent technical trainer, specializing in Linux since 1994. Vugt is also a technical consultant for high-availability (HA) clustering and performance optimization, as well as an expert on SLED 10 administration.
This was first published in September 2007