Do you have the need to work with SSH keys from Windows and you find that this becomes a hassle very quickly?
HTG goes into how to make the process as transparent as possible, using The PuTTY package suite.
Image by kaneda99.
In this guide we’ll explain how to SSH to a Linux machine from Windows with your public key, using Putty & Winscp. In addition, we will enable the forwarding option. This will allow you to continue to jump from the machine you’ve connected to with your key, to another machine that supports SSHing with keys. We will not go into how to put your public key on the Linux machine, as we have already covered this topic.
Install basic programs/packages
- Obtain the PuTTY package (not just the executable) and install it.
- Optionally obtain the programs WinSCP and mRemote, and install them.
Generate a Key pair
If you haven’t created a key pair yet, and you want to do it from the comfort of your Windows desktop, you can use “PuTTY Key Generator” which was installed as part of the “PuTTY package“:
- Open “PuTTY Key Generator” by going into “Start” -> “PuTTY” -> “PuTTYgen”
- While not required, it is recommended that you change the length of your key from the default 1024. Change the number of “bits” at the bottom from “1024” to “4096”.
- Click “Generate” and move your mouse around randomly until the bar reaches 100%. This “salts” your key, so try to make your mouse movements as random as possible.
- Once the program is done generating the key,
- On the “Key Comment” line, change it to be something more useful like your name. For example:
- While not required, it is highly recommended that you set a passphrase on the private key. This will protect your private key in case some one gains access to it and you will only be bothered with entering once at machine boot up, if you perform all the steps in the guide.
- Click on “Save private key”.
Configuring the Key-quartermaster
The “Pageant” program that was installed as part of the PuTTY package, can store your key/s and give them to mRemote, WinSCP and PuTTY as required.
- Open “Pageant” from the start menu. (Note: it may run off to the system tray)
- If it has run off to the system tray, double click it, to bring up the main window.
- Click “Add Key” and give it your saved Key Pair.
- If need be, provide the passphrase.
Done, from now on, Putty, WinSCP and any program that serves as a fronted for them (like mRemote) will first consult with the Pageant program if there is a key to use for the connection.
Loading Keys automatically at startup (Optional)
The process above needs to be repeated after every machine reboot, as Pageant doesn’t save loaded key configurations. To have it load the configuration automatically at startup, you can use one of the two methods below:
- Assuming you’ve allowed Pageant to take over the ppk suffix, you should be able to simply add the key files to the Windows “startup” folder.
- Create a shortcut to the program that passes the key-files as parameters. For example, the “Target” command for two(2) keys would look like:
“C:\Program Files (x86)\PuTTY\pageant.exe” “C:\Users\AviadR\Documents\aviad’s 4096.ppk” “C:\Users\AviadR\Documents\aviad’s 1024.ppk
- Then, add this shortcut to window’s startup.
Enable SSH Agent forwarding (PuTTY/mRemote)
This configuration is optional, but doing it will allow you once you’ve SSHed into a machine to continue and SSH from it, to the next machine, with the same key. To do this:
- Open PuTTY.
- Under “Connection” -> “SSH” -> “Auth”.
- Check the “Allow agent forwarding“.
- Go back to “Session”
- Select the “Default Settings” entry.
- Click on “Save”.
Enable SSH Agent forwarding (WinSCP)
Note: for more on this topic, please read our guide on SSH agent forwarding.
- In a WinSCP new connection tab, Enable the Advance options checkbox.
- Go to the “SSH” -> “Authentication”.
- Check the “Allow agent forwarding” checkbox.
- Go to the “General Options” by clicking on “Preferences” -> “Preferences”.
- Enable Putty to be invoked with the forwarding option by going into “Integration” -> “Application” and appending the “-A” CLI option.
- You can now make this the template for subsequent connections by going back to “Session” and typing in, the basic information that you know will be uniform across all connections (if any), like Username, IP, Etc’. Then “save” the session.