Private public keys with Putty and OpenSSH
A quick start guide for setting up and using Putty and OpenSSH.
Setting up SSH requires some explanation and understanding, which this post tries to supply. This is based on repeated requests at my workplace.
Challenges #
When working under Microsoft Windows, one is most likely using Putty. However, the remote side is often a Linux machine running OpenSSH. In addition, one might be using git or Gerrit.
Real world #
In the real world, one keeps a key on a keyring and never leaves it unattended. Only temporarily is the key inserted into a lock, turned, and then removed again. All rooms have locks, and only one key fits each lock.
The guide pins or other obstructions in the lock make it possible for exactly one key to fit. One could take the lock apart and then build a fitting key. Lock pickers have built tools for a few kinds of locks that do this decoding.
That means that everybody needing access to a room must have an exact copy of the key. In the extreme case, each room has a different lock and people with access carry huge keyrings.
Private public key infrastructure #
In a public-key infrastructure (PKI), it is different.
Compared with the real world, one possesses only a single key, and when getting access to a new lock/room, the lock is modified to accept an additional key. This is nearly impossible with mechanical locks, but trivial with electronic locks. This is why getting access in the PKI world means sending the public key to the maintainer of the lock instead of receiving another physical key. Getting access is not about acquiring the right private key, but about having the corresponding public key added on the other side.
The private key and the public key are mathematically related. One can derive the public key from the private key, but not the other way around. This means that the private key must be protected. It should be stored in a folder with restricted access in the home directory, not in a shared folder. Moreover, it can be protected with a passphrase.
Instead of sending the private key to the other side, which would compare it with stored keys (as happens with passwords in basic authentication schemes), the private key never leaves the computer. The mathematics behind the PKI allows a proof of ownership: the lock-side sends a challenge, the key-side encodes the challenge using the private key and sends the response back. The lock-side then decodes the response using each stored public key; one fits and ownership is proven. In the case of SSH, the lock-side is represented by the SSH daemon (sshd), which keeps a set of public keys in the file “~/.ssh/authorized_keys”.
Remember: the keys come in pairs - to each private key belongs a public key!
Formats #
Unfortunately, there are different formats for storing the keys. Commercial Unix systems and Putty use one format (old), while GNU systems like Linux use the OpenSSH format (new).
Software | Format |
---|---|
HPUX, Sun OS, Solaris, AIX | old format |
WinSCP, FileZilla | old format |
Putty | generates and uses old format, writes new format |
OpenSSH | new format |
git | new format |
Windows ssh | new format |
Gerrit | new format |
GitHub | new format |
Fortunately, Putty is always used on the client side, while the new format is expected on the server side.
Public keys #
The old format was designed to be sent by email and has a limited line length. Moreover, the key is surrounded by guard lines, and all non-whitespace characters between them belong to the key and are the base64 encoding of the key.
The public key in the new format is just one line, albeit sometimes a long one (RSA keys of 4096 bits). The new format is used in the “~/.ssh/authorized_keys” file, where each line holds one public key.
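The two public-key formats described above, as an added example in Python (not code from the original post): it builds a constructed RSA-style key blob, writes it in the old guarded multi-line format, and converts that text back into the single authorized_keys line, reading the key type from the blob itself rather than from a header. The guard lines and the `Comment:` header follow RFC 4716, the format puttygen's “Save public key” writes; the key values are made up and are not a real key.

```python
import base64
import struct

# Constructed example: the key material below is made up, not a real key.
KNOWN_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")


def ssh_string(data: bytes) -> bytes:
    """SSH wire string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_rsa_blob(e: int, n: int) -> bytes:
    """Public-key blob shared by both formats: 'ssh-rsa', mpint e, mpint n."""
    def mpint(x: int) -> bytes:
        # One extra byte when the top bit is set keeps the value positive.
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def to_old_format(blob: bytes, comment: str) -> str:
    """Old format: guard lines, a Comment header, base64 wrapped at 64 columns."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *body, "---- END SSH2 PUBLIC KEY ----"]) + "\n"


def old_to_authorized_keys_line(text: str) -> str:
    """Convert old-format text into one authorized_keys line.
    Header lines ('Tag: value', a trailing '\\' continues on the next line) are
    not key data. The key type is read from the blob, not trusted from a header."""
    body, comment, continued = [], "", False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---- "):
            continue                      # blank or guard line
        if continued:                     # remainder of a wrapped header value
            continued = line.endswith("\\")
            continue
        if ":" in line:                   # header; base64 never contains ':'
            tag, _, value = line.partition(":")
            continued = value.endswith("\\")
            if tag.strip().lower() == "comment":
                comment = value.strip().rstrip("\\").strip().strip('"')
            continue
        body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    (alg_len,) = struct.unpack(">I", blob[:4])
    alg = blob[4:4 + alg_len].decode("ascii")
    if alg not in KNOWN_TYPES:
        raise ValueError(f"unexpected key type {alg!r}")
    return f"{alg} {base64.b64encode(blob).decode()} {comment}".rstrip()
```

The output line is what goes into “~/.ssh/authorized_keys”; a blob whose embedded type name is not a known SSH key type is rejected instead of being pasted blindly.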
Quick start #
Remember: the keys come in pairs!
Generate a new key pair #
A key for Putty can be generated with the program “puttygen”. Start the program and do the following:
- Press the button “Generate”
- Move the mouse over the field above; a progress bar will appear and fill.
- Stop when the progress bar is replaced by several text boxes.
- Press the button “Save private key” and store the file in a secure location such as your home directory. Do not store it in a location accessible by others! Note that the stored file contains both the private and the public key.
- Select all the text in the big textbox above under the title “Public key for pasting into OpenSSH authorized_keys file”
- Store (paste) it in a local text file, send it to the remote party requesting it, or save it directly into an “authorized_keys” file.
Remember: it is the private key that gives you access (keep it secure); the public key proves that you have the private key.
Get the OpenSSH public key from a saved private key #
Start the program “puttygen” and do the following:
- Press the button “Load”
- Select the file where you previously stored the private key
- Select all the text in the big textbox above under the title “Public key for pasting into OpenSSH authorized_keys file”
- Store (paste) it in a local text file, send it to the remote party requesting it, or save it directly into an “authorized_keys” file.
Get the OpenSSH private key from a saved private key #
When you want to reuse the private key with git, Gerrit or the Windows SSH program, you need to provide the private key in the OpenSSH format. To do that, start the program “puttygen” and do the following:
- Press the button “Load”
- Select the file where you previously stored the private key
- The menu “Conversions” provides a selection of choices
- Select the entry that exports the key in OpenSSH format
- Store the converted private key in the right directory, most likely “C:\users\<username>\.ssh\id_rsa”
Passphrase protection and “agents” #
If the private key is stored on a computer that is used by many people and that gives other users administrative rights, one is advised to protect the private key with a passphrase. Then even an administrative user cannot use the private key, even though he or she is able to read the file.
Protecting the private key with a passphrase means that the passphrase is required every time the private key is used. This can be cumbersome, and that is where Pageant and ssh-agent come in handy. These programs run in the background: they request the passphrase at startup and keep the key unlocked as long as they are running. SSH programs then use the agent instead of asking for the passphrase. If no agent can be found, the user is asked to enter the passphrase.