I had to write these instructions up for an intern at WebSanity who uses Windows. We need him to SSH (& SFTP) to our Linux server & we only allow access via keys. On a Mac OS X or Linux box, this is a pretty easy process, as I’ll detail soon. On a Windows machine, it’s far more complicated.

Install PuTTY [1]

Go to http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (you can find this page by Googling for putty) & download the EXE installer under “A Windows installer for everything except PuTTYtel”.

Double-click on the EXE & install it.

Generate the SSH key

You’re going to generate SSH keys that work on Windows & UNIX (Linux & Mac OS X). If you’re using Windows only, you certainly don’t need to generate the UNIX keys. But who knows—one day you might get a real operating system (that’s the UNIX bias in me speaking out), & it would be nice to have your SSH keys for UNIX already made.

You’re going to need to store the keys somewhere. I would not recommend using the PuTTY folder in Program Files, as you will forget about it & fail to back it up. Instead, create a folder called SSH Keys (in Documents, for instance) on your hard drive & use that. Or you can use Dropbox or even Microsoft SkyDrive. Just make sure you keep those keys safe & backed up!

Create Windows SSH keys

Go to Start > PuTTY > PuTTYgen. The PuTTY Key Generator opens.

Leave the defaults alone & press Generate. Move your mouse rapidly over the blank area of the window to create random data it can use to create the key.

Press Save Public Key.

  • When asked where you want to save the file, navigate to the SSH Keys folder you created earlier.
  • For File Name, just enter public.

Press Save Private Key.

  • When asked “Are you sure you want to save this key without a passphrase to protect it?”, press Yes. [2]
  • When asked where you want to save the file, navigate to the SSH Keys folder you created earlier.
  • For File Name, just enter private.

You have now created the SSH keys that will work on Windows with PuTTY.

Create UNIX SSH keys

Select Conversions > Export OpenSSH Key.

  • When asked “Are you sure you want to save this key without a passphrase to protect it?”, press Yes.
  • When asked where you want to save the file, navigate to the SSH Keys folder you created earlier.
  • For File Name, enter id_rsa. Make sure that Windows or your text editor didn’t add an extension onto the end. [3]

To save the public key, select the text in the box under “Public key for pasting into OpenSSH authorized_keys file” & copy it. It should look something like this:

ssh-rsa AAAAB3NzaC1yc2EAATUDNWEIOKZAixw8LANsVbPCnE7OT4OFwC37AQr7kjP6gOoONc/duxnP0iPf+jZM7vRS/vTkq8kUnDoTvHRxI6slCj8HWWu+Z+jSukggf48DpZ+Ty9Wn7wceDhdYcrWT1UAoPKBwQit/h3vPx777hsaTKCYsjkpeCo++zPgf6JitABCDEFGekNU= rsa-key-20630316

Paste it into a text editor like Notepad++ or Sublime Text (NOT Notepad or Word!) & save.

  • When asked where you want to save the file, navigate to the SSH Keys folder you created earlier.
  • For File Name, enter id_rsa.pub. Look in the SSH Keys folder to make sure that Windows or your text editor didn’t add another extension onto the end, like .txt or .htm or something like that.
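
An OpenSSH public key file has to be one plain-text line of the form `type base64 comment`, which is why the choice of editor matters here. The following Python check is an added example, not part of the original instructions: it takes the raw bytes of id_rsa.pub, rejects a byte-order mark, UTF-16 encoding, wrapped lines and damaged base64, and returns the key's size and SHA256 fingerprint. The function names are hypothetical and the sample key is constructed.

```python
import base64
import hashlib


def read_string(blob, pos):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 > len(blob) or end > len(blob):
        raise ValueError("key blob is truncated")
    return blob[pos + 4:end], end


def check_public_key(raw):
    """Validate the raw bytes of an id_rsa.pub file (hypothetical helper)."""
    if raw.startswith(b"\xef\xbb\xbf"):
        raise ValueError("file starts with a UTF-8 byte-order mark")
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        raise ValueError("file was saved as UTF-16, not plain text")
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("key must sit on exactly one line, found %d" % len(lines))
    fields = lines[0].split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)  # ValueError if damaged
    inner_type, pos = read_string(blob, 0)
    if inner_type != fields[0]:
        raise ValueError("type prefix does not match the key blob")
    info = {"type": fields[0].decode("ascii")}
    if inner_type == b"ssh-rsa":
        _exponent, pos = read_string(blob, pos)
        modulus, pos = read_string(blob, pos)
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    info["fingerprint"] = "SHA256:" + digest.rstrip("=")
    return info


def constructed_sample():
    """Constructed key line with a fake 1024-bit modulus; not a usable key."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + b"\xc3" * 128)
    return b"ssh-rsa " + base64.b64encode(blob) + b" rsa-key-sample\r\n"


if __name__ == "__main__":
    print(check_public_key(constructed_sample()))
```

The fingerprint is in the same SHA256 format that `ssh-keygen -lf id_rsa.pub` prints, so it can be compared with what the server administrator sees after adding the key to authorized_keys.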

Configure PuTTY

Open PuTTY.

Select the Session category.

For Host Name, enter foobar.com (or whatever your SSH server’s host name is).

Select the Data category.

For Auto-Login Username, enter admin (or whatever SSH username you’re using).

Select the Connection category > SSH > Auth. [4]

For Private Key For Authentication, choose private.ppk.

Go back to the Session category.

For Saved Sessions, enter FooBar (or whatever descriptive text you’d like) & press Save.

Log in with PuTTY

Open PuTTY.

Select the Session category (it’s the default).

Select the FooBar saved session, press Load, & then press Open.

The very first time you connect to your SSH server, you will see a PuTTY Security Alert that says “The server’s host key is not cached …”. Press Yes & PuTTY will cache the key, so you’ll never see that alert for this server again.

You should now be logged into your SSH server. Start issuing commands.

  1. Why PuTTY? Because a decent, free SSH client on Windows is like hen’s teeth. In the UNIX world, there are a plethora of great, free SSH clients (we call them terminals, he said snarkily), but when it comes to Windows, you have a bunch of expensive software and … PuTTY (if you loathe PuTTY—& believe me, I understand—this page at ServerFault has some good options). And no, Cygwin is overkill. 

  2. Why no passphrase? Well, convenience, really. In Linux Phrasebook, I explained it this way:

    Some of you are wondering about the security of this trick. No passwords? Freely exchanging keys? It’s true, but think about it for a moment. True, if someone gets on pound, he can now connect to eliot without a password. But that simply means that you need to practice good security on pound. If pound is compromised, you have enormous problems whether or not the attacker realizes that he can also get to eliot. On top of that, you shoot passwords around the Internet all the time. If an attacker acquires your password, he can do major damage as well. Isn’t your private key as important as a password? And aren’t you going to back it up and safeguard it? When you think about it in those terms, exchanging keys via ssh is at least as secure as passwords, and in most ways much more secure.

    That said, if you’d rather use passwords, then you’ll probably want to use ssh-agent so you’re not constantly forced to keep entering your password when you use your SSH keys. 

  3. Of course, you need to be able to see the extensions on your files in the first place, something that Windows hides by default (Mac OS X does too, & it’s just as stupid for Apple as it is for Microsoft). I’ve written instructions detailing how to turn on file extensions in Windows that have proven quite popular over the years. 

  4. This is one poorly-designed GUI. Really, I have to jump around three different screens to enter info that should be on one? Ridiculous.