SSH - PuTTYgen

This article will take you through generating RSA keys using PuTTYgen on Windows for secure SSH authentication with OpenSSH.


Introduction

One effective way of securing SSH access to your Slice is to use a public/private key pair. The 'public' key is placed on the server and the 'private' key stays on your local workstation. This makes it impossible for someone to log in using just a password, provided you have set up SSH to deny password-based authentication (which you can learn how to do here).

Generate Keys

PuTTYgen

In Windows we will use PuTTYgen to generate our public and private keys. Download PuTTYgen from the official website and open it. Click the Generate button as seen below. You will notice that it generates the keys for you. All you need to do now is save the public and private keys by clicking the corresponding save buttons.

PuTTYgen

Open up your public key, copy it to the clipboard (ctrl+a, ctrl+c) and paste it at the very end of ~/.ssh/authorized_keys on your Slice. If that file doesn't already exist, you will have to create it (nano ~/.ssh/authorized_keys).

Usage

To make use of your newly generated RSA key pair, you will need to tell PuTTY to use it when connecting to your Slice. Do this by opening PuTTY and going to the "SSH" -> "Auth" section. Browse to where you saved the keys and load the private key as seen below:

PuTTY Key

Make PuTTY use the key every time you connect to your Slice by saving this configuration. After loading your key as shown above, go back to "Session" and save your session:

PuTTY Session

Once you have saved your session, your key will be loaded automatically upon connecting to your Slice.

Summary

Opting for key-based authentication to your SSH server is beneficial in many ways. By eliminating the possibility of SSH brute-force attacks targeted at your Slice, the chances of it being compromised are decreased by an order of magnitude.

Josh

Article Comments:

Reed Botwright commented Wed Feb 04 21:48:08 UTC 2009:

Awesome! I just went through this entire process and then again on my laptop to set up access. A tip for Slicers is that you can use the console on the Slice Manager to add another key if you are in a bind. Make sure you allow javascript access to the browser so you can paste in the key, or have some way to transfer the Unix-specific key (the one you copy out of the window in PuTTYgen) to your server. Any subsequent keys can just be concatenated on the end of the file of public keys. Make sure you have the appropriate privileges. Of course, the easier way to do this is to set up the second key using your first PuTTY or other SSH access.

Marc commented Fri Feb 06 21:07:36 UTC 2009:

If you have a current private key on a Linux or Mac box, you can import it into PuTTY with PuTTYgen; you will have to get it onto your Windows box somehow.

1 - open puttygen
2 - File -> Load Private Key -> choose where your private key is
3 - You will get a notice saying "Successfully imported foreign key..."
4 - click on the "Save Private key" button and choose where to save it.
5 - Then use the steps in the above article to launch your session using the Private key.

John commented Sun Feb 15 00:07:47 UTC 2009:

No matter how many times I try to do this whenever I try to log into my slice it tells me "Server refused our key" and then asks me for my password.

I'm on Ubuntu 8.10 ... I know that's not much to go on, but I'm completely at a loss. Any ideas?

Steve commented Sun Feb 15 20:00:06 UTC 2009:

You can also use Putty's own Authentication Agent, Pageant (http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe) as opposed to statically linking your Private key in SSH -> Auth.

Saves a lot of Putty session tweaking, and having to enter the passphrase every time you want to start up a new SSH session (if you don't unload your key or exit Pageant between sessions).


@John, have you tried the alternative format in ~/.ssh/authorized_keys? I.e. the one liner starting ssh-rsa ....

Christopher Stoudt commented Sun Feb 22 23:41:17 UTC 2009:

We are trying to secure our SSH connection. Every time we log in we get "Server refused our key". This happens every time I connect, no matter how many users I create. Please help ASAP. The only way I was able to access was to roll back the iptables to the default non-secure settings.

Ismail commented Thu Mar 12 23:36:13 UTC 2009:

Christopher and John

The problem you have is that if you are using an OpenSSH server with ssh2, then the authorized_keys file should be in one-line format. Typically you will want to select the entire contents of the box using the mouse, press Ctrl+C to copy it to the clipboard, and then paste the data into a PuTTY session which is already connected to the server. (You can do this before you save the public key.) Again, check the content of authorized_keys; it should be in one-line format.

Another reason: you may be using ssh.com (not likely) for the SSH server and trying to use an OpenSSH public key for the server. That doesn't work. You need to convert your key to ssh.com format from the conversion menu in PuTTYgen.

zoltan commented Sun Apr 05 18:53:35 UTC 2009:

@John, and anyone with the same problem:

[How to set up SSH keys: Frustration with "Server refused our key"](http://andremolnar.com/howto_setupsshkeyswithputtyandnotgetserverrefusedour_key)

This worked for me.

typer474 commented Sun Apr 19 10:53:21 UTC 2009:

@zoltan That's a great site and really helped out. Thanks!

seanl commented Tue May 19 19:13:33 UTC 2009:

I tried this and had some success, but in the end used this guide, which is simple, concise and just works. http://www.ualberta.ca/CNS/RESEARCH/LinuxClusters/pka-putty.html

Yang commented Thu Sep 03 01:45:29 UTC 2009:

There's one potentially very dangerous loophole in this. What would happen if you lost your private key and had prohibited password authentication as well as root login in /etc/ssh/sshd_config?

Any way to rescue the server when this happens? It sure CAN happen to anyone.

PickledOnion commented Thu Sep 03 14:24:52 UTC 2009:

Yang,

Sure, simply use the console in the Slicemanager. This is a direct connection to your Slice. You can then log in and change the settings (remove the keys, etc).

The web console is perfect for such occurrences.

PickledOnion

Stefan Koziolek commented Wed Sep 22 13:59:14 UTC 2010:

The whole tutorial is sloppy. I've spent numerous hours trying to load a key using the "help" and still get the error "Server refused our key".

Jered commented Wed Sep 22 18:29:52 UTC 2010:

I confess, it seems pretty straightforward to me, as instructions go. The article doesn't cover everything that could go wrong though - it just covers the basic steps you take copying the key to the server.

That said, I wouldn't mind adding some troubleshooting advice, so if we can figure out what went wrong for you, I'll work that in there. Some possibilities...

Make sure that the key you pasted into authorized_keys is all on one line (no new lines after "ssh-rsa" for example).

Make sure you didn't accidentally leave a character out when you copied and pasted. I only mention this one because I've done it before and it took a while before I found that mistake.

If you had to create the authorized_keys file, you might need to make sure the permissions are restrictive enough that SSH feels comfortable using the key (if you're uncertain, just run "chmod 600 authorized_keys" and try connecting again).

The permissions on your .ssh directory may also need fixing. Try a "chmod 700 .ssh" in your home directory and then try the connection again.

Failing those, I'll fix the link someone posted above to a decent blog post someone made specifically for troubleshooting that issue. Creating the key on the server and then importing that private key into putty is an option they mention there. It's a good option if you still have trouble with what puttygen creates, so I'll plan on getting an article up here that describes that process too.
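
The checks listed in the comment above (key on one line, no dropped character, restrictive permissions), written out as an added Python example that is not part of the original article or any commenter's post. It also recognises the multi-line SSH2 block that PuTTYgen's "Save public key" button writes; the function names and the sample data are constructed here for illustration.

```python
import base64, os, shlex, stat, struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-")  # ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ...

def blob_type(b64):
    """Key type named inside the base64 blob, or None if the blob is damaged."""
    try:
        blob = base64.b64decode(b64, validate=True)
        pos, name = 0, None
        while pos < len(blob):  # the blob is a run of length-prefixed fields
            (n,) = struct.unpack(">I", blob[pos:pos + 4])
            name = name or blob[pos + 4:pos + 4 + n].decode("ascii")
            pos += 4 + n
    except (ValueError, struct.error):
        return None
    return name if pos == len(blob) else None

def check_authorized_keys(text):
    """Return (line_number, problem) pairs for authorized_keys content."""
    findings, in_block = [], False
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("---- BEGIN"):
            findings.append((no, "multi-line SSH2 block, not a one-line key"))
            in_block = True
        elif in_block:
            in_block = not line.startswith("---- END")
        elif line and not line.startswith("#"):
            try:
                tokens = shlex.split(line)  # from="..." options stay one token
            except ValueError:              # e.g. an apostrophe in the comment
                tokens = line.split()
            idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
            if idx is None:
                findings.append((no, "no key type: wrapped line or stray fragment"))
            elif blob_type("".join(tokens[idx + 1:idx + 2])) != tokens[idx]:
                findings.append((no, "key blob missing, truncated or damaged"))
    return findings

def check_permissions(path):
    """Flag modes looser than the chmod 600 / chmod 700 suggested in the thread."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path}: mode {mode:o} allows group/other access"] if mode & 0o077 else []

# Constructed sample: a structurally valid but meaningless ssh-rsa blob.
def field(b): return struct.pack(">I", len(b)) + b
BLOB = base64.b64encode(field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(bytes(33))).decode()
SAMPLE = "\n".join([f"ssh-rsa {BLOB} ok@laptop", f'from="192.0.2.10" ssh-rsa {BLOB} restricted',
    f"ssh-rsa {BLOB[:20]}{BLOB[21:]} one-character-dropped", "ssh-rsa", BLOB,
    "---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "constructed"', BLOB, "---- END SSH2 PUBLIC KEY ----"])
```

Running `check_authorized_keys(SAMPLE)` flags lines 3 to 6 of the constructed file and accepts the first two, including the one carrying a `from=` option.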

Andy commented Mon Jan 10 03:21:58 UTC 2011:

"Open up your public key, copy it to the clipboard (ctrl+a, ctrl+c) and paste it at the very end of ~/.ssh/authorized_keys on your Slice. If that file doesn't already exist, you will have to create it (nano ~/.ssh/authorized_keys)."

Whenever I run "nano ~/.ssh/authorized_keys" and try and writeout, I get the error: [ Error writing /root/.ssh/authorized_keys: No such file or directory ] - so how do I create this file first, so that I can save to it?

Jered commented Tue Jan 11 15:50:05 UTC 2011:

I expect you'll also need to create the ".ssh" directory in root's home directory, so "mkdir /root/.ssh". Be warned, though, that you probably don't want to allow direct SSH connections to the root account if you can help it. It's more secure to disable root logins entirely via the sshd_config then ssh into a user account you've created. Then you can use sudo to perform administrative tasks from there.

joshua commented Thu Feb 10 23:51:00 UTC 2011:

yeah, i did have a little trouble with this, but i am by no stretch of the imagination well versed in bash or really any server stuff.

@jared + others, your comments helped, though. i think, ultimately, the issue for me was that putty wasn't saving the reference to the file in the session profile (after i'd done half a dozen other things wrong first lol)

changing permissions, making sure that putty is using your private key, worked for me. thanks to all.

Alauddin commented Fri Jun 10 05:14:48 UTC 2011:

Ok, got ssh key to work using instructions found here - adnrewmolnar.com

Basically, it seems Puttygen generated keys are not compatible with openssh keys...so you need to generate the keys on the server and then import the key in puttygen using 'load' option to modify it to work with putty.

hope that helps others.

Jered commented Fri Jun 10 16:34:40 UTC 2011:

The comment system's a little weird with underscores. Well, and a few other things. Sorry about that Alauddin.

I went ahead and fixed the original URL by turning it into a link, then went ahead and removed your additional attempts. Thanks for trying so hard, and for posting the link. ;)

Sysadmin commented Wed Dec 14 19:48:05 UTC 2011:

For those who are afraid of their private key being stolen: you can add the 'from="xx.xx.xx.xx"' parameter just before the 'ssh-rsa' word in your authorized_keys file. This makes the SSH server refuse the key when the client is connecting from an IP address other than xx.xx.xx.xx.
