Generating Public/Private Key Pair for PKI Access
Preliminary Setup
Setting up public key authentication to access a particular remote host is a one-time procedure comprising three steps.
1.
Generate a public/private key pair on your local desktop.
From the Start menu, run Start > All Programs > PuTTY > PuTTYgen
Click the Generate button. You will be prompted to move the mouse over the blank area to generate some randomness, do so. Shortly thereafter, the program will generate the key and display the result.
Enter a passphrase in the “Key passphrase” and “Confirm passphrase” boxes. Your CCID password makes a good choice since you have probably already committed it to memory and it has withstood password cracking tests. However, the PuTTY documentation recommends an actual phrase of 10 to 30 characters with word breaks, mixed case, numbers, and non-alphanumeric characters, for example, “DoN’t (expect snow)^july.” Instead of trying to create a good passphrase on your own.
Under no circumstances should you leave these fields blank.
Select all of the text in the box labeled “Public key for pasting into OpenSSH authorized_keys file” (near the top of the window) by dragging the cursor. Right-click over the selection and choose Copy. Finally, click the “Save private key” button to save the private key to a file.The private key must be kept secret. Accordingly, the contents of the file are encrypted using the passphrase, and you should pick a file location that is accessible only to you.
If you share your computer and you do not have a separate account (id) with private disk space, do not use public key authentication. If in doubt, do not use public key authentication.
You can recover the public key from the private key with PuTTYgen by clicking the Load Button. You can not recover the private key from the public key however.
2.
Install the public key on the remote host to which you want to connect. Do this by pasting the public key from the Clipboard into the the authorized_keys file, which is located in the .ssh directory in your home directory on the remote host.
Type G on the keyboard to go to the end of the file. Enter insert mode on a new line by typing an o (lowercase oh), then right-click to paste the public key.
Press the Esc key to exit insert mode. And finally, type :wq to save the changes to the file and exit the editor. Repeat this procedure to install the same public key on as many additional remote hosts as you like.
The private key is not installed on any remote host.
3.
Verify that public key authentication works. Basic public key authentication is enabled for a particular session in the Connection > SSH > Auth window. You must load the session profile before configuring the Auth window
Browse to select mykey.ppk in the “Private key file for authentication” text box. Be sure to go back to the Session window and click Save to update the profile.
To invoke basic public key authentication for file transfers with winscp.exe or scp use the -i flag on the command line and specify mykey.ppk as the flag’s argument.
During either login or file transfer, supplying the passphrase when prompted decrypts the private key on the fly for use in the authentication process. If you see a password prompt instead of a passphrase prompt, the administrators of the remote host may have disallowed public key authentication. Some sites take this step to prevent the use of unencrypted private keys (generated with a null passphrase), which pose a security threat.
Leave a Reply