Key-Based SSH Logins With PuTTY
Create a private/public key pair to log in to a remote system with SSH using PuTTY.
What is PuTTY?
PuTTY is an SSH client for logging in to remote servers from your local Windows PC. Linux and Mac have a terminal that includes an SSH client.
Why use a Public/Private key pair?
Key-based SSH logins are far more secure than the standard root/password method, because brute-forcing software can be used to automate password-guessing attacks against servers.
Your server/website is under constant attack from bots and evil hackers running brute-force attacks on your system. Just take a peek at your log files to see just how often this happens. Your server is probably being attacked by some kind of bot as you read this now!
Follow this guide to disable the username/password logins so only users with a valid private/public key pair can log in.
We use a Windows desktop to connect to an SSH server on Debian 8 (this should work for some other versions of Debian and Ubuntu, though I haven’t tested it yet).
- Local = you on your Windows computer
- Remote = your remote server
- IP Address
- Root account and Password
- PuTTY, PuTTYgen, and Pageant – download them from the PuTTY download page
- Nano on remote server (or whatever text editor you use)
Install PuTTY, PuTTYgen, And Pageant.
We’ll require PuTTY, PuTTYgen, and Pageant on our local Windows PC.
Download PuTTY, PuTTYgen and Pageant from the PuTTY download page and save them on your local Windows PC.
- Start PuTTY.exe with a double-click
Create a profile in PuTTY for our Server
You can create a profile in PuTTY for your various SSH servers.
Our server’s IP is going to be 192.168.0.100.
Open PuTTY.exe
- Enter your server’s IP address under Host Name (or IP address)
We’re using: 192.168.0.100
- Go to Connection > Data and, under Auto-login username, enter the username that you want to log in to your SSH server with.
We use root.
- Click on Session on the left hand tree menu
- Enter a name for the profile under the Saved Sessions option. We used 192.168.0.100, but you can use anything memorable, e.g. Debian Server
- Click Save
In future you’ll be able to select your profile from the Saved Sessions then click Load & Open.
Well done, we’re almost finished.
Add the private key to your local PuTTY profile
- Close/disconnect from the remote server then launch PuTTY again.
- Load the profile of your SSH server (ours is 192.168.0.100):
- Go to SSH -> Auth and click on Browse:
- Browse your file system and select your previously created private key
- Then go to Session again and click on Save
The private key is attached to the PuTTY profile.
Now we’re ready for our first key-based login to our SSH server.
- Click on Open
As you can see, the public key is now used for authentication, and you are asked for the passphrase (if you created one).
Disable Username/Password Logins
Even without the private key, the evil hacker will still be able to brute-force the username and password, which makes what we’ve done until now pointless. So we must disable the username/password logins.
(Do this only once you know that your key-based logins are working, or you’ll lock yourself out – BE CERTAIN THAT PRIVATE KEY AUTHENTICATION IS WORKING)
We modify the sshd configuration file to disable the username/password logins. On Debian/Ubuntu systems it’s /etc/ssh/sshd_config.
Set Protocol to 2 (this is already the default) and PasswordAuthentication to no.
- Log in to an SSH session using the PuTTY profile/key you created earlier.
- Open /etc/ssh/sshd_config with Nano
Find the following part in the file you’ve just opened
    [...]
    Protocol 2
    #PasswordAuthentication yes
    UsePAM no
    [...]
Remove the comment character # from the front of the line #PasswordAuthentication and change the yes to no so it looks as below:
    [...]
    Protocol 2
    PasswordAuthentication no
    UsePAM no
    [...]
Then restart sshd. On Debian/Ubuntu, you can do it like this:
$ service ssh restart
On older versions, use the init script instead of the service command:
$ /etc/init.d/ssh restart
Now if you open a PuTTY session without your private key attached, you shouldn’t be able to log in anymore.
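The check below is an added example, not part of the original guide: it reads an sshd_config-style file and reports whether password logins are really off, applying sshd's rule that the first value found for a keyword wins and that a commented-out PasswordAuthentication line leaves the default of yes in force. The function names and sample files are constructed for illustration, and it goes slightly beyond the guide by also checking ChallengeResponseAuthentication when UsePAM is yes.

```shell
#!/bin/sh
# Added example. sshd uses the FIRST value it finds for a keyword, and keywords
# are case-insensitive. Assumptions: only the global section is read (parsing
# stops at the first "Match" line) and Include directives are not followed.

# effective_value FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_value() {
    awk -v want="$2" -v def="$3" '
        { sub(/^[ \t]+/, ""); sub(/=/, " ") }   # trim indent, accept Key=value
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# password_logins_disabled FILE -> exit status 0 only if passwords are refused
password_logins_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] || return 1
    # With UsePAM yes, challenge-response can still prompt for a password.
    if [ "$(effective_value "$1" UsePAM no)" = yes ] &&
       [ "$(effective_value "$1" ChallengeResponseAuthentication yes)" = yes ]
    then return 1; fi
    return 0
}

# Constructed sample files mirroring the two snippets in this guide.
samples=$(mktemp -d)
printf 'Protocol 2\n#PasswordAuthentication yes\nUsePAM no\n' > "$samples/before"
printf 'Protocol 2\nPasswordAuthentication no\nUsePAM no\n'   > "$samples/after"

for f in before after; do
    if password_logins_disabled "$samples/$f"; then
        echo "$f: password logins disabled"
    else
        echo "$f: password logins still possible"
    fi
done
```

On the server itself, point the function at /etc/ssh/sshd_config before restarting sshd; running sshd -T as root prints the effective configuration the daemon will actually use.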
Use Pageant to remember the Key Passphrase (if you set one…)
Whenever you use your key-based login now, you still need to specify your key passphrase.
You can give the passphrase to Pageant once; it then keeps the unlocked key in memory and supplies it whenever you log in to your SSH server.
- You can start Pageant.exe by double-clicking it.
You’ll see Pageant running in the taskbar.
Now double-click the Pageant icon in the taskbar. The Pageant window comes up.
- Click on Add Key:
- Browse your filesystem and select your private key:
- Enter the passphrase for the private key:
The key is now listed in Pageant’s key list.
- Click on Close:
You can log in to your server without providing the passphrase while Pageant is running in the background.
When you stop Pageant, it forgets all keys, so the next time you start Pageant you must add the keys again.