
Using Key-Pair SSH Logins from Windows with PuTTY to your Debian VPS

Key-Based SSH Logins With PuTTY

Create private/public key pair to log in to a remote system with SSH using PuTTY.

What is PuTTY?

PuTTY is an SSH client for logging in to remote servers from your local Windows PC. Linux and Mac have a terminal that already includes an SSH client.

Why use a Public/Private key pair? 

Key-based SSH logins are far more secure than the standard root/password method, because brute-forcing software can be used to automate password attacks against servers.

Your server/website is under constant attack from bots and evil hackers running brute-force attacks on your system. Just take a peek at your log files to see just how often this happens. Your server is probably being attacked by some kind of bot as you read this now!

Follow this guide to disable the username/password logins so that only users with a valid private/public key pair can log in.

Preliminary Note

We use a Windows desktop to connect to an SSH server on Debian 8 (this should work for some other versions of Debian and Ubuntu, though I haven’t tested it yet).

Terminology

  • Local = you on your Windows computer
  • Remote = your remote server

Requirements

  • IP Address
  • Root account and Password
  • PuTTY, PuTTYgen, and Pageant – Download from here
  • Nano on remote server (or whatever text editor you use)

Install PuTTY, PuTTYgen, And Pageant.

We’ll require PuTTY, PuTTYgen, and Pageant on our local Windows PC.

Download PuTTY, PuTTYgen and Pageant from the PuTTY download page and save them on your local Windows PC.

  • Start PuTTY.exe with a double-click

Create a profile in PuTTY for our Server

You can create a profile in PuTTY for your various SSH servers.

Our server’s IP is going to be 192.168.0.100.

Open PuTTY.exe (see image below)

  • Enter your server’s IP address under Host Name (or IP address)

We’re using: 192.168.0.100

Putty program started

  • Go to Connection > Data and, under Auto-login username, enter the username you want to log in to your SSH server with.

We use root:

Set the SSH connection data

  • Click on Session on the left hand tree menu
  • Enter a name for the profile under the Saved Sessions option (see image below). We used 192.168.0.100, but you can use anything memorable, e.g. Debian Server
  • Click Save

Saved sessions

In future you’ll be able to select your profile from the Saved Sessions then click Load & Open.

Well done, we’re almost finished.

Add the private key to your local PuTTY profile

  • Close/disconnect from the remote server then launch PuTTY again.
  • Load the profile of your SSH server (ours is 192.168.0.100):

Attach The Private Key To The PuTTY Profile

  • Go to SSH -> Auth and click on Browse:

Putty Auth settings

  • Browse your file system and select your previously created private key

Select key file from filesystem

The key file path is shown in putty

  • Then go to Session again and click on Save

Save the putty session

The private key is attached to the PuTTY profile.

Now we’re ready for our first key-based login to our SSH server.

  • Click on Open

First Key-Based Login

As you can see, the public key is now used for authentication, and you are asked for the passphrase (if you created one).

public key is now used for authentication

Disable Username/Password Logins

Even without the private key, the evil hacker will still be able to brute-force the username and password. This makes what we’ve done until now pointless, so we must disable the username/password logins.

(Only do this when you know that your key-based logins are working, or you’ll lock yourself out – BE CERTAIN THAT PRIVATE KEY AUTHENTICATION IS WORKING)

We modify the sshd configuration file to disable the username/password logins. On Debian/Ubuntu systems it’s /etc/ssh/sshd_config.

Set Protocol to 2 (this is already the default) and PasswordAuthentication to no. 

  • Log in to an SSH session using the PuTTY profile/key you created earlier.
  • Open sshd_config with Nano – see below

nano /etc/ssh/sshd_config

Find the following part in the file you’ve just opened

[...]
Protocol 2
#PasswordAuthentication yes
UsePAM no
[...]

Remove the comment # from in front of the line #PasswordAuthentication and change the yes to no so it looks as below:

[...] 
Protocol 2 
PasswordAuthentication no 
UsePAM no 
[...]
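
Before restarting sshd, it helps to confirm what the edited file actually says. The script below is an added example, not part of the original guide: it reads an sshd_config the way sshd does for global settings (the first value found for a keyword wins, keywords are case-insensitive, commented lines are ignored) and reports whether password logins are off. The three sample files are constructed for illustration, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original guide): offline check of an
# sshd_config file before sshd is restarted.

# Print the effective global value of keyword $2 in file $1, or default $3.
# Assumes the usual whitespace-separated "Keyword value" form.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # Match blocks are conditional
        tolower($1) == tolower(key) { val = $2; found = 1; exit }  # first wins
        END { print (found ? val : def) }
    ' "$1"
}

# Return 0 only if PasswordAuthentication is effectively "no".
# When the keyword is absent, sshd defaults to "yes".
password_logins_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = "no" ]
}

# Constructed sample files: the guide's "before" and "after" snippets, plus
# a file where an earlier duplicate line overrides the edited one.
SAMPLES=$(mktemp -d)
printf '%s\n' 'Protocol 2' '#PasswordAuthentication yes' 'UsePAM no' \
    > "$SAMPLES/before.conf"
printf '%s\n' 'Protocol 2' 'PasswordAuthentication no' 'UsePAM no' \
    > "$SAMPLES/after.conf"
printf '%s\n' 'passwordauthentication yes' 'Protocol 2' \
    'PasswordAuthentication no' > "$SAMPLES/shadowed.conf"

for name in before after shadowed; do
    if password_logins_disabled "$SAMPLES/$name.conf"; then
        echo "$name.conf: password logins disabled"
    else
        echo "$name.conf: password logins STILL ENABLED"
    fi
done
```

On the server itself, sshd -t checks /etc/ssh/sshd_config for syntax errors and sshd -T prints the effective settings, so both are worth running before the restart.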

 

Then restart sshd. On Debian/Ubuntu, you can do it like this:

$ service ssh restart

On older versions, use the init script instead of the service command:

$ /etc/init.d/ssh restart

Now if you open a PuTTY session without your private key attached, you shouldn’t be able to log in anymore.

Use Pageant to remember the Key Passphrase (if you set one…)

Whenever you use your key-based login now, you still need to specify your key passphrase.

You can give the passphrase to Pageant, which will then provide it whenever you log in to your SSH server.

  • You can start Pageant.exe by double-clicking it.

Start pageant.exe

You’ll see Pageant running in the taskbar:

Pageant in task bar

Now double-click the Pageant icon in the taskbar. The following window comes up.

  • Click on Add Key:

Add a key in pageant

  • Browse your filesystem and select your private key:

Browse file system

  • Enter the passphrase for the private key:

Enter the passphrase

The key is now listed in Pageant’s key list.

  • Click on Close:

Close the window, when key is listed

You can log in to your server without providing the passphrase while Pageant is running in the background.

Automatic SSH login with Pageant

When you stop Pageant, it forgets all keys, so the next time you start Pageant you must add the keys again.

 

Christopher Baker