SSH and SFTP Public Key Authentication requires that you create a public/private key pair. In this howto we will look at how to create then use those keys.
SSH (Secure Shell) and SFTP (Secure FTP) support a very strong security model that can be used instead of the normal username and password authentication scheme. It uses public key cryptography to create a different, and more secure approach to authenticating your identity and rights to access a server or resource.
Essentially you will generate a public and private key pair. The public key will be placed on the server by your system administrator, giving you access. You will keep the file containing the private key in a safe place. You’ll log in simply by providing that private key file to your SSH or SFTP client.
The private key is just that – private. You may put a password on it, but you don’t have to. Without a password, all you need is the file in order to login. Or, to put it more clearly, all anyone needs is that file to login as you. Obviously if you password protect the file, then you’ll need both the file, and the password to unlock it. In that case, logging in is very similar to what you do today: specify a user name, and a password to unlock your key file.
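Because a private key without a passphrase is a complete credential on its own, it is worth being able to check a key file for that condition rather than trusting memory. The Python below is an added example (not from the original howto, and not PuTTY’s or OpenSSH’s code) that reads the three private key file formats this howto ends up producing: PuTTY’s “.ppk”, whose “Encryption:” header reads “none” for an unprotected key; the traditional PEM file that PuTTYgen’s Export OpenSSH key writes, which marks encryption with a “Proc-Type: 4,ENCRYPTED” header; and the newer openssh-key-v1 format, which stores the cipher name inside the base64 blob. The sample files are constructed inline (placeholder key bodies, made-up file names) so the script runs offline.

```python
import base64
import struct
import textwrap

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 blob


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, off: int):
    """Read one SSH string at offset; returns (data, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key file")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key file")
    return blob[off + 4:end], end


def ppk_is_encrypted(text: str) -> bool:
    """PuTTY .ppk: the 'Encryption:' header is 'none' when the private half is
    stored in the clear, otherwise it names the cipher (e.g. aes256-cbc)."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY .ppk file")
    for line in lines[1:]:
        tag, _, value = line.partition(":")
        if tag.strip() == "Encryption":
            return value.strip().lower() != "none"
    raise ValueError("no Encryption header in .ppk file")


def openssh_is_encrypted(text: str) -> bool:
    """OpenSSH private keys: the traditional PEM form (what PuTTYgen's
    'Export OpenSSH key' writes) marks encryption with a Proc-Type header;
    the openssh-key-v1 form records the cipher name inside the base64 blob."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body, validate=True)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))  # ciphername field
        return cipher != b"none"
    # Base64 lines never contain ':', so a Proc-Type header is unambiguous.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])


def private_key_is_encrypted(text: str) -> bool:
    """Dispatch on the file's first line."""
    if text.startswith("PuTTY-User-Key-File-"):
        return ppk_is_encrypted(text)
    return openssh_is_encrypted(text)


def unprotected_keys(files: dict) -> list:
    """Names of the key files that can be used without any passphrase."""
    return [name for name, text in files.items() if not private_key_is_encrypted(text)]


def _ppk(encryption: str) -> str:
    # Constructed .ppk skeleton; the base64 body lines are placeholders, not key data.
    return "\n".join([
        "PuTTY-User-Key-File-2: ssh-rsa", f"Encryption: {encryption}",
        "Comment: rsa-key-example", "Public-Lines: 1", "AAAA",
        "Private-Lines: 1", "AAAA",
        "Private-MAC: 0000000000000000000000000000000000000000", ""])


def _openssh_v1(cipher: str, kdf: str) -> str:
    # Constructed openssh-key-v1 blob, cut off after the fields we inspect.
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----"] + textwrap.wrap(b64, 70)
                     + ["-----END OPENSSH PRIVATE KEY-----", ""])


SAMPLE_FILES = {  # constructed sample set; names are made up
    "enc.ppk": _ppk("aes256-cbc"),
    "plain.ppk": _ppk("none"),
    "id_rsa_enc.key": _openssh_v1("aes256-ctr", "bcrypt"),
    "id_rsa_plain.key": _openssh_v1("none", "none"),
    "exported_enc.key": "\n".join([
        "-----BEGIN RSA PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED",
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF", "",
        "AAAA", "-----END RSA PRIVATE KEY-----", ""]),
    "exported_plain.key": "\n".join([
        "-----BEGIN RSA PRIVATE KEY-----", "AAAA", "-----END RSA PRIVATE KEY-----", ""]),
}

if __name__ == "__main__":
    for name in unprotected_keys(SAMPLE_FILES):
        print(f"{name}: private key is not passphrase protected")
```

The check only reads headers and the first fields of the blob, so it never needs the passphrase and can be run over a whole directory of key files; the same idea applies to any other place a private key might be stored.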
Instructions are included here for the following tools, which are known to work with this technique:
- SSH Clients: PuTTY, SecureCRT
- SFTP Clients: PSFTP, WebDrive, WS_FTP
Instructions for these tools are not provided here, but they either claim or have been confirmed to have the appropriate support:
- SSH Clients: Tera Term Pro
- SFTP Clients: CuteFTP Professional, WinSCP
Other tools may also work. The key terminology to look for is “SSH” or “SFTP” and “Public Key Authentication”.
Generating Your Keys
In general it’s best to create your own key. That way you control what happens to your private key.
PuTTYgen
PuTTY is a free SSH client that includes a tool for generating keys, called PuTTYgen. PuTTY is my preferred SSH client.
Run PuTTYgen and click the “Generate” button.
Follow the directive to move the mouse around to generate randomness, which is a key component of public key cryptography. Once that’s done, you should do the following:
- Specify a passphrase. Technically this is optional, but if you omit the passphrase, then anyone who happens to get ahold of your private key file can login as you. You may have enough security in place where this is not an issue. If you do specify a passphrase, you’ll need to enter it when you login, pretty much as a normal login.
- Press the Save Public Key button to save the public key. I recommend saving it as your name plus “.pub”; for example, I would save “powercram.pub”.
- Press the Save Private Key button to save your private key. This saves the private key in PuTTY’s own format, a “.ppk” file. So, “name.ppk” might be appropriate.
- I also recommend opening the Conversions menu, choosing Export OpenSSH key, and saving that as “name.key”. This format will allow you to use your private key with applications other than PuTTY.
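PuTTYgen’s Save Public Key button writes the key in the SSH2 (RFC 4716) format, with “---- BEGIN SSH2 PUBLIC KEY ----” and END lines and a Comment header, whereas an OpenSSH server’s authorized_keys file wants each key on a single line. The following Python, added here as an example (it is not code from the original howto or from PuTTY), converts the saved “.pub” file into that one-line form and, before the key is handed to the administrator, checks that the base64 blob really is a well-formed key blob of a known type. The sample key file is constructed inline with a toy 32-bit modulus so the script runs offline; its comment and the assumed file layout are made up.

```python
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian two's complement, so a leading 0x00 keeps it positive."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Read one SSH string at offset; returns (data, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def key_type_of(blob: bytes) -> str:
    """Return the algorithm name the blob declares, after checking that the blob
    is exactly a sequence of SSH strings (the type, then the algorithm's fields)
    with nothing left over."""
    first, off = _read_string(blob, 0)
    while off < len(blob):
        _, off = _read_string(blob, off)
    keytype = first.decode("ascii")
    if keytype not in KNOWN_TYPES:
        raise ValueError(f"unexpected key type {keytype!r}")
    return keytype


def rfc4716_to_openssh(text: str) -> str:
    """Convert a PuTTYgen / RFC 4716 public key file to one authorized_keys line."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != BEGIN:
        raise ValueError("not an RFC 4716 public key file")
    headers, body = {}, []
    i = 1
    while i < len(lines) and lines[i].strip() != END:
        line = lines[i].strip()
        # Header lines contain ':'; base64 never does. A trailing backslash
        # continues the header value on the next line.
        if not body and ":" in line:
            while line.endswith("\\") and i + 1 < len(lines):
                i += 1
                line = line[:-1] + lines[i].strip()
            tag, _, value = line.partition(":")
            headers[tag.strip().lower()] = value.strip()
        else:
            body.append(line)
        i += 1
    if i >= len(lines):
        raise ValueError("missing END marker")
    blob = base64.b64decode("".join(body), validate=True)
    keytype = key_type_of(blob)
    comment = headers.get("comment", "").strip('"')
    b64 = base64.b64encode(blob).decode("ascii")
    return " ".join(part for part in (keytype, b64, comment) if part)


# Constructed sample: e = 65537 and a toy 32-bit modulus, NOT a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE0D)
SAMPLE_BLOB_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_RFC4716 = "\n".join([BEGIN, 'Comment: "rsa-key-example"']
                           + textwrap.wrap(SAMPLE_BLOB_B64, 70) + [END, ""])

if __name__ == "__main__":
    print(rfc4716_to_openssh(SAMPLE_RFC4716))
```

The text box at the top of the PuTTYgen window already shows the public key in the OpenSSH one-line form, so the conversion matters mostly when only the saved “.pub” file reaches the server side; the structural check in key_type_of is what catches a file that was mangled in transit (wrapped, truncated, or pasted with a stray character).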
SecureCRT
SecureCRT is a stand-alone SSH client.
To create a public key with SecureCRT, click the Tools menu, Create Public Key… option to begin the wizard. Select RSA as the key type. Enter (or not) an appropriate passphrase to protect your private key. A default key length of 1024 is sufficient. Allow SecureCRT to save the key, noting the location. It may ask if you want to use this as your global Public Key, and you can safely say “yes”.
WS_FTP
In WS_FTP, click Tools, Options, and then click on SSH, Client Keys:
Press Create, and step through the wizard. The key type should be RSA, and the default size of 1024 is sufficient. Once the key has been created and shows up in the list, click on it, and then click on Export, to export your public key.
Using Your Keys – SSH
Once your keys are generated, and the public key installed on the server, you’ll need to specify the private key to your SSH client in order to log in.
PuTTY
There are at least two approaches to using Public/Private keys with PuTTY. When you launch PuTTY without any arguments, you get its standard configuration dialog, into which you can enter the name of the server you want to connect to:
On the left hand side is a tree view of various options. Underneath Connection, SSH, click on Auth and the dialog will include a field “Private key file for authentication”:
Specify the location of the “.ppk” file that you generated with PuTTYgen. When you connect, if your private key is passphrase protected, you’ll be asked for the passphrase. The other approach is to simply create shortcuts for the various servers I connect to regularly, and specify the location of the private key on the command line. For example:
C:\path\PUTTY.EXE -i c:\admin\powercram.ppk admin@server.com
That, as a desktop shortcut, or item on a Windows menu, connects to the named server using the specified account name “admin”, and uses the private key found in “c:\admin\powercram.ppk” to authenticate.
SecureCRT
SecureCRT has several paths to a connection dialog, but we’ll use “Quick Connect” for our example. Click the Quick Connect Icon:
Make sure that protocol is set to SSH2, and enter your host and username. In Authentication, UNcheck everything except PublicKey. Then click on that, and click Properties.
Typically you don’t need to do anything, but this dialog specifies the location of your identity file (aka Private Key). Assuming that your public key has been placed on the server for your account, you should now be able to connect.
Using Your Keys – SFTP
Secure FTP, or SFTP, is really just using SSH technology to provide FTP-like functionality. Since it’s using SSH, the keys you’ve generated and are using for your SSH authentication work with many SFTP applications as well.
WebDrive
Webdrive is an FTP/SFTP service for Windows that allows you to treat an FTP or SFTP connection like another drive mounted on your system. Uploading and downloading then become simple Windows file copy operations. In Webdrive, you’ll need to load your private key, and then specify it in the configuration for a specific SFTP connection. The Certificates tab of Webdrive’s Settings dialog has a Hostkey Management button. Push that, and you’ll get the host key management dialog, and on that you’ll find an Import button. Press that to import your public and private keys:
Specify the “.pub” key for the public key you generated earlier. The private key should also be specified, and would be the “.key” file. If you passphrase protected your key file, you can specify that here as well. Give it a recognizable name. The second step, then, takes us back to the Webdrive main window.
Click on a connection (or create a new one). In the Properties for that connection, on the SFTP tab will be a setting Enable client hostkey support for this site:
Here you’ll find a dropdown list of the keys you imported above, and a place to enter the password, if any, to access that key. Once completed, Webdrive should now be able to connect to your public key authenticated site.
WS_FTP
Having created a key pair already in WS_FTP, using it is simply a matter of defining your connection to use it.
When you create a site, specify its connection type as SFTP/SSH. Specify a user name, but leave your password blank. At the end of the wizard, click on the Advanced button; this allows you to edit the connection, and is equivalent to editing an existing connection.
Click on the SSH item on the left, and the dropdown list that results should allow you to select the key pair that you created earlier. Assuming that the public key you exported and sent to your system administrator has been installed on the server, you should now be able to connect.
psftp
PSFTP is a command-line SFTP program that is distributed with PuTTY. More importantly, it supports public key SFTP by using the “.ppk” file that you created for PuTTY above. Connecting using a public key is simply a different set of command-line options:
psftp -l username -2 -i keys.ppk remotehost
- -l username specifies your username on the remote host.
- -2 indicates that PSFTP should use SSH protocol version 2.
- -i keys.ppk specifies the location of your private key as created with PuTTYgen.
- remotehost is the name of the remote host you’re connecting to.