Originally posted 2018-02-13 11:37:17.
The purpose of this post is to help you set up a Linux system, maybe a VPS or even just a humble Raspberry Pi so you can connect to it using PuTTY or WinSCP or even a terminal on a Mac PC in a secure way using a private key. There are a lot of how-to’s on the internet showing you how to do this however they often seem to miss that critical step or they assume a level of knowledge. So as much for my own benefit as anything else, here is my complete how-to with a couple of specific examples. Hope it helps you.
Creating a Public/Private Key for a Linux System
First, let's create the public/private key pair for our system. You will need to download PuTTY from here.
When you install PuTTY it comes with two other programs as well: the first is Pageant and the second is PuTTYgen.
Pageant is used if you password-protect your private keys. The first time in a session that you log in to the server, Pageant will prompt for the password and will then remember it for that session and not ask again. If you want to use passwords and have Pageant remember them, set Pageant so it starts with Windows. My VPS has a function in WHM to generate private/public keys to use with PuTTY, and it won't save the key unless you use a password, so Pageant can be useful to make sure you are not entering passwords all the time.
Just remember that this public/private key combination is very secure on its own: you can only log in from a computer where that private key is stored, so adding a password on top of the key seems like overkill to me! Even on my VPS I was able to use PuTTYgen to generate keys that don't require a password to use in PuTTY.
PuTTYgen is used to generate the public/private keys to use. Running PuTTYgen brings up this screen.
Note the key parameters at the bottom. The type of key to generate is set to RSA (the default) and the number of bits is set to 2048 (also the default). If you click on Key you will also see it is set to an SSH-2 RSA key. These are all the defaults and what you want.
Next, click on the Generate button and move your mouse randomly over the blank area underneath the progress bar; when the progress bar is finished, the key has been generated.
Then you need to save the generated key, saving both the public key and the private key. You will find PuTTYgen will default to a folder like C:\Users\user-name\AppData\Local\VirtualStore\Program Files (x86)\PuTTY as the location to store the keys. Note where they are stored, as you are going to need the key to configure PuTTY and WinSCP. The public key file by default will be stored with no file extension. You can change the extension to anything you like (such as .pub) or leave it with no extension; it's not important. The private key will default to having a .ppk extension and you should not change that. When you click on Save private key, PuTTYgen will pop up a warning asking if you are sure you want to save this key without a passphrase to protect it. If you are on a shared computer you should probably enter a passphrase; otherwise just click on Yes and save the key. It will default to the same location as the public key above.
The top section of that last screenshot shows the text you need to copy and paste into a file called authorized_keys, so right click on it and copy the key to the clipboard. You then need to edit/create the authorized_keys file on the server and paste in that key.
Where do I store authorized_keys?
The location varies depending on the system. On my VPS, these are stored in /root/.ssh/. On my Raspberry Pi, they are stored in /home/pi/.ssh/ for the pi user and /root/.ssh/ for the root user. For Hassio (the appliance-like Home Assistant) they are stored in /root/.ssh, but if you want to use the 'hidden' debugging docker container, it goes in the root folder of the boot partition on the SD card.
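Putting the copied key line into authorized_keys by hand works, but sshd silently ignores the file if the directory or file permissions are wrong. This added example (my own, not from the original post) does the paste step with the modes sshd expects; it assumes POSIX sh and that the home directory and the one-line key text from PuTTYgen's top box are passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the original post. Installs the key line copied
# from PuTTYgen's top box into authorized_keys the way sshd expects it.
# Assumed: POSIX sh; home directory and key text supplied by the caller.

# Append one public key line to $1/.ssh/authorized_keys. The directory and
# file are created with the modes sshd's StrictModes (on by default) insists
# on: .ssh 700, authorized_keys 600. Re-running with the same key is harmless.
install_authorized_key() {
  home="$1"; key="$2"
  case "$key" in
    "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*) ;;
    *) # The file PuTTYgen writes with "Save public key" is the multi-line
       # "---- BEGIN SSH2 PUBLIC KEY ----" format, which sshd will not read
       # from authorized_keys; only the one-line text from the top box works.
       echo "not an OpenSSH one-line public key" >&2; return 1 ;;
  esac
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
  auth="$home/.ssh/authorized_keys"
  touch "$auth" && chmod 600 "$auth" || return 1
  # grep -F: the base64 contains "+" and "/", which must not act as a regex
  grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Permission string of a path, e.g. "drwx------". ls is used because the
# stat flags differ between Linux and macOS.
mode_string() { ls -ld "$1" | cut -c1-10; }

# Return 0 when group and others have no access bits at all. Both sides apply
# this test: sshd ignores an authorized_keys that others can write, and the
# OpenSSH client on a Mac ignores a private key that others can read (the
# "Permissions ... are too open" message later in this post).
owner_only() {
  case "$(mode_string "$1")" in
    ????------) return 0 ;;
    *) return 1 ;;
  esac
}
```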
With my VPS, this gets around using their inbuilt key generator which requires a password. I have additional security in that it won’t accept a connection from an IP address that is not white-listed in the firewall so an extra password kind of defeats the purpose of using a private key – for my use case anyway. I’m not using a shared computer.
The other thing you may want to change is the SSH server configuration file. This is located at /etc/ssh/sshd_config; look for and change the line that says:
and change it to no (as per below). Then ssh will always require a private key to connect.
Also look for and change these:
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
They will not be on contiguous lines.
WARNING: Do not disable password authentication before you verify you can connect using the key, otherwise you will end up locked out!
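Because the three settings are scattered through the file, it is easy to edit a commented-out copy or a second occurrence and think passwords are off when they are not. This added example (mine, not from the post) reads the value sshd will actually use and gives a key-only test to run from a second terminal before the restart; it assumes POSIX sh and that the config path, key file, user and host are passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the effective value of an
# sshd_config keyword and checks the three settings named above before
# password logins are switched off. Assumed: POSIX sh; paths, user and host
# are supplied by the caller.

# sshd takes the FIRST uncommented occurrence of a keyword (later duplicates
# are ignored), and lines after a "Match" block apply only to that block.
# Print that first value, or the supplied default when the keyword is absent.
sshd_effective() {
  file="$1"; key="$2"; default="$3"
  val=$(awk -v k="$key" '
    tolower($1) == "match" { exit }        # stop at the first Match block
    /^[ \t]*#/ || NF == 0 { next }         # skip comments and blank lines
    tolower($1) == tolower(k) { print $2; exit }
  ' "$file")
  printf '%s\n' "${val:-$default}"
}

# Return 0 when the config is in the key-only state described above.
# Defaults are OpenSSH's: PasswordAuthentication yes, PubkeyAuthentication
# yes, ChallengeResponseAuthentication yes.
sshd_keys_only() {
  f="$1"
  [ "$(sshd_effective "$f" PasswordAuthentication yes)" = no ] &&
  [ "$(sshd_effective "$f" PubkeyAuthentication yes)" = yes ] &&
  [ "$(sshd_effective "$f" ChallengeResponseAuthentication yes)" = no ]
}

# Before restarting sshd with passwords disabled, prove the key alone works
# from a SECOND terminal (keep the first one open). BatchMode makes ssh fail
# instead of prompting, and PreferredAuthentications=publickey stops a
# password fallback from hiding a key that is not actually accepted.
verify_key_login() {
  ssh -o BatchMode=yes -o PreferredAuthentications=publickey \
      -i "$1" "$2@$3" true
}
```

Run `sshd_keys_only /etc/ssh/sshd_config && verify_key_login ~/.ssh/key user host` (your own paths) and restart sshd only when both succeed; `sshd -t` will additionally catch a syntax error in the file.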
Setting up PuTTY
First open PuTTY and specify a host name (usually an IP address, or it could be a domain name) and also specify a name for the Saved Session. Then you will be able to open the session next time just by double clicking the session name in the list.
Next, open the Connection > Data option and enter the username for the session.
Last, open the Connection > SSH > Auth menu and specify the PPK file you want to use. Again, remember the location will be something like
C:\Users\user-name\AppData\Local\VirtualStore\Program Files (x86)\PuTTY\name-of-key.ppk
Once finished, go back to the session screen and save the session.
Setting up WinSCP
On the opening screen of WinSCP, select SCP as the file protocol, enter a host name (either an IP address or a domain name) and enter a username. Click on the Advanced button.
Click on the SCP/Shell menu. If you don't see that option it means you didn't select the SCP file protocol above.
Change the Shell to use sudo su -
If you don't do that then you won't be able to edit most files (outside the home folder for the user) and you won't be able to write to most folders either.
Select Authentication from the menu and configure your private key file as you did in PuTTY.
Then click OK and click on Save when you return to the main menu and enter a name for the session. You won’t need to specify a password for the session if you are using a PPK file.
How do I connect with a Mac?
With a Mac it's all somewhat more complicated than you might think or hope.
I have a program on my Mac called iTerm which you can download for free. It performs the same function as PuTTY. There is also a downloadable version of PuTTY you can get and install on a Mac.
The main difference on a Mac is that to use private keys, they require a different format than the .ppk files we created for Windows. It's a bit beyond the scope of what I am discussing here to go through creating these files on the Mac. If you have a Windows computer, the .ppk file can be converted to the OpenSSH format used by the Mac. On the Windows computer, run PuTTYgen and select 'Load private key' from the File menu and load the .ppk file (the private key file). Then from the Conversions menu select 'Export OpenSSH key' and copy that file to the user's home folder on the Mac (at least this is the folder it seems to expect on my Mac).
Then from the terminal window enter this command:
ssh -i filename-of-openssh-key username@ip-address-of-machine-to-connect-to
A couple of things can then happen.
First, if you have ever connected before, say for example with a Raspberry Pi that you connect to and later re-image with a new image, Terminal will throw a fit and you will get a great message that will look something like this:
MacBook-Pro-de-myname:~ myname$ ssh firstname.lastname@example.org
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
bx:fa:bx:b4:51:fe:xe:c7:1f:xx:ff:bf:4a:47:68:4a.
Please contact your system administrator.
Add correct host key in /Users/myname/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/myname/.ssh/known_hosts:1
RSA host key for 192.168.xx.xx has changed and you have requested strict checking.
Host key verification failed.
That's a hoot isn't it! Provided you know why the host key changed (you re-imaged the Pi, so the message is expected rather than the man-in-the-middle case it warns about), the easiest way to fix this is by issuing the following command from the terminal:
ssh-keygen -R ip-address-you-are-connecting-to
Then you can try the ssh connection again.
What will then happen is the Mac will pitch a fit saying that the permissions on the key file are too lax:
Permissions 0777 for 'name-of-file' are too open. It is recommended that your private key files are NOT accessible by others. This private key will be ignored.
To correct this, enter the following command:
chmod 400 name-of-file
Fun times! Try and connect again and you’re in!
Alternatively, install PuTTY for Mac
That will give you the following command to enter into the Mac Terminal:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Once Brew is installed, install PuTTY with this command:
brew install putty
NOTE: This currently does not work and installing from source does not work either.
I am only leaving these instructions here in the hope it will be fixed soon.
If you would like a similar interface to WinSCP, try using Cyberduck with the same private key you used in Terminal above. Set up an SFTP connection and connect to see a view similar to WinSCP.
Feel free to leave comments below. Hope this helps you.