This guide shows how to set up PuTTY or MSysGit to use public and private key pairs on Windows to log in securely to a Linux server.
Why? Taken from Ubuntu community doc. If your SSH server is visible over the Internet, you should use public key authentication instead of passwords if at all possible. If you don’t think it’s important, try logging all of the malicious login attempts you get for the next week. My computer – a perfectly ordinary desktop PC – had over 4,000 attempts to guess my password and almost 2,500 break-in attempts in the last week alone. How many thousand random guesses do you think it will take before an attacker stumbles across your password?
With public key authentication, every computer has a public and a private “key” (a large number with particular mathematical properties). The private key is kept on the computer you log in from, while the public key is stored on the .ssh/authorized_keys file on all the computers you want to log in to. When you log in to a computer, the SSH server uses the public key to “lock” messages in a way that can only be “unlocked” by your private key – this means that even the most resourceful attacker can’t snoop on, or interfere with, your session. As an extra security measure, most SSH programs store the private key in a passphrase-protected format, so that if your computer is stolen or broken in to, you should have enough time to disable your old public key before they break the passphrase and start using your key. Wikipedia has a more detailed explanation of how keys work.
Configure OpenSSH on Linux Server:
To enable public key logins in OpenSSH, edit the sshd_config on your server so that it accepts version 2 public key authentication only.
Add or modify the following lines:
# Authentication(NO ROOT LOGIN!):
# Use public keys and where keys are stored
# Don't read the user's ~/.rhosts and ~/.shosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
# similar for protocol version 2
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# To enable empty passwords, change to yes (NOT RECOMMENDED)
Save your sshd_config, but do not load the new settings until you have created your SSH keys, and be sure to have a fall-back plan in case something goes wrong.
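Before loading the new settings, the saved file can be checked for the key-only login policy this section aims at. The script below is an added example, not part of the original guide: the function names are hypothetical, and the keywords and values it checks are standard OpenSSH directives chosen on the assumption that they are what the comments above refer to.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config for key-only login.

# Print the effective value of keyword $2 in file $1. sshd applies the FIRST
# occurrence of a keyword and ignores case in keyword names. Parsing stops at
# the first Match block and Include files are not followed (simplifications).
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match"   { exit }   # global section ends here
        tolower($1) == want      { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if every setting below is set explicitly to the expected value.
# Unset keywords are reported too, since built-in defaults vary by version.
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no ChallengeResponseAuthentication=no \
                PermitEmptyPasswords=no IgnoreRhosts=yes; do
        key=${pair%%=*}
        expected=${pair#*=}
        actual=$(sshd_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: expected $expected, found ${actual:-(unset)}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the later "PasswordAuthentication no" has no effect,
# because the first occurrence ("yes") is the one sshd applies.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
passwordauthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sample config still allows password logins"
rm -f "$sample"
```

To check the real file, call `audit_sshd_config /etc/ssh/sshd_config`, and keep an existing session open as the fall-back while you test the first key login.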
Generate OpenSSH private and public key pair(Server-side):
Log in to the server as the user you want to use and generate a pair of private and public keys on the Linux side. The example here is for the user “user”.
Execute `ssh-keygen -t rsa` to generate a version 2 public and private key pair into directory /home/user/.ssh.
Enter file in which to save the key (/home/user/.ssh/id_rsa)
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
| . + Eo=. |
| . = . *.+.|
| + o + o..|
| = + + |
| S = o . |
| . + o |
| + . |
Next add the newly created key to a file called “authorized_keys” in your .ssh directory:
cat id_rsa.pub >> authorized_keys
Finally, and very importantly, copy the private key id_rsa to your Windows machine. I recommend using WinSCP, a very handy program.
Using MSysGit to login with SSH keys:
The only thing you have to do to get it working in MSysGit is to add a new directory called .ssh in your home directory and place the private key id_rsa downloaded from the server in it. You are now ready to log in. If it doesn’t work, check that MSysGit looks for the key in your home/.ssh.
Next: Using Putty to login with SSH keys: