Key Authentication for PuTTY and WinSCP

Captions
If you're using a Windows computer to remotely manage servers, how do you configure PuTTY and WinSCP, for example, to take advantage of SSH keys for more secure authentication? Well, if that's something you're interested in finding out, then stick around and watch this video, because that's what we'll be going over.

Now, we'll put a timeline in this video in case there's a particular section you prefer to jump to. Just be aware that we're actually going to be using this PuTTY client throughout the video.

So here we are on the actual PuTTY download website, because that's the first thing I need to do, is to actually download the software in the first place. And I do have choices. I mean, I can download the individual executable files, because they're all standalone, but the easiest way for me really, I think, is just to download the entire installation package, because it's not just PuTTY itself that we need, we also need PuTTYgen. So PuTTY is what we'll use to actually connect to the SSH server, and PuTTYgen is what we'll use to actually create the SSH keys that PuTTY itself can use. So the most popular processor these days is going to be a 64-bit processor anyway, so not surprisingly I'm going to click on this 64-bit version of PuTTY. So we'll click on that link and then we'll click on Save to download the software.

Now that that's downloaded, we'll just go to Explorer, we'll double-click on our file. Not really a great deal to answer here, so I'm just going to click on Next. I'm going to leave the default settings for where the actual folder gets installed as is, but you can change this, put the actual file somewhere else if you'd prefer. In my case, I say, I'm just going to leave it as is, click on Next. I'm going to leave these settings as is as well, and I'll click on Install, and then that brings up the User Account Control, just to make sure you do actually want to install this software. So I do, so I'm going to click on Yes. Then that installs the software, and that's pretty much it. I'm going
to deselect that option to view the readme file, and instead I'm just going to click on Finish.

Now, I do want some shortcuts for the actual executables, so I'm just going to minimize my browser here, then I'm going to go over to the C drive, over to Program Files and over to PuTTY. So this is the default location where the software gets installed. If you have changed that location, then obviously that's where you need to go next. Then what I'm going to do is I'm going to take a copy of that executable, so this is the actual PuTTY software itself, and I'm going to paste a shortcut onto my desktop to make my life a bit easier, and I'm going to do the same with PuTTYgen. So I'll copy that, and here's the shortcut. So I've now got the actual two shortcuts on my desktop. So what I can do is I can actually now start connecting to SSH servers using PuTTY.

But this video is all about SSH keys, so that's the next thing we need to start doing, is to actually create SSH keys using PuTTYgen. Now, although PuTTY can actually use SSH keys, it can't actually create any, and that's where PuTTYgen comes in. So we need to actually create our public and private key pair. So I'm going to double-click on PuTTYgen and that launches the software. Now, by default it's going to use the RSA algorithm and it's going to create a key pair of 2048 bits, but what I'm actually going to do is I'm going to change the algorithm to EdDSA. The reason I'm doing that is it is a more modern algorithm, uses smaller bit sizes, and that makes it easier, particularly for the public keys, I find. So it's entirely up to you, you know, which key pair algorithm you want to use. In this case it just happens to be EdDSA. So the next thing to do is to then click on Generate, and as it says, it wants you to move the mouse around, and that's just basically because it needs some randomness, some random data from somewhere, to then create the actual keys. So it didn't take that long to do, and the next thing I'm going to do in that case is change this comment.
You can put whatever you like in here. You can see that the actual comment comes right at the end of the public key itself. What you put in here is up to you, but I'm just going to put something in here that makes it easy for me to identify that this is the Windows key for Fred.

Now, what I will do then is put an actual key phrase in as well. I just need to make sure these match, although it won't actually tell me almost admit until I actually try to save the actual private key. But the reason for doing this is just based on the security model of something you have and something you know. It makes it more secure than a username and password, for example. If I've got the private key but I don't know the passphrase, then I can't use it. Now, I could leave that blank, but that's not really recommended. I mean, you could do it if you're doing, say, automation, for example: you're using SSH keys to connect to other computers and you've got some automated tasks, in which case you can't use a passphrase against that private key, because every time you want to run that actual software you need to put the actual key passphrase in, so it doesn't, you know, make any sense for automation. But for user keys, where, you know, you're logging in as an individual manually, then you definitely want to be using an actual key, certainly something a lot stronger and more complicated than I'm using. I'm just trying to do this for the sake of keeping the video simple, but use a password manager, something that will create a longer, more complicated password than this. And then the idea is, if somebody does get a hold of your private key, which you really want to keep safe and secure, then that person would actually need to know what the actual passphrase is to be able to use it. On the other hand, if there's no passphrase against it, yes, it makes your life easier for logging in, but it's less secure. So for that reason I would always, always recommend using a passphrase here.

So the next thing we need to do is to
actually save the key pairs. So down here we've got an option to save the public key, so I'll click on that, and when it does it, it just remembers the last place that Explorer happened to be. What you call this is entirely up to you. I'm just going to keep things kind of consistent with what I've been doing in a previous video using Linux, for example, where I used OpenSSH. It tends to put a .pub extension on the actual name of the actual key itself, so I'm just keeping that consistent. So in my case it's fredkey.pub. I'm going to click on Save.

Then I'm going to click on Save private key. Now, in this case the actual password I put in and the confirmation of that password matched, so it didn't complain, so that's good. One thing to point out is this: it's going to create a file and it has to end, you know, with an extension of .ppk. This is the format that gets used by PuTTY over here. So I'm just going to call this fredkey, for example, and now it doesn't really matter if I put the .ppk at the end, it's going to put that on anyway. So if I click on Save, if I go over to my Documents folder over here, you can see it's already created that file called fredkey.ppk. So whether I put the extension on or not, it was going to save it with that extension.

So I've now got two files. I've got fredkey.ppk, so this is my private key, and you can see Windows recognizes it there as a PuTTY private key file, whereas this is the private key, the public key rather. So this is the actual key that we need to get onto the actual server in order that we can actually connect using SSH and using the actual key. But we'd also have to configure PuTTY itself to use it.

So the next thing we need to do is to actually connect to our actual SSH server and get this public key uploaded. Now, there are different ways that I can actually get that public key onto the server, but because I need to actually create a new file for the user account that the server can use to actually then take advantage of SSH keys, I may as
well just copy and paste the contents of that key into the file while I'm creating it. So for that reason I'm going to launch a new PuTTY session, put in the actual IP address of our server, so this is just a test server that I've set up for the video. As you can see, by default it's using SSH to connect, so I can just click on Open. Now, because I didn't supply a user, it's actually prompting us for a username, so in my case it's fred. Now, one thing to point out is this prompt here, where it's prompting us for fred's password. So bear in mind this is going to be different when we're using the actual SSH keys to authenticate, so this is a good way to actually tell whether you're being authenticated against a username and password or against SSH keys. But in any case I need to supply the actual password for fred. Let's see if that's correct. Yes, it is.

So what I now need to do is to create a new folder. So this is a folder where the OpenSSH server is going to actually look for authorized keys. So I'm going to create this new folder, and it's called .ssh, so the dot means it's a hidden folder. I'm going to switch over to that folder, and the file that it's going to be looking for is called authorized_keys. I'm just going to double check I've spelled that correctly and hit return. Now, it's called authorized_keys, plural, because you can actually store multiple public keys in here. The idea is you can have key rotation, for example. And just bear in mind that this file is stored in the user's own folder, meaning that this particular file is only of relevance to fred here, that we're logged in as. Every user has their own home folder, has their own .ssh folder, their own authorized_keys file storing public keys, and so on. So that's just something to bear in mind.

In any case, I need the actual contents. OK, so I'm just going to minimize either window there and I'm going to actually launch PuTTYgen again, because if I open up the public key that we've got here and open that up
using Notepad, you can see the contents are somewhat different to what I'd want to put into that actual file, so I'm just going to close that. So if you don't already have PuTTYgen open, we can just open that private key back up again. So we click on Load, point it to a private key. I'll have to supply it with a password, or passphrase if you will, of that actual private key, because that key is now protected, which is exactly what we want. So I'll click OK, and now we've got all of our details back. So I'm just going to copy the entire contents of that public key, because that's what we want, and I'll paste that into our file. So you can see that's what we've got. So I want to save this, so I'm going to exit out, say yes to save the changes, hit return, say we want to save it in that same file, and that creates our authorized_keys file that stores a public key.

Which means that if we now try to log into this computer and use our private key, the server is actually going to come and look into this folder and into this particular file. It'll generate some random data and it'll encrypt the actual data using the public key that we've got in here. It'll send that back to PuTTY, and then it's up to our actual, you know, PuTTY client to then decrypt that actual encrypted random data, and it'll use that to validate that it is the actual, you know, genuine user who's logging in.

So the next thing we need to do, though, is to actually set up PuTTY to actually use SSH keys. Now, when it comes to PuTTY, you actually need to tell it which private key you want to use, because by default all it's going to do is, well, try and log in, and you'll get prompted for your username and password. You've actually got to configure PuTTY to reference a private key, which in turn tells the server you want to use SSH authentication. So I'm just going to paste in my IP address for a test server to make my life a bit easier. I'm going to expand out the SSH details here, then I'm going to go down to this section here, Auth, and
then now what we need to do is point it to the actual private key we want to use for this session. So I'm going to click on Browse, we'll point it to the private key that we created and click Open, and then if I click Open again, you can see we're now connecting in. I didn't supply it with, you know, an actual username to log in with, so we're being prompted for one, so I'll put that in. And now you'll notice that the prompt is different. So, like I was saying in a previous section, before we were actually being prompted for an actual password. Now, that's the user account and password authentication. Now we're being prompted for the passphrase for the key, so you can tell now that we're actually going through SSH key authentication. So a good way to tell the difference between the two is based on whatever that prompt is. So assuming I can put the proper password in, we should be able to authenticate with the actual SSH key now. So there you go, we're now logged in.

Now, practically, that's not really good, because it's a case of you're going to have to do that for every session, and chances are you're going to be saving sessions anyway. So if we open PuTTY back up again, what I could do is I can actually save the key with the session. So I can create a new session, for example. I can call it test1 for the name of the server, but I want to store that private key so that it remembers, every time we connect in using that session, it'll always use the private key. So go back down to SSH again, go back to Auth, point at the private key. So I'll go back up to the session again, just make sure that's still pointing as, Save. If I exit out, open PuTTY again, if we go to our test1 session and then load that in, you can see there's our IP address. Come back down to our Auth section, there's our private key. So that's one way to actually get it to remember. I mean, you can make these even easier. I mean, if you want, you can actually store the username in there if you'd prefer. It's a bit of an extra security risk in
that you're giving the actual name of the actual user away, although in my case, to be fair, the actual name of the key kind of gives it away. But that's something to bear in mind, is that you may really not want to be storing the actual, the key as part of the session, in case that config file, because this all gets stored in config files, it's something that's going to get potentially stolen, for instance, in which case somebody's already got now the advantage of knowing what your username is. They still need to know what the actual key phrase is, they still need to have the actual key, but security is always, always about layers. It's always about making things as difficult as possible.

Now, one thing I want to point out is that if I have to keep doing this for every server and I've got lots of servers, it's not going to be all that practical. So what I could do, for example, is, well, typically I'm going to probably use the same private key for every server that I connect into, in which case what I could do is I could save the actual private key as part of the default settings. So if I go to Default Settings and just load those in, there's nothing there at the minute, but if I go down to the SSH section again, go down to Auth, point it to the private key and then tell it to use that private key, but go back to my session, point it to the Default Settings and click Save. And I'll come out again just to show you that it's being saved. So I'll load PuTTY back up again. If we come down to SSH, down to Auth, it's now stored as part of the default session. So that's quite useful, I find. So again, you know, I'll just have to type the name, I'll add the IP address of this server, 172.16.17.
dot 19 rather, not two to nine. If I just click Open now, don't get prompted to log in with our user account, hit return, put passphrase in. Nope, still get it wrong. Nope, still click wrong. Maybe I'm just typing it too quick. So there you go.

Now, if we launch PuTTY again, that's part of the default session now. So if I actually type in the IP address, put in, say, call that test, test number three, for example. Technically the server is called test1, but just for the sake of this, let me click on that and save it as test3. Come back out again, we'll open PuTTY just for testing this. We'll go to test3, we'll load that session in, we'll open that up to log in as Fred. So you can see, because the default session has been configured to use that specific private key, every session, every new session that I create, is always going to be using that same private key. So that's a way of making your life easier, I think, by saving that as part of the private key, the, saving the private key as part of your default session. It saves you having to do it for every, you know, individual, it's basically one less, you know, bit of information to store as part of these individual server sessions.

And bear in mind these sessions, you can use them not just specifically in PuTTY. There are other tools, like SuperPuTTY for example. It gives you tabbed SSH sessions, for example, and all it does is it just links in with the PuTTY that you've got, so any saved sessions in here, it'll be pulling that information out of here. So it does make life a lot easier by saving that as part of the default settings. Now, obviously, if you've got other servers that need different keys, then you would have to change the key for that individual server session you've got, but to me, I think that's probably the easiest way to do it. So it's relatively easy to actually save that private key and use the authentication using SSH keys, and it's pretty easy to spot the difference. The only thing is, we want to be extra secure,
we actually want to stop people being able to log in with the username and password. Because if I go to connect from another computer and log in as Fred without that private key, or without PuTTY set up to use a private key, it's going to go through the same username and password authentication. But I actually want to enforce SSH keys going forward, which means I need to make a change within the server so that it only accepts SSH key authentication going forward.

Now, although we've uploaded a public key for Fred, and although we've actually got PuTTY configured to use a private key, which means we can now use SSH key authentication, the trouble is Fred could easily just disable that option within PuTTY, or could log in from a different computer. In fact, anybody who's got an account on this server could just log in and use password authentication, which is not as secure. So we actually want to disable that feature, we want to enforce SSH key authentication, but that needs a change within the actual server itself, which means I've had to log in using an account that's got sudo rights. The alternative would be to, you know, switch over as the root user, for example, if it was a different Linux distro, but this is Ubuntu and this user's got sudo rights, so that's what we're doing.

So I need to make a change. I need to edit the actual configuration file first, and I'm going to use the nano editor. It's entirely up to you what you want to use, but the file is in the /etc/ssh folder and it's the config file for the SSH daemon, so /etc/ssh/sshd_config is the following change. So I'll hit return, put my password in. Oh, nope, didn't like that. I think it's just because I'm taking things too fast. But when it comes to Ubuntu, one thing I've noticed is that if we go down to here, there it is, this particular line is commented out, which is PasswordAuthentication yes, which means allow password authentication. For whatever reason, if you go right to the end you'll
actually find that same line, but it's not commented out. So this is the line that actually, you know, needs to be changed. So I'm actually going to change that over to say no, which means it's going to refuse password authentication going forward. We'll save that change. Now, what I need to do is restart the actual OpenSSH service. We'll restart ssh. So just double check that that's restarted. Yep, that's back up and running.

So if we now try to connect into the actual server, what I've done is I've actually disabled the default settings, so now when we try to connect in we'll go through password authentication. So just pasting in the actual IP address to make life a bit easier, I'll click on Open, login is fred, and there we go, it's refusing access, because it's saying public key. We need a public key authentication process to follow through on here. It's just not supported to use password authentication. So what I'll do is I'll launch PuTTY again, we'll load up our test1 session, because that does have the private key, click on Open, I don't want to log in as fred, so now it is prompting us for the key. So hopefully I can get the password right this time, and there you go.

So now, as you can see, because I've changed the actual behavior within the config, it's no longer going to allow password authentication. So that's something to bear in mind going forward, is that anybody who now wants to log into this server does need an actual public key uploaded onto the server. The client that they're using needs to be configured to use a private key. That in turn is what prompts the actual server to then use or look for an actual public key as part of the authentication process. But this does make things a lot more secure than just a username and password, because it all boils down to, now it's a case of something you have and something you know. Somebody needs to know what the actual passphrase is for this private key, and they actually need to be in possession of this private key in
order to now be able to authenticate and get access into that server remotely using SSH.

Now, PuTTY doesn't support OpenSSH keys. That's why we're having to create a special PPK format file for PuTTY to use. So if you've got a server like this one, for example, and you've already set it up to use OpenSSH keys, then the problem you're going to have is you won't be able to connect unless you make some slight changes. So, for example, what I've got at the moment, I've changed the actual authorized_keys file here. This is actually using a public key that was created on a Linux computer in a previous video. So it's a case of, if I now try to connect using that PPK file that I just created from PuTTYgen, it's not going to work. The private keys and the public keys are completely independent, totally different from one another. So I've got choices. I mean, I could edit the authorized_keys file and add in the public key that goes with the private key we created using PuTTYgen to create this PPK file that PuTTY itself could use. Alternatively, what we can do is actually convert our already existing private key that was created using OpenSSH into a PPK format, and then that makes it compatible with PuTTY.

So if I open up PuTTYgen, and then we go to Conversions and then tell it to import a key, if I go to my Linux folder here, because this is where I've been storing the actual private key and the public key from my Linux computer, I'll point it to the private key, because that's what we need to open. Then I need to provide it with the passphrase for that specific private key. You can see it does support OpenSSH, so PuTTYgen can actually support OpenSSH. The problem is it's PuTTY itself, it doesn't. So we've now actually got to convert this over into a PPK file that PuTTY can use. Now, I wouldn't be too concerned about these algorithm settings down here. These are just used for actually generating a key. When we actually go and click Save private key, that information is already there anyway, so
don't be too concerned about the fact that this always, you know, defaults to RSA. It's not going to have any impact when we save the new private key as a PPK file. But anyway, now that's all loaded in, we need to actually convert it over to PPK, so we've just got to click Save private key. We don't need to do anything with the public key. It already exists, it's already on the server. We just need to click on Save private key to convert this into a PPK file that PuTTY can use. So I'm going to go over to my conversion folder, I'm just going to call this fredconvert, for example, I'm going to click on Save, and then that creates me a PPK file.

So if I then go into PuTTY, if I paste my IP address in, I need to point this actual session that we're doing over to the actual conversion file that I've just created. So I'm going to go over to my conversion folder here, pointing to the fredconvert.ppk file. We go back up to the session, so we're connecting to the same computer, except we're now using an imported key from Linux that was created using OpenSSH, and we've converted it over into a PPK format that PuTTY can understand. So I'll click on Open. Now, again, there was no information in there about what user account to use, so I need to provide that. So I'm going to log in, it's fred, and you'll notice this time around how the comment's different, and that's because this is a comment that I've used in a previous video when I was setting up OpenSSH keys. So I'll put in a password for this particular key, hit return, and there you go.

So there is only one actual key created, if I just come back to this session, and that's the one that was created through Linux. But as I say, I mean, it's called authorized_keys, meaning I could have actually just pasted the public key that we created earlier into this text file and it would have gone through that process and it would use that. I suppose it's entirely up to you how you want to deal with it, because with this process that I've done, by
importing it, converting it, it just means all I need to do is maintain one public key on all of my servers, whereas if I've got different Windows computers and different Linux computers, and I'm using different keys for Windows versus Linux, I'm going to have to maintain multiple keys on multiple servers. So to me, I think this is the easiest strategy to actually use. Pretty straightforward to do. You can even actually export an actual key. There's an option to export there as well if you want to, so if you've actually created a key with Windows, you can then export that into a format used by Linux. So that's another option you can do.

Now, if you're using a Windows computer to get remote access to a server using SSH, then chances are you're also using WinSCP for file transfers, because this can take advantage of SSH for SFTP or SCP, for example. Now, I'm not going to actually go over the download and installation process, because that's pretty straightforward. I mean, just click on the Download Now button and then we just click on the next download button. It just helps to show you which version is available at that moment in time. One thing I'll point out, though, is it needs PPK files, because what we want to do is actually set up WinSCP to actually use SSH keys for the authentication, because going forward we won't be able to just use a username and password to connect to the server anymore. We need to actually have an SSH key that's going to be accepted on that server.

So I've already downloaded and installed the software. The installation process is really easy to do. The only reason I went over it with PuTTY was just to make sure that you get the PuTTYgen software as well as PuTTY itself. But in any case, once you've installed it, right at the end it'll ask if you want to import any existing sessions from PuTTY, so as long as you've actually installed PuTTY into the default location, it'll find it easily enough. But in my case I didn't bother with that, because my existing session doesn't
work anyway. So here we've got WinSCP. So what I need to do is set up a completely new session, so I'm just going to click on the New Session option up here. And I could still import the actual existing sessions from PuTTY if I wanted to. If I click on Tools and then click on Import Sites, there it gives me a list of existing sessions in PuTTY, but that session's just not going to work anymore. We're now using a different public key to what that session was set up to work with.

So for this particular session we're going to do SFTP as the file protocol, although there are other options you can use for doing file transfers. I need to give it the name, FQDN or IP address of the server, so this is our test server that I've got running at the minute. Now, I can put the username in here to make things a bit easier, saves me having to go through the actual login process when we connect. But what I do need to do is to actually point this to an actual PPK file, otherwise it's just not going to be able to connect. So I'll click on the Advanced button here, and then once that comes up we go down to the SSH section, down to Authentication, and this is where we point it to the actual public key. Now, in my case I've actually got it pointed to my converted keys, so this is a private key that was basically created in OpenSSH and has now been converted over so that it's in a PPK format that PuTTY, and WinSCP in this case, can also use. So we'll tell it to use that particular private key, and I'll click on OK, and then we're going to click on Login.

So if it goes and connects now, it's the first time it's connected, so it's going through a security check where it wants you to check the actual fingerprint. So I'm just going to say Yes, because I know that's the server I want to use. As you can see here, it's asking for the passphrase for the key thread attempt lab.land, so I know it's actually going through the process of SSH key authentication. So I'll put the details in for my password, hopefully
I'll be able to put that in correctly, and there it goes, it's now got a session. So the thing to bear in mind is that, because we've logged in as a user, effectively we've only really got any control over, say for example, Fred's home directory, because we've logged in as Fred. I mean, we could go further up the chain if we wanted to, but there's going to be areas we can't really touch anyway. I mean, you can go in certain areas, but we can't read them, we can't change things anyway. So that's just something to bear in mind, based on who you're actually connecting as. So that's pretty straightforward to actually connect.

So what I'm going to do is I'm just going to disconnect that session, because, well, what you can do, and although you can actually click on the Save button there and save the session details, I mean, I wouldn't recommend saving the actual username with it. What I actually want to do is I actually want to set up a default key, so it doesn't matter which server I connect in using WinSCP, I want to just use the same key going forward. Because, I mean, I am logged in as a different user, I'm not actually logged into Windows as Fred, but if I were, I would be OK. So I'd always want to be using this key that belongs to Fred anyway to connect to other servers.

So in order to actually set that key up as the default key for all sessions going forward, I need to click on the Advanced button here to get access to the settings, go back to our SSH and Authentication details here. I'm going to point it at the private key again for Fred, and then I'm going to click on OK. Now, I actually want to save this as a default setting, so I'm going to go to Manage and then I'm going to click Set Defaults, and as it says there, do you want to set the current settings as the default, so I'm going to click OK. So if I close that, I'll just come out of WinSCP, so I'll start WinSCP back up again just to show you. So if I go, well, it automatically opens up and assumes that I want to start a new session. I'll just
put in the details of that specific server again, so 172 16. 19. 19.59. I'll put in Fred's details, click on Login. Now, that's the one thing I wanted to point out, was the fact that even though I put a password in, that's to do with username and password authentication, so it doesn't have any benefit really putting it in there. It's still prompting me for the passphrase for the key, so I'll put that in, and hopefully again I'll put that in properly, and there we go, we've now got our session set up.

So it just means every time we create a new session, if I go down to the Advanced option there and then go down to SSH key authentication, you can see this is now, going forward, the default key. So every time I create a new session, that session is going to be trying to use that PPK file for SSH key authentication. So I think that does make life a bit easier. I mean, when you save these sessions, I wouldn't recommend saving the username with it. If you want to save a new session, I mean, it's better to use, you know, the FQDN than what I'm using with IP addresses, but this is just a test server. So you can just click on Save, it asks you what you want to save it as, you can give it a different name, you can set up folders so you can, you know, organize all this. But it just means going forward I've got sessions that I can keep using. Or again, I mean, I can always import from PuTTY, for example. I mean, the two tend to go hand in hand, so chances are you've probably connected in using PuTTY in the first place, in which case you create the session in PuTTY and then import it into WinSCP anyway.

But it's very easy to set up, and it just means that I've now got a means to connect to the server remotely using PuTTY, for example, to get command line access using my SSH keys for authentication, but I've always got this option using WinSCP as well to do file transfers. So the two go hand in hand, basically, because WinSCP is dependent on PuTTY. So pretty straightforward to do, and so do hope
that's helped.

Well, thanks for making it to the end of this video. I really do hope you found it useful. If so, then do click the like button and share, because that encourages YouTube's algorithm to suggest it to other people who might find it useful as well. If you're new to the channel and you'd like to see more content like this, then do subscribe. Just remember to click the little bell icon though, that way you'll get notifications when I send new content out. If you've got any comments, any suggestions, if you want to leave any feedback at all, please post that in the comment section below. And if you'd like to support the channel, I've left links to both Patreon and PayPal in the description below. But above all, thanks very much for watching. I'll see you in the next video.
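
Added example (not from the video or its author): the captions describe an sshd_config with a commented-out `PasswordAuthentication yes` and an active copy of the line at the end of the file. sshd keeps the first value it obtains for each keyword and reads `Include`d files at the point where the `Include` line appears, so this sketch resolves which line actually wins. The file names, the drop-in and the config contents are constructed, and the main file starting with an `Include` line is an assumption about the server's layout.

```python
import glob
import os
import re
import tempfile

# A directive is "Keyword value" or "Keyword=value"; the keyword is case-insensitive.
LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+?)\s*$")


def directives(path, base_dir):
    """Yield (keyword, value, file, lineno) in the order sshd reads them.

    Simplification (assumption): reading of a file stops at its first Match
    line, so only global-scope settings are reported.
    """
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            if raw.lstrip().startswith("#"):
                continue  # commented-out lines never count
            m = LINE.match(raw)
            if m is None:
                continue  # blank or unparsable line
            key, value = m.group(1).lower(), m.group(2).strip('"')
            if key == "match":
                return
            if key == "include":
                # Included files are read in place, in sorted order.
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base_dir, pattern)
                    for included in sorted(glob.glob(pattern)):
                        yield from directives(included, base_dir)
                continue
            yield key, value, path, lineno


def effective(path, keyword, default):
    """Return the value sshd would use, where it came from, and what it shadows."""
    base_dir = os.path.dirname(os.path.abspath(path))
    hits = [d for d in directives(path, base_dir) if d[0] == keyword.lower()]
    if not hits:
        return {"value": default, "source": "built-in default", "shadowed": []}
    _, value, src, lineno = hits[0]  # first obtained value wins
    return {
        "value": value,
        "source": f"{os.path.basename(src)}:{lineno}",
        "shadowed": [f"{os.path.basename(p)}:{n} ({v})" for _, v, p, n in hits[1:]],
    }


# Constructed sample: the layout described in the captions, plus an Include line.
MAIN_CONFIG = """\
Include sshd_config.d/*.conf
#PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication no
"""
DROP_IN = "PasswordAuthentication yes\n"  # constructed drop-in file


def demo(with_drop_in):
    """Build the sample tree in a temp dir and resolve PasswordAuthentication."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sshd_config.d"))
        main = os.path.join(root, "sshd_config")
        with open(main, "w", encoding="utf-8") as fh:
            fh.write(MAIN_CONFIG)
        if with_drop_in:
            drop = os.path.join(root, "sshd_config.d", "50-example.conf")
            with open(drop, "w", encoding="utf-8") as fh:
                fh.write(DROP_IN)
        # sshd's built-in default for PasswordAuthentication is "yes".
        return effective(main, "PasswordAuthentication", default="yes")


if __name__ == "__main__":
    for flag in (False, True):
        print("drop-in present:", flag, "->", demo(flag))
```

On a real host, `sudo sshd -T` prints the configuration sshd resolved and is the authoritative check after any edit.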
Info
Channel: Tech Tutorials - David McKone
Views: 14,220
Keywords: winscp ssh private key, putty ssh private key, ssh key putty, ssh key winscp, putty ssh key, winscp ssh key, windows generate ssh keys, windows ssh key authentication, winscp, scp, sftp, ssh, public key, private key, putty, puttygen, wincsp, keys, generate keys, ed25519, create windows ssh key, windows ssh keys, key authentication for putty and winscp
Id: OTgnONXDcgg
Length: 37min 26sec (2246 seconds)
Published: Sun Dec 05 2021