--------------------------------------------------------------------------------
Pageant

Before you run Pageant, you need a private key in PuTTY's *.PPK format. Use an RSA key of at least 2048 bits (PuTTYgen's current default); 1024-bit keys are no longer considered adequate.

The PuTTY developers recommend RSA over DSA. Every DSA signature depends on a fresh, unpredictable random value; if that value is weak or reused, a single signature contains enough information to recover the private key. Modern OpenSSH servers also no longer accept DSA (ssh-dss) keys by default.

Pageant can automatically load one or more private keys when it starts up if you give them on the Pageant command line:

    C:\PuTTY\pageant.exe d:\main.ppk d:\secondary.ppk

If the keys are passphrase-protected, Pageant asks for the passphrases at startup.

You can arrange for Pageant to start another program once it has initialised itself and loaded any keys given on its command line. That program (a PuTTY session, a WinCVS that uses Plink, or anything else that talks to Pageant) can then use the loaded keys. Specify the -c option; the rest of the command line is the program to run and its arguments:

    C:\PuTTY\pageant.exe d:\main.ppk -c C:\PuTTY\putty.exe

--------------------------------------------------------------------------------
Linux/Unix OpenSSH

    client$ mkdir ~/.ssh
    client$ chmod 700 ~/.ssh
    client$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

Choose a passphrase when prompted; add -b 4096 if you want a larger key than the ssh-keygen default.

File permissions should be locked down so that other users cannot read the key pair. OpenSSH also enforces this: the ssh client refuses to use a private key file that is readable by others, and sshd (with the default StrictModes yes) ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. Apply these fixes on every system involved:

    $ chmod go-w ~/
    $ chmod 700 ~/.ssh
    $ chmod go-rwx ~/.ssh/*

The public key goes into ~/.ssh/authorized_keys on the server (next section). Early OpenSSH 2.x releases kept SSH-2 keys in a separate file called authorized_keys2; modern versions use a single authorized_keys file for every key type (and still read authorized_keys2 by default for compatibility).
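The three chmod commands above fix permissions but do not tell you what was wrong, and a mistake in any one location is enough for sshd to silently ignore the key. The following POSIX shell script is an added example, not code from the original page or from the OpenSSH project: it audits a home directory against exactly those rules (reporting each violation), applies the fixes, and wraps the page's ssh-keygen invocation. The function names (mode_of, ssh_audit_perms, ssh_fix_perms, ssh_make_key) and the 4096-bit RSA default are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenSSH. Function names
# (mode_of, ssh_audit_perms, ssh_fix_perms, ssh_make_key) are this example's own.
# Portable POSIX sh: no stat(1) flags, only ls -ld and case patterns.

# mode_of PATH: print the 10-character mode field, e.g. "drwx------".
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# ssh_audit_perms HOME_DIR: report every permission that OpenSSH objects to.
# Returns 0 when the layout is clean, 1 otherwise. The checks mirror the page:
#   chmod go-w ~/   chmod 700 ~/.ssh   chmod go-rwx ~/.ssh/*
ssh_audit_perms() {
  _home=$1 _rc=0
  # Group-write is character 6 and other-write is character 9 of the mode field.
  case $(mode_of "$_home") in
    ?????w????|????????w?) echo "BAD: $_home is group- or world-writable"; _rc=1 ;;
  esac
  if [ ! -d "$_home/.ssh" ]; then
    echo "BAD: $_home/.ssh is missing"; _rc=1
  elif [ "$(mode_of "$_home/.ssh")" != "drwx------" ]; then
    echo "BAD: $_home/.ssh is not mode 700"; _rc=1
  fi
  for _f in "$_home"/.ssh/*; do
    [ -e "$_f" ] || continue            # empty directory: the glob did not expand
    case $(mode_of "$_f") in
      ????------) ;;                    # no group/other bits at all: fine
      *) echo "BAD: $_f is readable or writable by group/others"; _rc=1 ;;
    esac
  done
  return $_rc
}

# ssh_fix_perms HOME_DIR: apply the page's three chmod commands.
ssh_fix_perms() {
  chmod go-w "$1"
  chmod 700 "$1/.ssh"
  for _f in "$1"/.ssh/*; do
    if [ -e "$_f" ]; then chmod go-rwx "$_f"; fi
  done
}

# ssh_make_key HOME_DIR [TYPE] [BITS]: the page's ssh-keygen invocation with an
# explicit key size (4096-bit RSA is this example's assumption, not the page's).
# ssh-keygen prompts for a passphrase; -b is ignored for ed25519 keys.
ssh_make_key() {
  _type=${2:-rsa}
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
  mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
  ssh-keygen -q -t "$_type" -b "${3:-4096}" -f "$1/.ssh/id_$_type"
}

# Usage:  sh ssh_perms.sh audit [HOME]   |   sh ssh_perms.sh fix [HOME]
case ${1:-} in
  audit) ssh_audit_perms "${2:-$HOME}" ;;
  fix)   ssh_fix_perms "${2:-$HOME}" && ssh_audit_perms "${2:-$HOME}" ;;
esac
```

Run the audit on both the client and the server account: the same three rules apply to the ~/.ssh that holds id_rsa and to the one that holds authorized_keys, and a non-zero exit tells you which location sshd would reject.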
Copying to other Servers

    client$ scp ~/.ssh/id_rsa.pub server.example.edu:
    server$ mkdir ~/.ssh
    server$ chmod 700 ~/.ssh
    server$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
    server$ chmod 600 ~/.ssh/authorized_keys
    server$ rm ~/id_rsa.pub

Copy only the public key (id_rsa.pub); the private key never leaves the client. Note that "cat >>" appends unconditionally, so running these steps twice leaves a duplicate entry in authorized_keys. (ssh-copy-id, which ships with OpenSSH, performs the same steps in one command.)

If the following test fails, consult the debugging notes.

    client$ ssh -o PreferredAuthentications=publickey server.example.edu
    Enter passphrase for key '/…/.ssh/id_rsa': …
    …
    server$

Key Access Limits

As an optional step, a from= option can be placed in front of a public key entry in the server's ~/.ssh/authorized_keys file to limit which client hosts may authenticate with that key. Without a from= limit, anyone holding the private key can connect to the server from anywhere. If the key pair should only work when the client connects from a host under example.edu, set from="*.example.edu" before the public key data:

    server$ cat ~/.ssh/authorized_keys
    from="*.example.edu" ssh-rsa AAAAB3NzaC1…

If a text editor is used to add the from option, make sure the entry is saved as a single line; some editors wrap the long public key and thereby corrupt the entry. Each public key in ~/.ssh/authorized_keys must occupy exactly one line.

Patterns are matched against the client's IP address and against the hostname that sshd obtains by a reverse DNS lookup of that address, so a hostname pattern is only as trustworthy as that DNS; prefer address patterns where they suffice. Multiple hosts or addresses are given as comma-separated patterns, and a pattern prefixed with "!" is a negation. For the full syntax of the from option, see the AUTHORIZED_KEYS FILE FORMAT section of sshd(8) and the PATTERNS section of ssh_config(5).

    from="*.example.edu,10.*,external.example.com" …

--------------------------------------------------------------------------------
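The following POSIX shell script is an added example, not code from the original page or from the OpenSSH project. It does the server-side installation step safely (refusing a public key file that an editor has wrapped onto several lines, creating ~/.ssh and authorized_keys with the required modes, and appending the entry only once, unlike the page's "cat >>") and lets you test a from= pattern list against a client hostname and address before relying on it. The function names (authorized_key_line, install_authorized_key, from_allows) are this example's own. from_allows approximates sshd's matching (comma-separated list, "*" and "?" wildcards, "!" negation, each pattern tried against both hostname and address); it does not handle CIDR patterns and, unlike sshd, takes the hostname as an argument rather than from reverse DNS.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenSSH. Function names
# (authorized_key_line, install_authorized_key, from_allows) are this example's own.

# authorized_key_line PUBKEY_FILE [FROM_PATTERNS]
# Print the one line to add to authorized_keys, with an optional from="..."
# option in front. Refuses a public key file that is not exactly one line,
# which catches editor-wrapped keys before they corrupt authorized_keys.
authorized_key_line() {
  [ -r "$1" ] || { echo "refusing $1: not readable" >&2; return 1; }
  _n=$(grep -c '' "$1" || true)          # counts an unterminated last line too
  if [ "$_n" -ne 1 ]; then
    echo "refusing $1: public key must be exactly one line (got $_n)" >&2
    return 1
  fi
  _key=$(cat "$1")
  case $_key in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
    *) echo "refusing $1: not an OpenSSH public key line" >&2; return 1 ;;
  esac
  if [ -n "${2:-}" ]; then
    printf 'from="%s" %s\n' "$2" "$_key"
  else
    printf '%s\n' "$_key"
  fi
}

# install_authorized_key SSH_DIR PUBKEY_FILE [FROM_PATTERNS]
# Idempotent version of the page's "cat >> authorized_keys": creates the
# directory and file with the modes sshd requires and appends the entry
# only if that exact line is not already present.
install_authorized_key() {
  _dir=$1 _ak=$1/authorized_keys
  _line=$(authorized_key_line "$2" "${3:-}") || return 1
  mkdir -p "$_dir" && chmod 700 "$_dir"
  [ -e "$_ak" ] || : > "$_ak"
  chmod 600 "$_ak"
  if grep -qxF -- "$_line" "$_ak"; then
    echo "already present in $_ak" >&2
  else
    printf '%s\n' "$_line" >> "$_ak"
  fi
}

# from_allows PATTERN_LIST CLIENT_HOST CLIENT_IP
# Approximates how sshd evaluates a from= list: patterns are comma separated,
# "*" and "?" are wildcards, a leading "!" negates, and each pattern is tried
# against both the hostname and the address. A negated match denies at once;
# otherwise the key is usable only if some positive pattern matched.
# Not covered: CIDR patterns; sshd derives CLIENT_HOST itself via reverse DNS.
from_allows() {
  _rest=$1 _host=$2 _ip=$3 _positive=1
  while [ -n "$_rest" ]; do
    case $_rest in
      *,*) _p=${_rest%%,*}; _rest=${_rest#*,} ;;
      *)   _p=$_rest; _rest= ;;
    esac
    [ -n "$_p" ] || continue
    case $_p in
      '!'*) _q=${_p#!}; _neg=1 ;;
      *)    _q=$_p;     _neg=0 ;;
    esac
    # An unquoted variable in a case pattern is matched as a glob, which
    # gives us sshd's "*" and "?" semantics for free.
    _hit=1
    case $_host in $_q) _hit=0 ;; esac
    case $_ip   in $_q) _hit=0 ;; esac
    if [ "$_hit" -eq 0 ]; then
      if [ "$_neg" -eq 1 ]; then return 1; fi
      _positive=0
    fi
  done
  return $_positive
}

# Usage: sh authorized_keys.sh install SSH_DIR PUBKEY_FILE [FROM_PATTERNS]
#        sh authorized_keys.sh check  "FROM_PATTERNS" CLIENT_HOST CLIENT_IP
case ${1:-} in
  install) install_authorized_key "$2" "$3" "${4:-}" ;;
  check)   if from_allows "$2" "$3" "$4"; then echo allowed; else echo denied; fi ;;
esac
```

On the server, "sh authorized_keys.sh install ~/.ssh ~/id_rsa.pub '*.example.edu,10.*'" replaces the mkdir/chmod/cat/chmod sequence above and can be re-run without duplicating the entry; "sh authorized_keys.sh check '*.example.edu,!evil.example.edu' evil.example.edu 10.0.0.1" prints "denied", showing that a negated pattern wins even when a positive one also matched.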