
Public Key Authentication with SSH

I spent some time this week trying to get public key authentication to work with SSH so that when I used TortoiseSVN, I wouldn’t have to keep typing in my password. I generated a key, installed the public key on the repository server – but nothing. SSH connections still asked for a password. These are the problems I had on a Windows 7 machine running PuTTY, Pageant and the aforementioned TortoiseSVN, connecting to both OpenSSH and commercial SSH servers running some flavor of UNIX.

1. Generate a keypair.
If you’re using PuTTY, you can use the utility PuTTYGen to generate a keypair. Generate an SSH-2 RSA keypair (PuTTYGen also offers SSH-2 DSA, but OpenSSH 7.0 and later refuse ssh-dss keys by default, so RSA is the choice that will keep working) and definitely use a good passphrase! I would also recommend putting in a descriptive key comment which includes your name, the generation date and whether it’s an RSA or DSA key, something like userName-rsa-20110512. The keypair consists of a private key and a public key. Save both files and also copy the text in the box called “Public key for pasting into OpenSSH authorized_keys file.” The private key stays on your client machine and is never sent to the server; keep it safe. The public key is what gets installed on the server, in one of three places depending on which SSH server it runs.

2. Install the public key
Newer versions of OpenSSH read your key from the file ~/.ssh/authorized_keys. Older versions had two files, ~/.ssh/authorized_keys for SSH-1 connections and ~/.ssh/authorized_keys2 for SSH-2 connections. Basically just paste your public key into the file, one key per line. If you didn’t copy it from PuTTYGen as described in step 1, you can load your private key back into PuTTYGen and it will regenerate the public key for you to copy. Only public keys that should have access to the account belong in the authorized_keys/authorized_keys2 files: every key listed there can log in as you. Each key in the file looks something like:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBeIywsWQFXXoWsQG7aNKkt4AVyjkt4/c7yCudH5sMUrsnfpBxGJn1SjNaZorCnZm4j7k+gGw2QFJBrJFsWLAqZwceanHQlid9xmKB9wTN45yzfqFuKrYwpByT9npX2MMC7RjOUm7ccPH3gg1KYn2kPIv/EGsSHNwGYG56EKBZaxQ== userName-rsa-20110512

This breaks down to the key type (ssh-rsa or ssh-dss), the base64-encoded key itself, and the comment field. The whole entry has to stay on one line; a key that an editor or mail client has word-wrapped will simply never match.

One important thing: with StrictModes (the default), the OpenSSH server daemon checks the ownership and permissions of your home directory, ~/.ssh and the authorized_keys/authorized_keys2 file. If any of them is owned by someone else or is group or world writable, the key is ignored and the connection quietly falls back to asking for a password; the only trace is an “Authentication refused: bad ownership or modes” line in the server’s auth log. The fix is to make ~/.ssh mode 700 and authorized_keys mode 600, both owned by you. I spent a long time trying to figure this out before a sysadmin put me straight.

The commercial (ssh.com) version of SSH instead has a file ~/.ssh2/authorization which lists the accepted key files rather than the keys themselves, each line looking something like:

Key keyFile.pub

where keyFile.pub is a text file in ~/.ssh2 containing your public key. This is the file PuTTYGen writes when you hit the “Save public key” button (the SSH2 public key file format, RFC 4716). OpenSSH will not read this multi-line format directly, although ssh-keygen -i -f keyFile.pub converts it into an authorized_keys line. It should look like:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "userName-rsa-20110512"
AAAAB3NzaC1yc2EAAAABJQAAAIBeIywsWQFXXoWsQG7aNKkt4AVyjkt4/c7yCudH
5sMUrsnfpBxGJn1SjNaZorCnZm4j7k+gGw2QFJBrJFsWLAqZwceanHQlid9xmKB9
wTN45yzfqFuKrYwpByT9npX2MMC7RjOUm7ccPH3gg1KYn2kPIv/EGsSHNwGYG56E
KBZaxQ==
---- END SSH2 PUBLIC KEY ----

Where I work, my home directory is on a central file server and is automatically linked to by the other servers on the network, so I have my public key in all three locations to handle the different versions of SSH servers on the network.

3. Connect with your key.
In your PuTTY session settings under Connection > SSH > Auth, give the path to your private key file (the .ppk PuTTYGen saved). If you’re going to be using Pageant, you’ll instead want to check the box “Attempt authentication using Pageant.”

4. Setup Pageant to handle your private keys. (optional)
Pageant is an authentication agent: it holds your private keys so you don’t have to specify which key is for which connection (PuTTY offers each loaded key in turn until the server accepts one). Also, if your private key is protected by a passphrase, you only have to enter it once; Pageant keeps the decrypted key in memory until you remove it or exit. That also means anything that can drive your desktop session can authenticate with it, so lock your screen and don’t leave keys loaded longer than you need them. This is pretty straightforward: just run Pageant and add your private key(s).

That’s it! At this point you should be able to connect with your key instead of a password. If you’re having problems, try a plain PuTTY session where you give it the path to your private key directly (step 3) and see if that works; if it still asks for a password, the server’s auth log will usually say why the key was refused.
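The two public key formats from step 2 and the permission trap, worked through in an added Python example that is not code from the original post. It converts the SSH2 public key file PuTTYGen saves into the one-line form OpenSSH wants (the same job as ssh-keygen -i -f keyFile.pub), decodes the base64 blob to confirm that the ssh-rsa prefix agrees with the key type encoded inside it and to report the real modulus size, and runs the ownership/mode check that sshd’s StrictModes performs. The keys are the ones shown above; the throw-away home directory that demo() builds is constructed for the example, and the function names (demo, permission_problems, rfc4716_to_openssh, parse_authorized_key, read_ssh_strings) are mine, not PuTTY’s or OpenSSH’s.

```python
import base64
import os
import shutil
import stat
import tempfile

# The post's public key in the SSH2 (RFC 4716) format that PuTTYGen's "Save public key" writes.
SSH2_PUBLIC_KEY_FILE = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "userName-rsa-20110512"
AAAAB3NzaC1yc2EAAAABJQAAAIBeIywsWQFXXoWsQG7aNKkt4AVyjkt4/c7yCudH
5sMUrsnfpBxGJn1SjNaZorCnZm4j7k+gGw2QFJBrJFsWLAqZwceanHQlid9xmKB9
wTN45yzfqFuKrYwpByT9npX2MMC7RjOUm7ccPH3gg1KYn2kPIv/EGsSHNwGYG56E
KBZaxQ==
---- END SSH2 PUBLIC KEY ----
"""
# The same key as the one-line OpenSSH authorized_keys entry from the post.
OPENSSH_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBeIywsWQFXXoWsQG7aNKkt4AVyjkt4/c7yCudH5sMUrsnfpBxGJn1SjNaZorCnZm4j7k+gGw2QFJBrJFsWLAqZwceanHQlid9xmKB9wTN45yzfqFuKrYwpByT9npX2MMC7RjOUm7ccPH3gg1KYn2kPIv/EGsSHNwGYG56EKBZaxQ== userName-rsa-20110512"


def read_ssh_strings(blob):
    """Split an SSH wire-format blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def rfc4716_to_openssh(text):
    """SSH2 public key file -> the one-line form OpenSSH wants (like `ssh-keygen -i -f keyFile.pub`)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an SSH2 public key file")
    comment, body = "", []
    for line in lines[1:-1]:
        if ":" in line and not body:    # header lines (Comment: ...) come before the base64 body
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    keytype = read_ssh_strings(blob)[0].decode("ascii")   # the blob names its own type
    line = keytype + " " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line


def parse_authorized_key(line):
    """Parse a plain authorized_keys line (no options prefix); refuse it if the text
    prefix disagrees with the type encoded inside the blob (hand-edited or mis-pasted)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64, comment = parts[0], parts[1], (parts[2].strip() if len(parts) == 3 else "")
    fields = read_ssh_strings(base64.b64decode(b64, validate=True))
    embedded = fields[0].decode("ascii")
    if embedded != keytype:
        raise ValueError("prefix %r does not match encoded type %r" % (keytype, embedded))
    info = {"type": keytype, "comment": comment}
    if keytype == "ssh-rsa":        # fields: type, e, n (big-endian mpints)
        e, n = (int.from_bytes(f, "big") for f in fields[1:3])
        info.update(exponent=e, bits=n.bit_length())
    elif keytype == "ssh-dss":      # fields: type, p, q, g, y
        info["bits"] = int.from_bytes(fields[1], "big").bit_length()
    return info


def permission_problems(home):
    """sshd StrictModes check: home, ~/.ssh and authorized_keys must be owned by the
    user (or root) and must not be group- or world-writable, else the key is ignored."""
    problems = []
    for rel in ("", ".ssh", ".ssh/authorized_keys"):
        path = os.path.join(home, rel) if rel else home
        if not os.path.exists(path):
            problems.append(path + ": missing")
            continue
        st = os.stat(path)
        if st.st_uid not in (os.getuid(), 0):
            problems.append("%s: owned by uid %d, not by you" % (path, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s: group/world writable (mode %o)" % (path, stat.S_IMODE(st.st_mode)))
    return problems


def demo():
    """Install the key into a throw-away home directory (constructed for this example)
    with the classic wrong modes, then fix them; returns both problem lists."""
    home = tempfile.mkdtemp()               # created mode 0700, owned by us
    ssh_dir = os.path.join(home, ".ssh")
    key_file = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(ssh_dir)
    with open(key_file, "w") as f:
        f.write(rfc4716_to_openssh(SSH2_PUBLIC_KEY_FILE) + "\n")
    os.chmod(ssh_dir, 0o777)                # world-writable ~/.ssh ...
    os.chmod(key_file, 0o664)               # ... and a group-writable authorized_keys
    before = permission_problems(home)
    os.chmod(ssh_dir, 0o700)                # what sshd wants
    os.chmod(key_file, 0o600)
    after = permission_problems(home)
    shutil.rmtree(home)
    return before, after
```

Running parse_authorized_key on the post’s key reports exponent 37 (PuTTYGen’s fixed RSA exponent) and a 1023-bit modulus: the blob’s modulus field is 128 bytes with the top bit clear, so the “1024-bit” key is one bit short, which is the kind of detail you only see by decoding the blob rather than trusting the comment. demo() shows the StrictModes check flagging a world-writable ~/.ssh and a group-writable authorized_keys, then passing once they are 700 and 600.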

Edit (February 17, 2012): Recently installed TortoiseSVN 1.7 and public key authentication broke. Apparently it requires PuTTY/Pageant 0.61 or later.

  • James Smith July 19, 2011, 11:43 am

    Hi,

    I’m encountering this problem with putty and pageant in Windows 7, i.e. still forced to enter passphrase despite all the right stuff server and client side, Windows XP and Vista worked with no problem. Have you encountered a fix?

    Regards,
    James

  • RoboGourmet July 19, 2011, 1:40 pm

    James – I did not have to do anything specific for Windows 7. If it helps, I’m running PuTTY 0.60 on at least two Windows 7 (x64 Enterprise) machines. There was a new release of PuTTY, 0.61, that mentions some Windows 7 fixes – maybe that’ll help?

  • Kenya February 15, 2012, 10:21 pm

    I also have the same problem with Windows 7. It used to work, but now it also asks for password. I do not remember exactly what has changed in my system. I have up-to-date releases.

  • RoboGourmet February 15, 2012, 10:32 pm

    Kenya – did you just update TortoiseSVN to 1.7 or later? That stopped working with Pageant until I upgraded PuTTY/Pageant to 0.62. See my recent post on this: http://www.robogourmet.com/?p=313

  • Kenya February 21, 2012, 11:18 pm

    Thank you RoboGourmet! I do not use TortoiseSVN but upgrading pageant from 0.60 to 0.62 solved my problem.
