PuTTY

From Ece

PuTTY is a free SSH client for Windows. It also supports Telnet and Rlogin, though it is strongly advised that you use SSH exclusively, as Telnet and Rlogin are inherently not secure. This page contains some straightforward instructions for using PuTTY, PuTTYgen, Pageant, and Plink. For more thorough help, see the PuTTY User Manual.

Contents 1 Acquiring and Installing PuTTY 1.1 Download Select Binaries 1.2 Windows Installer 2 Basic Use 2.1 Making a One-Time Connection 2.2 Storing Connection Settings in a Saved Session 3 Public-Key Authentication 3.1 Creating a Public-Private Key Pair 3.1.1 Generating the Key Pair with PuTTYgen 3.1.2 Posting the Public Key on the Server 3.1.3 Problems and solutions 3.1.4 Changing the Passphrase for the Private Key 3.2 Configuring a Saved Session to Use a Private Key 4 Automating Authentication with Pageant 4.1 Launching Pageant and Adding Keys 4.2 Configuring a Saved Session for Pageant Use 4.3 Testing Authentication with Pageant 4.4 Using a Shortcut to Automatically Load Keys 4.5 Automatically Loading Pageant Upon Windows Login 5 Plink for Command-Line Connections 5.1 Example Usages 6 See Also 7 External Links

Acquiring and Installing PuTTY

The PuTTY download page offers two ways of getting the PuTTY tools onto your PC.

Download Select Binaries

All of the PuTTY tools are offered as individual executables (.exe) that do not require installation. This may be the best or only option on a public/IT-administered PC that does not already have PuTTY installed. Simply download the executables somewhere on your hard drive, and double-click. For convenience, you might want to make Desktop shortcuts to these programs.

The main program you need is:

• PuTTY

If you intend to use public-key authentication, download these as well:

• Pageant
• PuTTYgen

And lastly, if you intend to use the command-line implementation of Subversion for Windows, you will need:

• Plink

Windows Installer

If you want the familiar Windows feel of having Start Menu entries for your software, as well as having the actual executables stored in an appropriate folder (C:\Program Files\PuTTY\), you will want to use the Windows installer for PuTTY. You can find this on the download page just below the individual binaries and ZIP file.

The file you need is:

• putty-<version>-installer.exe (e.g. putty-0.60-installer.exe)

This installer also gives you the option to associate PuTTY's private key files (.ppk) with Pageant. If you intend to use public-key authentication, then you might wish to select that option.

Note: This will install everything but the standalone program PuTTYtel. That means in addition to PuTTY, PuTTYgen, and Pageant, the programs PSCP, PSFTP, and Plink (as well as an uninstaller) be installed. The total installation is about 3.25 MB, so this should not be a problem for most users.

Basic Use

Making a One-Time Connection

To connect to a remote server over SSH:

1. Open PuTTY by double-clicking the executable putty.exe or a shortcut to putty.exe, or open it from the Start Menu (Start → PuTTY → PuTTY). This will bring up the PuTTY Configuration dialog.
2. In the Host Name (or IP Address) field, type the domain name or IP address of the server you want to connect to. For example, to connect to the ECE Department's server Yavin, type yavin.ece.msstate.edu
3. Make sure the selected Connection Type is SSH.
4. Click Open.
5. A terminal window will open, and you will be prompted for your ECE login and password. For most students, your login name is your NetID, but your ECE password is not the same as your MsState NetPassword unless you have already changed it to be the same.

   Note: You will not see any characters on the screen as you type your password. This is normal.

6. If all went well, your terminal window will be showing a UNIX prompt similar to this:

   netid@yavin:~$

Storing Connection Settings in a Saved Session

If you will be connecting to the same server under the same account very often, you will want to store the host name, and perhaps even your user name, in a saved session.

1. Open PuTTY, and enter your host name, such as yavin.ece.msstate.edu, into the Host Name field.
2. Make sure the selected Connection Type is SSH.
3. If you want to avoid typing your user name as well,
   1. In the left-hand menu, select Connections → Data.
   2. Enter your ECE user name in the Auto-login username field, and
   3. Navigate back to the main screen be selecting Session from the left-hand menu.
4. Type a name for this session, such as Yavin into the Saved Sessions field.
5. Click Save.

To open your connection, select it in the list of saved sessions, and Click Open, or simply double-click on the session's name.

To make changes to your session:

1. Select the session from the Saved Sessions list.
2. Click Load to load that sessions settings into the PuTTY Configuration dialog.
3. Make any desired changes.
4. Ensure the session name is still displayed in the Saved Sessions field, or change the name if you want your changes saved to a new session.
5. Click Save to finalize.

To create a Windows shortcut to a saved session:

1. Create a shortcut by right-clicking on the PuTTY executable or the Start Menu entry, and selecting Create Shortcut. (Context Menu → Create Shortcut)
2. Right-click on the new shortcut, and select properties. (Context Menu → Properties)
3. In the Target field, place your cursor at the end of the text, and add -load "SessionName".

   For example, if your copy of PuTTY is stored in C:\Program Files\PuTTY\, and you want to create a shortcut to a session called Yavin, your Target field should say:

   "C:\PuTTY\putty.exe" -load "Yavin"

4. Click OK.

Public-Key Authentication

Typically, you log in to the server by providing a user name and password. The user name identifies who you are, while the password authenticates, or proves, your claimed identity.

Another approach to authentication—one that does not require sending a password to the server for every connection—is public-key authentication. In short, this involves generating a pair of cryptographic keys, placing the public key on the remote server, and saving the private key to your hard drive, encrypted with a passphrase. For someone to authenticate themselves using that public key, they must also have the private key.

While the details are beyond the scope of this article, suffice it to say that neither key travels across the network. Instead the keys are used to manipulate some extraneous piece of data sent over the network, in order to confirm a matching key-pair. For more information, consult the PuTTY User Manual.

Creating a Public-Private Key Pair

To use public-key authentication, you must first generate the key pair and then save your private key locally, and post your public key to the server.

Note: Generally speaking, you do not need to create a new key pair for every server you use. For example, if you have an account on Ra or the CSE Department's Pluto, just post your public key to each of those servers.

Generating the Key Pair with PuTTYgen

Use PuTTYgen to create a random key pair.

1. Open PuTTYgen.
2. In the bottom area of the screen (Parameters), SSH-2 RSA should be selected. (PuTTY strongly recommends using RSA keys, rather than DSA keys).
3. Just below that option, the field Number of bits in a generated key is currently set to 1024. Many say this is fine for most purposes, but changing it to, say, 2048 is not likely to lead to any performance problems, so feel free to change this field.
4. Click Generate. You will be asked to move your mouse around on the window to "generate some randomness."
5. On the next screen, type a comment if you desire (e.g., netid@yavin.ece.msstate.edu), and then enter a passphrase. This passphrase will be used to encrypt your locally-stored private key. The PuTTY User Manual mentions DiceWare as one method for creating a strong passphrase.
6. Click Save Private Key and save the file in a convenient place with a name you will recognize, such as Yavin.ppk.

Posting the Public Key on the Server

Finally, load the public key into the authorized_keys file on the server, either by the using these instructions, or some other method (Notepad + SFTP or mapped network drive, etc.) to accomplish the same task.

1. Select all of the text in the Public key for pasting into OpenSSH authorized_keys file. Press Ctrl+C to copy this to the clipboard.
2. Open a PuTTY terminal to the remote server.
3. Create the directory .ssh/ under your home directory. The following command will create the directory if it does not exist, but will not return an error if it does exist. Note: '~' can be used to denote your home directory's path.

   mkdir -p ~/.ssh

4. Set restrictive permissions on this directory (read/write/execute for yourself only).

   chmod u+rwx,go-rwx ~/.ssh

5. Use the cat command to put your key in the authorized_keys file. This usage will create the file if it does not exist, but simply append the key to the end of authorized_keys if it does exist.

   cat >> ~/.ssh/authorized_keys

   Just after you press Enter, paste the public-key text by right-clicking the mouse once inside the PuTTY window. Press Enter once more, followed by Ctrl+D to finish the command.

6. Set restrictive permissions on your authorized_keys file (read/write for yourself only).

   chmod u+rw,go-rwx ~/.ssh/authorized_keys

Problems and solutions

• Problem: "Server refused our key" for locally generated key pairs. Solution: generate the keys on the server than on the client.

Changing the Passphrase for the Private Key

If, for some reason, you wish to change the passphrase used to encrypt your locally-stored private key, you can do so with PuTTYgen.

1. Open PuTTYgen.
2. Click Load.
3. You will be prompted to locate the private key (.ppk) file.
4. You will then be prompted to enter the current passphrase.
5. Once you enter the correct passphrase, you should see PuTTYgen just as it appeared when you created your key. Edit the passphrase fields, and click Save private key to save your key with the new passphrase.

Configuring a Saved Session to Use a Private Key

Now that you've created a public-private key pair, you can configure your saved session in PuTTY to authenticate with your private key.

1. Open PuTTY.
2. Select your saved session, and click Load.
3. In the left-hand menu, select Connection → SSH → Auth.
4. Next to the Private key file for authentication field, click Browse.
5. You will be prompted to locate and select your private key (.ppk) file.
6. Navigate back to the main screen (Session in the left-hand menu).
7. Ensure the correct name is still listed in the Saved Sessions field, and click Save.

Now test that you can connect using your private key.

1. Open the saved session in PuTTY.
2. PuTTY will open a new terminal window and prompt you for your username if it is not already stored in your saved session.
3. In lieu of the usual password prompt, PuTTY should prompt with the following (where <key-comment> represents whatever comment you entered in PuTTYgen when you created the keys):

   Authenticating with public key "<key-comment>"

   Passphrase for key "<key-comment>":

4. Enter the passphrase you used when saving your private key in PuTTYgen.

If all goes well, you should be connected to the server.

Automating Authentication with Pageant

PuTTY provides a way to avoid typing your passphrase every time you connect to the server, by using an authentication agent called Pageant. Pageant can prompt you for your passphrase once, and then hold the decrypted private key in memory. (If you're curious about the security of this approach, see Security considerations in the PuTTY User Manual).

By default, when you try to connect with PuTTY, PuTTY will attempt to use Pageant. If no appropriate key is loaded in Pageant, PuTTY will then ask you for your passphrase if you have configured your session to use a specific private key (.ppk) file. If you have not specified a private key file, then the server will just prompt you for a passphrase.

Pageant isn't limited to automating your PuTTY terminal connections. Other software, such as SFTP utilities WinSCP and FileZilla, or Windows Subversion client TortoiseSVN, can connect automatically using Pageant.

Launching Pageant and Adding Keys

1. Open Pageant by double-clicking the executable pageant.exe or a shortcut to pageant.exe, or open it from the Start Menu (Start → PuTTY → Pageant). It may look like nothing has happened, but if you look in the notification area of the Windows Taskbar (i.e. the little icons next to the clock), you should see the Pageant icon (a computer monitor wearing a hat).
2. Right-click on the notification area icon, and select Add Key. (Context Menu → Add Key).
3. You will be prompted to locate your private key (.ppk) file.
4. You will then be prompted to enter the correct passphrase.
5. Once you enter the correct passphrase, it may again appear that nothing has happened. However, if you right-click the Pageant notification area icon, and select View Keys (Context Menu → View Keys), you should see a listing that shows some information about your key. From this window, you can add and remove keys from Pageant. For more information, see The Pageant main window in the PuTTY User Manual.

Configuring a Saved Session for Pageant Use

If you already configured a session to use a private key, this will affect how Pageant is used when you connect with that saved session.

Normally, when you attempt a connection with your saved session, PuTTY will attempt to connect via Pageant. If Pageant is running, every private key loaded into Pageant may be tried until a successful match is found for the server you're connecting to. If you have specified a path to a private key in your saved session's settings, then PuTTY will look only for that key in Pageant, and ignore all others. If the key has not been loaded into Pageant, then PuTTY will prompt you for the passphrase to decrypt the private key (just as it would have if Pageant were not running at all).

Here are some scenarios for which you might wish to specify a private key in the saved session even if you use Pageant:

• You only use one private key for all connections.
• You often work without using Pageant. (This will ensure PuTTY still finds your private key in order to prompt for your passphrase.)
• Advanced users: You have a public-key that is set up on the server to invoke a specific command, and you maintain a separate saved session for such connections. In this case, you would want to specify the appropriate key for all saved sessions on that server, so that your interactive logins do not attempt to invoke the remote command and programs needing the remote command do not use the key meant for interactive logins.

Otherwise, you may benefit from not specifying a private key file in your saved session. For example, if you later relocate your private key file, but you load it into Pageant, PuTTY will still be able to use that key in Pageant.

Testing Authentication with Pageant

Once you have loaded a private key into Pageant, test that everything was set up correctly by attempting a connection with PuTTY.

1. Open the corresponding saved session in PuTTY.
2. PuTTY will open a new terminal window and prompt you for your username if it is not already stored in your saved session.
3. Instead of the password or passphrase prompt, PuTTY should display the following (where <key-comment> represents whatever comment you entered in PuTTYgen when you created the keys):

   Authenticating with public key "<key-comment>" from agent

4. You should now be connected to the server.

Using a Shortcut to Automatically Load Keys

If you would like a shortcut to Pageant that automatically loads the desired key(s),

1. Create a shortcut by right-clicking on the Pageant executable or the Start Menu entry, and selecting Create Shortcut. (Context Menu → Create Shortcut)
2. Right-click on the new shortcut, and select properties. (Context Menu → Properties)
3. In the Target field, place your cursor at the end of the text, and add "PathToKey" for as many keys as desired.

   For example, if you have keys yavin.ppk and pluto.ppk, and you want to load these when you start Pageant, your Target field should contain something like:

   "C:\PuTTY\pageant.exe" "C:\mykeys\yavin.ppk" "C:\mykeys\pluto.ppk"

4. Click OK.

Note: when you use this shortcut, you will, of course, be prompted for your passphrase(s). If your shortcut is opening multiple keys that have the same passphrase, Pageant will not prompt you for each key; instead, it will try your passphrase with the rest of your keys before prompting you again, if necessary. This can be convenient but confusing if you're expecting to be prompted separately for each key.

Automatically Loading Pageant Upon Windows Login

Pageant holds your decrypted passwords only for a single Windows login session (or until you manually close Pageant).

If you would like to start Pageant automatically every time you log in to your personal Windows PC, simply place a shortcut to Pageant in your Startup folder. (For added convenience, use a shortcut that automatically loads your private keys).

• If you do not want Pageant to load for every user, you must place your shortcut in each user's Startup folder. For a user named Joe, this folder would be called:

  C:\Documents and Settings\Joe\Start Menu\Programs\Startup

• If, for some reason, you do want Pageant to load for every user, use this Startup folder:

  C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Plink for Command-Line Connections

Plink is much like PuTTY, except that it is run at a Windows command prompt. Its main purpose is to aid automated connections by other programs, such as the Subversion command-line client for Windows, but it can be used interactively.

Example Usages

To try out Plink, open a Windows command prompt. (Start → Run, type cmd, press Enter)

Change into PuTTY's installation directory. For example:

cd "C:Program Files\PuTTY"

• A simple connection to Yavin by a user named jdoe:

  plink jdoe@yavin.ece.msstate.edu

• Connect using a specific private key file:

  plink -i C:\path\to\myprivatekey.ppk jdoe@yavin.ece.msstate.edu

• Connect using a saved session created in PuTTY, with a saved name of Yavin

  plink Yavin

See Also

• OpenSSH

External Links

• PuTTY (official Web site)
• PuTTY 0.60 User Manual
• Pictoral demonstration of public-key configuration.
• Tutorial for setting up public-key authentication for Subversion use.