ssh_keys_putty.html

<!DOCTYPE html>
<html>
	<head>
<!-- / Page Title -->
		<title>How to Create SSH Keys with PuTTY (on Windows) to Connect to DigitalOcean Cloud Servers | DigitalOcean</title>
<!-- / Content -->
		<meta content='Pablo Carranza' name='Author'>
<!-- / Keywords -->
		<meta content='centos server, cloud server, cloud hosting, debian server, development server, digitalocean, e-mail server, email server, fedora server, free DNS
			Manager, hosting, how to, linux mint server,  linux server, smtp, smtp server, staging server, ubuntu server, vps, vps server, vps server hosting, vps hosting,
			virtual server, virtual private server, web hosting, website hosting, wordpress hosting' name='Keywords'>
	</head>
<body>
<h1>How to Create SSH Keys with PuTTY (on Windows) to Connect to DigitalOcean Cloud Servers</h1>

<h2>Benefits of Public & Private SSH Keys</h2><hr>

<p>If your headless, or remote, server is visible over the Internet, you should use public key authentication instead of passwords, if at all possible; because SSH keys
provide a more secure way of logging in -- compared to using a password alone. While a password can eventually be cracked with a <a title="Wikipedia" href="http://en.wikipedia.org/wiki/Brute-force_attack"
target="_blank">brute-force attack</a>, SSH keys are nearly impossible to decipher by brute force, alone. With public key authentication, every computer has (i) a public
and (ii) a private "key" (two mathematically-linked algorithms that are effectively impossible to crack).<br />
<br />
Today, <a href="http://www.openssh.org" target="_blank">OpenSSH</a> is the default SSH implementaion on Unix-like systems such as Linux and OS X. Key-based
authentication is the most secure of several modes of authentication usable with OpenSSH, such as plain passwords and Kerberos tickets. Other authentication methods
are only used in very specific situations. SSH can use either "RSA" (Rivest-Shamir-Adleman) or "DSA" ("Digital Signature Algorithm") keys. Both of these were
considered state-of-the-art algorithms when SSH was invented, but DSA has come to be seen as less secure in recent years. RSA is the only recommended choice for
new keys, so this tutorial uses "RSA key" and "SSH key" interchangeably.<br />
<br />
When you log in to your DigitalOcean droplet, the SSH server uses the public key to "lock" messages in a way that can only be "unlocked" by your private key -- this
means that even the most resourceful attacker cannot snoop on, or interfere with, your session. As an extra security measure, some users and most SSH programs store
the private key in a passphrase-protected format, to provide a window of time in which you can disable your compromised public key, should your computer be stolen
or broken in to. For these reasons, public key authentication is a much better solution than passwords for most people. In fact, by not employing a passphrase on your
private key, you will have the ability to automate parts of your configuration management with secure, automatic log-ins -- such as incremental, off-site backups;
managing your DigitalOcean assets via the DigitalOcean API; and more.</p>

<h3>Key-Based SSH Logins</h3>

You can save the same public key on as many servers as you'd like, while your private key is saved on a client from which you log in to the server. Then, you can
disable the normal username/ password login procedure, which means that only people with a valid private/ public key pair can log in; making your system more
secure, because it will be impervious to brute-force attacks.

<h3>Automate the Creation of New Droplets</h3>

<p>Another useful purpose that SSH keys can serve is in the creation of DigitalOcean droplets. As you know, when you spin up a droplet, you have to wait for an e-mail
with your password. Although this email is very convenient, there is a more secure (and faster) way of gaining access to your new cloud server without the need for
email. This can be done by saving your public key in the <a href="https://www.digitalocean.com/community/articles/the-digitalocean-control-panel" target="_blank">
DigitalOcean Control Panel</a>. To accomplish this,<br />
<ul>
<li>first complete the section in this tutorial titled <strong>Generating OpenSSH-compatible Keys for Use with PuTTY</strong>;</li>
<li>then, skip to <strong>Step Three</strong> of <a href="https://www.digitalocean.com/community/articles/how-to-use-ssh-keys-with-digitalocean-droplets"
target="_blank">How to Use SSH Keys with DigitalOcean Droplets</a>.</li>
</ul></p>

<h2>Prerequisite</h2>

This tutorial assumes that you are familiar with DigitalOcean's guide on <a href="https://www.digitalocean.com/community/articles/how-to-log-into-your-droplet-with-putty-for-windows-users"
target="_blank">How to Log Into Your Droplet with PuTTY (for windows users)</a>.
<hr>
<h2>PuTTY Key Generator (a.k.a. PuTTYgen)</h2><hr>

<p>While PuTTY is a client program for SSH (in addition to Telnet and Rlogin), it is not a port of or otherwise based on OpenSSH. Consequently, PuTTY does not have
native support for reading OpenSSH's SSH-2 private key files. However, PuTTY does have a companion named PuTTYgen (an RSA and DSA key generation utility), that
can convert OpenSSH private key files into PuTTY's format; allowing you to connect to your cloud server from a Windows machine, with the added security that SSH
keys provide.<br />
<br />
PuTTYgen is a (free) open-source utility and can be downloaded from the <a title="PuTTY Download Page" href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html"
target="_blank">maintainer's website</a>.  PuTTYgen is what you will use to generate your SSH keys for use in PuTTY. To start, all you need to do is download the
exectuable files (.exe) and save them on the computer that you'll use to connect to your server, e.g. on the desktop. You will <i>not</i> need to "install" PuTTYgen,
because it is a standalone application.</p>

<h2>Generating OpenSSH-compatible Keys for Use with PuTTY</h2><hr>

To generate a set of RSA keys with PuTTYgen:
<ol>
<li>Start the PuTTYgen utility, by double-clicking on its .exe file;</li>
<li>For <strong>Type of key to generate</strong>, select <strong>SSH-2 RSA</strong>;</li>
<li>In the <strong>Number of bits in a generated key</strong> field, specify either <strong>2048</strong> or <strong>4096</strong> (increasing the bits makes it harder to
crack the key by brute-force methods);</li>
<li>Click the <strong>Generate</strong> button;</li>
<li>Move your mouse pointer around in the blank area of the <strong>Key</strong> section, below the progress bar (to generate some randomness) until the progress bar
is full;</li>
<li>A private/ public key pair has now been generated;</li>
<li>In the <strong>Key comment</strong> field, enter <i>any</i> comment you'd like, to help you identify this key pair, later (e.g. your e-mail address; home; office; etc.)
-- the key comment is particularly useful in the event you end up creating more than one key pair;</li>
<li><u>Optional</u>: Type a passphrase in the <strong>Key passphrase</strong> field & re-type the same passphrase in the <strong>Confirm passphrase</strong> field (if
you would like to use your keys for automated processes, however, you should <i>not</i> create a passphrase);</li>
<li>Click the <strong>Save public key</strong> button & choose whatever filename you'd like (some users create a folder in their computer named <i>my_keys</i>);</li>
<li>Click the <strong>Save private key</strong> button & choose whatever filename you'd like (you can save it in the same location as the public key, but it should be a
location that only you can access and that you will NOT lose! If you lose your keys and have disabled username/ password logins, you will no longer be able log in!);</li>
<li>Right-click in the text field labeled <strong>Public key for pasting into OpenSSH authorized_keys file</strong> and choose <strong>Select All</strong>;</li>
<li>Right-click again in the same text field and choose <strong>Copy</strong>.</li>
</ol><br />
<strong>NOTE:</strong> PuTTY and OpenSSH use different formats for public SSH keys. If the <strong>SSH Key</strong> you copied starts with "---- BEGIN SSH2 PUBLIC
 KEY ...", it is in the wrong format. Be sure to follow the instructions carefully. Your key should start with "ssh-rsa AAAA ...."

<h2>Save The Public Key On The Server</h2><hr>

Now, you need to paste the copied public key in the file <strong>~/.ssh/authorized_keys</strong> on your server.
<ol>
<li>Log in to your destination server; <i>see</i> <a href="https://www.digitalocean.com/community/articles/how-to-log-into-your-droplet-with-putty-for-windows-users"
target="_blank">How to Log Into Your Droplet with PuTTY (for windows users)</a></li>
<li>If your SSH folder does not yet exist, create it manually:</li>
<pre>mkdir ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys</pre><br />
<li>Paste the SSH public key into your <strong>~/.ssh/authorized_keys</strong> file (<i>see</i> <a href="https://www.digitalocean.com/community/articles/installing-and-using-the-vim-text-editor-on-an-cloud-server"
target="">Installing and Using the Vim Text Editor on an Cloud Server</a>):</li>
<pre>sudo vim ~/.ssh/authorized_keys</pre><br />
<li>Tap the <code>i</code> key on your keyboard & right-click your mouse to paste.</li>
<li>To save, tap the following keys on your keyboard (in this order): <code>Esc</code>, <code>:</code>, <code>w</code>, <code>q</code>, <code>Enter</code>.</li>
</ol>
<h2>Create a PuTTY Profile to Save Your Server's Settings</h2><hr>

In PuTTY, you can create (and save) profiles for connections to your various SSH servers, so you don't have to remember, and continually re-type, redundant information.
<ol>
<li>Start PuTTY by double-clicking its executable file;</li>
<li>PuTTY's initial window is the <i>Session</i> Category (navigate PuTTY's various categories, along the left-hand side of the window);</li>
<li>In the <strong>Host Name</strong> field, enter the IP address of your droplet or its fully qualified domain name (FQDN); <i>see</i> <a href="https://www.digitalocean.com/community-articles/how-to-set-up-a-host-name-with-digitalocean"
target="">How to Set Up a Host Name with DigitalOcean</a></li>
<li>Enter the port number in the <strong>Port</strong> field (for added security, consider changing your server's SSH port to a non-standard port. <i>See</i> Step Five of <a
title="Making SSH More Secure by Changing the Port to a Non-Standard Port" href="https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04"
target="_blank">Initial Server Setup with Ubuntu 12.04</a></li>
<li>Select <strong>SSH</strong> under <strong>Protocol</strong>;</li>
<li>Along the left-hand side of the window, select the <i>Data</i> sub-category, under <i>Connection</i>;</li>
<li>Specify the username that you plan on using, when logging in to the SSH server, and whose profile you're saving, in the <strong>Auto-login username</strong> field;</li>
<li>Expand the <i>SSH</i> sub-category, under <i>Connection</i>;</li>
<li>Highlight the <i>Auth</i> sub-category and click the <strong>Browse</strong> button, on the right-hand side of the PuTTY window;</li>
<li>Browse your file system and select your previously-created private key;</li>
<li>Return to the <i>Session</i> Category and enter a name for this profile in the <strong>Saved Sessions</strong> field, e.g. user@123.456.78.9 or user@host.yourdomain.tld;</li>
<li>Click the <strong>Save</strong> button for the <strong>Load, save or delete a stored session</strong> area.</li>
</ol><br />
Now you can go ahead and log in to <i>user</i>@1.2.3.4 and you will <strong>not</strong> be prompted for a password. However, if you had set a passphrase on your
public key, you <i>will</i> be asked to enter the passphrase at that time (and every time you log in, in the future).

<h2>Disable Username/ Password Logins</h2><hr>

Once you have verified that your key-based logins are working, you may elect to disable username/ password logins to achieve better security. To do this, you need to
edit your SSH server's configuration file. On Debian/ Ubuntu systems, this file is located at <strong>/etc/ssh/sshd_config</strong>.
<pre>sudo vim /etc/ssh/sshd_config</pre>
<br />
Tap the <code>i</code> key on your keyboard and edit the lines, referenced below:
<pre>[...]
PasswordAuthentication no
[...]
UsePAM no
[...]</pre>
<br />
To save, tap the following keys on your keyboard (in this order): <code>Esc</code>, <code>:</code>, <code>w</code>, <code>q</code>, <code>Enter</code>. Now, reload
the SSH server's configuration:
<pre>sudo reload ssh</pre>

<h2>Additional Resources</h2><hr>
<ul>
<li><a href="https://www.digitalocean.com/community/articles/how-to-set-up-ssh-keys--2" target="_blank">How to Set Up SSH Keys | DigitalOcean</a>;</li>
<li><a href="https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04" target="_blank">How to Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean</a>;</li>
<li><a href="https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-two-factor-authentication" target="_blank">How to Protect SSH with Two-Factor Authentication | DigitalOcean</a>;</li>
<li><a href="https://www.digitalocean.com/community/articles/how-to-copy-files-with-rsync-over-ssh" target="_blank">How To Copy Files With Rsync Over SSH | DigitalOcean</a>;</li>
<li><a href="http://en.wikipedia.org/wiki/Public-key_cryptography" target="_blank">Public-key cryptography | Wikipedia</a>;</li>
<li><a title="PuTTY: A Free Telnet/SSH Client" href="http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html" target="_blank">PuTTY FAQ | Simon Tatham</a>.</li>
</ul>
<p>As always, if you need help with the steps in this HowTo, look to the DigitalOcean Community for assistance by posing your question(s), below.</p>

<div style="text-align: right; font-size:smaller;">Article Submitted by: <a title="of vDevices, LLC | Wisconsin" href="http://vdevices.com" target="_blank">Pablo Carranza</a>
</div></body></html>