SSH login with a certificate (Windows)

One of the most convenient ways to log in to a server with SSH is with certificates. Although the principle is pretty well documented all over the internet, I still found some issues setting it up myself from my Windows laptop, hence this walk-through.

I have tried to make a simple, condensed walk-through. It does require that you know what SSH is and how to use PuTTY.

(I also created a Mac OS X walk-through.)

This example sets up certificates to log in to the server strelitzia.net with the user ID jeroen. That login does not actually work, so do not bother trying to hack your way into this system: I cannot SSH into it at all. It is used only as an example for you and myself.

You NEED to change only two things. Every time you read ‘strelitzia.net’ you should replace it with your own server. Every time you read ‘jeroen’ you should use your own userID. Be careful not to change anything else!

This example uses some tools. I have set up everything in C:\tools. I have a directory C:\tools\ssh for the keys and such. I also have C:\tools\putty for all PuTTY software, and I have set up KeePass there as well, which I will come to at the end of this post.

Step 1: generate keys

Start up PuTTYgen and make sure it generates a 2048-bit SSH-2 RSA key. Click Generate and move your mouse over the blank area to generate some randomness. Fill out the key comment so you will recognize the key, and a passphrase (twice). Remember that the passphrase now replaces your normal password, so choose it wisely and create a proper passphrase.

The public OpenSSH key is shown inside the PuTTYgen window. You need to copy it and store it somewhere safe (let's assume in c:\tools\ssh\authorized_keys.txt; the public key is one long line) and save the private key (c:\tools\ssh\jeroen-2048.ppk, the file name used in the commands below).

Step 2: setup target server

Log in to the designated Linux server with PuTTY and your normal password. Go to ~/.ssh; if the (hidden) .ssh directory does not exist, create it and chmod it to 700. Create the file authorized_keys in this directory and chmod it to 600. Copy the OpenSSH public key into this file or, if keys already exist, append it. The public key must be all on one line; your login will break later if this is not correct. When you are done, close your SSH connection and close PuTTY.

Step 3: login with your certificate

The simplest way to test this is from a command line:

c:\tools\putty\putty.exe -i ..\ssh\jeroen-2048.ppk jeroen@strelitzia.net

(again: change the details to your own settings)
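As an added example (not from the original post), here is a POSIX shell script for the server side of step 2: it creates the .ssh directory and authorized_keys file with the required modes, appends a public-key line without duplicating it, and checks that no key ended up wrapped onto two lines, the failure mode the post warns about. The sample key line is constructed, and the stat -c invocation assumes GNU coreutils on the Linux server.

```shell
# Constructed sample: one public-key line as PuTTYgen displays it
# (the key material is made up and shortened; it is not a real key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKEYmaterial jeroen-2048'

# install_authorized_key <home-dir> <pubkey-line>
# Creates <home>/.ssh (0700) and authorized_keys (0600) if missing and appends
# the key line once. sshd ignores keys in a file or directory with wider
# permissions, so the modes matter as much as the key itself.
install_authorized_key() {
    sshdir="$1/.ssh"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
    # Append only when this exact line is not already present (idempotent).
    grep -qxF -- "$2" "$sshdir/authorized_keys" || printf '%s\n' "$2" >> "$sshdir/authorized_keys"
}

# check_authorized_keys <home-dir>
# Returns 0 when both modes are right and every non-empty, non-comment line
# starts with a key type. A key pasted with a line break shows up as a
# continuation line of raw base64 and is reported. Key options such as
# from= are not handled here. Assumes GNU stat.
check_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ "$(stat -c '%a' "$1/.ssh")" = "700" ] || { echo ".ssh is not mode 700"; return 1; }
    [ "$(stat -c '%a' "$f")" = "600" ]      || { echo "authorized_keys is not mode 600"; return 1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) ;;                                            # blank or comment
            'ssh-rsa '*|'ssh-ed25519 '*|'ecdsa-sha2-'*|'sk-'*) ;;  # starts with a key type
            *) echo "line $n does not start with a key type (wrapped key?)"; return 1 ;;
        esac
    done < "$f"
    return 0
}

# Stand-alone demo in a throwaway home directory.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"   # second call must not add a duplicate
check_authorized_keys "$demo_home" && echo "authorized_keys OK ($(wc -l < "$demo_home/.ssh/authorized_keys") key line(s))"
```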

Step 4: Set up some extras

I use KeePass to store everything. To log in to your server with the certificate, use this (all on one line) in the URL entry:

cmd://{appdir}\..\putty.exe -i {appdir}\..\ssh\<filename>.ppk {username}@{title}

Finally, I created a little batch file to start PuTTY's Pageant, to store my private key's passphrase:

C:\tools > copy con c:\tools\runpageant.cmd
@echo off
start %~dp0putty\PAGEANT.exe %~dp0ssh\jeroen-2048.ppk
^Z

(The ^Z, or End-of-File character, is entered with <F6>, <Enter>.)

You're done and set up now!


4 responses to “SSH login with a certificate (Windows)”

  1. Berthold Humkamp says:

    Hello,

    sorry, you are wrong: this is not signing in by certificate, it's signing in by public key, which is not the same!

    Greetings,

    Berthold Humkamp

  2. Bob says:

    Sigh. It’s so hard to search for “SSH certificates”, because articles like this one say they are about that topic when they are NOT.

    Please remove all references to “certificates”, as you are only confusing people and diluting search results.
