SSH Secure Shell Key Authentication with PuTTY

This article will describe how to create keys that will be used to establish secure remote connections to your FreeBSD system. The article describes how to create an Ed25519 key pair, authorize the keys for use by FreeBSD's SSH server, and convert the private key for use with PuTTY.

NOTE: The provided examples detail the creation of keys that will be used for connections to a FreeBSD system as the root user.

At the time of writing, putty.exe, puttygen.exe, and pscp.exe are all v0.70.0.0.

Create a Key Pair

Log in to your FreeBSD system as root and create the key pair.

ssh-keygen -t ed25519 -a 100

You will see the following output:

Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:Qds2SqbI0hQYsls1tJTETya2hntFQXN6U4lOEVJogMk root@hostname
The key's randomart image is:
+--[ED25519 256]--+
|...OO+=+*+..     |
| oEo=+**o+.      |
|. .ooO.oB +      |
| o.+o.o=.= .     |
|. .o+.. S        |
|  ...            |
|   .             |
|                 |
|                 |
+----[SHA256]-----+

 

The public and private key pair is now created and saved in /root/.ssh/.

id_ed25519 is the private key that is used by client applications to connect to the SSH server. If the file is ever stolen or compromised then a new key pair should be generated and replaced on both server and client.
id_ed25519.pub is the public key and the one that the SSH server will use to authenticate client keys against.


Authorize the Public Key

To authorize the public key on the SSH server execute the following:
cd /root/.ssh/
cat id_ed25519.pub >> authorized_keys
This creates the file if it doesn't exist and copies the public key to it. If the file already exists then the key is appended to the end of the file.

Edit /etc/ssh/sshd_config and change the following to allow logging in as root:

PermitRootLogin yes

Restart the SSH server:
service sshd restart

 

Import and Convert the Private Key With PuTTYgen

Display the contents of the private key in your current terminal session:
cat id_ed25519

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDD3ZuZSoppPaV+gSf2g20s2+ctf9gUpuJbd2rXxTmMuAAAAJDECqXExAql
xAAAAAtzc2gtZWQyNTUxOQAAACDD3ZuZSoppPaV+gSf2g20s2+ctf9gUpuJbd2rXxTmMuA
AAAEDeSzrgLFkenCnS0ny8Az2ZrHLUTvvCc3dQ77NV7hgrSMPdm5lKimk9pX6BJ/aDbSzb
5y1/2BSm4lt3atfFOYy4AAAADXJvb3RAaG9zdG5hbWU=
-----END OPENSSH PRIVATE KEY-----

Copy and paste everything, including the BEGIN and END OPENSSH lines, into Notepad or a similar text editor.
NOTE: Do not copy the above example. Instead copy the text of your own key.
Save the private key file temporarily with any desired name.

NOTE: Remember to permanently delete this unconverted private key file afterwards.

Now use PuTTYgen to convert the key to the format that PuTTY uses.
Launch puttygen.exe
In the 'Actions' section click 'Load' and select the unconverted private key file you saved.

You receive the following notification:

[Screenshot: dialog shown when importing a foreign private key into PuTTYgen]

Click OK

PuTTYgen will populate the public key, key fingerprint, key comment, and key passphrase fields.
In the 'Actions' section click 'Save private key' and save the PuTTY private key file to an appropriate location, e.g. C:\putty\private_key.ppk

[Screenshot: PuTTYgen window displayed after importing a foreign private key]


Configure SSH Connection to Use Private Key File for Authentication

Launch PuTTY and configure your connection to use the key:
Connection -> SSH -> Auth -> Private key file for authentication -> click browse -> select your private_key.ppk file.

[Screenshot: PuTTY connection configuration window showing the location of the setting used to configure a private key]


Connect to your SSH server with your private key.

 

Once you confirm you can successfully log in with your key, you can disable password-based authentication on the SSH server.
vi /etc/ssh/sshd_config

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

service sshd restart
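
An added example, not part of the original article: sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` appended below an earlier `yes` has no effect. This script reports the effective global value of the directives changed above, run here on a constructed sample; the function names and the sample are assumptions of this example, and it assumes one config file (no Include) with unquoted values.

```sh
#!/bin/sh
# Added example. Assumes a single config file (no Include) and unquoted values.

# effective_value FILE KEYWORD: print the first global value, or "unset".
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/^[ \t]+/, "") }                  # strip leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        {
            n = split($0, f, /[ \t=]+/)         # "Keyword value" or "Keyword=value"
            key = tolower(f[1])                 # keywords are case-insensitive
            if (key == "match") exit            # what follows is conditional
            if (key == want && n >= 2) { val = f[2]; exit }
        }
        END { print val }
    ' "$1"
}

# audit_password_login_disabled FILE: return 0 only when the three directives
# the article sets are explicitly "no" in the global section.
audit_password_login_disabled() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        v=$(effective_value "$1" "$kw")
        printf '%-32s %s\n' "$kw" "$v"
        [ "$v" = "no" ] || rc=1
    done
    printf '%-32s %s\n' PermitRootLogin "$(effective_value "$1" PermitRootLogin)"
    return "$rc"
}

# Constructed sample: the "no" was appended below an earlier "yes".
sample_config() {
    cat <<'EOF'
PermitRootLogin yes
passwordauthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_password_login_disabled "$tmp" || echo "RESULT: password logins not fully disabled"
rm -f "$tmp"
```

On the server itself, `sshd -T` prints the effective configuration, including defaults, and is the authoritative check.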

Lastly, remember to permanently delete the unconverted private key file that was saved previously.

You can also use the same key created in this article to securely copy files to and from your FreeBSD system. For command line examples using PuTTY's PSCP refer to this article: SCP Secure File Copy Key Authentication with PSCP