This article will describe how to create keys that will be used to establish secure remote connections to your FreeBSD system. The article describes how to create an Ed25519 key pair, authorize the keys for use by FreeBSD's SSH server, and convert the private key for use with PuTTY.
NOTE: The provided examples detail the creation of keys that will be used for connections to a FreeBSD system as the root user.
At the time of writing, putty.exe, puttygen.exe, and pscp.exe are all v0.70.0.0.
Create a Key Pair
Log in to your FreeBSD system as root and create the key pair.
ssh-keygen -t ed25519 -a 100
You will see the following output:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:Qds2SqbI0hQYsls1tJTETya2hntFQXN6U4lOEVJogMk root@hostname
The key's randomart image is:
+--[ED25519 256]--+
|...OO+=+*+.. |
| oEo=+**o+. |
|. .ooO.oB + |
| o.+o.o=.= . |
|. .o+.. S |
| ... |
| . |
| |
| |
+----[SHA256]-----+
The public and private key pair are now created and saved in
id_ed25519 is the private key that is used by client applications to connect to the SSH server. If the file is ever stolen or compromised then a new key pair should be generated and replaced on both server and client.
id_ed25519.pub is the public key. It is the one that the SSH server will use to authenticate client keys against.
Authorize the Public Key
To authorize the public key on the SSH server execute the following:
cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
This creates the file if it doesn't exist and copies the public key to it. If the file already exists then the key is appended to the end of the file.
Edit /etc/ssh/sshd_config and change the following to allow us to log in as root:
Restart the SSH server:
service sshd restart
Import and Convert the Private Key With PuTTYgen
Display the contents of the private key in your current terminal session:
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACDD3ZuZSoppPaV+gSf2g20s2+ctf9gUpuJbd2rXxTmMuAAAAJDECqXExAql xAAAAAtzc2gtZWQyNTUxOQAAACDD3ZuZSoppPaV+gSf2g20s2+ctf9gUpuJbd2rXxTmMuA AAAEDeSzrgLFkenCnS0ny8Az2ZrHLUTvvCc3dQ77NV7hgrSMPdm5lKimk9pX6BJ/aDbSzb 5y1/2BSm4lt3atfFOYy4AAAADXJvb3RAaG9zdG5hbWU= -----END OPENSSH PRIVATE KEY-----
Copy and paste everything, including the BEGIN and END OPENSSH lines, into Notepad or a similar text editor.
NOTE: Do not copy the above example. Instead copy the text of your own key.
Save the private key file temporarily with any desired name.
NOTE: Remember to permanently delete this unconverted private key file afterwards.
Now use PuTTYgen to convert the key to the format that PuTTY uses.
In the 'Actions' section click 'Load' and select the unconverted private key file you saved.
You receive the following notification:
PuTTYgen will populate the public key, key fingerprint, key comment, and key passphrase fields.
In the 'Actions' section click 'Save private key' and save the PuTTY private key file to an appropriate location. e.g. C:\putty\private_key.ppk
Configure SSH Connection to Use Private Key File for Authentication
Launch PuTTY and configure your connection to use the key:
Connection -> SSH -> Auth -> Private key file for authentication -> click browse -> select your private_key.ppk file.
Connect to your SSH server with your private key.
Once you confirm that you can successfully log in with your key, you can disable password-based authentication on the SSH server.
PasswordAuthentication no
ChallengeResponseAuthentication no
service sshd restart
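One way to confirm that both settings above actually take effect, as an added example that is not part of the original article: sshd keeps the first value it reads for a keyword, so a "no" placed below an earlier "yes", or inside a Match block, does not disable password logins globally. The function names and the sample file are constructed for illustration, and accepting KbdInteractiveAuthentication (the newer OpenSSH name for ChallengeResponseAuthentication) goes beyond what the article covers.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Limits: reads one file only (no Include files) and only the global section
# (stops at the first Match block). On a live host, `sshd -T` prints the
# effective configuration.

# Print the global value of the first line whose keyword matches $1 (a
# lower-case "a|b" list of aliases) in file $2, or "unset". sshd keeps the
# FIRST value it reads for a keyword, and keywords are case-insensitive.
sshd_value() {
    awk -v want="$1" '
        /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }            # conditional blocks are not global
        key ~ ("^(" want ")$") { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Return 0 only when both settings from the article are explicitly "no".
# KbdInteractiveAuthentication is the newer OpenSSH name for
# ChallengeResponseAuthentication, so either spelling is accepted.
password_login_disabled() {
    rc=0
    for kw in 'passwordauthentication' \
              'challengeresponseauthentication|kbdinteractiveauthentication'; do
        val=$(sshd_value "$kw" "$1")
        if [ "$val" != "no" ]; then
            echo "REVIEW: $kw is '$val' in $1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the first PasswordAuthentication line wins, so the
# later "no" has no effect and the check must fail.
sample=$(mktemp "${TMPDIR:-/tmp}/sshd_sample.XXXXXX")
printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
    'ChallengeResponseAuthentication no' 'PasswordAuthentication no' > "$sample"
if password_login_disabled "$sample"; then
    echo "password logins are disabled"
else
    echo "password logins are still possible"
fi
rm -f "$sample"
```

Run it against a copy of /etc/ssh/sshd_config while your key-authenticated session is still open, so a mistake does not lock you out.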
Lastly, remember to permanently delete the unconverted private key file that was saved previously.
You can also use the same key created in this article to securely copy files to and from your FreeBSD system. For command line examples using PuTTY's PSCP refer to this article: SCP Secure File Copy Key Authentication with PSCP