Pageant - help with Windows SSH pass phrase

This page is under development at present; please see the official PuTTY documentation.

Windows users who use PuTTY (as VPAC recommends) will find Pageant a very useful tool if they frequently connect to VPAC. Users of Matlab will find it absolutely essential!

First you will need to download PuTTY, PSCP, Plink, PuTTYgen and Pageant. These are all available as MS-Windows executable files.

PuTTY is an SSH client that is recommended for all VPAC cluster users who also use an MS-Windows client operating system. PSCP is a command-line secure copy client, PuTTYgen is used for creating SSH keys, and Plink is a command-line interface that brings a lot of these applications together.

This system is based around you having two files, your private and public keys. As the names indicate, the private key must be kept very private and the public key must be distributed to wherever you may want to use it. If you don't already have these keys, use the PuTTY tool PuTTYgen to create a set. If you have an existing set, use it, and don't generate a new pair unless you believe that the existing set is compromised or you have forgotten the pass phrase. Your SSH private key MUST be protected with a pass phrase, typically a combination of 10 or more letters, numbers and spaces. It's possible to make one with a "null" pass phrase, but that is extremely dangerous, very much against VPAC rules and just plain silly!

With PuTTY, PSCP and Plink installed, the next step is to generate public and private keys for SSH authentication. The tool for this is PuTTYgen. Start this program and generate a 1024 bit RSA key for use with the SSH-2 protocol. Enter a comment if you have more than one key and you use them for different purposes. Include a strong passphrase and store the public and private keys. Export the key to OpenSSH format (select from the "Conversions" menu).

Connect to using PuTTY with the SSH protocol, go to the .ssh directory and open the file authorized_keys with an editor. Add your public key to the authorized_keys file as a single line. The emphasis is on adding the key: do not remove the existing VPAC SSH key!

Ensure that your home directory, your .ssh directory, and any other files involved (such as authorized_keys) are not group-writable or world-writable. You can typically do this by using a command such as:

chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
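
The two steps above (add the public key as a single line without disturbing existing entries, then make sure nothing is group- or world-writable) can be scripted on the cluster side. This is an added example, not part of the original page; the function names add_pubkey and check_not_writable are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not a VPAC or PuTTY tool.

# add_pubkey KEYFILE [SSH_DIR]
# Append the one-line OpenSSH public key in KEYFILE to authorized_keys,
# keeping every existing entry, then apply the page's chmod go-w.
add_pubkey() {
    keyfile=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys
    nl='
'
    # Strip Windows CRs and blank lines; fail if nothing is left.
    key=$(tr -d '\r' < "$keyfile" | grep .) || return 1
    case $key in
        # A multi-line file (e.g. the "---- BEGIN SSH2 PUBLIC KEY ----" format)
        # does not work as an authorized_keys entry.
        *"$nl"*) echo "expected a single-line OpenSSH public key" >&2; return 1 ;;
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$sshdir" && touch "$auth" || return 1
    # Append (>>), never overwrite (>), and skip keys that are already listed.
    if ! grep -qxF "$key" "$auth"; then
        # If the last existing entry lacks a newline, add one so lines do not merge.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod go-w "$sshdir" "$auth"
}

# check_not_writable PATH...
# Return non-zero if any PATH has a group or world write bit set.
check_not_writable() {
    rc=0
    for p in "$@"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world-writable: $p" >&2
            rc=1
        fi
    done
    return $rc
}
```

After adding a key, run check_not_writable "$HOME" "$HOME/.ssh" "$HOME/.ssh/authorized_keys" to confirm the permissions described above.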

Having your private key protected with a pass phrase can be a bit tedious, requiring you, as it does, to type it in each time you make a connection. If you are making lots of connections between a number of machines, or using an application like Matlab that wants to make those connections on your behalf, you need to use Pageant to remember your pass phrase for you. When you start up a Windows session, you start Pageant and enter the pass phrase, and Pageant will provide it to PuTTY-based SSH connections.

Note that using private/public keys is generally more secure than the username/password approach. However, it has some serious security implications, especially when we add Pageant to the equation!

  • Never use Pageant or move your private key on to a desktop computer that is not for your exclusive use.
  • Think very carefully before leaving a machine running Pageant unattended. Someone could walk up to it and use your credentials.

When you run Pageant, it will put an icon of a computer wearing a hat into the System tray. Click the Pageant icon with the right mouse button and choose the 'View Keys' item from the menu. Select the 'Add Key' option and select the private key generated by PuTTYgen; enter the passphrase when requested.
