Passwordless access with private keys on Windows

It is possible to configure common Windows applications such as PuTTY and WinSCP to access our systems without entering a password at every login. This method uses passphrase-protected public/private key pairs, a cryptographic system in which the public key is distributed to the remote systems that require secure access. Remote systems authenticate users by encrypting a message with the public key; that message can only be decrypted with the private key held by the user. The strength of this system relies on keeping the private key private, using it only on systems accessible solely to the user (e.g. private laptops and desktops).

Generate Public/Private key pair

To generate a public/private key pair we can use PuTTYgen, an application commonly installed as part of PuTTY.

To create a new key pair, select the type of key to generate at the bottom of the screen; ED25519 is the type of key we recommend. Then click “Generate” and move the mouse around within the window.

Setting up a passphrase

At this point it is highly recommended to add a passphrase to your private key. This adds an extra layer of protection in case the file is compromised: without a passphrase, an attacker who gains access to your private key also gains access to the remote server.

Passphrases are typically longer than passwords. An example of a passphrase would be: I,L1k3,C0l0rl355,R41nb0w5!?

Save the private key 

Save at least the private key by clicking Save private key. At this point you can also copy or save the public key by clicking Save public key (but bear in mind that PuTTY saves this file in a format that is not compatible with SCW systems). You can always regenerate the public key in a compatible format by loading the private key file (by clicking Load).

Not writing your passphrase every time

The main difference between passwords and passphrases is that the former must be entered every time you log in to the system, while a passphrase needs to be entered only once per session, providing a compromise between improved security and convenience. To do this you can use Windows’ SSH authentication agent Pageant (which is typically installed with PuTTY). Double-click on your saved private key file and enter your passphrase in the newly opened window. If successful, Pageant will put an icon of a computer wearing a hat into the system tray.

Now you can use your private key with PuTTY without entering your passphrase while Pageant is running (note that closing the Pageant window does not stop the application).

Using more than one private key

Although it is possible to use a single private key for multiple servers (e.g. Hawk, Sunbird, GitHub), this is not recommended, as it increases the number of targets put at risk if the key becomes compromised. A better practice is to use a different private key for each remote server. Pageant can be used to manage different private keys by opening the application: right-click the Pageant icon in the system tray (or search for Pageant in Windows’ Start menu) and select ‘View Keys’ from the menu that appears. The Pageant main window will open.

In this window you can add additional private keys for different servers; if these are passphrase protected, Pageant will prompt you for the passphrase.

Installing the public key as an authorized key on SCW systems

The public key needs to be added to the authorized keys file on the remote server. WinSCP >= 5.14 can add the public key to this file automatically (you must first log in using your password): use the Session -> Install Public Key into Server command in the main window, or the Tools -> Install Public Key into Server command on the SSH -> Authentication page of the Advanced Site Settings dialog.

If you have an older version of WinSCP or prefer to do it manually, log in to the system and edit the file /home/your_username/.ssh/authorized_keys in your home directory. This can be done on the command line with your preferred text editor (if using WinSCP, make sure to enable “Show hidden files” in Options -> Preferences -> Panels so that the .ssh folder is shown).
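The manual route above, as an added example that is not part of this guide: a POSIX shell script for the Linux side that turns the file PuTTYgen writes with “Save public key” (the format noted earlier as not compatible with SCW systems) into the one-line OpenSSH form and appends it to authorized_keys with the permissions sshd requires. The sample key file, its key bytes and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of a PuTTYgen "Save public key" file (RFC 4716 layout).
# The base64 body is the SSH wire encoding: 4-byte length, "ssh-ed25519",
# 4-byte length, then 32 key bytes (made-up bytes 0x01..0x20 here).
PUTTY_PUB='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "eddsa-key-20240101"
AAAAC3NzaC1lZDI1NTE5AAAAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g
---- END SSH2 PUBLIC KEY ----'

# Read a PuTTY-format public key on stdin; print one OpenSSH authorized_keys line.
putty_to_openssh() {
    input=$(cat)
    # Join the base64 body: every line that is neither a ---- marker nor a "Header: value".
    # tr also drops CR characters left by Windows line endings.
    blob=$(printf '%s\n' "$input" | grep -v -e '^----' -e '^[A-Za-z-]*: ' | tr -d '\n\r ')
    comment=$(printf '%s\n' "$input" | sed -n 's/^Comment: *"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | head -n 1)
    # The key type is the first length-prefixed string of the decoded blob:
    # read the 4-byte big-endian length, then that many bytes.
    set -- $(printf '%s' "$blob" | base64 -d | od -An -tu1 -N4)
    [ "$#" -eq 4 ] || return 1
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    ktype=$(printf '%s' "$blob" | base64 -d | dd bs=1 skip=4 count="$len" 2>/dev/null)
    # Only accept key types we expect; anything else is malformed or unwanted (e.g. ssh-dss).
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported or malformed key blob" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$ktype" "$blob" "$comment"
}

# Append an authorized_keys line (stdin) to the file given as $1 (default
# ~/.ssh/authorized_keys), creating ~/.ssh with the permissions sshd insists on
# and skipping a key blob that is already present.
install_authorized_key() {
    akf=${1:-"$HOME/.ssh/authorized_keys"}
    line=$(cat)
    blob=$(printf '%s\n' "$line" | cut -d' ' -f2)
    umask 077
    mkdir -p "$(dirname "$akf")" && chmod 700 "$(dirname "$akf")"
    touch "$akf" && chmod 600 "$akf"
    grep -qF -- "$blob" "$akf" && return 0   # same key already installed
    printf '%s\n' "$line" >> "$akf"
}

# Usage on the remote host after uploading the PuTTYgen public key file:
#   putty_to_openssh < my-key.pub.txt | install_authorized_key
```

On hosts where OpenSSH is installed, `ssh-keygen -i -f my-key.pub.txt` performs the same format conversion as putty_to_openssh.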

Enable access with private key from PuTTY

Open PuTTY and navigate to Connection -> SSH -> Auth in the left-hand pane. Browse for the private key file generated previously. Go back to Session, amend your details if needed, and click Open. If the private key is passphrase protected (recommended) and is already loaded in Pageant, you should be able to access the system without entering your password; otherwise you will be prompted for the passphrase.

Enable access with private keys from WinSCP

Open WinSCP. In the login window click Edit, then Advanced, navigate to SSH -> Authentication, click the three dots and locate the private key file. Click OK and Save. As with PuTTY, if the private key is passphrase protected (recommended) and is already loaded in Pageant, you should be able to access the system without entering your password; otherwise you will be prompted for the passphrase.