-\versionid $Id: pubkey.but,v 1.15 2002/05/15 20:07:11 simon Exp $
+\versionid $Id: pubkey.but,v 1.22 2004/05/06 11:27:58 simon Exp $
\C{pubkey} Using public keys for SSH authentication
agent}, a separate program which holds decrypted private keys and
generates signatures on request. PuTTY's authentication agent is
called Pageant. When you begin a Windows session, you start Pageant
-and load your public key into it (typing your passphrase once). For
+and load your private key into it (typing your passphrase once). For
the rest of your session, you can start PuTTY any number of times
and Pageant will automatically generate signatures without you
having to do anything. When you close your Windows session, Pageant
PuTTYgen is a key generator. It generates pairs of public and private
keys to be used with PuTTY, PSCP, and Plink, as well as the PuTTY
authentication agent, Pageant (see \k{pageant}). PuTTYgen generates
-RSA keys.
+RSA and DSA keys.
When you run PuTTYgen you will see a window where you have two
choices: \q{Generate}, to generate a new public/private key pair, or
\cfg{winhelp-topic}{puttygen.keytype}
-Before generating a public key using PuTTYgen, you need to select
+Before generating a key pair using PuTTYgen, you need to select
which type of key you need. PuTTYgen currently supports three types
of key:
Currently 1024 bits should be sufficient for most purposes.
+Note that an RSA key is generated by finding two primes of half the
+length requested, and then multiplying them together. For example,
+if you ask PuTTYgen for a 1024-bit RSA key, it will create two
+512-bit primes and multiply them. The result of this multiplication
+might be 1024 bits long, or it might be only 1023; so you may not
+get the exact length of key you asked for. This is perfectly normal,
+and you do not need to worry. The lengths should only ever differ by
+one, and there is no perceptible drop in security as a result.
+
+DSA keys are not created by multiplying primes together, so they
+should always be exactly the length you asked for.
+
\S{puttygen-generate} The \q{Generate} button
\cfg{winhelp-topic}{puttygen.generate}
box asking you where to save the file. Select a directory, type in a
file name, and press \q{Save}.
-This file is the one you will need to tell PuTTY to use for
-authentication (see \k{config-ssh-privkey}) or tell Pageant to load
-(see \k{pageant-mainwin-addkey}).
+This file is in PuTTY's native format (\c{*.PPK}); it is the one you
+will need to tell PuTTY to use for authentication (see
+\k{config-ssh-privkey}) or tell Pageant to load (see
+\k{pageant-mainwin-addkey}).
\S{puttygen-savepub} Saving your public key to a disk file
for a passphrase (if necessary) and will then display the key
details in the same way as if it had just generated the key.
-PuTTYgen can also load SSH2 private keys in OpenSSH's format and
-\cw{ssh.com}'s format. Once you have loaded one of these key types,
-you can then save it back out as a PuTTY-format key so that you can
-use it with PuTTY. The passphrase will be unchanged by this process.
-You may want to change the key comment before you save the key,
-since OpenSSH's SSH2 key format contains no space for a comment and
-\cw{ssh.com}'s default comment format is long and verbose.
+If you use the Load command to load a foreign key format, it will
+work, but you will see a message box warning you that the key you
+have loaded is not a PuTTY native key. See \k{puttygen-conversions}
+for information about importing foreign key formats.
-\S{puttygen-export} Exporting your private key in an alternative format
+\S{puttygen-conversions} Dealing with private keys in other formats
-\cfg{winhelp-topic}{puttygen.export}
+\cfg{winhelp-topic}{puttygen.conversions}
Most SSH1 clients use a standard format for storing private keys on
disk. PuTTY uses this format as well; so if you have generated an
So a key generated with one client cannot immediately be used with
another.
-PuTTYgen has the ability to export private keys in OpenSSH format,
-or in \cw{ssh.com} format. To do so, select an option from the
-\q{Export} menu at the top of the PuTTYgen window. Exporting a key
-works exactly like saving it (see \k{puttygen-savepriv}) - you need
-to have typed your passphrase in beforehand, and you will be warned
-if you are about to save a key without a passphrase.
-
-Note that the export options are only available if you have
-generated an SSH2 key.
+Using the \q{Import} command from the \q{Conversions} menu, PuTTYgen
+can load SSH2 private keys in OpenSSH's format and \cw{ssh.com}'s
+format. Once you have loaded one of these key types, you can then
+save it back out as a PuTTY-format key (\c{*.PPK}) so that you can use
+it with the PuTTY suite. The passphrase will be unchanged by this
+process (unless you deliberately change it). You may want to change
+the key comment before you save the key, since OpenSSH's SSH2 key
+format contains no space for a comment and \cw{ssh.com}'s default
+comment format is long and verbose.
+
+PuTTYgen can also export private keys in OpenSSH format and in
+\cw{ssh.com} format. To do so, select one of the \q{Export} options
+from the \q{Conversions} menu. Exporting a key works exactly like
+saving it (see \k{puttygen-savepriv}) - you need to have typed your
+passphrase in beforehand, and you will be warned if you are about to
+save a key without a passphrase.
+
+Note that since only SSH2 keys come in different formats, the export
+options are not available if you have generated an SSH1 key.
\H{pubkey-gettingready} Getting ready for public key authentication
You may also need to ensure that your home directory, your \c{.ssh}
directory, and any other files involved (such as
\c{authorized_keys}, \c{authorized_keys2} or \c{authorization}) are
-not group-writable. You can typically do this by using a command
-such as
+not group-writable or world-writable. You can typically do this by
+using a command such as
-\c chmod g-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
+\c chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
Your server should now be configured to accept authentication using
your private key. Now you need to configure PuTTY to \e{attempt}
-authentication using your private key. You can do this in either of
-two ways:
+authentication using your private key. You can do this in any of
+three ways:
\b Select the private key in PuTTY's configuration. See
\k{config-ssh-privkey} for details.
+\b Specify the key file on the command line with the \c{-i} option.
+See \k{using-cmdline-identity} for details.
+
\b Load the private key into Pageant (see \k{pageant}). In this case
PuTTY will automatically try to use it for authentication if it can.
projects / u / mdw / putty / blobdiff