I happen to use public key authentication on several servers I manage. In
fact, I turn off password authentication, so that even with the right password,
you simply cannot log in.
There are many tools that support public key authentication, but because the
concepts are a little foreign to most, getting things configured can be a bit
of a challenge.
This video walks through the steps of configuring a popular secure file
transfer client, WinSCP, to use public key authentication.
Audio Transcript
Hi everyone, this is Leo Notenboom with another video tip from askleo.info:
configuring WinSCP to use Public Key Authentication.
We start by running the utility PuttyGen, a separate download from
Putty.nl.
Click Generate and move the mouse around; randomness is an important part of
cryptography, and nothing's more random than how we move the mouse.
Enter a key passphrase. This locks your private key and is not related in
any way to the server you're about to connect to.
Now, save the private key to a location on your machine; we'll need it
again in just a moment. I'll call mine "mykey".
Select the public key that's at the top of the PuttyGen window, copy it, and
now paste it into an email message to your system administrator. Your admin
will install it on the server you'll want to connect to.
Once installed, it's time to run WinSCP.
For your connection, enter the name of the server you want to connect to and
your user name on that server. Note that you do not specify a password.
Instead, you'll enter the location of the private key file we saved from
PuttyGen.
Now we're ready to log in.
The first time you connect to the server you'll get a big scary warning
message. As long as this is the first time you've connected, you can safely
ignore it, and click "Yes" to connect anyway.
Now you'll need to enter the passphrase you created to unlock your private
key. Click OK, and you're connected.
See the notes accompanying this video for links to all the tools involved,
as well as a discussion of the passphrase: why it's optional, and when it's
safe not to have one.
This video is a presentation of askleo.info, a free online technical
question and answer service. Hundreds of questions and answers are online and
ready to help solve your computer problems.
The "passphrase" placed on a private key causes many people confusion. To
confuse things even more, it's optional!
Your private key is just some special data kept in a file on your computer.
The "special" part is that it, and only it, matches the public key you've given
to the system administrator. "Public Key Authentication" is just you proving
that you have the private key that matches the public key. If you have the
private key, and it's the only private key that could match the public key,
then you must be who you say you are.
So what if someone steals your computer, or otherwise gets a copy of your
private key file?
Unless the key file is protected, much like the key to your car or house,
anyone who has your private key can authenticate as if they were you.
There are two forms of protection:
- Encrypt the private key with a passphrase. As in the video example, when you
  create the private key, you place a passphrase on it. In order to use the
  private key later, you have to provide that passphrase again. This has
  nothing to do with the server you're connecting to; it's simply your
  private key, protected by a passphrase. (We use "passphrase" here instead of
  "password", because a lengthy phrase can be used rather than just a word.
  Longer phrases are better security, but perhaps harder to remember.)
- Keep your private key file secure. If you can keep that file
  secure so that it cannot be lost or stolen, then you can create your private
  key with no passphrase at all. Merely possessing it is enough to log in. This
  happens to be what I do, because I keep my private key files, along with other
  sensitive data, on an encrypted disk drive.
The nice thing about not having a passphrase on your private key is that
you need to type nothing to log in; it's often a one-double-click operation. And
as long as your private key is secure, it's fast, convenient and very safe.
Thanks for providing this article.
I have a different problem.
I have a WinSCP commands batch script to transfer files from a remote server to local.
Whenever there is a host key change it is exiting the script execution and files are not transferred.
How do I use the command line to get the host key automatically into the winscp.ini file when it is changed?
How do I configure StrictHostKeyChecking=no in winscp.ini?
Thank you.