PuTTY Authentication Guide

Master password and SSH key authentication in PuTTY

Introduction: Authentication Options in PuTTY

PuTTY supports multiple authentication methods to connect to remote servers securely. Understanding these options helps you choose the right balance between convenience and security.

Available Authentication Methods:

  • Password Authentication: Traditional username/password login
  • Public Key Authentication: SSH key pairs (most secure)
  • Keyboard-Interactive: Challenge-response authentication
  • GSSAPI: Kerberos-based authentication (enterprise)

Method 1: Using Passwords

Basic Password Authentication

  1. Launch PuTTY and Configure:
    • Enter hostname or IP address
    • Set port (default: 22)
    • Connection type: SSH
  2. Optional - Set Auto-login Username:
    • Navigate to Connection → Data
    • Enter your username in "Auto-login username"
    • This skips the "login as:" prompt
  3. Connect:
    • Click "Open"
    • Enter username (if not pre-configured)
    • Enter password when prompted
    • Password characters won't be displayed (security feature)

Security Note: Passwords can be vulnerable to brute-force attacks. Use strong passwords (12+ characters, mixed case, numbers, symbols) or preferably switch to SSH key authentication.

Password Best Practices

  • Length: Minimum 12 characters, ideally 16+
  • Complexity: Mix uppercase, lowercase, numbers, and symbols
  • Uniqueness: Don't reuse passwords across servers
  • Password Manager: Use tools like KeePass, 1Password, or Bitwarden
  • Regular Changes: Update passwords periodically
  • Two-Factor: Enable 2FA on servers that support it

Saving Passwords in PuTTY

⚠️ Warning: PuTTY does NOT support saving passwords in session configurations. This is by design for security reasons. If a tool claims to save passwords in PuTTY, it may be unsafe. Use SSH keys instead for password-free authentication.

Method 2: Using Private Keys (Recommended)

Why SSH Keys Are Better

  • More Secure: a 4096-bit RSA or Ed25519 key has far more entropy than any password a person can remember
  • Resistant to Brute Force: Virtually impossible to guess
  • Convenient: No need to type password each time
  • Automation-Friendly: Enable scripts and automated deployments
  • Auditable: Track which keys access which servers
  • Revocable: Easily remove access by deleting public key

Step 1: Generate SSH Key Pair

  1. Launch PuTTYgen:
    • Download from the same page as PuTTY
    • Run puttygen.exe
  2. Select Key Type:
    • Recommended: EdDSA with curve Ed25519
    • Alternative: RSA with 4096 bits
    • Avoid DSA (outdated and insecure)
  3. Generate the Key:
    • Click "Generate"
    • Move mouse randomly for entropy
    • Wait for key generation to complete
  4. Add Passphrase (Highly Recommended):
    • Enter a strong passphrase
    • Protects your private key if stolen
    • Re-enter to confirm
  5. Save Keys:
    • Click "Save private key" → Save as mykey.ppk
    • Click "Save public key" → Save as mykey-public.txt
    • Store in secure location (e.g., C:\Users\YourName\.ssh\)

Step 2: Install Public Key on Server

Method A: Manual Installation

  1. Connect to server using password authentication
  2. Create SSH directory (if it doesn't exist):
     $ mkdir -p ~/.ssh
     $ chmod 700 ~/.ssh
  3. Edit authorized_keys file:
     $ nano ~/.ssh/authorized_keys
  4. Paste your public key as a single line, copied from the text box labelled "Public key for pasting into OpenSSH authorized_keys file" in PuTTYgen (the mykey-public.txt file written by "Save public key" uses a different multi-line format that sshd does not accept in authorized_keys)
  5. Save and exit (Ctrl+O, Enter, Ctrl+X)
  6. Set correct permissions:
     $ chmod 600 ~/.ssh/authorized_keys
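The installation steps above, as an added example that is not part of the original guide: it creates the directory and file with the required modes, appends the key only if it is not already present, and also accepts the multi-line format that PuTTYgen's "Save public key" writes, converting it to the one-line form sshd expects. The sample key below is constructed (zero bytes) and is not a real key.

```python
import base64
import struct
from pathlib import Path

def rfc4716_to_openssh(text: str) -> str:
    """Turn a PuTTYgen 'Save public key' file (RFC 4716: BEGIN/END lines, Comment:
    header, wrapped base64) into the one-line form authorized_keys requires."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines[0].startswith("---- BEGIN"):
        return " ".join(lines[0].split())          # already one-line OpenSSH form
    comment, body = "converted-key", []
    for ln in lines[1:]:
        if ln.startswith("---- END"):
            break
        if ":" in ln:                              # header line; base64 never has ':'
            if ln.startswith("Comment:"):
                comment = ln.split(":", 1)[1].strip().strip('"')
            continue
        body.append(ln)
    blob = base64.b64decode("".join(body))
    (alg_len,) = struct.unpack(">I", blob[:4])     # blob starts with the algorithm name
    algorithm = blob[4:4 + alg_len].decode("ascii")
    return f"{algorithm} {base64.b64encode(blob).decode('ascii')} {comment}"

def install_authorized_key(ssh_dir: Path, pubkey_text: str) -> bool:
    """Create ssh_dir (0700) and authorized_keys (0600) as needed and append the
    key unless its blob is already present. Returns True if the key was added."""
    key_line = rfc4716_to_openssh(pubkey_text)
    blob = key_line.split()[1]
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    ssh_dir.chmod(0o700)                           # mkdir honours umask; force 700
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text().splitlines() if ak.exists() else []
    added = not any(blob in ln for ln in existing if not ln.startswith("#"))
    if added:
        with ak.open("a") as f:
            f.write(key_line + "\n")
    ak.chmod(0o600)
    return added

# Constructed sample, NOT a real key: ssh-ed25519 with 32 zero bytes, wrapped as
# PuTTYgen's "Save public key" writes mykey-public.txt.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
_b64 = base64.b64encode(_blob).decode("ascii")
SAMPLE_PUTTYGEN_PUBLIC = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    'Comment: "John-Laptop-2025"\n'
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n---- END SSH2 PUBLIC KEY ----\n"
)
```

Run it on the server as the target user with `install_authorized_key(Path.home() / ".ssh", open("mykey-public.txt").read())`; calling it twice with the same key leaves a single line in the file.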

Step 3: Configure PuTTY to Use Private Key

  1. Open PuTTY Configuration
  2. Navigate to Auth Settings:
    • Left panel: Connection → SSH → Auth → Credentials
  3. Select Private Key:
    • Click "Browse" next to "Private key file for authentication"
    • Select your .ppk file
  4. Save Session:
    • Return to Session category
    • Enter session name
    • Click "Save"
  5. Connect:
    • Click "Open"
    • Enter passphrase (if you set one)
    • You're now authenticated with your SSH key!

PuTTYgen Integration

Key Management Tips

  • One key per device: Generate separate keys for laptop, desktop, etc.
  • Descriptive comments: Add comments in PuTTYgen (e.g., "John-Laptop-2025")
  • Backup keys: Store encrypted backups in secure cloud storage
  • Regular rotation: Generate new keys annually
  • Revoke old keys: Remove from servers when no longer needed

Converting Key Formats

OpenSSH to PuTTY (.ppk):

  1. Open PuTTYgen
  2. Conversions → Import key
  3. Select OpenSSH private key (e.g., id_rsa)
  4. Enter passphrase if required
  5. Click "Save private key" to save as .ppk

PuTTY to OpenSSH:

  1. Open PuTTYgen
  2. Click "Load" and select .ppk file
  3. Conversions → Export OpenSSH key
  4. Save as id_rsa (no extension)

Using Pageant (SSH Agent)

Pageant caches your decrypted private key in memory, so you only enter the passphrase once:

  1. Run pageant.exe
  2. Right-click Pageant icon in system tray
  3. Select "Add Key"
  4. Choose your .ppk file
  5. Enter passphrase
  6. Key is now loaded - no need to configure in PuTTY
  7. All PuTTY sessions will automatically use loaded keys

Security Tips

Protecting Private Keys

  • NEVER share your private key
  • ❌ Don't store private keys in cloud storage unencrypted
  • ❌ Don't email or message private keys
  • ❌ Don't commit private keys to Git repositories
  • ❌ Don't use keys without passphrases on shared computers

Server-Side Security

Configure SSH server for enhanced security. Before disabling password logins, confirm from a second PuTTY window that key authentication already works, and keep your current session open until the restart succeeds, so a mistake can't lock you out:

# Edit SSH config
$ sudo nano /etc/ssh/sshd_config

# Recommended settings:
PermitRootLogin no                    # Disable root login
PasswordAuthentication no             # Disable password auth (keys only)
PubkeyAuthentication yes              # Enable key auth
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3                        # Limit login attempts
ClientAliveInterval 300               # Probe clients every 5 minutes ...
ClientAliveCountMax 2                 # ... and drop them after 2 missed probes

# Check the syntax, then restart SSH service (the unit is named "ssh" on Debian/Ubuntu)
$ sudo sshd -t
$ sudo systemctl restart sshd

Note: sshd uses the first value it finds for each directive, and recent distributions put an "Include /etc/ssh/sshd_config.d/*.conf" line at the top of sshd_config, so a setting in one of those files takes precedence over anything you add further down. "sudo sshd -T | grep -i passwordauthentication" prints the value actually in effect.
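An added example (not from the guide) that checks a copy of sshd_config against the settings recommended above, applying sshd's own rules: keyword matching is case-insensitive, the first occurrence of a directive wins, and lines after a Match block are conditional. The weak configuration below is constructed to show the common mistake of appending hardened lines below an earlier setting that sshd has already accepted.

```python
import re

# Directive -> (value recommended above, sshd's built-in default when absent).
POLICY = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
    "maxauthtries": ("3", "6"),
    "clientaliveinterval": ("300", "0"),
    "clientalivecountmax": ("2", "3"),
}
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")   # 'Key value' or 'Key=value'

def effective_settings(config_text: str) -> dict:
    """Global values as sshd applies them: keywords are case-insensitive, the FIRST
    occurrence wins, and lines after the first Match block apply only conditionally.
    Include directives are not expanded here; 'sshd -T' shows the resolved config."""
    settings = {}
    for raw in config_text.splitlines():
        m = _DIRECTIVE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)          # keep the first value only
    return settings

def audit_sshd_config(config_text: str) -> list:
    """One finding per recommended directive whose effective value differs."""
    eff = effective_settings(config_text)
    findings = []
    for key, (want, default) in POLICY.items():
        have = eff.get(key, default)
        if have.lower() != want:
            findings.append(f"{key}: effective '{have}', recommended '{want}'")
    return findings

# Constructed example of the common trap: hardened lines appended at the end of a
# file that already sets the directive earlier, so the earlier (weak) value wins.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# appended later by an admin; ignored because the directive was already set
PasswordAuthentication no
PermitRootLogin no
"""
```

`audit_sshd_config(open("/etc/ssh/sshd_config").read())` returns an empty list only when every recommended directive is in effect globally.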

Multi-Factor Authentication

For critical servers, combine SSH keys with additional factors:

  • Google Authenticator: Time-based OTP
  • YubiKey: Hardware security key
  • Duo Security: Push notifications

Troubleshooting Authentication Issues

Server Refused Our Key

Possible causes:

  • Public key not in ~/.ssh/authorized_keys
  • Wrong file permissions
  • Wrong private key selected
  • Server doesn't allow public key authentication

Solutions:

  1. Verify public key is correctly installed on server
  2. Check permissions: ~/.ssh = 700, authorized_keys = 600, and make sure your home directory is not group- or world-writable (sshd's StrictModes rejects the key otherwise)
  3. Check server logs: sudo tail -f /var/log/auth.log (or sudo journalctl -u ssh -f / -u sshd -f on systems that log only to the journal)
  4. Verify PubkeyAuthentication is enabled in sshd_config
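An added diagnostic (not part of the guide) for the "Server refused our key" case: run on the server as the affected user, it checks the three paths that sshd's StrictModes inspects for group/world-writable permissions and confirms that the key line from PuTTYgen's text box is actually present in authorized_keys.

```python
import stat
from pathlib import Path

# With StrictModes (sshd's default) a key is silently refused if the home
# directory, ~/.ssh or authorized_keys is writable by group or others.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH

def diagnose_refused_key(home: Path, pubkey_line: str) -> list:
    """Explain why sshd may answer 'Server refused our key' for one account.
    pubkey_line is the one-line key from PuTTYgen's text box; an empty list
    means the server-side file layout looks correct."""
    findings = []
    ssh_dir = home / ".ssh"
    ak = ssh_dir / "authorized_keys"
    for path, what in ((home, "home directory"), (ssh_dir, "~/.ssh"), (ak, "authorized_keys")):
        if not path.exists():
            findings.append(f"{what} is missing: {path}")
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & UNSAFE_BITS:
            findings.append(f"{what} is group/world-writable (mode {mode:o}); "
                            "use 700 for directories and 600 for authorized_keys")
    if ak.exists():
        blob = pubkey_line.split()[1]            # the base64 field identifies the key
        lines = [ln for ln in ak.read_text().splitlines() if ln.strip() and not ln.startswith("#")]
        if not any(blob in ln for ln in lines):
            findings.append("public key not found in authorized_keys: re-paste the single "
                            "line from PuTTYgen's text box (not the saved 'SSH2 PUBLIC KEY' file)")
    return findings
```

Typical use is `diagnose_refused_key(Path.home(), "ssh-ed25519 AAAA... John-Laptop-2025")`, printing each finding.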

Access Denied

Common causes:

  • Wrong username
  • Wrong password
  • Account locked
  • IP blocked by fail2ban
  • Too many authentication attempts

Passphrase Prompt Every Time

If you're tired of entering your passphrase repeatedly, use Pageant to cache your key.

Best Practices Summary

  • ✅ Use SSH keys instead of passwords
  • ✅ Always protect private keys with strong passphrases
  • ✅ Use ED25519 or 4096-bit RSA keys
  • ✅ Generate separate keys for different devices
  • ✅ Use Pageant for convenience
  • ✅ Backup keys securely
  • ✅ Rotate keys annually
  • ✅ Disable password authentication on servers
  • ✅ Set proper file permissions on server
  • ✅ Remove old/unused keys from servers
  • ❌ Never share private keys
  • ❌ Don't skip passphrases on important keys
  • ❌ Don't use the same key everywhere
