Differences

This shows you the differences between the selected revisions of the page.

Previous revision (2021-05-20): list anchor (martin)

Current revision (2021-05-20): 5.18.5 SSH private key tools (PuTTYgen and Pageant) upgraded to PuTTY 0.75 (Pageant now supports loading a key still encrypted, and decrypting it later by prompting for the passphrase on first use + Upgraded default SSH key fingerprint format to OpenSSH-style SHA-256) (martin)
Line 12: Line 12:
Before you run Pageant, you need to have a [[public_key#private|private key]] in ''.ppk'' format. Before you run Pageant, you need to have a [[public_key#private|private key]] in ''.ppk'' format.
-When you run Pageant, it will put an icon of a computer wearing a hat into the System tray. It will then sit and do nothing, until you load a private key into it.+When you run Pageant, it will put an icon of a computer wearing a hat into the System tray. It will then sit and do nothing, until you load a private key into it. (You may need to use Windows' //Show hidden icons// arrow to see the Pageant icon.)
&screenshotpict(pageant_tray) &screenshotpict(pageant_tray)
Line 29: Line 29:
When you want to shut down Pageant, click the right button on the Pageant icon in the System tray, and select //Exit// from the menu. Closing the Pageant main window does not shut down Pageant. When you want to shut down Pageant, click the right button on the Pageant icon in the System tray, and select //Exit// from the menu. Closing the Pageant main window does not shut down Pageant.
 +
 +If you want Pageant to stay running but forget all the keys it has acquired, select //Remove All Keys// from the System tray menu. //This feature is available only in Pageant 0.75 included in the latest beta release.// &beta
===== The Pageant Main Window ===== ===== The Pageant Main Window =====
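Review bot: The new //Remove All Keys// paragraph should say what it does to keys that were added encrypted, because the same System tray menu gains a //Re-encrypt All Keys// item later in this revision and the two are easy to confuse. The later section already spells out that Re-encrypt All Keys "does not discard cleartext keys that were not previously added encrypted"; a matching sentence here ("Remove All Keys discards every loaded key, whether it was added encrypted or not, and Pageant offers nothing to clients until keys are loaded again") would make the difference explicit and matches the earlier statement that Pageant "will then sit and do nothing, until you load a private key into it".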
Line 40: Line 42:
<code> <code>
-ssh-rsa 2048 22:d6:69:c9:22:51:ac:cb:b9:15:67:47:f7:65:6d:d7 k1 +ssh-ed25519  SHA256:TddlQk20DVs4LRcAsIfDN9pInKpY06D+h4kSHwWAj4w 
-ssh-dss 2048 e4:6c:69:f3:4f:fc:cf:fc:96:c0:88:34:a7:1e:59:d7 k2+ssh-rsa 2048 SHA256:8DFtyHm3kQihgy52nzX96qMcEVOq7/yJmmwQQhBWYFg
</code> </code>
For each key, the list box will tell you: For each key, the list box will tell you:
-  * The type of the key. Currently, this can be ''ssh-rsa'' (an RSA key for use with the SSH-2 protocol), ''ssh-dss'' (a DSA key for use with the %%SSH-2%% protocol), ''ecdsa-sha2-*'' (an ECDSA key for use with the %%SSH-2%% protocol), or ''ssh-ed25519'' (an Ed25519 key for use with the %%SSH-2%% protocol) or ''ssh1'' (an RSA key for use with the SSH-1 protocol). +  * The type of the key. Currently, this can be ''ssh-rsa'' (an RSA key for use with the SSH-2 protocol), ''ssh-dss'' (a DSA key for use with the %%SSH-2%% protocol), ''ecdsa-sha2-*'' (an ECDSA key for use with the %%SSH-2%% protocol), ''ssh-ed25519'' (an Ed25519 key for use with the %%SSH-2%% protocol), ''ssh-ed448'' (an Ed448 key for use with the SSH-2 protocol – //available only in Pageant 0.75 included in the latest beta release.//), &beta or ''ssh1'' (an RSA key for use with the SSH-1 protocol). 
-  * The size (in bits) of the key. +  * The size (in bits) of the key, for key types that come in different sizes
-  * The fingerprint for the public key. This should be the same fingerprint given by [[ui_puttygen|PuTTYgen]], and also the same fingerprint shown by remote utilities such as ''ssh-keygen'' when applied to your ''authorized_keys'' file.+  * The fingerprint for the public key. This should be the same fingerprint given by [[ui_puttygen|PuTTYgen]], and also the same fingerprint shown by remote utilities such as ''ssh-keygen'' when applied to your ''authorized_keys'' file. \\ By default this is shown in the SHA-256 format. You can change to the older MD5 format (which looks like ''aa:bb:cc:...'') with the //Fingerprint type// drop-down, but bear in mind that this format is less secure and should be avoided for comparison purposes where possible. //%%SHA-256%% is available only in Pageant 0.75 included in the latest beta release.// &beta
  * The comment attached to the key.   * The comment attached to the key.
 +  * The state of [[#deferred_decryption|deferred decryption]], if enabled for this key.
==== The Add Key Button ==== ==== The Add Key Button ====
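Review bot: The fingerprint bullet still promises that the value "should be the same fingerprint ... shown by remote utilities such as ssh-keygen", but this revision changes the default to SHA-256 and adds an MD5 drop-down, so the two sides will only agree when both are set to the same hash format; add a sentence saying so, otherwise a reader comparing a ''SHA256:...'' value from Pageant against an ''aa:bb:cc:...'' value from the server will read a harmless format mismatch as a wrong key (or vice versa). Two smaller style points in the same hunk: the ''ssh-ed448'' item embeds the beta note inside the parenthesis with a dash and places ''&beta'' outside it, while every other beta note in this revision is a standalone italic sentence followed by ''&beta''; and the rewritten size item ("for key types that come in different sizes") lost its terminating full stop, unlike the other items in the list.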
Line 80: Line 83:
If Pageant is already running, this syntax loads keys into the existing Pageant. If Pageant is already running, this syntax loads keys into the existing Pageant.
 +
 +You can specify the ''%%--encrypted%%'' option to [[#deferred_decryption|defer decryption]] of these keys.
==== Making Pageant Run Another Program ==== ==== Making Pageant Run Another Program ====
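Review bot: The new ''%%--encrypted%%'' sentence carries no "available only in Pageant 0.75 included in the latest beta release" note and no ''&beta'' marker, although the deferred decryption section it links to is marked as beta-only; someone reading only this command-line section will try the option on the release build. Append the same italic note used for //Remove All Keys// in the earlier hunk.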
Line 89: Line 94:
"C:\Program Files\WinSCP\PuTTY\pageant.exe" d:\main.ppk -c C:\PuTTY\putty.exe "C:\Program Files\WinSCP\PuTTY\pageant.exe" d:\main.ppk -c C:\PuTTY\putty.exe
</code> </code>
 +
 +==== Starting with the Key List Visible ====
 +
 +Start Pageant with the ''%%--keylist%%'' option to show the main window as soon as it starts up.
===== Using Agent Forwarding ===== ===== Using Agent Forwarding =====
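Review bot: The new //Starting with the Key List Visible// subsection has no version note; if ''%%--keylist%%'' also arrived with the PuTTY 0.75 upgrade named in the edit summary, it needs the same beta sentence and ''&beta'' marker as the other 0.75 additions in this revision, and if it is already in the release build, a short "(available in all versions)" would stop readers assuming it is beta-only like its neighbours.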
Line 131: Line 140:
and then it's available to every machine that has agent forwarding available (not just the ones downstream of the place you added it). and then it's available to every machine that has agent forwarding available (not just the ones downstream of the place you added it).
 +
 +===== [[deferred_decryption]] Loading Keys without Decrypting Them =====
 +
 +//This feature is available only in Pageant 0.75 included in the latest beta release.// &beta
 +
 +You can add keys to Pageant without decrypting them. The key file will be held in Pageant's memory still encrypted, and when a client program first tries to use the key, Pageant will display a dialog box prompting for the passphrase so that the key can be decrypted.
 +
 +This works the same way whether the key is used by an instance of PuTTY running locally, or a remote client connecting to Pageant through agent forwarding.
 +
 +To add a key to Pageant in this encrypted form, press the //Add Key (encrypted)// button in the Pageant main window, or alternatively right-click on the Pageant icon in the system tray and select //Add Key (encrypted)// from there. Pageant will bring up a file dialog, in just the same way as it would for the plain //Add Key// button. But it won't ask for a passphrase. Instead, the key will be listed in the main window with //(encrypted)// after it.
 +
 +To start Pageant up in the first place with encrypted keys loaded into it, you can use the ''%%--encrypted%%'' option on the command line. For example:
 +<code>
 +C:\PuTTY\pageant.exe --encrypted d:\main.ppk
 +</code>
 +After a key has been decrypted for the first use, it remains decrypted, so that it can be used again. The main window will list the key with //(re-encryptable)// after it. You can revert it to the previous state, where a passphrase is required, using the //Re-encrypt// button in the Pageant main window.
 +
 +You can also 're-encrypt' all keys that were added encrypted by choosing //Re-encrypt All Keys// from the System tray menu. (Note that this does not discard cleartext keys that were not previously added encrypted!)
 +
 +Caution: When Pageant displays a prompt to decrypt an already-loaded key, it cannot give keyboard focus to the prompt dialog box. As far as we know this is a deliberate defensive measure by Windows, against malicious software. So make sure you click in the prompt window before typing your passphrase, or else the passphrase might be sent to somewhere you didn't want to trust with it!
===== [[security_considerations]] Security Considerations ===== ===== [[security_considerations]] Security Considerations =====
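Review bot: The paragraph beginning "After a key has been decrypted for the first use, it remains decrypted" should state the security consequence outright: from that point the key is held in Pageant's memory in cleartext exactly like a key added with the plain //Add Key// button, so deferred decryption only protects the key until its first use, and the //Re-encrypt// button (or //Re-encrypt All Keys//) is what restores that protection. Suggested wording: "Until you re-encrypt it, the key is as exposed as any other loaded key." The closing caution is the most important sentence in the section; consider also telling the reader how to recognise Pageant's own passphrase dialog (its title) before clicking into it, since the stated risk is that keystrokes go to whichever window currently has focus.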

Last modified: by martin