Using Pageant for Authentication
Pageant is an SSH authentication agent. It holds your private keys in memory, already decoded, so that you can use them often without needing to type a passphrase.[1]
- Obtaining and Starting Pageant
- Getting Started with Pageant
- The Pageant Main Window
- The Pageant Command Line
- Security Considerations
Obtaining and Starting Pageant
Pageant is included in the WinSCP installation package. You can also download it separately from the WinSCP download page.
Pageant originates from PuTTY and is also part of the PuTTY installation package. It does not matter whether you use Pageant from the WinSCP or the PuTTY installation package; they are identical.[2]
To start Pageant, go to Tools > Pageant on the Login dialog.
Getting Started with Pageant
Before you run Pageant, you need to have a private key in .ppk format.
When you run Pageant, it will put an icon of a computer wearing a hat into the System tray. It will then sit and do nothing, until you load a private key into it.
If you click the Pageant icon with the right mouse button, you will see a menu. Select View Keys from this menu. The Pageant main window will appear. (You can also bring this window up by double-clicking on the Pageant icon.)
The Pageant window contains a list box. This shows the private keys Pageant is holding. When you start Pageant, it has no keys, so the list box will be empty. After you add one or more keys, they will show up in the list box.
To add a key to Pageant, press the Add Key button. Pageant will bring up a file dialog, labelled Select Private Key File. Find your private key file in this dialog, and press Open.
Pageant will now load the private key. If the key is protected by a passphrase, Pageant will ask you to type the passphrase. When the key has been loaded, it will appear in the list in the Pageant window.
Now start WinSCP and open an SSH session to a site that accepts your key. WinSCP will notice that Pageant is running, retrieve the key automatically from Pageant, and use it to authenticate. You can now open as many WinSCP sessions as you like without having to type your passphrase again.
WinSCP can be configured not to try to use Pageant, but it will try by default.
When you want to shut down Pageant, click the right button on the Pageant icon in the System tray, and select Exit from the menu. Closing the Pageant main window does not shut down Pageant.
The Pageant Main Window
The Pageant main window appears when you left-click on the Pageant system tray icon, or alternatively right-click and select View Keys from the menu. You can use it to keep track of what keys are currently loaded into Pageant, and to add new ones or remove the existing keys.
The Key List Box
The large list box in the Pageant main window lists the private keys that are currently loaded into Pageant. The list might look something like this:
ssh-dsa 2048 22:c3:68:3b:09:41:36:c3:39:83:91:ae:71:b2:0f:04 k1
ssh-rsa 2048 74:63:08:82:95:75:e1:7c:33:31:bb:cb:00:c0:89:8b k2
For each key, the list box will tell you:
- The type of the key. Currently, this can be ssh-rsa (an RSA key for use with the SSH-2 protocol), ssh-dss (a DSA key for use with the SSH-2 protocol), or ssh1 (an RSA key for use with the SSH-1 protocol).
- The size (in bits) of the key.
- The fingerprint for the public key. This should be the same fingerprint given by PuTTYgen, and also the same fingerprint shown by remote utilities such as ssh-keygen when applied to your authorized_keys file.
- The comment attached to the key.
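Because the fingerprint column is what lets you match a loaded key against PuTTYgen or against ssh-keygen on the server, a small script can check the key list for you. The following PowerShell is an added example, not code from the WinSCP or PuTTY documentation: it parses lines in the format shown above (type, size, fingerprint, comment) and flags any loaded key whose fingerprint is not in a list you expect. The key list text and the expected fingerprints are constructed samples; in practice you would paste the text from the Pageant window and the fingerprints reported by PuTTYgen or ssh-keygen.

```powershell
# Added example (not from the WinSCP/PuTTY documentation): parse the text of
# Pageant's key list and report loaded keys whose fingerprint is not expected.
# Constructed sample of the key list text as shown in the Pageant window.
$KeyListText = @'
ssh-dss 2048 22:c3:68:3b:09:41:36:c3:39:83:91:ae:71:b2:0f:04 k1
ssh-rsa 2048 74:63:08:82:95:75:e1:7c:33:31:bb:cb:00:c0:89:8b k2
'@

# Fingerprints you expect to see loaded, e.g. as reported by PuTTYgen or by
# ssh-keygen on the server's authorized_keys file (constructed values).
$ExpectedFingerprints = @(
    '74:63:08:82:95:75:e1:7c:33:31:bb:cb:00:c0:89:8b'
)

function ConvertFrom-PageantKeyList {
    param([string]$Text)
    # One key per line: <type> <bits> <fingerprint> <comment...>
    # The fingerprint form parsed here is the colon-separated hex shown above.
    $pattern = '^(?<type>\S+)\s+(?<bits>\d+)\s+(?<fp>(?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s*(?<comment>.*)$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Type        = $Matches['type']
                Bits        = [int]$Matches['bits']
                Fingerprint = $Matches['fp']
                Comment     = $Matches['comment'].Trim()
            }
        }
    }
}

# Report each loaded key, marking the ones that are not in the expected set.
$loaded = ConvertFrom-PageantKeyList -Text $KeyListText
foreach ($key in $loaded) {
    $status = if ($ExpectedFingerprints -contains $key.Fingerprint) { 'known' } else { 'UNEXPECTED' }
    '{0,-10} {1,-8} {2,5} {3} {4}' -f $status, $key.Type, $key.Bits, $key.Fingerprint, $key.Comment
}
```

With the sample data the script lists k2 as known and k1 as UNEXPECTED, which is the case worth noticing: a key in the agent that you did not intend to load is usable by every WinSCP or PuTTY session started while it stays there.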
The Pageant Command Line
Pageant can be made to do things automatically when it starts up, by specifying instructions on its command line. If you’re starting Pageant from the Windows GUI, you can arrange this by editing the properties of the Windows shortcut that it was started from.
If Pageant is already running, invoking it again with the options below causes actions to be performed with the existing instance, not a new one.
Making Pageant Automatically Load Keys on Startup
Pageant can automatically load one or more private keys when it starts up, if you provide them on the Pageant command line. Your command line might then look like:
"C:\Program Files\WinSCP\PuTTY\pageant.exe" d:\main.ppk d:\secondary.ppk
If the keys are stored encrypted, Pageant will request the passphrases on startup.
If Pageant is already running, this syntax loads keys into the existing Pageant.
Making Pageant Run Another Program
You can arrange for Pageant to start another program once it has initialized itself and loaded any keys specified on its command line. This program (perhaps WinSCP, PuTTY, or anything else) will then be able to use the keys Pageant has loaded.
You do this by specifying the -c option followed by the command, like this:
"C:\Program Files\WinSCP\PuTTY\pageant.exe" d:\main.ppk -c C:\PuTTY\putty.exe
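The two command-line features above (preloading keys, then starting another program with -c) are usually combined in a Windows shortcut. The following PowerShell is an added example, not code from the WinSCP or PuTTY documentation: it builds that command line, checks that each key file exists and is a .ppk file before handing it to Pageant, starts Pageant, and also writes the same command line into a shortcut in the user's Startup folder so the keys are loaded at logon. The Pageant, key and WinSCP paths are assumptions to adjust for your installation.

```powershell
# Added example, not code from the WinSCP or PuTTY documentation.
# Builds the Pageant command line (key files first, then an optional -c <command>),
# checks the key files, runs Pageant, and writes a Startup-folder shortcut.
# All paths below are assumptions; adjust them to your installation.
$Pageant  = 'C:\Program Files\WinSCP\PuTTY\pageant.exe'
$KeyFiles = @('D:\main.ppk', 'D:\secondary.ppk')    # constructed sample key paths
$RunAfter = 'C:\Program Files\WinSCP\WinSCP.exe'    # assumed WinSCP location

function Get-PageantArgumentList {
    param(
        [string[]]$Keys,
        [string]$Command
    )
    $argList = @()
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key -PathType Leaf)) {
            throw "Key file not found: $key"
        }
        if ([IO.Path]::GetExtension($key) -ne '.ppk') {
            throw "Pageant only loads PuTTY .ppk keys (convert with PuTTYgen): $key"
        }
        $argList += ('"{0}"' -f $key)
    }
    if ($Command) {
        # Everything after -c is the command Pageant runs once the keys are
        # loaded, so -c and the command must come last.
        $argList += '-c'
        $argList += ('"{0}"' -f $Command)
    }
    return $argList
}

function New-PageantStartupShortcut {
    param([string]$Target, [string[]]$Arguments)
    # A shortcut in the per-user Startup folder runs Pageant at logon with
    # exactly the same arguments, which is the "shortcut properties" route
    # mentioned above.
    $startup = [Environment]::GetFolderPath('Startup')
    $lnkPath = Join-Path $startup 'Pageant.lnk'
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $Target
    $lnk.Arguments  = ($Arguments -join ' ')
    $lnk.Save()
    return $lnkPath
}

$argList = Get-PageantArgumentList -Keys $KeyFiles -Command $RunAfter

# If Pageant is already running, the keys go into that instance rather than a new one.
if (Get-Process -Name pageant -ErrorAction SilentlyContinue) {
    Write-Host 'Pageant is already running; the keys will be loaded into that instance.'
}
Start-Process -FilePath $Pageant -ArgumentList $argList

$lnkPath = New-PageantStartupShortcut -Target $Pageant -Arguments $argList
Write-Host "Startup shortcut written to $lnkPath"
```

Encrypted keys still prompt for their passphrases when Pageant starts, so a Startup shortcut does not remove the passphrase prompt at logon; it only saves re-typing it for every later session.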
Security Considerations
Using Pageant for public-key authentication gives you the convenience of being able to open multiple SSH sessions without having to type a passphrase every time, but also gives you the security benefit of never storing a decrypted private key on disk. Many people feel this is a good compromise between security and convenience.
It is a compromise, however. Holding your decrypted private keys in Pageant is better than storing them in easy-to-find disk files, but still less secure than not storing them anywhere at all. This is for two reasons:
- Windows unfortunately provides no way to protect pieces of memory from being written to the system swap file. So if Pageant is holding your private keys for a long period of time, it’s possible that decrypted private key data may be written to the system swap file, and an attacker who gained access to your hard disk later on might be able to recover that data. (However, if you stored an unencrypted key in a disk file they would certainly be able to recover it.)
- Although, like most modern operating systems, Windows prevents programs from accidentally accessing one another’s memory space, it does allow programs to access one another’s memory space deliberately, for special purposes such as debugging. This means that if you allow a virus, trojan, or other malicious program on to your Windows system while Pageant is running, it could access the memory of the Pageant process, extract your decrypted authentication keys, and send them back to its master.
Similarly, use of agent forwarding is a security improvement on other methods of one-touch authentication, but not perfect. Holding your keys in Pageant on your Windows box has a security advantage over holding them on the remote server machine itself (either in an agent or just unencrypted on disk), because if the server machine ever sees your unencrypted private key then the sysadmin or anyone who cracks the machine can steal the keys and pretend to be you for as long as they want.
However, the sysadmin of the server machine can always pretend to be you on that machine. So if you forward your agent to a server machine, then the sysadmin of that machine can access the forwarded agent connection and request signatures from your private keys, and can therefore log in to other machines as you. They can only do this to a limited extent - when the agent forwarding disappears they lose the ability - but using Pageant doesn’t actually prevent the sysadmin (or hackers) on the server from doing this.
Therefore, if you don’t trust the sysadmin of a server machine, you should never use agent forwarding to that machine. (Of course you also shouldn’t store private keys on that machine, type passphrases into it, or log into other machines from it in any way at all; Pageant is hardly unique in this respect.)
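Since the advice above is to never forward your agent to a machine whose sysadmin you do not trust, it helps to know which saved sessions have forwarding switched on. The following PowerShell is an added example, not code from the WinSCP or PuTTY documentation: it lists saved PuTTY sessions with agent forwarding enabled so they can be reviewed and, where the host is not trusted, switched off. It assumes the default location where PuTTY stores saved sessions in the registry (HKCU\Software\SimonTatham\PuTTY\Sessions) and the AgentFwd value PuTTY keeps there; both are assumptions stated in the code.

```powershell
# Added example (not from the WinSCP/PuTTY documentation): list saved PuTTY
# sessions that have agent forwarding enabled.
# Assumption: PuTTY stores saved sessions under this registry key, with a DWORD
# value named AgentFwd (1 = forwarding on); session names are percent-encoded.
$SessionsKey = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'

function Get-PuttySessionAgentForwarding {
    param([string]$Root = $SessionsKey)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    foreach ($session in Get-ChildItem -LiteralPath $Root) {
        $props = Get-ItemProperty -LiteralPath $session.PSPath
        [pscustomobject]@{
            Session  = [Uri]::UnescapeDataString($session.PSChildName)
            HostName = $props.HostName
            AgentFwd = [bool]$props.AgentFwd
        }
    }
}

# Only the sessions that would expose the agent to the remote sysadmin.
$forwarding = Get-PuttySessionAgentForwarding | Where-Object { $_.AgentFwd }
if ($forwarding) {
    Write-Host 'Saved PuTTY sessions with agent forwarding enabled:'
    $forwarding | Format-Table Session, HostName -AutoSize
} else {
    Write-Host 'No saved PuTTY session has agent forwarding enabled.'
}
```

For each session the script lists, the question to ask is the one the text poses: do you trust the administrator of that host with the ability to request signatures from your keys for as long as the session is open? If not, disable forwarding for that session.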
[1] The text is a copy of the PuTTY User Manual or was inspired by it.
[2] The latest versions of WinSCP are compatible with Pageant 0.61 and later.