ui_puttygen » Revisions »
Differences
This shows you the differences between the selected revisions of the page.
| ui_puttygen 2023-02-21 | ui_puttygen 2026-04-02 (current) | ||
| Line 9: | Line 9: | ||
| To start PuTTYgen, go to //Tools > PuTTYgen// on [[ui_login|Login dialog]]. | To start PuTTYgen, go to //Tools > PuTTYgen// on [[ui_login|Login dialog]]. | ||
| - | ===== PuTTYgen Window ===== | + | ===== [[window]] PuTTYgen Window ===== |
| &screenshotpict(puttygen) | &screenshotpict(puttygen) | ||
| Line 33: | Line 33: | ||
| The SSH protocol supports several different key types, although specific servers may not support all of them. PuTTYgen can generate: | The SSH protocol supports several different key types, although specific servers may not support all of them. PuTTYgen can generate: | ||
| - | * An RSA key. | + | * An //RSA// key. |
| - | * A DSA key. | + | * A //DSA// key. |
| - | * An ECDSA (elliptic curve %%DSA%%) key. | + | * An //ECDSA// (elliptic curve %%DSA%%) key. |
| - | * An EdDSA key (Edwards-curve DSA, another elliptic curve algorithm). | + | * An //EdDSA// key (Edwards-curve DSA, another elliptic curve algorithm). |
| PuTTYgen can also generate an %%RSA%% key suitable for use with the deprecated %%SSH-1%% protocol (which only supports %%RSA%%). But SSH-1 is no longer supported by WinSCP. | PuTTYgen can also generate an %%RSA%% key suitable for use with the deprecated %%SSH-1%% protocol (which only supports %%RSA%%). But SSH-1 is no longer supported by WinSCP. | ||
| Line 96: | Line 96: | ||
| ===== [[comment]] Setting a Comment for Your Key ===== | ===== [[comment]] Setting a Comment for Your Key ===== | ||
| - | If you have more than one key and use them for different purposes, you don't need to memorize the key fingerprints in order to tell them apart. PuTTYgen allows you to enter a comment for your key, which will be displayed whenever WinSCP or [[ui_pageant|Pageant]] asks you for the passphrase. | + | If you have more than one key and use them for different purposes, you don't need to memorize the key fingerprints in order to tell them apart. PuTTYgen allows you to enter a comment for your key, which will be displayed whenever WinSCP or an authentication agent (such as [[ui_pageant|Pageant]]) asks you for the passphrase. |
| The default comment format, if you don't specify one, contains the key type and the date of generation, such as rsa-key-20011212. Another commonly used approach is to use your name and the name of the computer the key will be used on, such as simon@simons-pc. | The default comment format, if you don't specify one, contains the key type and the date of generation, such as rsa-key-20011212. Another commonly used approach is to use your name and the name of the computer the key will be used on, such as simon@simons-pc. | ||
| Line 108: | Line 108: | ||
| When you save the key, PuTTYgen will check that the //Key passphrase// and //Confirm passphrase// boxes both contain exactly the same passphrase, and will refuse to save the key otherwise. | When you save the key, PuTTYgen will check that the //Key passphrase// and //Confirm passphrase// boxes both contain exactly the same passphrase, and will refuse to save the key otherwise. | ||
| - | If you leave the passphrase fields blank, the key will be saved unencrypted. You should not do this without good reason; if you do, your private key file on disk will be all an attacker needs to gain access to any machine configured to accept that key. If you want to be able to passwordless log in without having to type a passphrase every time, you should consider using [[ui_pageant|Pageant]] so that your decrypted key is only held in memory rather than on disk. | + | If you leave the passphrase fields blank, the key will be saved unencrypted. You should not do this without good reason; if you do, your private key file on disk will be all an attacker needs to gain access to any machine configured to accept that key. If you want to be able to passwordless log in without having to type a passphrase every time, you should consider using an authentication agent (such as [[ui_pageant|Pageant]]) so that your decrypted key is only held in memory rather than on disk. |
| Under special circumstances you may genuinely need to use a key with no passphrase; for example, if you need to run an automated batch script that needs to make an SSH connection, you can't be there to type the passphrase. In this case we recommend you generate a special key for each specific batch script (or whatever) that needs one, and on the server side you should arrange that each key is restricted so that it can only be used for that specific purpose. The documentation for your SSH server should explain how to do this (it will probably vary between servers). | Under special circumstances you may genuinely need to use a key with no passphrase; for example, if you need to run an automated batch script that needs to make an SSH connection, you can't be there to type the passphrase. In this case we recommend you generate a special key for each specific batch script (or whatever) that needs one, and on the server side you should arrange that each key is restricted so that it can only be used for that specific purpose. The documentation for your SSH server should explain how to do this (it will probably vary between servers). | ||
| Line 131: | Line 131: | ||
| When the currently loaded key in PuTTYgen contains a certificate, the large [[#authorized_keys|//Public key for pasting// edit box]] is replaced by a button that brings up an information box telling you about the certificate, such as who it certifies your key as belonging to, when it expires (if ever), and the fingerprint of the CA key that signed it in turn. | When the currently loaded key in PuTTYgen contains a certificate, the large [[#authorized_keys|//Public key for pasting// edit box]] is replaced by a button that brings up an information box telling you about the certificate, such as who it certifies your key as belonging to, when it expires (if ever), and the fingerprint of the CA key that signed it in turn. | ||
| - | |||
| - | //Tis feature is available in PuTTYgen 0.78 included with latest beta version only.// &beta | ||
| ===== [[saving_private]] Saving Your Private Key to a Disk File ===== | ===== [[saving_private]] Saving Your Private Key to a Disk File ===== | ||
| Line 208: | Line 206: | ||
| PuTTYgen can also export private keys in OpenSSH format and in ssh.com format. To do so, select one of the //Export// options from the //Conversions// menu. Exporting a key works exactly like [[#saving_private|saving it]] -- you need to have typed your passphrase in beforehand, and you will be warned if you are about to save a key without a passphrase. | PuTTYgen can also export private keys in OpenSSH format and in ssh.com format. To do so, select one of the //Export// options from the //Conversions// menu. Exporting a key works exactly like [[#saving_private|saving it]] -- you need to have typed your passphrase in beforehand, and you will be warned if you are about to save a key without a passphrase. | ||
| - | For OpenSSH there are two options. Modern OpenSSH actually has two formats it uses for storing private keys. //Export OpenSSH key// will automatically choose the oldest format supported for the key type, for maximum backward compatibility with older versions of OpenSSH; for newer key types like Ed25519, it will use the newer format as that is the only legal option. If you have some specific reason for wanting to use OpenSSH's newer format even for RSA, DSA, or ECDSA keys, you can choose //Export OpenSSH key (force new file format)//. | + | For OpenSSH there are two options. Modern OpenSSH actually has two formats it uses for storing private keys: an older ("PEM-style") format, and a newer "native" format with better resistance to passphrase guessing and support for comments. //Export OpenSSH key// will automatically choose the oldest format supported for the key type, for maximum backward compatibility with older versions of OpenSSH; for newer key types like Ed25519, it will use the newer format as that is the only legal option. If you have some specific reason for wanting to use OpenSSH's newer format even for RSA, DSA, or ECDSA keys – for instance, you know your file will only be used by OpenSSH 6.5 or newer (released in 2014), and want the extra security – you can choose //Export OpenSSH key (force new file format)//. |
| You can also use WinSCP ''[[commandline#keygen|/keygen]]'' command-line switch to convert the private key from other formats. | You can also use WinSCP ''[[commandline#keygen|/keygen]]'' command-line switch to convert the private key from other formats. | ||
| Line 221: | Line 219: | ||
| The options supported on the PuTTYgen command line are: | The options supported on the PuTTYgen command line are: | ||
| - | | ''-t <keytype>'' | [[#type|Type of key]] to generate. You can select ''rsa'', ''dsa'', ''ecdsa'', ''eddsa'', ''ed25519'' or ''ed448'' //(the last three in PuTTYgen 0.78 included with latest beta version only)// &beta | | + | | ''-t <keytype>'' | [[#type|Type of key]] to generate. You can select ''rsa'', ''dsa'', ''ecdsa'', ''eddsa'', ''ed25519'' or ''ed448'' | |
| | ''-b <bits>'' | [[#size|Size of the key]] to generate, in bits. | | | ''-b <bits>'' | [[#size|Size of the key]] to generate, in bits. | | ||
| | ''%%--primes <method>%%'' | [[#method|Method for generating prime numbers]]. You can select ''probable'', ''proven'', and ''proven-even''. | | | ''%%--primes <method>%%'' | [[#method|Method for generating prime numbers]]. You can select ''probable'', ''proven'', and ''proven-even''. | | ||