
How can Putty load my public key generated with OpenSSH


Ralph

Oct 20, 2003, 3:45:06 PM
Howdy,
I have the OpenSSH daemon running on a Linux box. I have Putty on a
Windows machine. I want them to talk securely. I can't figure out
how to make Putty use the public keys I generated with OpenSSH and
copied over from the Linux box. I see an option to convert a private
key file. I don't know why you would want to convert a private key,
but lots of people must need to convert a public key. I tried the
option to load a private key. In Putty, it just beeps. In Puttygen,
it says it is not a valid private key file. No kidding, it is a
public key file. There must be a way to do this or Putty would be
pretty useless for SSH. Could someone point me in the right
direction? (Please don't just say read the manual. I did that and it
did not help)
I have tried the latest stable Putty and the Development version (Oct
10, 2003). I have been reading this newsgroup and googling for an
answer for a couple of days.
Thanks,
Ralph

Jacob Nevins

Oct 20, 2003, 4:57:15 PM
Ralph <rgr...@preferredstaff.net> writes:
> I have the OpenSSH daemon running on a Linux box. I have Putty on a
>Windows machine. I want them to talk securely. I can't figure out
>how to make Putty use the public keys I generated with OpenSSH and
>copied over from the Linux box.

Why do you want to load a _public_ key into PuTTY?

To authenticate a user using pubkey auth, you need a _private_ key on
the client (PuTTY) and a _public_ key on the server (OpenSSH).

Ralph

Oct 20, 2003, 9:58:38 PM
Jacob Nevins <jac...@chiark.greenend.org.uk> wrote in message news:<tnh*km...@news.chiark.greenend.org.uk>...

On the OpenSSH server box, I generated two keys. One is private and
stays there. One is public and gets copied to the remote machine I
will connect from. It is that public key I need to load into Putty.
I also generated a set of keys on the Windows system with Putty. I
copied the public key from there to the Linux box and put it into
authorized_keys. I have PasswordAuthentication off on the Linux box
for improved security, so I think I need both sets of keys.

Perhaps my terminology is off. If so, please correct me. I call
the key that stays on the machine that generates it a private
key (because it is not disclosed to anyone). I call the key that gets
copied to the remote machine the public key. I am not trying to come
up with my own definitions. This is my impression from what I have
read.

Even if I had the term wrong, as I said in the original note, I
can't get putty to load the authorized key file. I tried the
conversions menu choice in puttygen, too. I don't think I mentioned
that in the first note. I suspect the problem is the format of the
key file. OpenSSH generates a single line (for each key) in the key
file. Putty puts a header on the key and breaks the lines up. I
could edit the key file to change its format, but I don't know what
values to put for all the header fields.
Good day,
Ralph

dkol...@attbi.com

Oct 21, 2003, 8:34:26 AM
Ralph <rgr...@preferredstaff.net> wrote:

> On the OpenSSH server box, I generated two keys. One is private and
> stays there. One is public and gets copied to the remote machine I
> will connect from. It is that public key I need to load into Putty.
> I also generated a set of keys on the Windows system with Putty. I
> copied the public key from there to the Linux box and put it into
> authorized_keys. I have PasswordAuthentication off on the Linux box
> for improved security, so I think I need both sets of keys.

> Perhaps my terminology is off. If so, please correct me. I call
> the key that stays on the machine that generates it a private
> key (because it is not disclosed to anyone). I call the key that gets
> copied to the remote machine the public key. I am not trying to come
> up with my own definitions. This is my impression from what I have
> read.

> Even if I had the term wrong, as I said in the original note, I
> can't get putty to load the authorized key file. I tried the
> conversions menu choice in puttygen, too. I don't think I mentioned
> that in the first note. I suspect the problem is the format of the
> key file. OpenSSH generates a single line (for each key) in the key
> file. Putty puts a header on the key and breaks the lines up. I
> could edit the key file to change its format, but I don't know what
> values to put for all the header fields.

It's not so much that your terminology is off but that your direction
is off. Clients need to load their public keys to the accounts on
servers not the other way around.

For instance, you need to copy your putty's public key to the linux
box, use ssh-keygen to convert it to openssh format, then add it
to ~/.ssh/authorized_keys2. That will get you into your linux
box using putty.

If you cat out the public keys, you'll notice that putty uses the
standard ssh2 format. Openssh uses its own format. Fortunately,
openssh is able to convert it. Here's the command line:

ssh-keygen -f ${putty_public_key} -i >> ~/.ssh/authorized_keys2

Make *damned* sure you put 2 (two) greater than signs; otherwise,
you'll have only one key in the authorized_keys file.

HTH;

Doug

--------
Senior UNIX Admin
O'Leary Computer Enterprises
dkol...@attbi.com (w) 630-904-6098 (c) 630-248-2749
resume: http://home.attbi.com/~dkoleary/resume.html
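As an added illustration (not code from this thread, and not ssh-keygen's own implementation), the sketch below does in Python what the `ssh-keygen -i` step above does: it turns a multi-line SSH2-format public key into the single-line form OpenSSH keeps in its authorized keys file, then appends it without overwriting keys already there. The function names and the sample key are constructed for the example; the sample is not a usable key.

```python
import base64
import os
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string, as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data


def make_sample_ssh2_pubkey() -> str:
    """Constructed sample in the multi-line SSH2 layout; not a usable key."""
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + ((1 << 1023) | 12345).to_bytes(128, "big")
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'{BEGIN}\nComment: "constructed-sample"\n{body}\n{END}\n'


def ssh2_to_openssh(text: str) -> str:
    """Return the one-line authorized_keys form of an SSH2 public key file."""
    if "PRIVATE KEY" in text:
        raise ValueError("private key material must never go into authorized_keys")
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key file")
    comment, pending, continued, b64_parts = "", "", False, []
    for ln in lines[1:-1]:
        if continued or ":" in ln:          # base64 never contains ':'
            pending += ln.rstrip("\\")
            continued = ln.endswith("\\")   # header value continues on next line
            if not continued:
                tag, _, value = pending.partition(":")
                if tag.strip().lower() == "comment":
                    comment = value.strip().strip('"')
                pending = ""
        else:
            b64_parts.append(ln)
    blob = base64.b64decode("".join(b64_parts), validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + type_len].decode("ascii")  # blob names its own type
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


def append_authorized_key(path: str, line: str) -> bool:
    """Append one key line unless already present; existing keys are kept."""
    blob = line.split()[1]
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    if any(blob in entry.split() for entry in existing.splitlines()):
        return False                        # already authorized, nothing to do
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(line + "\n")
    return True


if __name__ == "__main__":
    print(ssh2_to_openssh(make_sample_ssh2_pubkey()))
```

Opening the file in append mode is the programmatic counterpart of the two greater-than signs: a key that is already listed is skipped, and nothing that was in the file is lost.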

Jacob Nevins

Oct 21, 2003, 9:27:17 AM
Ralph <rgr...@preferredstaff.net> writes:
> On the OpenSSH server box, I generated two keys. One is private and
>stays there. One is public and gets copied to the remote machine I
>will connect from. It is that public key I need to load into Putty.

Perhaps you are referring here to the _host_ key(pair)? In OpenSSH, the
private part of this keypair resides on the server in a location similar
to /etc/ssh/ssh_host_rsa_key, and an OpenSSH client looks in
~/.ssh/known_hosts for the corresponding public key.

A script to convert a public key in known_hosts format to a format
suitable for PuTTY can be found at
<http://cvs.tartarus.org/putty/contrib/kh2reg.py>.

Darren Dunham

Oct 21, 2003, 2:27:27 PM
Ralph <rgr...@preferredstaff.net> wrote:
> On the OpenSSH server box, I generated two keys. One is private and
> stays there. One is public and gets copied to the remote machine I
> will connect from. It is that public key I need to load into Putty.
> I also generated a set of keys on the Windows system with Putty. I
> copied the public key from there to the Linux box and put it into
> authorized_keys. I have PasswordAuthentication off on the Linux box
> for improved security, so I think I need both sets of keys.

> Perhaps my terminology is off. If so, please correct me. I call
> the key that stays on the machine that generates it a private
> key (because it is not disclosed to anyone). I call the key that gets
> copied to the remote machine the public key. I am not trying to come
> up with my own definitions. This is my impression from what I have
> read.

It's a bit off.

You can generate keys wherever you want and move them around, but public
and private keys aren't completely interchangeable.

The client needs the private key, the server needs the public key.

Putty is only a client, so it always needs the private key. If you
generate the keys on another machine, you're free to destroy the private
key on it after the putty program has it.

If you wanted, you could always install openssh locally on your machine
and generate the keys there, so you wouldn't have to move the private
key from one machine to another. (I'm assuming openssh can't use a
puttygen public key?)

> Even if I had the term wrong, as I said in the original note, I
> can't get putty to load the authorized key file.

Putty as the client doesn't need the authorized_keys file. That's
something the server reads.

--
Darren Dunham ddu...@taos.com
Unix System Administrator Taos - The SysAdmin Company
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >

Albain DE SAINT MARTIN

Oct 21, 2003, 4:38:09 PM
to Ralph
Hi,

I have had the same problem, and I haven't found any solution using only
PuTTY. However, you should be able to create a valid key using an OpenSSH
port, import this key using PuTTYgen and then use the imported key.
The following procedure outlines the necessary steps.

Install Cygwin on your computer running windows.
(from http://www.cygwin.com, and do not forget to install the OpenSSH
package)
Using Cygwin, generate a new key pair on this computer.
Upload your public key on your linux box, copy/append it to the ad
hoc file and check the permissions on this file.
On your computer running windows, use PuTTYgen to format your private key
into something PuTTY can use : launch PuTTYgen, open your key pair,
provide the necessary passphrase, click on the 'Save private key' button.
Use the resulting *.PPK file as your private key.

Regards.

ADSM

On Mon, 20 Oct 2003, Ralph wrote:

> Date: 20 Oct 2003 12:45:06 -0700
> From: Ralph <rgr...@preferredstaff.net>
> Newsgroups: comp.security.ssh
> Subject: How can Putty load my public key generated with OpenSSH


--------------------------------------------------------------------
| Albain de Saint Martin |
|--------------------------------------------------------------------|
| The way to win an atomic war is to make certain it never starts. |
| Omar Bradley |
--------------------------------------------------------------------

danielrm26

Oct 22, 2003, 4:24:50 AM
I have done this on several machines. You don't need to do anything
to the public key at all; all you need to do is go to the *remote*
machine (the server), and do this:

cd /home/remoteuser/.ssh
cat pub_key_file > authorized_keys
rm pub_key_file

*Also remember to remove the private key out of this directory after
securely moving it to the client machine.

Again, to be clear, the *public* key goes on the remote box you want
to access using keys. The *private* key stays on the client (the box
you are connecting *from*).

For Putty authentication from a Windows box to a *nix box, you don't
need to do anything to the public key other than copying it to the
authorized_keys file as above (not authorized_keys2 on OpenSSH). The
private key, on the other hand, needs to be converted using the
PuttyGen tool. Once you have your Putty-translated private key, it
will let you authenticate to the plain ol' OpenSSH public portion on
the server.

Regards,

-danielrm26

Ralph

Oct 23, 2003, 12:50:21 AM
dkol...@attbi.com wrote in message news:<lJ9lb.2034$N5....@news.randori.com>...

>
> If you cat out the public keys, you'll notice that putty uses the
> standard ssh2 format. Openssh uses its own format. Fortunately,
> openssh is able to convert it. Here's the command line:
>
> ssh-keygen -f ${putty_public_key} -i >> ~/.ssh/authorized_keys2

Howdy,
Well maybe you would notice that. I saw the format, but I did not
recognize it as anything except what Putty uses. If you say that is
a SSH2 standard, that's reasonable.

Your suggestion here would not help, but it gave me a clue to get
closer. I am trying to get the keys I generated with OpenSSH to work
with Putty. Seeing that ssh-keygen has an import option, I looked and
sure enough there is an export option -e. So, I took my id_rsa file,
and exported it to standard SSH2 format. I copied that to the Windows
machine, where I ran puttygen and did a conversion on the key. That
produced a file that Putty will load as a key file. I tried to connect
and Putty just exits. Looking in the log on the server machine, I see
a message about no authentication methods being able to be negotiated.
I have progressed a bit, but I'll keep looking. Incidentally, I took
this private key to another Linux machine and used it to connect right
away. So, my keys should be OK.

Thanks for the help so far.
Ralph

Ralph

Oct 23, 2003, 1:06:10 AM
Albain DE SAINT MARTIN <ad...@SDF.LONESTAR.ORG> wrote in message news:<Pine.NEB.4.58.03...@otaku.freeshell.org>...

> Hi,
>
> I have had the same problem, and I haven't found any solution using only
> PuTTY. However, you should be able to create a valid key using an OpenSSH
> port, import this key using PuTTYgen and then use the imported key.
> The following procedure outlines the necessary steps.
>
> Install Cygwin on your computer running windows.
I don't see the need for this. I can just run any of the OpenSSH
tools on the Linux box to manipulate keys. Just generate the keys,
and do an ssh-keygen with the -e option to generate SSH2 standard
keys.

> Upload your public key on your linux box, copy/append it to the ad

Take the private key (id_rsa and id_dsa) and copy one or both to the
Windows machine with Putty using a secure method.

> On your computer running windows, use PuTTYgen to format your private key
> into something PuTTY can use : launch PuTTYgen, open your key pair,
> provide the necessary passphrase, click on the 'Save private key' button.
> Use the resulting *.PPK file as your private key.

These steps are just what I did.

And the end result is a failure to negotiate an authentication
method. But, Putty did accept the keys and it tried to authenticate.
So, I am closer.

Thanks for the advice.

Ralph

Oct 23, 2003, 1:23:40 AM
Jacob Nevins <jac...@chiark.greenend.org.uk> wrote in message news:<Dsz*n0...@news.chiark.greenend.org.uk>...

Based on these messages, I believe most people must generate their
keys on the client machines. I did them all on the server machine,
where I generated unique sets of keys for each client (I'll have 3
clients, with two running Windows and my own home machine running
Linux). When I copied the key files, I copied the id_rsa.pub to the
client machines (I copied only the appropriate line for each machine).
Now that I see the clients need the private keys, I changed my
procedure to copy the data from the id_rsa file instead of id_rsa.pub.
I actually used ssh-keygen with the -e option to process these files
to generate standard SSH2 key files.

This all got me closer, but I'm not there yet. Putty will now load
the keys, but I can't authenticate. Google turns up nothing useful,
but I'll keep looking.

Thanks for your advice.

Albain DE SAINT MARTIN

Oct 23, 2003, 3:26:39 AM
to Ralph
Hi,

On Thu, 22 Oct 2003, Ralph wrote:
> Date: 22 Oct 2003 22:06:10 -0700
> From: Ralph <rgr...@preferredstaff.net>
> Newsgroups: comp.security.ssh
> Subject: Re: How can Putty load my public key generated with OpenSSH


> Albain DE SAINT MARTIN <ad...@SDF.LONESTAR.ORG> wrote in message news:<Pine.NEB.4.58.03...@otaku.freeshell.org>...

> > Install Cygwin on your computer running windows.
> I don't see the need for this. I can just run any of the OpenSSH
> tools on the Linux box to manipulate keys. Just generate the keys,
> and do an ssh-keygen with the -e option to generate SSH2 standard
> keys.

If you generate a keypair on the client, your private key won't have to go
through an unsecured channel.

> And the end result is a failure to negotiate.

Have you checked the access rights ?
I use 755 on .ssh and 644 for everything in it.

Regards

ADSM
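As an added illustration (not part of the original post), the sketch below audits a `.ssh` directory against two checks OpenSSH applies: with StrictModes on, sshd ignores an authorized keys file if it or `.ssh` is writable by group or other, and the OpenSSH client refuses a private key file that group or other can read. The function names and the sample directory contents are constructed for the example, and the home directory check that sshd also performs is left out.

```python
import os
import stat
import tempfile


def _is_private_key(path: str) -> bool:
    """True if the file starts with a PEM-style private key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head


def audit_ssh_dir(ssh_dir: str, uid=None) -> list:
    """Return a list of permission findings for ssh_dir and its entries."""
    uid = os.getuid() if uid is None else uid
    findings = []
    entries = sorted(os.path.join(ssh_dir, n) for n in os.listdir(ssh_dir))
    for path in [ssh_dir] + entries:
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        name = os.path.basename(path)
        if st.st_uid not in (uid, 0):
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {uid} or root")
        if stat.S_ISREG(st.st_mode) and _is_private_key(path):
            # Private keys must not be accessible to anyone but the owner.
            if mode & 0o077:
                findings.append(
                    f"{name}: private key accessible by group/other (mode {mode:o})")
        elif mode & 0o022:
            # Anything else only has to be protected against modification.
            findings.append(f"{name}: writable by group/other (mode {mode:o})")
    return findings


def build_sample(root: str) -> str:
    """Constructed sample: .ssh at 755 and every file in it at 644."""
    ssh_dir = os.path.join(root, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o755)
    files = {
        "authorized_keys": "ssh-rsa AAAAconstructed sample-key\n",
        "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"
                  "-----END RSA PRIVATE KEY-----\n",
        "id_rsa.pub": "ssh-rsa AAAAconstructed sample-key\n",
    }
    for name, content in files.items():
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644)
    return ssh_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for finding in audit_ssh_dir(build_sample(root)):
            print(finding)
```

On the constructed sample the only finding is the private key at mode 644; `.ssh` at 755 and the public files at 644 pass the writability check.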

dkol...@attbi.com

Oct 23, 2003, 9:24:58 AM
Ralph <rgr...@preferredstaff.net> wrote:

> Your suggestion here would not help, but it gave me a clue to get
> closer. I am trying to get the keys I generated with OpenSSH to work
> with Putty. Seeing that ssh-keygen has an import option, I looked and
> sure enough there is an export option -e. So, I took my id_rsa file,
> and exported it to standard SSH2 format. I copied that to the Windows
> machine, where I ran puttygen and did a conversion on the key. That
> produced a file that Putty will load as a key file. I tried to connect
> and Putty just exits. Looking in the log on the server machine, I see
> a message about no authentication methods being able to be negotiated.
> I have progressed a bit, but I'll keep looking. Incidentally, I took
> this private key to another Linux machine and used it to connect right
> away. So, my keys should be OK.

I didn't make myself clear. Let me take a large step back and go over
the basics. Sorry if this is overkill, but it's helpful to be
speaking from the same page.

Taking putty out of the picture, for the moment, let's say you have
two linux boxes: A and B. A is running the sshd daemon and allows
public key authentication and passwords. B simply has openssh running
but no daemon running.

In order to connect and open a shell on A from B, a user on B can simply
execute "ssh A", enter a password and connect right in. If the user
on B wants to use public key authentication, he must do the following:

1. Create a key pair on B
2. Copy the public key to A
3. Update the A:~/.ssh/authorized_keys2 file

There are a number of failure points that I glossed over, but those
are the configuration steps.

A user on A then attempts to connect to B; the connection fails because
there is no ssh daemon running on B given the scenario above.

Getting back to your situation, putty is a ssh client - not an ssh
server (unless there's something about putty that I'm not aware of -
certainly a possibility). There is no way that I know of for someone
on your linux box to connect to putty on your windows system.
Therefore, there should be no reason to generate the keys on the linux
box to be used in putty.

Putty has its own key generation facility. In fact, it even has
its own ssh-agent program that can be put in the startup. The
recommended and supported method of generating keys on putty to
be used with an openssh server is as follows:

1. On the putty system, execute puttygen.exe; follow the prompts to
generate the keys.

2. Execute pageant.exe. Right click the icon in the lower right,
select "add key", then navigate to where you stored your key pair.
When you open the key, it will ask for the passphrase that you supplied
above.

3. Copy the public key portion to the openssh server using either
winscp, or ftp.

4. Connect to the openssh server and execute

"ssh-keygen -i -f ${public} >> ~/.ssh/authorized_keys2"

From this point, assuming you have all the permissions set correctly,
you will be able to execute

putty.exe -ssh -2 -X ${user}@${host}

to connect right in w/o supplying a password.

Hope that clears things up.

Doug

--

Simon Tatham

Oct 23, 2003, 9:42:29 AM
Ralph <rgr...@preferredstaff.net> wrote:
> I tried to connect and Putty just exits. Looking in the log on the
> server machine, I see a message about no authentication methods
> being able to be negotiated.

That sounds interesting, and fairly unusual. Can you set PuTTY into
SSH packet logging mode, and post the contents of the log after the
key exchange? (Find the matched pair of SSH2_MSG_NEWKEYS messages,
and copy everything after that. If authentication is being abandoned
immediately, it shouldn't come to more than a screenful or so.)
--
Simon Tatham "I'm cross. I'm going to have a tantrum.
<ana...@pobox.com> <pause> How do I start?" - my uncle

Ralph

Oct 23, 2003, 1:02:47 PM
Howdy,

Albain DE SAINT MARTIN <ad...@SDF.LONESTAR.ORG> wrote in message news:<Pine.NEB.4.58.03...@otaku.freeshell.org>...

> > I don't see the need for this. I can just run any of the OpenSSH
> > tools on the Linux box to manipulate keys. Just generate the keys,
> > and do an ssh-keygen with the -e option to generate SSH2 standard
> > keys.
>
> If you generate a keypair on the client, your private key won't have to go
> through an unsecured channel.

I won't send the private keys through an unsecured channel. I have
two people with Windows machines at home. They will be clients and I
see that they need private keys. I want to be able to send a floppy
disk home with each of them that contains 5 things 1) Putty 2) Their
private Key 3) a command file to run Putty redirecting the Vnc port
and then run VNCviewer 4) Vncviewer.exe 5) an installer. That is why
I am generating the keys on my server. This can't be that unusual a
way to do this.

>
> > And the end result is a failure to negotiate.
>
> Have you checked the access rights ?
> I use 755 on .ssh and 644 for everything in it.

I'll do a test today, but I would be amazed if this worked. I have
connected to the sshd machine numerous times from remote Linux boxes.
Why would a remote Windows box need different permissions? I have
even connected from a remote Linux box using the same private key (in
the OpenSSH format, but the same key none the less)

William Hooper

Oct 23, 2003, 9:17:02 PM
"Ralph" <rgr...@preferredstaff.net> wrote in message
news:578c68fd.03102...@posting.google.com...
[snip]

> Now that I see the clients need the private keys, I changed my
> procedure to copy the data from the id_rsa file instead of id_rsa.pub.
> I actually used ssh-keygen with the -e option to process these files
> to generate standard SSH2 key files.

Can you better explain the "copy the data" portion? Could it be an issue of
an error in the copying (for example newlines inserted when they shouldn't
be)? Why not just copy the file itself?

--
William Hooper

If you're not on somebody's shit list, you're not doing anything worthwhile.


Ralph

Oct 24, 2003, 2:31:51 AM
"William Hooper" <whoop...@earthlink.net.NO_SPAM> wrote in message news:<2h9m61-...@snowball.private.whooper.org>...

> > Now that I see the clients need the private keys, I changed my
> > procedure to copy the data from the id_rsa file instead of id_rsa.pub.
> Can you better explain the "copy the data" portion? Could it be an issue of
> an error in the copying (for example newlines inserted when they shouldn't
> be)? Why not just copy the file itself?

The copy the data part is a manual process. I copied the id_rsa
file to a dummy name that indicated the key I was going to keep (i.e.,
cp id_rsa eliz). Then I used either gedit or vi to edit the file to
leave only the key I wanted. The id_rsa (and id_dsa) files have three
keys and I only want to send one to each client machine.
I think gedit and vi are decent editors. A decent editor doesn't
mess with the files the way you suggest. It is a reasonable
suggestion on your part and if you know otherwise about either editor,
let me know.
Good day,
Ralph

Ralph

Oct 24, 2003, 2:37:36 AM
Simon Tatham <ana...@pobox.com> wrote in message news:<vyF*XA...@news.chiark.greenend.org.uk>...

> Ralph <rgr...@preferredstaff.net> wrote:
> > I tried to connect and Putty just exits. Looking in the log on the
> That sounds interesting, and fairly unusual. Can you set PuTTY into
> SSH packet logging mode, and post the contents of the log after the

Howdy,
Before I send anyone this, could I get a comment or two from someone
else. Is this just a clever ploy to get me to post my private key,
which could be extracted from this log somehow? I don't mean any
offense, but I wondered about this as soon as I read your message.
Ralph

Ralph

Oct 24, 2003, 2:52:22 AM
dkol...@attbi.com wrote in message news:<IEQlb.191$15...@news.randori.com>...

> I didn't make myself clear. Let me take a large step back and go over
> the basics. Sorry if this is overkill, but it's helpful to be
> speaking from the same page.
>
> From this point, assuming you have all the permissions set correctly,
> you will be able to execute
>
> putty.exe -ssh -2 -X ${user}@${host}
>
> to connect right in w/o supplying a password.

Doug,
I understood most of what you said before this note. Reading again
is good for reinforcement. But this is all backwards from how I need
to do it. I don't have access to the client machines. I am
generating my keys on the server machine (my Linux box running sshd).
I am copying the appropriate files out to the Windows machine on a
floppy disk. You do have one thing in this message I have not tried.
I did not pass a -2 parameter to Putty when I started it. I am
guessing that forces a type 2 key. I thought Putty would recognize
from my key file that it was a type 2 key. Maybe that is the problem.
I'll test that on Friday.
Thanks,
Ralph

Simon Tatham

Oct 24, 2003, 4:20:35 AM
Ralph <rgr...@preferredstaff.net> wrote:
> Before I send anyone this, could I get a comment or two from someone
> else. Is this just a clever ploy to get me to post my private key,
> which could be extracted from this log somehow? I don't mean any
> offense, but I wondered about this as soon as I read your message.

*grin* No offence taken. One of the most frustrating things about
being a security developer is most people's tendency to trust things
blindly - you wouldn't _believe_ the number of people who've asked
us to put an `accept all host keys unconditionally' option into
PuTTY. It's refreshing to see someone actually being cautious about
this sort of thing!

I would explain why what I'm asking is not a risk, but you're quite
right that it would be better if someone else did it so you had
independent confirmation :-)

I will say, though, that if you type your _password_ into an SSH
session then you most certainly should _not_ send the SSH packet log
to anybody without first finding the password and editing it out.
(My impression from your previous posts was that you weren't doing
this.)

Cheers,
Simon
--
Simon Tatham "Happiness is having a large, warm, loving,
<ana...@pobox.com> caring, close-knit family in another city."
