
Tag: windows

Windows 10 OpenSSH – Creating a new private/public key pair

This article is the fourth of a series I’ve written about migrating from using PuTTY on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:

  1. Installation
  2. Storing keys using the SSH Agent
  3. Importing existing keys
  4. Creating a new public/private key pair < You are here
  5. Other useful OpenSSH commands
  6. Configuring Windows Git

If you need a new SSH key pair for GitHub, Bitbucket, AWS, your own SSH server etc., then the easiest way to generate one is from your user’s PowerShell using the command:
ssh-keygen -o
(The -o argument tells ssh-keygen to use the newer OpenSSH format rather than the older pre-2014 PEM format.)

This will produce output such as:

ssh-keygen -o
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\userName/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\userName/.ssh/id_rsa.
Your public key has been saved in C:\Users\userName/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9hLEuBRdTBGDmAWxaDXhSwvqYLGVxDVtGiMumz9NUak userName@machineName
The key's randomart image is:
+---[RSA 2048]----+
|  ...oOOo=*o     |
|  .o.*+@o ..     |
| ..o= & o        |
| .++ E =         |
|.o=   = S        |
|.=   . . o       |
|  o o   . .      |
|   o .   .       |
|    .            |
+----[SHA256]-----+

Don’t forget to add it to the ssh-agent: if you generated it in the default location ending .ssh/id_rsa(.pub), you can just run ssh-add without any parameters to add it.

You’ll need to add the public key to whichever remote service you are using – this can be found using either ssh-add -L (if you’ve added it to the Windows 10 OpenSSH ssh-agent) or cat ~/.ssh/id_rsa.pub (the .pub files are “safe for distribution” – but keep the ones without the .pub extension safe!)

OpenSSH Key-gen additional settings

There are plenty of pages on the internet detailing the various settings the normal Linux/Unix/macOS ssh-keygen command takes (and the Windows 10 OpenSSH variant will take most of them), but a quick reference is:

ssh-keygen -o -c
To add a comment (helps identify keys)
ssh-keygen -o -b 4096
To generate a 4096-bit key in the default format (currently rsa)
ssh-keygen -o -t ed25519 -a 100
Recommended! To generate an ed25519 key with 100 rounds of key derivation (may not be supported by all servers).
The key will end in .ssh/id_ed25519, but you can just add it with “ssh-add” as above, as it takes all the endings into account.
ssh-keygen -o -t rsa -b 4096 -a 100
To generate an rsa (default) key with 4096 bits and 100 rounds of key derivation
(Windows does support key generation types of “dsa”, which is insecure, and “ecdsa”, which has known weaknesses.)
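
To see how existing keys compare with the options above, the following added example (not part of the original article) lists the type and bit length of every public key in a .ssh folder. It assumes ssh-keygen is on PATH; the function name and the 4096-bit RSA threshold are assumptions made for illustration.

```powershell
# Added example: report type and size of every public key in a .ssh folder.
# Assumes the OpenSSH client (ssh-keygen) is installed and on PATH.
function Get-SshKeyAudit {
    param([string]$Directory = (Join-Path $HOME '.ssh'))

    $pattern  = '^(?<bits>\d+)\s+(?<fp>\S+)\s+.*\((?<type>[^)]+)\)\s*$'
    $pubFiles = Get-ChildItem -Path $Directory -Filter '*.pub' -File -ErrorAction SilentlyContinue

    foreach ($pub in $pubFiles) {
        # "ssh-keygen -l -f <file>" prints: <bits> <fingerprint> <comment> (<TYPE>)
        $line = @(& ssh-keygen -l -f $pub.FullName 2>$null)[0]
        if (-not ("$line" -match $pattern)) {
            Write-Warning "Could not read a key from $($pub.FullName)"
            continue
        }
        $bits = [int]$Matches['bits']
        $type = $Matches['type']
        $fp   = $Matches['fp']

        # Verdicts follow this page's guidance; the 4096-bit RSA threshold is
        # an assumption taken from the "-b 4096" examples above.
        $note = switch ($type) {
            'ED25519' { 'ok (type recommended above)' }
            'RSA'     { if ($bits -ge 4096) { 'ok' } else { 'regenerate with -b 4096 or ed25519' } }
            'DSA'     { 'replace (dsa is insecure)' }
            'ECDSA'   { 'review (listed above as having known weaknesses)' }
            default   { 'unrecognised type, review manually' }
        }

        [pscustomobject]@{
            File        = $pub.Name
            Type        = $type
            Bits        = $bits
            Fingerprint = $fp
            Note        = $note
        }
    }
}

Get-SshKeyAudit | Format-Table -AutoSize
```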

Windows 10 OpenSSH: Migrating from PuTTY: Importing existing keys

This article is the third of a series I’ve written about migrating from using PuTTY on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:

  1. Installation
  2. Storing keys using the SSH Agent
  3. Importing existing keys < You are here
  4. Creating a new public/private key pair
  5. Other useful OpenSSH commands
  6. Configuring Windows Git

If you’ve been using SSH for a while, you’ve probably got a variety of private keys in either PuTTY’s own “PPK” format or OpenSSH format. Windows OpenSSH only has support for OpenSSH keys (go figure from the name! 😉 ) and so any PuTTY keys will need converting first.

Converting PuTTY PPK Private Keys to OpenSSH format

  1. Open PuTTYgen
  2. Select “Load an existing private key file” and select your .ppk private key
  3. Select from the menu “Conversions->Export OpenSSH key”
  4. Save the file.
  5. Repeat the previous three steps as necessary for all .ppk files

Adding OpenSSH private keys

In a normal PowerShell window (i.e. not as administrator), just run:
ssh-add C:\Users\userName\.ssh\private_key
Of course, changing the path of the key appropriately!

Windows appears to accept standard private keys and .pem private keys
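
Before converting anything, it helps to know which files are still in PPK format. This added example (not from the original article) classifies the private key files in a folder by their first line; the function name is an assumption, and the header patterns are the standard PPK, OpenSSH and PEM markers.

```powershell
# Added example: find out which private key files still need converting.
# Only the first line of each file is read; no key material is displayed.
function Get-PrivateKeyFormat {
    param([string]$Directory = (Join-Path $HOME '.ssh'))

    Get-ChildItem -Path $Directory -File |
        Where-Object Extension -ne '.pub' |
        ForEach-Object {
            $first = Get-Content -LiteralPath $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue

            # Order matters: the OpenSSH header would also match the generic PEM pattern.
            $format = switch -Regex ("$first") {
                '^PuTTY-User-Key-File-\d+:'            { 'PuTTY PPK'; break }
                '^-----BEGIN OPENSSH PRIVATE KEY-----' { 'OpenSSH';   break }
                '^-----BEGIN (\w+ )?PRIVATE KEY-----'  { 'PEM';       break }
                default                                { $null }
            }

            # Files such as config or known_hosts match nothing and are skipped.
            if ($format) {
                $action = if ($format -eq 'PuTTY PPK') {
                    'convert in PuTTYgen (Conversions->Export OpenSSH key)'
                } else {
                    'add with ssh-add'
                }
                [pscustomobject]@{
                    File   = $_.FullName
                    Format = $format
                    Action = $action
                }
            }
        }
}

# Example: scan the default folder, or pass -Directory for a folder of old PuTTY keys.
Get-PrivateKeyFormat | Format-Table -AutoSize
```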

Windows 10 OpenSSH – Storing keys using the SSH agent

This article is the second of a series I’ve written about migrating from using PuTTY on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:

  1. Installation
  2. Storing keys using the SSH Agent < You are here
  3. Importing existing keys
  4. Creating a new public/private key pair
  5. Other useful OpenSSH commands
  6. Configuring Windows Git

To manage the OpenSSH keys, you need to add them to the ssh-agent (think of it as PuTTY’s Pageant). These keys will then be added to the user’s “Windows registry” and encrypted to their user profile (so, even if the key has an individual password on it, if somebody logs in to your machine as your user and has access to the registry, then they can access your private keys – if they log in as somebody else, your keys should be safe). This sounds like a security weakness, but is how macOS and Linux handle keys anyway!

  1. Continuing in the administrator PowerShell, we’re now going to start the ssh-agent, which makes key management much easier:
    Start-Service ssh-agent
    If you get an error such as

    Start-Service : Service 'OpenSSH Authentication Agent (ssh-agent)' cannot be started due to the following error:
    Cannot start service ssh-agent on computer '.'.
    At line:1 char:1
    + Start-Service ssh-agent
    + ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

    Then the service is probably disabled: check with: Get-Service ssh-agent | Select StartType
    If it is disabled, you’ll see:

    StartType
    ---------
    Disabled

    Enable it with
    Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
    (you might then need to start the service again using
    Start-Service ssh-agent)
    Setting the service to “Automatic” means next time Windows starts and you login, your keys are automatically available to you!

Security

Once you have added the keys to the ssh-agent, it is then “safe” to delete the local key files. HOWEVER, you are NOT able to export the private keys from the ssh-agent (only show the public keys): so make a backup copy on a removable device (such as a USB key) which you keep in a very safe location in case something happens to your machine!
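
Because the agent cannot export private keys, it is worth checking both conditions above before deleting a key file. The following is an added example, not the author's own code: it confirms that the key's fingerprint is loaded in ssh-agent and that the backup copy is byte-identical. The function name and the example paths are assumptions, and it expects the .pub file to sit beside the private key.

```powershell
# Added example: check that deleting a local private key file would not lose the key.
# Assumes ssh-keygen and ssh-add are on PATH and that "<KeyPath>.pub" sits beside the key.
function Test-SshKeySafeToRemove {
    param(
        [Parameter(Mandatory)][string]$KeyPath,    # private key file on this machine
        [Parameter(Mandatory)][string]$BackupPath  # copy on removable media
    )
    $fpPattern = 'SHA256:\S+'

    # 1. The agent service has to be running to list its keys.
    if ((Get-Service ssh-agent).Status -ne 'Running') {
        Write-Warning 'ssh-agent is not running'
        return $false
    }

    # 2. Fingerprint of the key on disk, read from its public half.
    $onDisk = @(& ssh-keygen -l -f "$KeyPath.pub" 2>$null)[0]
    if (-not ("$onDisk" -match $fpPattern)) {
        Write-Warning "Cannot read a fingerprint from $KeyPath.pub"
        return $false
    }
    $fingerprint = $Matches[0]

    # 3. Fingerprints of the keys the agent currently holds.
    $inAgent = @(& ssh-add -l 2>$null) | ForEach-Object {
        if ($_ -match $fpPattern) { $Matches[0] }
    }
    if ($inAgent -notcontains $fingerprint) {
        Write-Warning "$fingerprint is not loaded in ssh-agent"
        return $false
    }

    # 4. The backup must exist and be byte-identical to the local key file.
    if (-not (Test-Path -LiteralPath $BackupPath) -or
        (Get-FileHash -LiteralPath $KeyPath).Hash -ne (Get-FileHash -LiteralPath $BackupPath).Hash) {
        Write-Warning "No matching backup at $BackupPath"
        return $false
    }
    return $true
}

# Example call with constructed paths:
# Test-SshKeySafeToRemove -KeyPath "$HOME\.ssh\id_ed25519" -BackupPath 'E:\keys\id_ed25519'
```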

Windows 10 OpenSSH: Migrating from PuTTY: Installation

This article is the first of a series I’ve written about migrating from using PuTTY on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:

  1. Installation < You are here
  2. Storing keys using the SSH Agent
  3. Importing existing keys
  4. Creating a new public/private key pair
  5. Other useful OpenSSH commands
  6. Configuring Windows Git

I’ve been a very, very long-time user of the excellent PuTTY SSH tools (since at least version 0.52 in 2002: at the time of writing, release 0.72 came out on the 20th of July 2019), but with Windows 10 v1809 (also known as the Windows 10 April 2018 update), Microsoft finally added SSH support directly to Windows.

Whilst Microsoft does have a guide on their website about installing OpenSSH on Windows 10, it mixes setting up the OpenSSH client (which most people will want) with the OpenSSH server (which most people do not want) and it doesn’t give a guide on moving/migrating from PuTTY, so here’s the start of my guide!

Installation via PowerShell

  1. Open PowerShell as administrator:
  2. Install the OpenSSH client:
    Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
    You should get output such as:

    Path          :
    Online        : True
    RestartNeeded : False
    

You will now have ssh, ssh-keygen, ssh-agent, ssh-add, ssh-keyscan, sftp and scp available!

The next step is setting up the ssh agent to store the keys