• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1434
  • Last Modified:

ssh with putty and pagent - does not work

I am trying to configure putty for use with public key authentication. After I load my private key into pagent, then try to connect using putty, I still get prompted for login/password.

I have adjusted sshd_config to allow for public key authentication, but it still does not work.

How to fix?
  • 9
  • 8
  • 7
  • +1
2 Solutions
putty is picky about keys, did you have your own key generated with puttygen?
Dushan De SilvaCommented:
You can try with SSH.

BR Dushan
jasimon9Author Commented:
ahoffman: yes, generated the key with puttygen

Dushan: "try with SSH" --> does this mean you are suggesting creating the key with ssh-keygen ? That might work. I believe that there is a way to convert the key to the format that pagent needs, and go from there. Is that what you are suggesting?
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Dushan De SilvaCommented:
Yes jasimon9. You can try in that manner. If you need more info don't hesitate to reply.

BR Dushan
did you probably use a ssh2 key and connect to a ssh1 server?
jasimon9Author Commented:
man sshd says that sshd supports both versions 1 and 2
the question is not what the man-page tells you, but how sshd is configured
AFAIK putty is too stupid to communicate with servers which support both version (in either oder) and putty trys using the wrong one first.
If you get an username/password prompt in Putty, something went wrong with the keys. As Putty automatically obtains the keys from Pagent as soon as pagent is running. Check the putty-eventlog for more information. (You can find it by right-clicking on the window-title and select Eventlog).

Nevertheless a small step-by-step list to successfully setup Putty & openSSHd with public&private keys.
<-- for each user, unix / linux -->
1 - Genereate a key with ssh-keygen. Make it an key for SSH2. I used RSA in this example, but DSA should also work. Ensure they are written to ~/.ssh/ and don't forget to protect it with a password
2 - Copy (or make a symlink) ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys
3 - Copy (or make a symlink) ~/.ssh/id_rsa to ~./ssh/identity

<-- for each user, windows -->
4 - Obtain the privatekey (~/.ssh/id_rsa) file from the *nix machine
5 - Load it in PuttyGen and save it as an putty-key (preferrably protect it with a password)
6 - Load the putty-key in Pagent

<-- systemadmin, linux -->
1 - Ensure the hostkeys exist in /etc/ssh (they are normally created while installing SSH)
2 - Edit /etc/ssh/sshd_config and ensure that the following lines are correct (ignore the comments behind the hash):
Protocol 2   # unless you have a very good reason to support SSH 1, you should disable it.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
3 - Once you've get the keys working, you might want to set the following options to tighten security:
PermitRootLogin no #It isn't smart to permit root to logon remotely. It's better to logon to an ordinary user, then su(do).
PasswordAuthentication no #this disables the login-prompt. No correct key? no access!
PermitEmptyPasswords no #Good practice to have this one set to no at all times! Eventhough password auth is disabled.
4 - Restart the ssh-daemon for the changes to take effect.

That should get you up and running....
"man sshd says that sshd supports both versions 1 and 2"

Yes, SSHD supports both versions 1 and 2, so does putty. But you cannot use an DSA key for an SSH1 connection.
So if you have an DSA key, ensure you connect with SSH version 2. (Although Putty will try to connect with SSH2 first by default.)
RiDo78, that's what I already said: putty is tooooo stupid for identifying something it was told to do
use ssh which has no such problems ;-)
jasimon9Author Commented:
Very helpful information. I will have to check it out.
jasimon9Author Commented:
btw, here is the putty event log -- looks like it thinks it is working!

2006-05-04 23:29:07      Looking up host "barebones"
2006-05-04 23:29:07      Connecting to port 22
2006-05-04 23:29:07      Server version: SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903
2006-05-04 23:29:07      We claim version: SSH-2.0-PuTTY-Release-0.53b
2006-05-04 23:29:07      Using SSH protocol version 2
2006-05-04 23:29:07      Doing Diffie-Hellman group exchange
2006-05-04 23:29:07      Doing Diffie-Hellman key exchange
2006-05-04 23:29:08      Host key fingerprint is:
2006-05-04 23:29:08      ssh-dss 2048 67:80:53:8b:5e:66:3a:39:9e:72:00:a0:17:b6:ec:e4
2006-05-04 23:29:08      Initialised AES-256 client->server encryption
2006-05-04 23:29:08      Initialised AES-256 server->client encryption
2006-05-04 23:29:12      Access granted
2006-05-04 23:29:12      Opened channel for session
2006-05-04 23:29:12      Allocated pty
2006-05-04 23:29:12      Started a shell/command

However, the first thing in the window is the login/password dialog.
> However, the first thing in the window is the login/password dialog.
is your sshd configured for keys
  RSAAuthentication yes
Nope, it is not working. This is my puttylog, with the key provided in Putty (Pageant not running):
2006-05-01 11:23:56      Looking up host ""
2006-05-01 11:23:56      Connecting to port 22
2006-05-01 11:23:56      Server version: SSH-2.0-OpenSSH_4.1
2006-05-01 11:23:56      We claim version: SSH-2.0-PuTTY-Release-0.56
2006-05-01 11:23:56      Using SSH protocol version 2
2006-05-01 11:23:57      Doing Diffie-Hellman group exchange
2006-05-01 11:23:57      Doing Diffie-Hellman key exchange
2006-05-01 11:23:57      Host key fingerprint is:
2006-05-01 11:23:57      ssh-rsa 1024 41:cf:e5:71:19:58:b3:64:b7:10:1e:e6:88:28:a5:af
2006-05-01 11:23:57      Initialised AES-256 client->server encryption
2006-05-01 11:23:57      Initialised AES-256 server->client encryption
2006-05-01 11:23:57      Initialised HMAC-SHA1 client->server MAC algorithm
2006-05-01 11:23:57      Initialised HMAC-SHA1 server->client MAC algorithm

2006-05-01 11:23:59      Reading private key file "C:\Documents and Settings\RiDo\intercom.ppk"
2006-05-01 11:23:59      Offered public key
2006-05-01 11:23:59      Offer of public key accepted

2006-05-01 11:24:04      Access granted
2006-05-01 11:24:04      Opened channel for session
2006-05-01 11:24:04      Local port 25 forwarding to smtp:25
2006-05-01 11:24:04      Local port 3128 forwarding to
2006-05-01 11:24:04      Allocated pty (ospeed 38400bps, ispeed 38400bps)
2006-05-01 11:24:04      Started a shell/command
And this is the log with Pageant running:
2006-05-05 10:55:18      Looking up host ""
2006-05-05 10:55:18      Connecting to port 22
2006-05-05 10:55:19      Server version: SSH-2.0-OpenSSH_4.1
2006-05-05 10:55:19      We claim version: SSH-2.0-PuTTY-Release-0.56
2006-05-05 10:55:19      Using SSH protocol version 2
2006-05-05 10:55:19      Doing Diffie-Hellman group exchange
2006-05-05 10:55:19      Doing Diffie-Hellman key exchange
2006-05-05 10:55:20      Host key fingerprint is:
2006-05-05 10:55:20      ssh-rsa 1024 41:cf:e5:71:19:58:b3:64:b7:10:1e:e6:88:28:a5:af
2006-05-05 10:55:20      Initialised AES-256 client->server encryption
2006-05-05 10:55:20      Initialised AES-256 server->client encryption
2006-05-05 10:55:20      Initialised HMAC-SHA1 client->server MAC algorithm
2006-05-05 10:55:20      Initialised HMAC-SHA1 server->client MAC algorithm

2006-05-05 10:55:21      Pageant is running. Requesting keys.
2006-05-05 10:55:21      Pageant has 1 SSH2 keys
2006-05-05 10:55:21      Trying Pageant key #0
2006-05-05 10:55:23      Sending Pageant's response

2006-05-05 10:55:23      Access granted
2006-05-05 10:55:23      Opened channel for session
2006-05-05 10:55:23      Local port 25 forwarding to smtp:25
2006-05-05 10:55:23      Local port 3128 forwarding to
2006-05-05 10:55:23      Requesting OpenSSH-style agent forwarding
2006-05-05 10:55:23      Agent forwarding enabled
2006-05-05 10:55:23      Allocated pty (ospeed 38400bps, ispeed 38400bps)
2006-05-05 10:55:23      Started a shell/command
So according to your putty-log there is no key defined in putty (connection -> SSH -> Auth) nor is pageant running and providing any keys.

If pageant is running, make sure it has some keys ready. If it is not running, make sure the key is defined in Putty itself before opening the connection (don't forget to save before pressing 'Open').

Good luck!

PS: I've got two port-forwarding running (25 and 3128), so it's normal for these not to show up in your log.
hmm, I'd start sshd in debug mode and try again to see what sshd reports
I disabled the private-key auth and enabled password-login. If I load the key in Putty, I got a log like this:
2006-05-05 14:05:53      Looking up host ""
2006-05-05 14:05:53      Connecting to port 22
2006-05-05 14:05:53      Server version: SSH-2.0-OpenSSH_4.1
2006-05-05 14:05:53      We claim version: SSH-2.0-PuTTY-Release-0.56
2006-05-05 14:05:53      Using SSH protocol version 2
2006-05-05 14:05:53      Doing Diffie-Hellman group exchange
2006-05-05 14:05:53      Doing Diffie-Hellman key exchange
2006-05-05 14:05:53      Host key fingerprint is:
2006-05-05 14:05:53      ssh-rsa 1024 41:cf:e5:71:19:58:b3:64:b7:10:1e:e6:88:28:a5:af
2006-05-05 14:05:53      Initialised AES-256 client->server encryption
2006-05-05 14:05:53      Initialised AES-256 server->client encryption
2006-05-05 14:05:53      Initialised HMAC-SHA1 client->server MAC algorithm
2006-05-05 14:05:53      Initialised HMAC-SHA1 server->client MAC algorithm

2006-05-05 14:05:57      Reading private key file "C:\Documents and Settings\RiDo\intercom.ppk"

2006-05-05 14:06:00      Sent password
2006-05-05 14:06:00      Access granted
2006-05-05 14:06:00      Opened channel for session
2006-05-05 14:06:00      Local port 25 forwarding to smtp.demon.nl:25
2006-05-05 14:06:00      Local port 3128 forwarding to
2006-05-05 14:06:00      Allocated pty (ospeed 38400bps, ispeed 38400bps)
2006-05-05 14:06:00      Started a shell/command
Mind the "Reading private key..." line, Putty reads the key but it is refused.

However, if I load the key in Pageant, Putty does not mention anything about Pageant or keys.

So could you load the key in Putty to see if that works and what the logfile says about that?

PS: I just noticed that  you are running an rather old version of Putty. I run 0.56, and that is already old (0.58 is the newest release). But you run 0.53, so you might want to try a newer version. You can get it here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
jasimon9Author Commented:
To ahoffman: here is extract from /etc/ssh/sshd_config:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

to RiDo78: I upgraded putty to 0.58 some time during the lifetime of this question.

also "load key in putty" -- in general I have found the putty interface EXTREMELY counter intuitive and hard to use. So in trying to load the key, what I think to do is to enter it into the SSH > Auth > private key file. When I do this, then load my session, of course it is gone. So what I have to do is (1) load a session; (2) make changes; (3) save the session. While this seems straightforward, I find I am always violating this pattern. Thus "hard to use."

In any case, after doing this, I get "server refused our key" which seems to point to the fact that there is some mismatch between the public and private keys. So at this point, I would just try to reload them.

I am having someone take a look at this and will report back.

True, the load & save options in Putty are a bit strange and hard to get used to. I use Putty on daily base and even I keep making the mistake not to save any changes to a profile. Also Puttygen isn't very clear either.

Therefore I prefer using the SSH-way (as Dushan calls it). And it's pretty easy:
ssh-keygen -b 2048 -t rsa
The ssh-keygen will now generate an 2048 bit key and asks for a filename to save it to. By default ~/.ssh/id_rsa (just press enter to confirm or type another name). Then it will ask you twice to enter a password (for RSA keys, you may press enter to leave it blank). You can even skip the number of bits, and you'll get an 1024 bits key. The only mandatory option is the -t, that should be rsa1 (for SSH version 1), rsa or dsa (for SSH version 2).

The name of the public key is the same as the private key, appended with .pub. So id_rsa.pub by default.

Now copy the id_rsa file to your Windows machine and open it with puttygen (conversions -> import key). It will ask for the password and once you've entered it correctly it will open and show the fingerprint and some more info. Now press 'save private key' to save the converted key as an 'Putty Private Key' file.

From this moment on, you can use the key in putty. However, Unix / Linux is still not aware of the new key. Therefore you need to copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys (or make a symlink).

The authorized keys file is used for access-control and restrictions (you can restrict certain keys to a certain shell or something).  It can contain multiple keys, each with their own set of restrictions. By default, no restrictions are set. Only the keys in this file are permitted to logon with this username. So if you have only one key, you can setup a symbolic link to the id_rsa keyfile, but if you have more keys, you need to copy the keys to it.
jasimon9Author Commented:
Rido78: Thank you for the detailed instructions. Unfortunately, after following them to the letter, I get the same result:

1. Login as: prompt is displayed.
2. I enter my login.
3. "Server refused our key"
4. I enter password and am logged in.

The strange thing is, I believe putty should ask for the passphrase at some point. It does not.

If I load pagent and enter the key into it, it does ask for the passphrase when loading the key. Then when using putty, I no longer get the "Server refused our key", but I still get the login and password prompts, as though no keys were being used.

Seems weird.
Are you ABSOLUTELY CERTAIN that you DID NOT press the 'GENERATE' button in the Putty Keygen?
Just  Conversions -> Import  followed by 'Save Private Key'.

>"The strange thing is, I believe putty should ask for the passphrase at some point. It does not."

That's correct.

Pageant needs the password to decrypt and load the key as the key can be used more than once. For example if you logon from your Linux or Unix machine to another one using SSH and have Agent-forwarding enabled. SSH will forward the challenge to your Windows machine and Pageant has to decrypt the challenge and send it back. This way you can login to other systems without having to logon everytime. Just 'ssh <systemname>' will do, for as long as Pageant is running and Agent forwarding is enabled and allowed.

Putty on the other hand, uses the key only once. Therefore it asks for the password no sooner than needed.

And as you have to enter the desired-username before the challenge takes place, you get an username question first. After the username-question the challenge begins and now is the time that Putty needs to decrypt the key. So it asks for a password. So it looks the same whether or not you use keys or password authentication. You only notice the difference when the password on the key differs from the account-password.
jasimon9Author Commented:
Yes I am absolutely sure. Using Conversion > Import, I had to specify the file that the key should be imported from.

I have run through this sequence several times now and always my password is requested. I remember using Putty several years ago with the keys instead of passwords. Just don't know why it is not working now.
please start sshd in debug mode (probably on another port), then try to connect with putty and post result from sshd
Did you start sshd in debugmode already as ahoffmann suggested a couple of times?
jasimon9Author Commented:
I have had to back burner this question for a bit. I will be a few days before I can get back to it. It still is an issue that I would like to solve however.
Well, the issue is still not solved. However, both ahofmann and I have put quite some effort in this question.

To be honest, I'd rather had this issue solved, but unfortunately jasimon9 does not feel the urge to solve it. Which is a pity as we have tried so much already so we bound to find the problem any moment now.
jasimon9Author Commented:
I do feel that we need to solve this issue. I have hired a consultant to take a look at my system at this time. Because of the effort put into it by RiDo78 and ahoffmann, I am going to split points for effort expended.

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 9
  • 8
  • 7
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now