Key Generation

You should only generate keys for protocol version 2. You may be offered the choice of generating RSA and DSA keys. Either will do, but I believe RSA is preferred (the Linux client certainly looks for and uses an RSA key ahead of a DSA one).

During generation you will be asked for an optional passphrase. It is not considered good practice to generate keys without a passphrase. If you do, and you don't keep the key secure, then anyone obtaining it will be able to gain access to wherever it gains you access. In most cases using the authentication agent obviates any perceived need for passphraseless keys.

OpenSSH

Generate a key pair as follows

; ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/staff4/njkw/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/staff4/njkw/.ssh/id_rsa.
Your public key has been saved in /home/staff4/njkw/.ssh/id_rsa.pub.
The key fingerprint is:
92:e0:99:fd:ad:e4:a1:de:02:59:ff:90:8d:83:e7:b2 njkw@beadnell.ncl.ac.uk
;

The private key .ssh/id_rsa can be used on other machines with OpenSSH clients. Store it in the same location, and ensure that it is readable only by yourself.

PuTTY

Windows

You need to use PuTTYgen, the PuTTY Key Generator program. If your system has the CS Portable Apps (as do all CS Common Desktop Systems and central NUIT clusters) then PuTTYgen is in its Communications-> SSH - Putty and Friends section. If you installed PuTTY yourself then you will have PuTTYgen if you downloaded the bundle of PuTTY clients.

Window 1 shows the initial screen after startup of PuTTYgen. The defaults are OK, so click Generate.

Window 2 shows the situation after generation of a key; a passphrase was entered and confirmed. The Key comment line shows a generated comment. It is best to change it to something that means something to you, e.g. a mnemonic that reminds you of the passphrase, since it is displayed when the passphrase is prompted for. You at least need to save the private key. If you have access to your Linux home directory you can, as indicated in the Key panel, cut and paste the public key directly into your authorized_keys file (see install above), otherwise save it too.

Linux

The Unix version of PuTTY does not provide a graphical key generator program. The command for the command line equivalent is puttygen.

ssh.com

Start up the client and, if possible, log in to a School Linux machine, e.g. linux.cs, since you can then proceed straight to installing the key after generating it. Now select Edit -> Settings and then Global Settings -> User Authentication -> Keys to arrive at the window shown below

Select Generate New..., which, after an explanatory window, leads to this one

The Key Type has been changed from DSA to RSA. After key generation you will be presented with the following window, but with empty fields.

After completing it, select Next>, which leads to this window

The text is self-explanatory. If you are in a position to upload the key, click Upload Public key, otherwise click Finish, and proceed to installation.

Public Key Installation

The aim here is to get the public key generated on your client machine added to the file .ssh/authorized_keys in your Linux home directory in the correct format. The obvious way is to use Secure Shell copy or Secure FTP, using some other authentication method, to transfer it to a Linux machine, log in using your Secure Shell client, and append the file to authorized_keys. If no transformation of the key is required then this can be achieved as follows, for example, from another Linux machine

scp $HOME/.ssh/id_rsa.pub linux.cs:/tmp/id_rsa.n1234567
Password:
# ssh linux.cs
Password:
cat /tmp/id_rsa.n1234567 >>.ssh/authorized_keys
rm /tmp/id_rsa.n1234567

OpenSSH

An OpenSSH-generated key will automatically be in the correct format.

If you generated the keys on a School Linux machine you can simply move the public key to your authorized_keys file

cd
cat .ssh/id_rsa.pub >>.ssh/authorized_keys

Otherwise, follow the instructions above.
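The scp/cat procedure above, and the local cat into authorized_keys, as an added shell function that is not part of the original page. It adds the checks a careful installation wants: the file must hold exactly one OpenSSH-format key line, a key already present (same type and blob, whatever the comment) is not appended twice, and .ssh and authorized_keys are left with the modes sshd's StrictModes insists on. The function and sample names are my own, and the sample key blob is constructed, not a real key.

```sh
#!/bin/sh
# Added example, not part of the original page. Appends a one-line OpenSSH
# public key to an authorized_keys file, the way the scp/cat procedure does,
# with format, duplicate and permission checks.
# Usage: install_pubkey /tmp/id_rsa.n1234567 [~/.ssh/authorized_keys]
# Exit status: 0 appended, 1 malformed key, 2 unreadable file or directory,
# 3 key already present.

# Key types accepted; extend as your sshd allows.
KEY_TYPES='ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521'

# Print the single key line in file $1, or fail if it is not
# "<type> <base64>[ <comment>]" on exactly one non-empty line.
read_pubkey() {
    key=$(grep . "$1") || return 1
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$key" | grep -Eq "^($KEY_TYPES) [A-Za-z0-9+/]+=*( .*)?\$" || return 1
    printf '%s\n' "$key"
}

install_pubkey() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    [ -r "$pub" ] || return 2
    key=$(read_pubkey "$pub") || return 1
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 2      # sshd wants .ssh to be 700
    # Compare type and blob only, so a key with a changed comment is still a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if [ -f "$auth" ] && awk '{print $1, $2}' "$auth" | grep -Fqx "$blob"; then
        return 3
    fi
    printf '%s\n' "$key" >> "$auth" && chmod 600 "$auth"  # and authorized_keys to be 600
}

# Constructed sample key for trying the function; the blob is not a real key.
sample_pubkey() {
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyBlob0123456789ab n1234567@beadnell\n'
}
```

A line that sshd would reject (options prefix, a .pub file with several keys, a key pasted with line breaks) is refused before anything is written, so a failed run leaves authorized_keys untouched.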

PuTTY

Windows

If you have access to your Linux home directory you can, as indicated in the top panel of Puttygen's window after key generation, cut and paste the public key directly into your .ssh/authorized_keys file.

Otherwise, save it, upload it to a Linux machine, e.g. by using WinSCP, and then append it to your authorized_keys file using the instructions above.

Linux

Uploading keys is as for OpenSSH.

ssh.com

If you didn't arrive here immediately after generating keys, connect to a School Linux machine, e.g. linux.cs, select Edit -> Settings... and then Upload... from the window obtained by selecting Global Settings -> User Authentication -> Keys. You should be presented with a window like the following

The Public Key file field will contain the name of your key, not wxp. The directory named opposite Destination folder must exist on the remote machine. .ssh2 (in your home directory) probably doesn't, but even if it does, don't use it. If .ssh exists, though, specify it, otherwise nominate a temporary directory, e.g. /tmp.

Authorization file can be left as authorization; although information is copied there, it is not needed, and the file will be removed.

Once the key has been uploaded, switch to the console window and install the key

cd .ssh
ssh-keygen -i -f wxp.pub >>authorized_keys

replacing wxp by the filename of your key, and specifying the full pathname to it if you didn't upload to .ssh in your home directory. Both the public key file and authorization can be deleted from the directory you downloaded them to.
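What the ssh-keygen -i step above actually does, as an added example that is not part of the original page: a small converter from the ssh.com (RFC 4716) public key file to the one-line OpenSSH form. The ssh.com file has BEGIN/END marker lines, "Tag: value" headers that continue on the next line when a line ends in a backslash, and a base64 body wrapped over several lines; OpenSSH wants "<type> <base64> [comment]" on one line. The key type is read from the start of the blob, which encodes the type name as a length-prefixed string, so no base64 decoding is needed. Function names are my own and the sample key body is constructed, not a real key.

```sh
#!/bin/sh
# Added example, not part of the original page. Converts an RFC 4716
# (ssh.com) public key file, given as an argument or on stdin, to the
# single-line OpenSSH format, as "ssh-keygen -i -f wxp.pub" does.
# Usage: ssh2_to_openssh wxp.pub >> ~/.ssh/authorized_keys
# Exit status: 0 converted, 1 no key body found, 2 unrecognised key type.

ssh2_to_openssh() {
    awk '
    /^---- (BEGIN|END) SSH2 PUBLIC KEY ----$/ { next }
    cont { cont = ($0 ~ /\\$/); next }            # rest of a wrapped header line
    /^[A-Za-z0-9-]+: / {                          # header-tag ": " header-value
        if ($0 ~ /^Comment: /) {
            comment = substr($0, 10)
            gsub(/^"|"$/, "", comment)            # RFC 4716 quotes the comment
        }
        cont = ($0 ~ /\\$/); next
    }
    NF { blob = blob $0 }                         # base64 body, joined back up
    END {
        if (blob == "") exit 1
        # base64 of the length-prefixed type name that opens every key blob;
        # other types (ecdsa etc.) are reported as unrecognised
        if      (index(blob, "AAAAB3NzaC1yc2E") == 1)      type = "ssh-rsa"
        else if (index(blob, "AAAAB3NzaC1kc3M") == 1)      type = "ssh-dss"
        else if (index(blob, "AAAAC3NzaC1lZDI1NTE5") == 1) type = "ssh-ed25519"
        else exit 2
        if (comment != "") blob = blob " " comment
        print type " " blob
    }' "$@"
}

# Constructed sample in ssh.com format; the body is not a real key.
sample_ssh2_key() {
    cat <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit rsa, n1234567@wxp, constructed for this example"
x-note: a header value wrapped over \
two lines, which must be skipped too
AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedBodyLineOne
constructedBodyLineTwo==
---- END SSH2 PUBLIC KEY ----
EOF
}
```

A file that is already in OpenSSH format is rejected with status 2 rather than appended twice in a mangled form, which is the usual mistake when the ssh-keygen -i step is run on the wrong file.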

Log out and check that you can log in using public key authentication by selecting Public Key from the Authentication Method dropdown. You may wish to create a profile that has Public Key as the default authentication method.

Authentication Agent

OpenSSH

The authentication agent program is ssh-agent. The Linux man page describes it as follows

DESCRIPTION
 ssh-agent is a program to hold private keys used for public key authen-
 tication (RSA, DSA).  The idea is that ssh-agent is started in the
 beginning of an X-session or a login session, and all other windows or
 programs are started as clients to the ssh-agent program.  Through use
 of environment variables the agent can be located and automatically used
 for authentication when logging in to other machines using ssh(1).

Keys are added (and deleted) using ssh-add. By default, i.e. with no options, the command will look for private key files in standard places with standard names, e.g.

; ssh-add
Enter passphrase for /home/staff4/njkw/.ssh/id_rsa:
Identity added: /home/staff4/njkw/.ssh/id_rsa (/home/staff4/njkw/.ssh/id_rsa)
Identity added: /home/staff4/njkw/.ssh/id_dsa (/home/staff4/njkw/.ssh/id_dsa)
;

I was only prompted once for a passphrase as both keys use the same one.

With key(s) added, and with the corresponding public key(s) available in .ssh/authorized_keys in your home directory, connection to the School's Linux machines should happen without prompting for a passphrase.

Note: the School's Linux workstations follow the practice of starting ssh-agent during X session startup, so it is automatically available to console users for outward use.

PuTTY

Windows

PuTTY's agent program is called pageant.

It is one of the CS Portable Apps; if you downloaded the bundle of clients when you downloaded PuTTY then you will already have it. Executing pageant simply installs it in the system tray, from where keys can be manipulated. If you find yourself using the agent a lot, it may be worthwhile arranging for pageant to install itself in the system tray and to add keys at startup. There are instructions on how to do this in PuTTY's own help.

Linux

The Unix version of PuTTY does not provide an agent program. However, if an OpenSSH agent is running, the client makes use of that.

A further convenience is to set Auto-login username to your campus user name under Connection on the PuTTY Configuration screen (the initial screen when starting PuTTY) and store it, together with any other settings you wish to make, e.g. linux.cs as the host name, in a saved session, so that future logins reduce to double-clicking on the session's name in the list of saved sessions.

In the Unix version, the Auto-login username setting is made in the Data sub-section of Connection.

ssh.com

There isn't a free authentication agent program for the Secure Shell client from ssh.com (at one time the only ssh client available on Campus Managed Desktop systems).