Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How do I configure WinSCP for Public Key authentication?

I happen to use public key authentication on several servers I manage. In
fact, I turn off password authentication, so that even with the right password,
you simply cannot login.

There are many tools that support public key authentication, but because the
concepts are a little foreign to most, getting things configured can be a bit
of a challenge.

This video walks through the steps of configuring a popular secure file
transfer client, WinSCP, to use public key authentication.

Become a Patron of Ask Leo! and go ad-free!

Audio Transcript – Video Below

Hi everyone, this is Leo Notenboom with another video tip from askleo.info –
configuring WinSCP to use Public Key Authentication.

We start by running the utility PuttyGen, a separate download from
Putty.nl.

Click the Generate key and move the mouse around – randomness is an
important part of cryptography, and nothing’s more random than how we move the
mouse.

Enter a Key passphrase – this locks your private key and is not related in
any way to the server you’re about to connect to.

Now, save the private key to a location on your machine – we’ll need it
again in just a moment. I’ll call mine, “mykey”

Select the public key that’s at the top of the PuttyGen window, copy it, and
now paste it into an email message to your system administrator. Your admin
will install it on the server you’ll want to connect to.

Once installed, it’s time to run WinSCP.

For your connection, enter the name of the server you want to connect to,
your User name on that server – note that you do not specify a password.

Instead, you’ll enter the location of the private key file we saved from
PuttyGen.

Now we’re ready to login.

The first time you connect to the server you’ll get a big scary warning
message. As long as this is the first time you’ve connected, you can safely
ignore it, and click “Yes” to connect anyway.

Now you’ll need to enter the passphrase you created to unlock your private
key. Click OK, and you’re connected.

See the notes accompanying this video for links to all the tools involved,
as well as a discussion of the passphrase – why it’s optional, and when it’s
safe not to have one.

This video is a presentation of askleo.info, a free on-line technical
question and answer service. Hundreds of questions and answers are online and
ready to help solve your computer problems.

View in HD (1280×720)

The ‘passphrase’ placed on a private key causes many people confusion. To
confuse things even more, it’s optional!

Your private key is just some special data kept in a file on your computer.
The ‘special’ part is that it, and only it, matches the public key you’ve given
to the system administrator. “Public Key Authentication” is just you proving
that you have the private key that matches the public key. If you have the
private key, and it’s the only private key that could match the public key,
then you must be who you say you are.

So what if someone steals your computer, or otherwise gets a copy of your
private key file?

Unless the key file is protected, much like the key to your car or house,
anyone who has your private key can authenticate as if they were you.

There are two forms of protection:

  • Encrypt the private key with a passphrase. As in the video example, when you
    create the private key, you place a passphrase on it. In order to use the
    private key late, you have to provide that passphrase again. This has
    nothing to do with the server you’re connecting to – it’s simply your
    private key, protected by a passphrase. (We use “passphrase” here instead of
    “password”, because a lengthy phrase can be used rather than just a word.
    Longer phrases are better security, but perhaps harder to remember.)

  • Keep the your private key file secure. If you can keep that file
    secure so that it cannot be lost or stolen, then you can create your private
    key with no passphrase at all. Merely possessing it is enough to login. This
    happens to be what I do, because I keep my private key files, along with other
    sensitive data, on an encrypted disk drive.

The nice thing about not having a passphrase on your private key, is that
you need type nothing to login – it’s often a one-double-click operation. And
as long as your private key is secure, it’s fast, convenient and very safe.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

1 thought on “How do I configure WinSCP for Public Key authentication?”

  1. Thanks for providing this article.
    i have a different problem.
    i have a winscp commands batch script to transfer files from remote server to local.
    when ever there is a host key change it is exiting the script execution and files are not transfered.
    how use commandline to get the host key automatically to winscp.ini file when it is changed.
    how to configure StrictHostKeyChecking=no in winscp.ini.

    Thank You.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.