Helping people with computers... one answer at a time.

Public Key Authentication is a powerful and secure way to manage server access. This video demonstrates configuring WinSCP for Public Key Authentication.

I happen to use public key authentication on several servers I manage. In fact, I turn off password authentication, so that even with the right password, you simply cannot login.

There are many tools that support public key authentication, but because the concepts are a little foreign to most, getting things configured can be a bit of a challenge.

This video walks through the steps of configuring a popular secure file transfer client, WinSCP, to use public key authentication.

Audio Transcript - Video Below

Hi everyone, this is Leo Notenboom with another video tip from askleo.info - configuring WinSCP to use Public Key Authentication.

We start by running the utility PuttyGen, a separate download from Putty.nl.

Click the Generate key and move the mouse around - randomness is an important part of cryptography, and nothing's more random than how we move the mouse.

Enter a Key passphrase - this locks your private key and is not related in any way to the server you're about to connect to.

Now, save the private key to a location on your machine - we'll need it again in just a moment. I'll call mine, "mykey"

Select the public key that's at the top of the PuttyGen window, copy it, and now paste it into an email message to your system administrator. Your admin will install it on the server you'll want to connect to.

Once installed, it's time to run WinSCP.

For your connection, enter the name of the server you want to connect to, your User name on that server - note that you do not specify a password.

Instead, you'll enter the location of the private key file we saved from PuttyGen.

Now we're ready to login.

The first time you connect to the server you'll get a big scary warning message. As long as this is the first time you've connected, you can safely ignore it, and click "Yes" to connect anyway.

Now you'll need to enter the passphrase you created to unlock your private key. Click OK, and you're connected.

See the notes accompanying this video for links to all the tools involved, as well as a discussion of the passphrase - why it's optional, and when it's safe not to have one.

This video is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems.

Download the video: winscppkauth.mp4 (3M).

View in HD (1280x720)

The 'passphrase' placed on a private key causes many people confusion. To confuse things even more, it's optional!

Your private key is just some special data kept in a file on your computer. The 'special' part is that it, and only it, matches the public key you've given to the system administrator. "Public Key Authentication" is just you proving that you have the private key that matches the public key. If you have the private key, and it's the only private key that could match the public key, then you must be who you say you are.

So what if someone steals your computer, or otherwise gets a copy of your private key file?

Unless the key file is protected, much like the key to your car or house, anyone who has your private key can authenticate as if they were you.

There are two forms of protection:

  • Encrypt the private key with a passphrase. As in the video example, when you create the private key, you place a passphrase on it. In order to use the private key late, you have to provide that passphrase again. This has nothing to do with the server you're connecting to - it's simply your private key, protected by a passphrase. (We use "passphrase" here instead of "password", because a lengthy phrase can be used rather than just a word. Longer phrases are better security, but perhaps harder to remember.)

  • Keep the your private key file secure. If you can keep that file secure so that it cannot be lost or stolen, then you can create your private key with no passphrase at all. Merely possessing it is enough to login. This happens to be what I do, because I keep my private key files, along with other sensitive data, on an encrypted disk drive.

The nice thing about not having a passphrase on your private key, is that you need type nothing to login - it's often a one-double-click operation. And as long as your private key is secure, it's fast, convenient and very safe.

Article C2737 - July 30, 2006 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

1 Comment
nagarjuna
November 2, 2011 2:17 AM

Thanks for providing this article.
i have a different problem.
i have a winscp commands batch script to transfer files from remote server to local.
when ever there is a host key change it is exiting the script execution and files are not transfered.
how use commandline to get the host key automatically to winscp.ini file when it is changed.
how to configure StrictHostKeyChecking=no in winscp.ini.

Thank You.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.