Puttygen on Linux - SSH Key Generator
This page is about PuTTYgen on Linux. For the Windows version, see the PuTTYgen on Windows page.
The basic function is to create public and private key pairs. PuTTY stores keys in its own format in .ppk files. However, the tool can also convert key formats.
In some Linux distributions, the puttygen tool needs to be installed separately from the PuTTY client. For example, in Debian Linux, the following command will install it:
sudo aptitude install putty-tools
Creating a New Key Pair for Authentication
To create a new key pair for authentication from the command line, use something like:
puttygen -t rsa -b 2048 -C "user@host" -o keyfile.ppk
It is strongly recommended that a passphrase be used for key files intended for interactive use. Key files used for automation (e.g., with WinSCP) should generally have an empty passphrase.
Installing the Public Key as an Authorized Key on a Server
With both Tectia SSH and OpenSSH servers, access to an account is configured by generating a public key, copying the public key to the server, and adding the public key to a ~/.ssh/authorized_keys file.
To extract the public key, use:
puttygen -L keyfile.ppk
Then log into the server, open the authorized_keys file in your favorite editor, and paste the public key output by the above command into it. Save the file. Configure PuTTY to use your private key file (here keyfile.ppk). Then test that login works. See configuring public key authentication for PuTTY.
Changing the Passphrase of a Key
It is recommended that all SSH keys be regenerated and changed periodically. The Universal SSH Key Manager can automate this. Just changing the passphrase is no substitute, but it is better than nothing. These instructions can also be used to add a passphrase to a key that was created without one.
Use the following command to change the passphrase:
puttygen keyfile.ppk -P
This will prompt for the new passphrase, and write the result back to keyfile.ppk with the new passphrase.
Exporting a Private Key to Tectia SSH or OpenSSH
It is rarely necessary to export a private key from PuTTY to Tectia SSH or OpenSSH. However, the process is described here, as it can sometimes be necessary when, for example, an application is moved to Linux in the cloud and the destination server of a file transfer cannot easily be reconfigured to change an authorized key.
Tectia SSH and OpenSSH both support the OpenSSH private key file format, so using that key file format is described here. Tectia SSH also supports certain other formats.
To convert an existing PuTTY private key for Tectia or OpenSSH, use the command:
puttygen keyfile.ppk -O private-openssh -o keyfile
Then copy keyfile to the .ssh directory on the host where Tectia or OpenSSH will be run.
Command Line Options
The basic command line of PuTTYgen consists of:
- Specifies a key file to read, or a key type and size to generate.
- Optional action to perform (e.g., change passphrase).
- Optional output type and output file.
The basic command line is:
puttygen [-t keytype [-b bits] [-q] | keyfile] [-C new-comment] [-P] [-O output-type | -p | -l | -L] [-o output-file]
The options are:
keyfile Name of existing key file to read, when modifying an existing key.
-t keytype Specifies the type of a new key to generate. Acceptable values include
rsa1 is also supported to generate legacy SSH-1 keys, but they should never be needed any more.
-b bits Specifies the number of bits in the key. For DSA keys, 1024 is a decent size. For RSA keys, 2048 or even 4096 bits are recommended.
-q Suppresses messages about progress during key generation.
-C new-comment Specifies a comment to describe the key. The comment does not affect the operation of the key. The comment can be specified for new keys, or for existing keys to change their comment. Typically the comment is used to identify the key owner, but since any value can be specified, it cannot really be relied upon.
-P Requests to change the key's passphrase. The tool will prompt for a new passphrase. It is not possible to specify a passphrase on the command line. The passphrase will be used to encrypt the private key. See more details on passphrases and how to generate good ones.
--old-passphrase file Specifies a file from which to read the old passphrase of the key. This is only needed when manipulating an existing key that is protected by a passphrase.
--new-passphrase file Specifies a file from which to read the new passphrase for the key. This can be used when creating a new key, or with the -P option to change the passphrase.
-O output-type Specifies what to output. By default, the private key is output. The following values can be specified:
- private Save the private key in the proprietary PuTTY key format as a .ppk file.
- fingerprint Outputs the fingerprint of the key. The fingerprint uniquely identifies the key and can, for example, be read over the phone to ensure the key is the intended one.
- public Save the public key corresponding to the private key. For SSH2 keys, the public key will be output in the format specified by RFC 4716. This format is supported by, e.g., Tectia SSH. Keys in that format look like this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: firstname.lastname@example.org
AAAAB3NzaC1yc2EAAAABIwAAAIEA1on8gxCGJJWSRT4uOrR13mUaUk0hRf4RzxSZ1zRb
YYFw8pfGesIFoEuVth4HKyF8k1y4mRUnYHP1XNMNMJl1JcEArC2asV8sHf6zSPVffozZ
5TT4SfsUu/iKy9lUcCfXzwre4WWZSXXcPff+EHtWshahu3WzBdnGxm5Xoi89zcE=
---- END SSH2 PUBLIC KEY ----
- public-openssh Save the public key only, in OpenSSH's proprietary one-line format. The format is also supported by Tectia SSH. Keys in that format look like this:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= email@example.com
- private-openssh Converts the private key to OpenSSH's format. This can only be used for SSH2 keys.
- private-sshcom Converts the private key to the format used by Tectia SSH.
- private-openssh Converts the private key to the format used by OpenSSH. This format is also supported by Tectia SSH.
-l Same as -O fingerprint.
-L Same as -O public-openssh.
-p Same as -O public.
-o output-file Specifies the output file. This option is mandatory when generating a new key. Otherwise, when changing the passphrase or comment, the default is to overwrite the original file. When outputting a public key or fingerprint, the default is standard output.
-h or --help Outputs help text and usage summary.
-V or --version Outputs version number of the tool.
--pgpfp Outputs the fingerprints of the PGP Master keys used for signing new versions of PuTTY.
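To make the two public-key formats described under -O concrete, here is an added example (not part of PuTTY or of this page's original text) that reads an RFC 4716 file of the kind puttygen -O public writes, emits the one-line form that -O public-openssh and -L produce for authorized_keys, reports the RSA modulus size so a key below the 2048 bits recommended above can be rejected before installation, and prints an OpenSSH-style SHA-256 fingerprint. It uses only the Python standard library, and its input is the RSA key shown on this page; every function name is this example's own.

```python
import base64
import hashlib
import struct

# The RFC 4716 key shown on this page, reassembled onto its proper lines.
RFC4716_SAMPLE = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "firstname.lastname@example.org"
AAAAB3NzaC1yc2EAAAABIwAAAIEA1on8gxCGJJWSRT4uOrR13mUaUk0hRf4RzxSZ1zRb
YYFw8pfGesIFoEuVth4HKyF8k1y4mRUnYHP1XNMNMJl1JcEArC2asV8sHf6zSPVffozZ
5TT4SfsUu/iKy9lUcCfXzwre4WWZSXXcPff+EHtWshahu3WzBdnGxm5Xoi89zcE=
---- END SSH2 PUBLIC KEY ----
"""

def parse_rfc4716(text):
    """Return (comment, raw key blob) from an RFC 4716 public key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key")
    headers, body = {}, []
    for line in lines[1:-1]:
        if ":" in line and not body:          # headers come before the body;
            name, value = line.split(":", 1)  # base64 never contains ':'
            headers[name.strip().lower()] = value.strip().strip('"')  # quoted or not
        else:
            body.append(line)
    return headers.get("comment", ""), base64.b64decode("".join(body), validate=True)

def read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + n], offset + 4 + n

def key_type(blob):
    return read_string(blob, 0)[0].decode()

def rsa_bits(blob):
    """Modulus size of an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    _, off = read_string(blob, 0)
    _, off = read_string(blob, off)
    n, _ = read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def to_openssh_line(comment, blob):
    """The one-line form that puttygen -O public-openssh (or -L) writes."""
    return f"{key_type(blob)} {base64.b64encode(blob).decode()} {comment}".rstrip()

def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```

For the page's sample key, rsa_bits returns 1024, so an administrator applying the 2048-bit recommendation above would refuse to add it to authorized_keys; the fingerprint has the same form that ssh-keygen -l prints and can be compared against it before the key is trusted.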