Key-Based SSH Logins With PuTTY

This guide describes how to generate and use a private/public key pair to log in to a remote system with SSH using PuTTY. PuTTY is an SSH client that is available for Windows and Linux (although it is more common on Windows systems). Using key-based SSH logins, you can disable the normal username/password login procedure which means that only people with a valid private/public key pair can log in. That way, there is no way for brute-force attacks to be successful, so your system is more secure.

1 Preliminary Note

In this tutorial, I use a Windows desktop to connect to a Linux SSH server (Debian with IP address:

2 Install PuTTY, PuTTYgen, And Pageant On The Windows System

First, we need to install PuTTY, PuTTYgen, and Pageant on our Windows system. All we need to do is download the executable files (.exe) and save them somewhere, e.g. on the desktop. We don't need to install them as they are standalone applications. To start them, we only need to double-click them.

Download the following files from the PuTTY download page and save them on your Windows system, e.g. on the desktop:


3 Create A Profile With Settings For Our Server

In PuTTY, you can create profiles for connections to your various SSH servers, so you don't have to type in the settings again when you want to connect to a certain server again.

Let's create a profile for our server. Start PuTTY by double-clicking its executable file. You are now in the category Session (see the tree on the left side of the screenshot). Enter under Host Name (or IP address), enter 22 under Port and select SSH under Protocol:

Putty program started

Then go to Connection -> Data and specify the username with that you want to log in to your SSH server under Auto-login username. In this article I use root:

Set the SSH connection data

Then go to Session again. Under Saved Sessions enter a name for the profile, e.g. or any other string that lets you remember for which server the profile is. Then click on Save:

Saved sessions

The next time you use PuTTY, you can simply select the appropriate profile from the Saved Sessions textarea, click on Load and then Open.

Share this page:

Suggested articles

42 Comment(s)

Add comment


By: FalconsMaze

Thank you for the detailed screen shots and hand holding.  I was able to set this up in five minutes.  On other blogs there are a lot of steps omitted or :"your just suppose to know that setup."

Awesome job!


By: dcb

This is well explained thank you. Putty does it's job well, but there are few instructions around that explain how to use it. The messages from failed login attempts rarely give any clues about how PuTTY should be set up. Many thanks for taking the time to document these settings and explain them so clearly. It is much appreciated.


By: DizzyBum

Thanks for this article!  I use Putty non-stop at work and this is going to cut out a lot of the time I spend copying and pasting long passwords.  Very clear and simple instructions.

By: Brian

Thanks for explaining the whole process! I had stumbled through the key generation but couldn't figure out how to get the public key to the server in the right spot. I've bookmarked this page for future reference, because at my new job I've got a lot of servers to ssh to.

By: thatsimonguy

This post really helped me and I was able to successfully setup a private/public keypair between my Win7 machine and my Ubuntu box for login.  Thanks.

By: alex_rsku

What if I want to create few pub keys? Should I append these keystrings to authorized_keys2 , what separators are ?

By: M. Gy.

Authorized keys are checked in both ~/.ssh/authorized_keys and authorized_keys2 by default. openSUSE (and maybe other) distros do not use authorized_keys2, so if you cannot login with your brand nem key pair, try to rename the file to authorized_keys.

Rgrds - M. Gy.

By: M. Gy.

Switching off PAM (usePAM no) in /etc/ssh/sshd_config has some side effects. It is safer to write:

ChallengeResponseAuthentication no

instead. It still disables keyboard-interactive login, but leaves PAM to be used.

By: M. Gy.

A 2048 bits long key can be used, it is safer and it is now the default in PuTTYGEN.

By: abhishek

thank you.

By: Markus


By: Jameel Isaacs

Hi there,

I am struggling to do step 6, could you please advise a more detailed step process

Kind regards


By: Zdenek

Thank you very much. Excellent job!

By: steffen

how to do this with cacert .org client certificates instead of putty "self-signed" certs?

By: Kotzaak

Thanks for this very clear document! Helped me out in 20 minutes :)

By: john

Excellent instructions, but for me on Ubuntu 14 and windows 8.1, it does not work. I followed every step to the letter, but when I try to login with putty (with the ppk file set), it just prompts for the username and password as usual - doesnt do anything with the cert. The permissions on ~/.ssh and the keys file are correct, as is the thing which I pasted in (same format as yours, on one line).  The problem with ssh is it never works for me, and its hard to debug where the problem might be.

By: Makoto

An excellent tutorial. Thanks a lot.

I have one more question: can I change the passphrase of my private key without creating a new one?

By: Kevin Burns

This isn't a good idea by any means. This ranks up there with saving your credentials to a secure server in a RDP file. If you save your login name as a profile and your Windoze machine becomes compromised, you are giving an attacker half the setup to compromise another machine. This is just a bad and lazy idea. 

By: informatica training

ssh key based logins putty nice posts...


By: Søren


Nice and well written tutorial.

Have tried to put the authorized_keys in many locations on my box without success - I'm trying to ssh from Putty to a Popcorn Hour c-200 where dropbear is installed. However, I keep getting the message "Server refused our key".

I'm almost certain that I did the keys correctly. I'm just not sure where to put the authorized_keys when it comes to Dropbear on a PCH-C200.

I'm logging in as root and $HOME is usr/ltu/home so one location for the keys would be ~/.ssh - but still I get the error.

If someone knows how to solve that case - logging in as root from Putty to PCH-C200 I'm all ears...


By: Kai

works perfekt! Thank you! 

By: AndyR

Great write up.Don't forget to indicate the path to the public key in sshd config and restart the service:sudo nano /etc/ssh/sshd_configfind the line for the path to Authenitcation keys and remove the # and add a "2":AuthorizedKeysFile      %h/.ssh/authorized_keys2 and then:sudo service ssh restart

By: charlie

Very Well explained, I've been struggling for quite some time to set up SSH Key Authentication using putty on a windows client, connecting to a debian8 server. I've had many failures until i read & followed the above post.


By: B

 Very clear and concise - thank you.

An issue I had: after executing the steps from start to finish, my first attempt at logging in with keys was successful, however all consequent login attempts returned "Server does not like our key" and reverted to password prompt (I had not disabled password login access yet.) 

To fix this, I logged into the server normally (user name and pass) and re-ran:

chmod 600 ~/.ssh/authorized_keys2

If anyone gets this issue it might be worth doing this as the permissions are needed for this to work.

By: senseless

The PuTTY Key Generator window changed in PuTTY 0.68, released 2017/02/21, with the addition of the ECDSA and ED25519 cryptosystem options. I'm prety sure what was listed as "SSH-2 RSA" in previous versions of PuTTY is just listed as "RSA", now.

By: Maciej

Than you!  :-)

By: Dima

Well , there was no option to insert the key i got from hosting provider. :) I don't understand why this tutorial doesn't explain this step. I have hash. where i can import it ? since both ends have it , and i should provide it for putty. Meh. I'm trying acces my gator hosted http://goodmovie.toay host , hich is external public host, with only way to connect.

By: anonymous

Thank you for the detailed tutorial.  It helped me a lot.

By: James

Great article, just thats not key based SSH login, thats just saving the login credentials, not saving an SSH key!

By: till

I guess you missed to read pages 2 - 4 of the article which describe how to create a key with putty keygen and how to install the public key on the target server.

By: Ron C

Excellent article.  Just the amount of help needed.  Thank!

By: Steve trump

Well Done! This is what I wanted to know.



By: Richard

Twelve years after writing, it's still helpful!

Thanks a lot dude, it was exactly what I needed.

By: Hi

bro,were is my password??

By: Bajser Bajsersson

I failed to see the part where I choose my key to login. Back to google.

By: till

The tutorial has 4 pages and you seem to have read just the first one. The information on how to attach a key to a putty session is on page 3:

By: jraju

Hi, Quite interesting article.

please kindly clarify, if ssh session with router is risky in any way.

Next, i could not understand Point No. 6, as i do not know how to copy the public key to my server. i am having a just pc. The remote login deice is my router. How to access the server in my case. Where to issue commands told in point no. 6

Very nice article indeed Hi,  Falco, but after copying the public key contents to clipboard, how to go around. please expecting your reply

By: jraju

hi, i fail to mention that my operating system is windows 7 ultimate 32 bit. please also telll me if i save pub and pri key and login i could also execute the remote command box in putty available in SSH menu , in Remote command Box

By: jamrnat

Excellent tutorial, thanks a hundred times !

By: ardi kota

how you can give a pssword

By: ardi kota

where to sign up

By: Adrian Wiik

I also had this problem. The difference is that when you copy the key directly from the field in PuTTY, you get "ssh-rsa <key>", but when you use "Save public key", "ssh-rsa" is omitted, which makes the key invalid. When I added "ssh-rsa" in front of my key in "~/.ssh/authorized_keys" (and put all key lines in a single line, not sure if that did anything), it was working.