Puttygen is the SSH key generation tool for the Linux version of PuTTY. It works similarly to the ssh-keygen tool in OpenSSH.
The basic function is to create public and private key pairs. PuTTY stores keys in its own format in .ppk files. However, the tool can also convert between key formats.
Installation

On some Linux distributions, the puttygen tool must be installed separately from the PuTTY client. For example, on Debian Linux, the following command will install it:

sudo aptitude install putty-tools

Creating a new key pair for authentication

To create a new key pair for authentication from the command line, use something like:

puttygen -t rsa -b 2048 -C "user@host" -o keyfile.ppk

It is strongly recommended that you use a passphrase for key files intended for interactive use. Key files used for automation (for example, with WinSCP) should usually have an empty passphrase.
Installing the public key as an authorized key on a server

With the Tectia SSH and OpenSSH servers, access to an account is configured by generating a public key, copying the public key to the server, and adding the public key to a ~/.ssh/authorized_keys file.

To extract the public key, use:

puttygen -L keyfile.ppk

Then log in to the server, edit the authorized_keys file with your favorite editor, and paste the public key printed by the above command into the authorized_keys file. Save the file. Configure PuTTY to use your private key file (here keyfile.ppk). Then test whether the login works. See Configuring public key authentication for PuTTY.
Change the password for a key
It is recommended that all SSH keys be regenerated and changed periodically. Universal SSH Key Manager can automate this. Simply changing the passphrase is not a substitute, but it is better than nothing. These instructions can also be used to add a passphrase to a key that was created without one.
Use the following command to change the passphrase:

puttygen keyfile.ppk -P

This will prompt for the new passphrase and rewrite keyfile.ppk encrypted with the new passphrase.
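The recommendation above (a passphrase for interactive keys, and adding one to keys that were created without one) is easy to audit, because a .ppk file is a text file whose header records how the private part is encrypted. The following POSIX shell audit is an added example, not code from the page or from PuTTY; it assumes only the real PPK header layout (a first line "PuTTY-User-Key-File-N: <type>", then "Encryption:" and "Comment:" lines, with "Encryption: none" meaning the private key is stored unencrypted). The sample files it creates are constructed, and their base64 lines are filler rather than usable keys.

```shell
#!/bin/sh
# Added example, not part of the page or of PuTTY: audit .ppk files for a
# missing passphrase by reading the PPK text header. A PPK file starts with
# "PuTTY-User-Key-File-N: <type>", followed by "Encryption:" and "Comment:"
# header lines; "Encryption: none" means the private key is stored in clear.
# The sample files below are constructed; their base64 lines are filler.

# ppk_encryption FILE -> prints the Encryption: header value ("unknown" if absent)
ppk_encryption() {
    enc=$(sed -n 's/^Encryption: *//p' "$1" | head -n 1)
    printf '%s\n' "${enc:-unknown}"
}

# ppk_comment FILE -> prints the Comment: header value
ppk_comment() {
    sed -n 's/^Comment: *//p' "$1" | head -n 1
}

# ppk_check FILE -> returns 0 if the key is encrypted, 1 if it has no
# passphrase, 2 if FILE is not a PPK file at all. Diagnostics go to stderr.
ppk_check() {
    f=$1
    head -n 1 "$f" | grep -q '^PuTTY-User-Key-File-[0-9][0-9]*: ' || return 2
    enc=$(ppk_encryption "$f")
    if [ "$enc" = "none" ]; then
        printf 'WARNING: %s (%s) has no passphrase\n' "$f" "$(ppk_comment "$f")" >&2
        return 1
    fi
    printf 'ok: %s (%s) encrypted with %s\n' "$f" "$(ppk_comment "$f")" "$enc" >&2
}

# audit_dir DIR -> prints how many *.ppk files in DIR have no passphrase
audit_dir() {
    bad=0
    for f in "$1"/*.ppk; do
        [ -e "$f" ] || continue
        rc=0
        ppk_check "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then bad=$((bad + 1)); fi
    done
    printf '%s\n' "$bad"
}

# write_samples DIR -> creates two constructed PPK files and one non-PPK file
write_samples() {
    cat > "$1/interactive.ppk" <<'EOF'
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: user@host
Public-Lines: 1
AAAAB3NzaC1yc2Econstructedfillernotarealkey=
Private-Lines: 1
AAAAconstructedfillernotarealkey=
Private-MAC: 0000000000000000000000000000000000000000
EOF
    cat > "$1/automation.ppk" <<'EOF'
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: batch-transfer
Public-Lines: 1
AAAAB3NzaC1yc2Econstructedfillernotarealkey=
Private-Lines: 1
AAAAconstructedfillernotarealkey=
Private-MAC: 0000000000000000000000000000000000000000
EOF
    printf 'not a ppk file\n' > "$1/notes.txt"
}

# Stand-alone run: build the constructed samples in a scratch directory and audit it.
tmp=$(mktemp -d)
write_samples "$tmp"
printf 'unencrypted key files: %s\n' "$(audit_dir "$tmp")"
rm -rf "$tmp"
```

Point audit_dir at the directory where your .ppk files live; every file it reports can be given a passphrase with the puttygen -P command above. Automation keys that are deliberately unencrypted will show up too, which is the point: each one should be a known, documented exception rather than a surprise.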
Exporting a private key to Tectia SSH or OpenSSH

It is rarely necessary to export a private key from PuTTY to Tectia SSH or OpenSSH.
However, the process is described here, as it can sometimes be necessary when, for example, an application is moved to Linux in the cloud and the destination server of a file transfer cannot be easily reconfigured to change an authorized key.
Tectia SSH and OpenSSH support the OpenSSH private key file format, so using that key file format is described here. Tectia SSH is also compatible with other formats.
To convert an existing PuTTY private key to Tectia or OpenSSH, use the command:

puttygen keyfile.ppk -O private-openssh -o keyfile

Then copy the key file to the .ssh directory on the host where Tectia or OpenSSH will run.
Command-line options

The basic PuTTYgen command line specifies:
- a key file to read, or a key type and size to generate
- optionally, an action to perform (for example, changing the passphrase)
- optionally, an output type and output file.

The basic command line is:

puttygen [-t keytype [-b bits] [-q] | keyfile] [-C new-comment] [-P] [-O output-type | -p | -l | -L] [-o output-file]

The options are:
keyfile The name of the existing key file to read, when modifying an existing key.
-t keytype Specifies the type of a new key to generate. Acceptable values include rsa and dsa. rsa1 is also supported for generating legacy SSH-1 keys, but they should never be needed again.
-b bits Specifies the number of bits in the key. For DSA keys, 1024 is a decent size. For RSA keys, 2048 or even 4096 bits are recommended.
-q Suppresses messages about progress during key generation.
-C new-comment Specifies the comment to describe the key. The comment does not affect how the key works. The comment can be specified for new keys or for existing keys to change their comment. Normally, the comment would be used to identify the owner of the key, but because any value can be specified, it cannot really be trusted.
-P Requests to change the key passphrase. The tool will prompt for a new passphrase. You cannot specify a passphrase on the command line. The passphrase will be used to encrypt the private key. See more details about passphrases and how to generate passphrases.
--old-passphrase-file file Specifies a file from which to read the old key passphrase. This is only necessary when an existing key that is protected by a passphrase is being modified.
--new-passphrase file Specifies a file from which to read the new passphrase for the key. This can be used when creating a new key or with the -P option to change the passphrase.
-O output-type Specifies what to generate. By default, the private key is generated. You can specify the following values:
- private Saves the private key in the proprietary PuTTY key format as a .ppk file.
- fingerprint Displays the fingerprint of the key. The fingerprint uniquely identifies the key and, for example, can be read over the phone to ensure that the key is the desired one.
- public Saves the public key corresponding to the private key. For SSH2 keys, the public key will be written in the format specified by RFC 4716. This format is supported by, for example, Tectia SSH. Keys in that format look like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "user@example.com"
AAAAB3NzaC1yc2EAAAABIwAAAIEA1on8gxCGJJWSRT4uOrR13mUaUk0hRf4RzxSZ1zRb
YYFw8pfGesIFoEuVth4HKyF8k1y4mRUnYHP1XNMNMJl1JcEArC2asV8sHf6zSPVffozZ
5TT4SfsUu/iKy9lUcCfXzwre4WWZSXXcPff+EHtWshahu3WzBdnGxm5Xoi89zcE=
---- END SSH2 PUBLIC KEY ----

- public-openssh Saves only the public key, in OpenSSH's proprietary format. The format is also supported by Tectia SSH. Like this:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= cow@example.com

- private-openssh Converts the private key to the format used by OpenSSH. This can only be used for SSH2 keys. This format is also supported by Tectia SSH.
- private-sshcom Converts the private key to the format used by Tectia SSH.
-l Same as -O fingerprint.
-L Same as -O public-openssh.
-p Same as -O public.
-o output-file Specifies the output file. This option is required when generating a new key. Otherwise, when you change the passphrase or comment, the default is to overwrite the original file. When writing a public key or fingerprint, the default is standard output.
-h or --help Prints help text and a usage summary.
-V or --version Prints the version number of the tool.
-pgpfp Prints the fingerprints of the PGP master keys used to sign new versions of PuTTY.
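The two public key formats above (the RFC 4716 block from -O public / -p and the one-line form from -O public-openssh / -L) carry the same base64 blob, and it is the one-line form that goes into ~/.ssh/authorized_keys in the procedure described under "Installing the public key as an authorized key on a server". The script below is an added example, not code from the page or from PuTTY: it converts an RFC 4716 block to the one-line form, reads the key type out of the decoded blob rather than trusting a label, and appends the result to an authorized_keys file with the 0700/0600 modes sshd's StrictModes check requires, skipping keys already present. It assumes GNU-style base64(1), od(1), head(1) and tail(1); the sample RSA key is the one shown on this page, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the page or of PuTTY: convert the RFC 4716 block
# that "puttygen -p" prints into the one-line form that "puttygen -L" prints,
# check that the base64 blob really encodes the key type it is labelled with,
# and append the line to ~/.ssh/authorized_keys with the permissions sshd's
# StrictModes check expects. Assumes GNU-style base64, od, head and tail.
# The sample RSA key is the one shown on the page.

# blob_type BASE64 -> prints the algorithm name stored inside the key blob.
# The blob begins with a 4-byte big-endian length followed by that many bytes
# of name ("ssh-rsa", "ecdsa-sha2-nistp256", ...), so the name is read from
# the data rather than trusted from a prefix or a file name.
blob_type() {
    b64=$1
    raw=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tu1 -v -N4)
    set -- $raw
    [ $# -eq 4 ] || return 1
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    name=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len")
    case $name in
        [a-z]*) printf '%s\n' "$name" ;;
        *)      return 1 ;;
    esac
}

# rfc4716_to_openssh (reads an RFC 4716 block on stdin)
# -> prints "<type> <base64> <comment>". Header lines other than Comment:
# are ignored; the base64 body lines are joined into one string.
rfc4716_to_openssh() {
    comment=""
    body=""
    while IFS= read -r line; do
        case $line in
            "---- "*)  ;;                            # BEGIN / END markers
            Comment:*) comment=${line#Comment:}
                       comment=${comment# }
                       comment=${comment#\"}
                       comment=${comment%\"} ;;
            *:*)       ;;                            # other RFC 4716 headers
            *)         body="$body$line" ;;
        esac
    done
    keytype=$(blob_type "$body") || return 1
    printf '%s %s %s\n' "$keytype" "$body" "$comment"
}

# install_authorized_key HOME LINE -> appends LINE to HOME/.ssh/authorized_keys
# unless a line with the same type and blob is already there (comment ignored).
# The directory is made 0700 and the file 0600, as sshd requires.
install_authorized_key() {
    dir="$1/.ssh"
    file="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || (umask 077 && : > "$file")
    chmod 600 "$file"
    keyid=$(printf '%s\n' "$2" | awk '{print $1 " " $2}')
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$file"; then
        printf 'already present: %.40s...\n' "$keyid" >&2
        return 0
    fi
    printf '%s\n' "$2" >> "$file"
}

# count_authorized_keys HOME -> prints the number of non-empty lines in the file
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# sample_rfc4716 -> prints the RFC 4716 public key block shown on the page
sample_rfc4716() {
    cat <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "user@example.com"
AAAAB3NzaC1yc2EAAAABIwAAAIEA1on8gxCGJJWSRT4uOrR13mUaUk0hRf4RzxSZ1zRb
YYFw8pfGesIFoEuVth4HKyF8k1y4mRUnYHP1XNMNMJl1JcEArC2asV8sHf6zSPVffozZ
5TT4SfsUu/iKy9lUcCfXzwre4WWZSXXcPff+EHtWshahu3WzBdnGxm5Xoi89zcE=
---- END SSH2 PUBLIC KEY ----
EOF
}

# The ecdsa blob from the page's public-openssh sample, for blob_type.
ECDSA_BLOB='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= '

# Stand-alone run: convert the sample and install it under a scratch HOME.
scratch=$(mktemp -d)
line=$(sample_rfc4716 | rfc4716_to_openssh)
install_authorized_key "$scratch" "$line"
printf 'installed: %s\nkeys in file: %s\n' "$line" "$(count_authorized_keys "$scratch")"
rm -rf "$scratch"
```

In practice you would pipe the output of puttygen -p (or paste the block) into rfc4716_to_openssh and pass the resulting line to install_authorized_key with the real home directory; the dedupe on type plus blob means re-running the install is harmless, and the decoded-type check catches a blob that was truncated or mislabelled while copying.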