How to use WinSCP with public key authentication

Public key authentication with SSH is possible with WinSCP, but it requires some work to set up. Chad Perrin details the steps.

WinSCP is an open source tool for Windows that allows files to be safely copied between local and remote computers (SFTP and FTP). Installing WinSCP is a simple process. It begins with visiting the WinSCP site, clicking the Download link at the top of the page, and doing what comes naturally. Accepting default options during installation should suit most users' needs. Anyone generally familiar with both GUI FTP clients and SSH tools should be able to manage basic functionality of WinSCP using password authentication; the use of the login screen is fairly self-evident.

Using public key authentication with WinSCP is a bit less obvious. In fact, it cannot be done with WinSCP alone: it requires the use of an external tool, such as the PuTTYgen application, to generate a keypair that WinSCP will use to negotiate authentication with the SSH server. "Installing" PuTTYgen is even easier than doing so with WinSCP, however. It consists solely of opening the PuTTY site in a browser, clicking the Download link at the top of the page, and clicking the puttygen.exe link to download the file. Instead of an installer, this download will be the program. When finished downloading, running the program is just a double-click away.

Opening PuTTYgen presents a key generation dialog. It should be set to a default of SSH-2 RSA for the type of key to be generated, using a 1024 bit key. Check with system administrators or policy makers, if applicable, to find out whether there are key type and size requirements before generating a key. When a key type and size has been selected, click the Generate button.

A progress bar will appear at the top of the dialog, with the words, "Please generate some randomness by moving the mouse over the blank area." The space just below the progress bar is the "blank area" indicated, and the progress bar will move as the user moves the mouse cursor in that area enough to contribute some randomness for the key generation process to use.

When that step is finished, a public key will be shown at the top of the dialog, and blank fields for choosing a passphrase for a private key. If the user loses the selected passphrase — which must be entered into both of the passphrase fields so the key generator will have some kind of confirmation that a key was not entered incorrectly — access to the private key will be lost as well, rendering that keypair useless. To fix that problem, this entire process will have to be undertaken again, including the placement of the public key on the target server (described below). A password manager, such as Password Safe, can help out here.

The public key text shown at the top of the key generator dialog is labeled "Public key for pasting into OpenSSH authorized_keys file:", and describes in general what must be done with it. The remote server to which the user needs access should have a ~/.ssh directory within the home directory of the user account that will be used for server login, and if that directory does not yet exist, it may need to be created. Within that directory, there may be an authorized_keys file; if not, it too should be created. The entirety of the public key text provided in the key generator dialog should be copied into that authorized_keys file as a single line (not counting editor linewrap).

Finally, after copying the public key text where it needs to be and entering a private key passphrase (twice), both the Save public key and Save private key buttons should be clicked. The public key can be saved under any filename and in any location at all. Its purpose, as suggested by the term "public key", is to be publicly shared. The private key, however, will come with a special .ppk filename extension, and should be protected from accidental sharing with others. Once someone else has a copy of a private key, the usefulness of the keypair for ensuring the user's privacy has been compromised.

When this is all done, the user can create and save a public key authenticated session configuration in WinSCP. From the WinSCP Login dialog, the user should enter the correct information for the Host name: and User name: fields, and set the correct port number if the default SSH port (number 22) is not used. Instead of using password authentication, however, the user should click the ... button in the Private key file: field to browse the filesystem and select the .ppk file created when the private key was saved. The default protocol selection (SFTP, with the Allow SCP fallback checkbox checked) is most likely appropriate. With that all done, the user should save the session to make it easier to establish a new connection at a later date by clicking the Save... button.

After saving the session configuration, WinSCP will open the stored sessions dialog. Double-clicking the saved session's name will open the session, subject to entering the passphrase for the private key. This is the same passphrase as was entered for the private key in PuTTYgen's key generation dialog, which the user may have saved in a password manager. Once the correct passphrase for the private key has been entered, WinSCP should complete the authentication process, and the file management window will open, allowing the user to move files between the local and remote systems across an encrypted connection.

Of course, when contemplating connecting to a secure Unix system using an SSH client on MS Windows, it is probably a good idea to protect yourself from closed source SSH environments.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks