How to use Public Key Authentication with PuTTY SSH Client

PuTTY is an open source SSH and telnet client, originally developed for Microsoft Windows by the British programmer Simon Tatham.

In addition to the SSH client, the PuTTY distribution includes the PuTTY Key Generator, a utility for generating RSA and DSA key pairs to enable more secure communication and passwordless authentication when accessing Linux and Unix systems, including Docker containers.

With Public Key Authentication you do not enter a classic password. Instead, the SSH server holds your public key, and your SSH client proves that it holds the corresponding private key, which is kept safely on the client. When the two keys belong to the same key pair, access is granted without the use of an insecure password.

Get both the PuTTY SSH Client and the PuTTY Key Generator at the official site:
https://www.chiark.greenend.org.uk/~sgtatham/putty/

Configuring Public Key Authentication (PKA) for PuTTY requires three general steps:

  1. Create an RSA key pair on the client computer
  2. Transfer the public key to the SSH server that you want to authenticate with using PKA
  3. Register the private key with the PuTTY SSH client

Creating an RSA key pair on the client computer

Start the puttygen application

Ensure the RSA and 2048 options are selected

Click Generate

Move the mouse randomly around inside the PuTTY Key Generator window until the Key bar fills up.

Once the key generation is complete, enter a Key passphrase of your choice.

IMPORTANT:
Although entering a passphrase is optional when generating the SSH key pair, protecting the private key with a passphrase is highly recommended.

Click Save public key and store the key file in an accessible location on your computer.

Click Save private key and save the key file in a safe location.

Right-click the public key textbox, and click Select All

Right-click the textbox again, and click Copy

Note

If the private key must be exported in a non-standard format for use with Linux, Unix, or macOS systems, choose the Key menu option and set the required format options.

Export the private key by selecting Export OpenSSH key under the Conversions menu option.

Tip:
During the next step the content of the public key textbox is required, so either leave the PuTTY Key Generator window open, or ensure that you have the content copied to the computer clipboard.

Transfer the public key to the SSH server

Start the PuTTY SSH Client

Connect to the SSH Server and log in using the regular username and password.

Enter these two commands to remove any existing key information and open the VI editor. The first command deletes every key already authorized for this account:

rm ~/.ssh/authorized_keys
vi ~/.ssh/authorized_keys

Press Enter

Within the VI editor, press a (lowercase “a”) to enter insert mode.

Right-click the mouse cursor inside the PuTTY window, to paste the copied ssh-rsa information.

Press ESC to terminate insert mode

Hold the SHIFT key and press z twice, to save the content and quit the VI editor

The prompt returns to the regular command prompt.

You may now close the PuTTY Key Generator program.
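
The server-side step above, as an added shell example that is not part of the original article: it appends the copied key instead of deleting authorized_keys, rejects a wrapped paste or the multi-line file written by Save public key, and sets owner-only permissions, which satisfy sshd's StrictModes check. The function names and the key in the usage comment are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical; run on the SSH server as the user who will sign in.
# Usage: install_pubkey 'ssh-rsa AAAAB3NzaC1yc2E...constructed... rsa-key-comment'

NL='
'

# Shape check only, not cryptographic validation: exactly one line, key type
# ssh-rsa, and a base64 blob that starts with the encoded "ssh-rsa" header.
# This rejects a paste that the terminal wrapped onto several lines and the
# "---- BEGIN SSH2 PUBLIC KEY ----" file format written by "Save public key".
valid_pubkey_line() {
    case "$1" in
        *"$NL"*) return 1 ;;                  # more than one line
        "ssh-rsa AAAAB3NzaC1yc2E"*) ;;        # expected type and blob header
        *) return 1 ;;
    esac
    rest=${1#ssh-rsa }
    blob=${rest%% *}                          # second field, comment dropped
    case "$blob" in
        *[!A-Za-z0-9+/=]*) return 1 ;;        # non-base64 character in blob
    esac
    return 0
}

# install_pubkey KEY_LINE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
# The body runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    key=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth="$ssh_dir/authorized_keys"
    umask 077
    valid_pubkey_line "$key" || {
        echo "install_pubkey: not a one-line ssh-rsa public key" >&2
        return 1
    }
    # Owner-only directory and file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append only when this exact line is absent; existing keys are kept.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
)
```

Pass the one-line text copied from the public key textbox in the PuTTY Key Generator, in single quotes, as the first argument.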

Register the private key with the PuTTY SSH client

To enable the PuTTY SSH client to authenticate with the key pair, we now need to register the private key with the PuTTY client.

In the PuTTY SSH client, open the New Session menu.

Open the Connection -> SSH -> Auth option, and here click Browse

Choose the private key file saved earlier from the PuTTY Key Generator.

Scroll up to the Session branch, and enter either a DNS hostname or the IP address of the SSH Server.

In the Saved Sessions field, enter a descriptive name and click Save.
This saves the changes to the new session, so it can be used later for connecting to the SSH Server.


Verification

Now when accessing the SSH Server using PuTTY, open the saved session for the SSH Server.

In the sign-in prompt, enter the regular username followed by the private key passphrase.

Press Enter to perform the secure sign-in.

If you would like to avoid entering the passphrase during each sign-in, you can use the Pageant authentication agent for PuTTY.

Pageant enables a seamless sign-in experience for PuTTY, where you load the private key(s) and enter the passphrase once.

For the rest of the Windows session, you can start the PuTTY SSH client multiple times, and Pageant will automatically handle the key authentication without additional passphrase prompts.

Note:
Because PuTTY lacks support for OpenSSH certificates, Azure AD OpenSSH certificate-based authentication is currently not supported with PuTTY. Instead, use Azure CLI or Azure Cloud Shell for seamless management of Azure VMs with SSH, or use a system-assigned managed identity.


References

PuTTY Documentation
https://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html
