Managing SSH private key authentication with putty pageant and Keepass

Because the majority of servers I administer are running some flavour of linux (mostly Ubuntu server),  I spend a good deal of my time in a terminal window and am very at home running linux commands.

Infact, if I need to do any diagnostic work, I will always open up my SSH client and start running commands from a remote linux box.

My client of choice is the ubiquitous Putty which is a small, easy installed, cross platform set of tools for opening and running telnet and SSH sessions.

When enabling SSHD on a server, it is important that we make it as secure as possible, but at the same time, I don’t want the security restrictions to get in my way and make me want to disable anything.

My security setup

The servers I look after now all make use of public-key cryptography to authenticate remote users (i.e. me).

The keys I generate (Using the Putty tool PuttyGen)  will have a passphrase consisting of 20 random characters. Each server has a different set of keys associated with it, so if one were ever compromised, the others would in theory require further effort to compromise, but also to make management easier.

To  hold private keys in memory, I use Pagaent, which is another tool from Putty. This tool can load a private key in to memory, prompt for the passphrase, and then handle any requests for that private key from applications such as Putty or WinSCP without you having to re-enter the passphrase.

Adding a stored session in to Putty and WinSCP means you only need to hit one button to then have a new session pop up, and you haven’t had to enter a single piece of information.

This works amazingly well until you come to reboot windows, at which point you have to reload all of your keys in to Pagaent along with the rigmarole all of the Passphrases.


It isn’t possible to remember passwords with a decent complexity so you will have to use some sort of password database. This will generally be an encrypted database which can only be accessed by entering a password you can remember.

I use KeePass which allows you to keep all of your passwords organised, store files (such as private keys for ssh..)  It also has a really cool AutoType feature which allows you to use details from your password entry, and have them automatically entered in to other applications by sending key strokes. There is also a global autotype key command which will automatically match a password to the currently active window.

This works great for most things but because it relies on the title of the window, if the application you are trying to send passwords to doesn’t change the window title, you get a popup giving you a list of different matches for the autotype.

Pageant – a problem for KeePass

When loading a private key in to Pageant, it prompts for the key’s passphrase. By pressing CTRL + ALT + A, KeePass will automatically try and find a matching passphrase. It does this by looking at the window title. In this case, “Pageant: Enter Passphrase”. But what if you have more than one  private key? We can’t automatically differentiate. KeePass will give you a list of passwords to choose from before entering it in to the dialog for you.

We can make this easier though. Because Putty is open source, it is perfectly possible to tweak it slightly so that KeePass can automatically decide which one password to enter.

By adding the private key’s comment to the dialog box title, we can set up autotypes which are specific to individual private keys.

In my custom version of Pageant, the dialog box now reads “Pageant: Enter Passphrase for {key-comment}”

I intend to write a separate blog post on how I made the change and went about re-compiling Putty.

If you would also like to set this up, please download my updated version of Pageant

Alternatively, here is an svn patch so you can build it against the latest version of Pageant.

Leave a Reply