-\define{versionidpubkey} \versionid $Id$
-
\C{pubkey} Using public keys for SSH authentication
\H{pubkey-intro} \ii{Public key authentication} - an introduction
and convenience. See \k{pageant} for further details.
There is more than one \i{public-key algorithm} available. The most
-common is \i{RSA}, but others exist, notably \i{DSA} (otherwise known as
-DSS), the USA's federal Digital Signature Standard. The key types
-supported by PuTTY are described in \k{puttygen-keytype}.
+common are \i{RSA} and \i{ECDSA}, but others exist, notably \i{DSA}
+(otherwise known as DSS), the USA's federal Digital Signature Standard.
+The key types supported by PuTTY are described in \k{puttygen-keytype}.
\H{pubkey-puttygen} Using \i{PuTTYgen}, the PuTTY key generator
PuTTYgen is a key generator. It \I{generating keys}generates pairs of
public and private keys to be used with PuTTY, PSCP, and Plink, as well
as the PuTTY authentication agent, Pageant (see \k{pageant}). PuTTYgen
-generates RSA and DSA keys.
+generates RSA, DSA, ECDSA, and Ed25519 keys.
When you run PuTTYgen you will see a window where you have two
choices: \q{Generate}, to generate a new public/private key pair, or
\cfg{winhelp-topic}{puttygen.keytype}
Before generating a key pair using PuTTYgen, you need to select
-which type of key you need. PuTTYgen currently supports three types
+which type of key you need. PuTTYgen currently supports these types
of key:
\b An \i{RSA} key for use with the SSH-1 protocol.
\b A \i{DSA} key for use with the SSH-2 protocol.
+\b An \i{ECDSA} (\i{elliptic curve} DSA) key for use with the
+SSH-2 protocol.
+
+\b An \i{Ed25519} key (another elliptic curve algorithm) for use
+with the SSH-2 protocol.
+
The SSH-1 protocol only supports RSA keys; if you will be connecting
using the SSH-1 protocol, you must select the first key type or your
key will be completely useless.
-The SSH-2 protocol supports more than one key type. The two types
-supported by PuTTY are RSA and DSA.
-
-The PuTTY developers \e{strongly} recommend you use RSA.
-\I{security risk}\i{DSA} has an intrinsic weakness which makes it very
-easy to create a signature which contains enough information to give
-away the \e{private} key!
-This would allow an attacker to pretend to be you for any number of
-future sessions. PuTTY's implementation has taken very careful
-precautions to avoid this weakness, but we cannot be 100% certain we
-have managed it, and if you have the choice we strongly recommend
-using RSA keys instead.
-
-If you really need to connect to an SSH server which only supports
-DSA, then you probably have no choice but to use DSA. If you do use
-DSA, we recommend you do not use the same key to authenticate with
-more than one server.
+The SSH-2 protocol supports more than one key type. The types
+supported by PuTTY are RSA, DSA, ECDSA, and Ed25519.
\S{puttygen-strength} Selecting the size (strength) of the key
The \q{Number of bits} input box allows you to choose the strength
of the key PuTTYgen will generate.
-Currently 1024 bits should be sufficient for most purposes.
+\b For RSA, 2048 bits should currently be sufficient for most purposes.
+
+\#{FIXME: advice for DSA?}
-Note that an RSA key is generated by finding two primes of half the
-length requested, and then multiplying them together. For example,
-if you ask PuTTYgen for a 1024-bit RSA key, it will create two
-512-bit primes and multiply them. The result of this multiplication
-might be 1024 bits long, or it might be only 1023; so you may not
-get the exact length of key you asked for. This is perfectly normal,
-and you do not need to worry. The lengths should only ever differ by
-one, and there is no perceptible drop in security as a result.
+\b For ECDSA, only 256, 384, and 521 bits are supported. (ECDSA offers
+equivalent security to RSA with smaller key sizes.)
-DSA keys are not created by multiplying primes together, so they
-should always be exactly the length you asked for.
+\b For Ed25519, the only valid size is 256 bits.
\S{puttygen-generate} The \q{Generate} button
The \q{Key fingerprint} box shows you a fingerprint value for the
generated key. This is derived cryptographically from the \e{public}
-key value, so it doesn't need to be kept secret.
+key value, so it doesn't need to be kept secret; it is supposed to
+be more manageable for human beings than the public key itself.
The fingerprint value is intended to be cryptographically secure, in
the sense that it is computationally infeasible for someone to
If you have more than one key and use them for different purposes,
you don't need to memorise the key fingerprints in order to tell
-them apart. PuTTY allows you to enter a \e{comment} for your key,
+them apart. PuTTYgen allows you to enter a \e{comment} for your key,
which will be displayed whenever PuTTY or Pageant asks you for the
passphrase.
\i{encrypt} the key on disk, so you will not be able to use the key
without first entering the passphrase.
-When you save the key, PuTTY will check that the \q{Key passphrase}
+When you save the key, PuTTYgen will check that the \q{Key passphrase}
and \q{Confirm passphrase} boxes both contain exactly the same
passphrase, and will refuse to save the key otherwise.
unencrypted. You should \e{not} do this without good reason; if you
do, your private key file on disk will be all an attacker needs to
gain access to any machine configured to accept that key. If you
-want to be able to \i{passwordless login}log in without having to
+want to be able to \I{passwordless login}log in without having to
type a passphrase every time, you should consider using Pageant
(\k{pageant}) so that your decrypted key is only held in memory
rather than on disk.
\cfg{winhelp-topic}{puttygen.savepub}
-The SSH-2 protocol drafts specify a \I{SSH-2 public key format}standard
-format for storing public keys on disk. Some SSH servers (such as
+RFC 4716 specifies a \I{SSH-2 public key format}standard format for
+storing SSH-2 public keys on disk. Some SSH servers (such as
\i\cw{ssh.com}'s) require a public key in this format in order to accept
authentication with the corresponding private key. (Others, such as
OpenSSH, use a different format; see \k{puttygen-pastekey}.)
passphrase in beforehand, and you will be warned if you are about to
save a key without a passphrase.
+For OpenSSH there are two options. Modern OpenSSH actually has two
+formats it uses for storing private keys. \q{Export OpenSSH key}
+will automatically choose the oldest format supported for the key
+type, for maximum backward compatibility with older versions of
+OpenSSH; for newer key types like Ed25519, it will use the newer
+format as that is the only legal option. If you have some specific
+reason for wanting to use OpenSSH's newer format even for RSA, DSA,
+or ECDSA keys, you can choose \q{Export OpenSSH key (force new file
+format)}.
+
Note that since only SSH-2 keys come in different formats, the export
options are not available if you have generated an SSH-1 key.
projects / PuTTY.git / blobdiff