Linux servers are typically accessed remotely using the SSH protocol, protected by a username and a password. If a suitably strong password is selected then this authentication method is relatively secure, but it can be improved upon through the use of public key authentication. And as a bonus, after the initial setup is completed, SSH keys are actually a more convenient way to access your server than using a password!


In this article we will walk through the process of generating an SSH keypair with the PuTTY SSH client, providing your public key to Binary Lane, and finally making your first SSH connection.


1. Create an SSH keypair


To create an SSH keypair when using PuTTY, we will use the "PuTTYgen" application. On initial launch it looks like this:



At the very bottom you can see a textbox controlling the number of bits to use in the generated key. For improved security you should change this from 1024 to 2048. Next, click the "Generate" button:



Move your mouse around the blank area - the small variations in your mouse movement are used to increase the randomness (and hence, strength) of the generated key. Once you hit 100%, a key will be generated and this final screen is shown:



In the "Key passphrase" and "Confirm passphrase" boxes, enter a passphrase to protect your private key. (A passphrase is generally a longer password, often made up of multiple words rather than individual characters; this passphrase generator can help with ideas.) You can also choose not to enter a passphrase, in which case simply having a copy of your private key file is enough to authenticate. This can be convenient - and almost mandatory for automated deployment situations - but does mean you must protect your private key more rigorously.


After entering your passphrase, click the "Save private key" button and place the resulting .ppk file somewhere convenient.


Finally, make a copy of your OpenSSH public key - it is displayed in the textbox labelled "Public key for pasting into OpenSSH authorized_keys file" - the long string of characters starting with ssh-rsa. This is the public key you will supply to Binary Lane during provisioning.


2. Get your Binary Lane cloud server


Head over to the signup page. The first step is to select an operating system - select your preferred Linux distribution. In the second step when selecting a plan, select the resources you require. In the third step when configuring your server's settings, click the "View All" button:



In the "SSH Keys" section, click "Add New Key...", give your key a name (for display purposes, "My key" is suitable) and paste in the long string starting with ssh-rsa that PuTTYgen provided:



Proceed through the account and billing details setup, and in thirty seconds your VPS will be ready for use.


3. Connect with your SSH private key


Start PuTTY and enter the IP address assigned to your Binary Lane server into the Hostname box as normal, but do not click "Open" yet - we first need to tell PuTTY about your private key. To do so, in the left-hand tree expand out "Connection", "SSH", and finally select "Auth". At the bottom of this screen, click the "Browse..." button and select your private key - the .ppk file that PuTTYgen created earlier:


We can also save a little time by telling PuTTY the username to log in with. To do so, select "Connection" then "Data". Next to "Auto-login username", enter root.



To avoid having to repeat these changes every time you want to use PuTTY, go back to "Session". In the textbox under "Saved Sessions", enter a name and click Save:



You are now ready to connect to your server: click Open and PuTTY should start as normal. However, instead of being prompted for the root password you will need to enter the passphrase you entered into PuTTYgen earlier:


That's it! Now, every time you create a new Binary Lane server (or reinstall an existing one) instead of dealing with a new root password on each deployment, you can simply memorise just your SSH passphrase and authenticate with the same value for every server you use.


If you only intend to run a single server, then this might seem like a lot of work just to improve your server's security. Fortunately, SSH passphrases do have one additional benefit that, in my opinion, definitely makes them more convenient than passwords even if you only run a single server:


4. Session authentication with Pageant


PuTTY includes an auxiliary program called Pageant. With Pageant you can enter your SSH passphrase just once, and it will "unlock" your SSH private key for the duration of your login session - until you either log out of Windows, or reboot.

To use session authentication, start Pageant. You will not see a new window, as Pageant lives in the notification area. Right-click its icon (shown to the right at full-size) and select "Add Key". Select the .ppk file we created earlier, and you will be prompted to enter your SSH passphrase:


Enter your passphrase and hit Enter; if you entered it correctly the window will close, indicating success (as you may have noticed, Pageant has a very minimal UI). Pageant will now make your private key available to PuTTY for the duration of your session.

To make use of this, start your saved "binarylane" PuTTY session. This can be done through the main PuTTY program, but Pageant also has a handy shortcut on its right-click menu called "Saved Sessions". Select the session name you created earlier, and Pageant will launch straight into the PuTTY console using the connection details from that session. If everything is working correctly, you will land straight in a shell without any required typing:


As you can see, the "root" username was pre-selected from our saved session and authentication was completed by the agent (Pageant).


Any time you need to SSH to your server, just right-click Pageant and select your saved session again - with SSH public key authentication and Pageant, your server's shell is always just two clicks away.