SSH Keys Setup – Complete Guide for Windows Users
SSH key-based authentication replaces passwords with cryptographic key pairs stored in the .ssh directory. This guide covers generating keys with PuTTYgen (the key generator that ships with PuTTY), placing the public key in the server's authorized_keys file, setting correct .ssh folder permissions, and troubleshooting common key rejection errors on Windows clients.
Quick Overview: You generate a key pair: a private key (stays on your Windows machine) and a public key (placed in the server's authorized_keys file). The server authenticates you by verifying a cryptographic challenge signed with your private key.
Step 1 – Generate Your SSH Key Pair
Generate a key pair using PuTTYgen (GUI) or the built-in OpenSSH client (CLI).
Using PuTTYgen (GUI)
- Open puttygen.exe, select Ed25519 or RSA 4096, click Generate.
- Set a strong passphrase. Click Save private key as id_ed25519.ppk.
- Copy the text in the "Public key for pasting into OpenSSH authorized_keys file" box; you'll need this in Step 3.
Using OpenSSH (CMD / PowerShell)
# Generate an Ed25519 key pair
ssh-keygen -t ed25519 -C "your@email.com"
# Or generate a 4096-bit RSA key
ssh-keygen -t rsa -b 4096 -C "your@email.com"
# Keys are saved by default to:
# Private: C:\Users\YourName\.ssh\id_ed25519
# Public: C:\Users\YourName\.ssh\id_ed25519.pub
Step 2 – Understand the .ssh Directory
The .ssh directory stores SSH configuration and key files for your user account. On Windows with OpenSSH, it is located at C:\Users\YourName\.ssh\. On Linux/Unix servers, it is at ~/.ssh/.
| File | Location | Purpose |
|---|---|---|
| id_ed25519 | Client machine | Your Ed25519 private key. Never share this file. |
| id_ed25519.pub | Client machine | Your Ed25519 public key. This is what you add to servers. |
| id_rsa.ppk | Client machine (PuTTY) | PPK format private key used by PuTTY, Pageant, Plink. |
| authorized_keys | Server (~/.ssh/) | Lists public keys permitted to authenticate as this user. |
| known_hosts | Client machine | Stores verified server host key fingerprints. |
| config | Client machine | SSH client configuration shortcuts and per-host settings. |
Step 3 – Add Your Public Key to the Server
Using ssh-copy-id (Linux/WSL)
# Fastest method if you have WSL or a Linux client
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server.com
Manual Method (Windows)
- Log in to the server using password authentication via PuTTY.
- Create the .ssh directory if it does not exist.
- Append your public key to authorized_keys.
- Set the correct file and directory permissions.
# On the remote Linux/Unix server:
# Create .ssh directory with correct permissions
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Append your public key (paste the content from PuTTYgen's text box)
echo "ssh-ed25519 AAAAC3NzaC1lZDI1... your@email.com" >> ~/.ssh/authorized_keys
# Set correct permissions on authorized_keys
chmod 600 ~/.ssh/authorized_keys
Critical: SSH will silently refuse key authentication if file permissions are too permissive. The .ssh directory must be 700 and authorized_keys must be 600. No exceptions.
Step 4 – Configure PuTTY to Use Your Key
- Open PuTTY and load or create your server session.
- Navigate to Connection → SSH → Auth → Credentials.
- Browse to your .ppk private key file.
- Return to Session and Save the session.
- Click Open — you will be prompted for the key passphrase (not the server password).
Using SSH Config for Shortcuts (OpenSSH)
Create or edit C:\Users\YourName\.ssh\config to define per-host settings:
# ~/.ssh/config example
Host prod-web
    HostName 203.0.113.45
    User ubuntu
    IdentityFile ~/.ssh/id_ed25519
    Port 22
Host dev-server
    HostName 10.0.1.15
    User admin
    IdentityFile ~/.ssh/id_rsa
    Port 2222
# Now connect with just:
# ssh prod-web
# ssh dev-server
Troubleshooting Key-Based Authentication
| Problem | Likely Cause | Fix |
|---|---|---|
| Server still asks for password | Key not in authorized_keys or wrong public key | Verify the exact public key text is present in authorized_keys. |
| Permission denied (publickey) | File permissions too open | Run: chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys |
| Server refuses key silently | SELinux or AppArmor context wrong | Run: restorecon -Rv ~/.ssh on RHEL/CentOS systems. |
| PuTTY 'No supported authentication methods' | PuTTY key path not set or wrong PPK version | Re-check Connection > SSH > Auth > Credentials in PuTTY config. |
| Wrong key loaded by Pageant | Multiple keys in Pageant | Remove other keys via Pageant View Keys, then test with a specific key using the -i flag. |
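The first two causes in the table (a wrong or damaged public key line, and permissions that are too open) can be checked on the server with a short script. This is an added example, not part of the original guide; the function names audit and blob_type are made up here, and it assumes Python 3 is available on the server. It goes one step beyond the text: each key's base64 blob must parse completely as length-prefixed SSH fields whose first field equals the declared key type, which catches truncated or line-wrapped pastes.

```python
import base64, os, stat, struct, sys

def blob_type(b64):
    """Key type embedded in a base64 public-key blob, or None if malformed."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:          # bad alphabet, bad padding, or non-ASCII
        return None
    parts, pos = [], 0
    while pos + 4 <= len(blob):  # blob = sequence of uint32 length + bytes
        (n,) = struct.unpack_from(">I", blob, pos)
        parts.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob) or len(parts) < 2:   # truncated or trailing junk
        return None
    return parts[0].decode("ascii", "replace")

def audit(ssh_dir):
    """List deviations from the guide's 700/600 rule and malformed key lines."""
    problems = []
    ak = os.path.join(ssh_dir, "authorized_keys")
    for path, allowed in ((ssh_dir, 0o700), (ak, 0o600)):
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if mode & ~allowed:      # any bit beyond what the guide permits
            problems.append(f"{path}: mode {mode:03o}, expected {allowed:03o}")
    if not os.path.isfile(ak):
        return problems
    with open(ak, encoding="utf-8", errors="replace") as fh:
        for num, line in enumerate(fh, 1):
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            # Valid if some field is a key type directly followed by a blob
            # embedding that same type (options may come before the key).
            if not any(blob_type(fields[i + 1]) == f
                       for i, f in enumerate(fields[:-1])):
                problems.append(f"{ak}:{num}: no valid one-line public key")
    return problems

if __name__ == "__main__":
    found = audit(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh"))
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Run it as the account you are trying to log in to; with no argument it audits ~/.ssh and exits non-zero if anything is reported.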
Enable Verbose SSH Output for Debugging
# OpenSSH verbose debugging (shows exactly why authentication fails)
ssh -vvv user@example.com
# Plink verbose mode
plink -ssh -v user@example.com