APPENDIX A


Pageant Use and Implementation

Pageant is an SSH authentication agent that can be used with PuTTY or WinSCP to hold your decrypted private keys in memory, so that you don't need to enter your passphrase every time you authenticate to a server with a key pair (Chapter 4 discusses key-based authentication in detail). If you use several key pairs to reach several servers, Pageant is even more useful: it holds all of the decrypted keys, so you enter each passphrase once when you start your Windows session. When you log off, Pageant exits and discards the decrypted keys without ever writing them to disk, which is why you have to enter the passphrases again at your next logon.

Because Pageant is part of the PuTTY installation package, you can download it from the same URL (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). When you run Pageant.exe, an icon that looks like a computer wearing a hat appears in your system tray. Right-click the icon to open the Pageant menu, and then select the option you need: New Session, Saved Sessions, View Keys, Add Key, About, or Exit. If you select View Keys before adding any keys, you will see only an empty list.

Using Pageant

To use Pageant, first generate a key pair and install the public key on the server you need to connect to. For example, I generated a key pair and saved the keys as keytest.ppk (private key) and keytest.pub (public key), protecting the private key with a passphrase. Because I wanted to connect to the host pract_hdp_sec, I appended my public key to the authorized_keys file in the .ssh directory of my account on that host (as discussed in Chapter 4). Next, I add the private key to Pageant, which decrypts it and keeps it in memory. Figure A-1 illustrates selecting and adding the key.


Figure A-1. Adding a key to Pageant

When you select a key (here, keytest.ppk), you are prompted for its passphrase (Figure A-2).


Figure A-2. Using Pageant to store passphrase for a key

After you enter the correct passphrase, Pageant decrypts your private key and holds it in memory until you remove it or log off your Windows session. You can see your key listed within Pageant, as shown in Figure A-3.


Figure A-3. Listing a stored key within Pageant

Now, specify your private key as the means of authentication within PuTTY (Connection > SSH > Auth), as shown in Figure A-4. Strictly speaking this step is optional: as long as PuTTY's "Attempt authentication using Pageant" option is enabled (it is by default), PuTTY offers every key that Pageant holds, so naming the key file only matters when Pageant is not running.


Figure A-4. Specifying key-based authentication within PuTTY

The next time you want to connect to the server pract_hdp_sec, just open a PuTTY session to it. PuTTY prompts for your login name and then, without asking for a passphrase, logs you in, as you can see in Figure A-5.


Figure A-5. Key-based authentication performed using decrypted key from Pageant

PuTTY detects that Pageant is running and asks it to sign the server's authentication challenge; the private key itself never leaves Pageant's process. You can open as many PuTTY sessions as you need, to this server or to any other that trusts one of the loaded keys, without typing a passphrase again. The same convenience applies to anything else that runs in your logged-on session, including WinSCP and any program an intruder manages to start there, so lock the screen whenever you leave the machine.

In addition, Pageant can load multiple private keys automatically when it starts. For example, suppose you need to connect to ten servers every day. Adding the keys to Pageant by hand each morning is tedious and error-prone. To load several keys at once, use a Pageant command line similar to the following; the directory paths, of course, depend on where your Pageant.exe and your private key (.ppk) files are located:

C:\Users\Administrator\Desktop>pageant.exe c:\bhushan\keytest.ppk c:\bhushan\bhushan.ppk

Separate multiple keys with spaces. If the keys are encrypted, Pageant prompts for each passphrase at startup. If Pageant is already running when you execute this command, the keys are loaded into the existing Pageant instance instead of a second one being started.

You can also create a shortcut and specify the command line there, as shown in Figure A-6.


Figure A-6. Specifying a starting (default) directory for multiple keys

If you have just one private key, put the same command you would type at the prompt into the shortcut's Target field (without the prompt itself), giving the key's full path:

C:\Users\Administrator\Desktop>pageant.exe c:\bhushan\keytest.ppk

If you have several keys in the same directory and the path is long, you need not repeat the path for each key: put the directory in the Start in field and list the keys by file name only. For example, to do this for my earlier example, enter pageant.exe keytest.ppk in the Target field and C:\Bhushan in the Start in field; Pageant resolves the bare file name relative to the Start in directory.

After Pageant has loaded the keys named on its command line, you can direct it to start another program, which can then use the loaded keys (PuTTY or WinSCP, for example). The syntax is as follows; everything after -c is taken as the command to run and its arguments, so -c must be the last Pageant option on the line:

C:\Users\Administrator\Desktop>pageant.exe c:\bhushan\keytest.ppk -c C:\PuTTY\putty.exe
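Creating the shortcut by hand works, but the Target, Start in and -c pieces are easy to get wrong. The following PowerShell script is an added example for this appendix (it is not code from the book or from the PuTTY project) that builds the same shortcut with the fields filled in. It assumes PuTTY is installed in C:\PuTTY and the keys live in C:\bhushan, as in the command lines above; the shortcut name and its placement in the per-user Startup folder are this example's own choices, so that Pageant starts at logon and asks for each passphrase once per session.

```powershell
# Added example: build a Pageant autostart shortcut with the WScript.Shell COM object.
# Assumed paths (match the book's command lines, adjust to your own layout):
$puttyDir = 'C:\PuTTY'
$keyDir   = 'C:\bhushan'
$keys     = @('keytest.ppk', 'bhushan.ppk')   # bare names, resolved against "Start in"

# Refuse to write a shortcut that points at files which do not exist.
if (-not (Test-Path (Join-Path $puttyDir 'pageant.exe'))) {
    throw "pageant.exe not found in $puttyDir"
}
foreach ($k in $keys) {
    if (-not (Test-Path (Join-Path $keyDir $k))) {
        throw "key file $k not found in $keyDir"
    }
}

# Per-user Startup folder: Pageant starts at logon and prompts for the passphrases once.
$startup = [Environment]::GetFolderPath('Startup')
$lnkPath = Join-Path $startup 'Pageant (autoload keys).lnk'

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = Join-Path $puttyDir 'pageant.exe'
# Everything after -c is the program Pageant launches once the keys are loaded,
# so -c must be the last Pageant option; the key names go before it.
$lnk.Arguments        = ($keys -join ' ') + ' -c ' + (Join-Path $puttyDir 'putty.exe')
$lnk.WorkingDirectory = $keyDir                     # the "Start in" field
$lnk.IconLocation     = Join-Path $puttyDir 'pageant.exe'
$lnk.Save()

Write-Host "Created  : $lnkPath"
Write-Host "Target   : $($lnk.TargetPath) $($lnk.Arguments)"
Write-Host "Start in : $($lnk.WorkingDirectory)"
```

Run the script once from a normal (non-elevated) PowerShell as the user who will use the keys; the shortcut then behaves exactly like the one in Figure A-6. Because the key files are named relative to the Start in directory, moving the keys only requires changing $keyDir and rerunning the script.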

Security Considerations

Holding your decrypted private keys in Pageant is more secure than storing unencrypted key files on your local disk, but it still has known weaknesses.

For example, Windows provides no way for a program to keep part of its memory out of the system swap (paging) file. If Pageant runs for a long time, the decrypted key data may be paged out and written to disk, and an attacker who later gains access to the hard disk could recover it. This is still much better than keeping an unencrypted key file on disk, which such an attacker would certainly find, but it is a real exposure.

Windows prevents programs from accidentally touching one another's memory, but it deliberately allows a program to read and write another program's memory for purposes such as debugging. A virus, trojan, or other malicious program that runs on your machine while Pageant is running can therefore read Pageant's memory, extract the decrypted keys, and send them to its operator.

These are host-level risks, and network firewalls do nothing to reduce them. What does help: keep the workstation free of untrusted code, encrypt the system volume or at least the paging file so that paged-out key material cannot be read offline, lock the screen when you step away, and exit Pageant (or remove the keys from it) when you no longer need them, since the decrypted keys exist only for as long as Pageant holds them.
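The following PowerShell function is an added check for this appendix (it is not from the book or from the PuTTY project). It looks at the two host-level risks just described on the local machine: whether paged-out memory is protected by paging-file or system-volume encryption, and how long the running Pageant has been holding decrypted keys. The eight-hour limit is an assumed policy, not a PuTTY setting. Run it in an elevated PowerShell: fsutil and Get-BitLockerVolume need administrative rights, and the BitLocker module exists only on Windows editions that ship BitLocker.

```powershell
# Added check: report whether the Pageant swap and memory-exposure risks are mitigated here.
function Test-PageantExposure {
    param(
        [int]$MaxHoursLoaded = 8   # assumed policy: re-enter passphrases at least once per work day
    )

    # Risk 1: decrypted key material paged out to disk. An encrypted paging file
    # or an encrypted system volume keeps it from someone who reads the disk offline.
    # fsutil prints "EncryptPagingFile = 0" or "= 1".
    $pagingEncrypted = [bool]((fsutil behavior query EncryptPagingFile) -match '=\s*1')

    $volumeEncrypted = $false
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $volumeEncrypted = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')
    }

    # Risk 2: another process reading Pageant's memory. That cannot be ruled out from
    # inside the box, so the only lever is the exposure window: how long the decrypted
    # keys have been sitting in memory.
    $pageant = Get-Process -Name pageant -ErrorAction SilentlyContinue | Select-Object -First 1
    $hoursLoaded = $null
    if ($pageant) {
        $hoursLoaded = [math]::Round(((Get-Date) - $pageant.StartTime).TotalHours, 1)
    }

    [pscustomobject]@{
        PagingFileEncrypted   = $pagingEncrypted
        SystemVolumeEncrypted = $volumeEncrypted
        PageantRunning        = [bool]$pageant
        HoursKeysLoaded       = $hoursLoaded
        SwapRiskMitigated     = $pagingEncrypted -or $volumeEncrypted
        ExposureWindowOk      = (-not $pageant) -or ($hoursLoaded -le $MaxHoursLoaded)
    }
}

$result = Test-PageantExposure
$result | Format-List

if (-not $result.SwapRiskMitigated) {
    Write-Warning 'Neither the paging file nor the system volume is encrypted: a paged-out key could be recovered from the disk.'
}
if (-not $result.ExposureWindowOk) {
    Write-Warning "Pageant has held decrypted keys for $($result.HoursKeysLoaded) h; exit Pageant or remove the keys when they are not needed."
}
```

The function returns an object rather than just printing, so the same check can be folded into a logon script or a compliance report. It cannot tell you whether something has already read Pageant's memory; it only tells you whether the conditions that make that worthwhile are in place.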
