Git SSH Key Management with OpenSSH and Putty

February 10th 2017 Git SSH Putty

In Windows, there are two approaches to accessing Git repositories using SSH. Command line Git distribution and posh-git are preconfigured for OpenSSH, while SourceTree by default relies on PuTTY. Using the same keys with both stacks is a bit tricky because they use different formats for storing both private and public keys.

While you could always generate two different keys and configure the servers to accept both, there is also a way to convert between the two formats using PuTTY's key generation utility puttygen.exe. You only need to worry about the private key, since it also includes the public key information.

PuTTY private key files usually have .ppk extension and are in the following format:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: test-key-do-not-use
Public-Lines: 6
AAAAB3NzaC1yc2EAAAABJQAAAQEApaX/JlD0UMsR7rBknrPcnu12OW0KbTjxR8KE
C6qSBbWTM3whee+T9OkdyaaiDEcc5SNRBzKDtoHBX0ESY2Pm9XI529lqWu81fbnT
8zJxMbkr4jHfdbniEACgpeuik7AjLjxDeM+B5e36VeDdkrp9D5R32RCbN1Pf8e6q
888L/JPd5o7A30+wnEqks/X6LWRIqICAXQPJirv69LHz3yFXyKJFCkxyTfiTxQQ1
CLFt+QiQ6ipNC5QE0xZm20Q9pl0a+4HEthoS0XP8xQEev+Td/pFAMbSRroTvSldj
xcNUjAq013mW7+rACUc/FOsIIKYn7SVx9N77wSDArYqlTcP+Gw==
Private-Lines: 14
AAABACPQ3Ti3jsVcVueAFcFy/0T1EqSh9GqkhzIcODnfsN6jzMzckZ3S747mS6E4
yRdpUlsOjg9k3jVMfNZTQj8A1/231SidtiF/1DbcEia+zF3HLBU7NzwMg+fIyMnt
wklyMR7A6/5yDj+NZo8b3OF0bhE026SN+Av2dZwX7Zx/yz2HZ1fYQYhVWnro/V5f
MH/tk2lxINavt5W8DcwTrH5SBZvvwE9hmmDOkZmcGO+6z4GJzctOaE8PheZdsq/Q
1TlAX/WMNOKHi1lYhLRZBqheTgNLU7dfFMsTxN/d88wx8VquSB/w/PJrcyUy2P9I
bpX70rDygoPUsodQsc5CcWpHsC0AAACBAO0KxuoeuJmD64hlGYw94cJZkylu1qme
DRQqukc/Dr0NXLv31WjbYhaVDW6wjWh275SlRMNzp3SUW0VQ73MJ/mYMCgzBaGwH
6KDyAd4n1cEaA2zGo6mj7dbBLJwAvFC944Vn82etU4Wx//A+59h30uTFw4Kn6zbW
G81HKQ168W9jAAAAgQCy5X+nqgxUn+mIemQtn9e8h0IfDUBu2Ckm+hyu19dAyhCv
o1OfctsbyYTTA2QFyvukeJrnKkTE9UnHHS7wc5T5H89DXP7CTFH2EOOBzVr0FVFw
Ovkn31up/chANKAHisEh28udYWZFyzwjOVQwMyaUtQBTqzwLOS+9DG5LR0b/6QAA
AIEApDMax3VGPWuwy/6fKPcRdCcPzYh8SLE+IpsitcW6QnibHdIcrjuymNlRAa9V
pHJDD4zS3gwuG2BHiy7A3kGpbukq5qTZCvnHMhAJrNN/0QDmBNThQwnxSmEq/70/
CyGS9Imw4VnSREaHGLKUP4ajLgb1TTVP0fwIiwAxGYND/NE=
Private-MAC: df060f880c374af1a40ea2b48fa41291103436ea

To use one with Putty, you should load it in PuTTY's authentication agent pageant.exe:

Pageant Key List

To use the same key with OpenSSH, you need to save it to .ssh\id_rsa inside your home directory (e.g. C:\Users\Username\.ssh\id_rsa), but also convert it to OpenSSH's format prior to that:

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEApaX/JlD0UMsR7rBknrPcnu12OW0KbTjxR8KEC6qSBbWTM3wh
ee+T9OkdyaaiDEcc5SNRBzKDtoHBX0ESY2Pm9XI529lqWu81fbnT8zJxMbkr4jHf
dbniEACgpeuik7AjLjxDeM+B5e36VeDdkrp9D5R32RCbN1Pf8e6q888L/JPd5o7A
30+wnEqks/X6LWRIqICAXQPJirv69LHz3yFXyKJFCkxyTfiTxQQ1CLFt+QiQ6ipN
C5QE0xZm20Q9pl0a+4HEthoS0XP8xQEev+Td/pFAMbSRroTvSldjxcNUjAq013mW
7+rACUc/FOsIIKYn7SVx9N77wSDArYqlTcP+GwIBJQKCAQAj0N04t47FXFbngBXB
cv9E9RKkofRqpIcyHDg537Deo8zM3JGd0u+O5kuhOMkXaVJbDo4PZN41THzWU0I/
ANf9t9UonbYhf9Q23BImvsxdxywVOzc8DIPnyMjJ7cJJcjEewOv+cg4/jWaPG9zh
dG4RNNukjfgL9nWcF+2cf8s9h2dX2EGIVVp66P1eXzB/7ZNpcSDWr7eVvA3ME6x+
UgWb78BPYZpgzpGZnBjvus+Bic3LTmhPD4XmXbKv0NU5QF/1jDTih4tZWIS0WQao
Xk4DS1O3XxTLE8Tf3fPMMfFarkgf8Pzya3MlMtj/SG6V+9Kw8oKD1LKHULHOQnFq
R7AtAoGBAO0KxuoeuJmD64hlGYw94cJZkylu1qmeDRQqukc/Dr0NXLv31WjbYhaV
DW6wjWh275SlRMNzp3SUW0VQ73MJ/mYMCgzBaGwH6KDyAd4n1cEaA2zGo6mj7dbB
LJwAvFC944Vn82etU4Wx//A+59h30uTFw4Kn6zbWG81HKQ168W9jAoGBALLlf6eq
DFSf6Yh6ZC2f17yHQh8NQG7YKSb6HK7X10DKEK+jU59y2xvJhNMDZAXK+6R4mucq
RMT1SccdLvBzlPkfz0Nc/sJMUfYQ44HNWvQVUXA6+SffW6n9yEA0oAeKwSHby51h
ZkXLPCM5VDAzJpS1AFOrPAs5L70MbktHRv/pAoGAYBkgNWZmg2zVG56bp461eE3T
4F1d8bydhLdgRmWsB3QerRFyMW2yJNSklKhwrc9aNVfB7l9RuaPtpnrB8F3/Wc2H
iKFvhb4EXOx9TDmpryY4vWVJRMXqzK8twrQwqxyMq7SFRbT4WMufHDUtjxvSCbf1
UKTwp4c7tBXuDGJGNBMCgYEApGQwHYeA89E3dn5ON8NQn2eI3kOHURmpRmlKyi4f
vv7e5pYVfcN9PCD2mGP7DD37/utd6S3CpyaW0qUyDWNKn7xdl9jqGlP4SeYBfjJT
lC9D6pcOd6qnQkMmt4pN3Wq/T4u0L8FJOTdMBLE4mv6SJ8jriye6ooeTps0nFL4J
5D0CgYEApDMax3VGPWuwy/6fKPcRdCcPzYh8SLE+IpsitcW6QnibHdIcrjuymNlR
Aa9VpHJDD4zS3gwuG2BHiy7A3kGpbukq5qTZCvnHMhAJrNN/0QDmBNThQwnxSmEq
/70/CyGS9Imw4VnSREaHGLKUP4ajLgb1TTVP0fwIiwAxGYND/NE=
-----END RSA PRIVATE KEY-----

To do the conversion, load the key in .ppk format in puttygen.exe (using File > Load private key menu item) and save it again in OpenSSH format (using Conversions > Export OpenSSH key menu item).

You can also use puttygen.exe to convert the key in the opposite direction: import the key in OpenSSH format (using Conversions > Import key menu item) and save it in .ppk format (using File > Save private key menu item).

When adding a public key to the list of authorized keys on the server (stored in ~/.ssh/authorized_keys) or to an equivalent list in a service like BitBucket or GitHub, you will again notice a difference between PuTTY's public key file format:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "test-key-do-not-use"
AAAAB3NzaC1yc2EAAAABJQAAAQEApaX/JlD0UMsR7rBknrPcnu12OW0KbTjxR8KE
C6qSBbWTM3whee+T9OkdyaaiDEcc5SNRBzKDtoHBX0ESY2Pm9XI529lqWu81fbnT
8zJxMbkr4jHfdbniEACgpeuik7AjLjxDeM+B5e36VeDdkrp9D5R32RCbN1Pf8e6q
888L/JPd5o7A30+wnEqks/X6LWRIqICAXQPJirv69LHz3yFXyKJFCkxyTfiTxQQ1
CLFt+QiQ6ipNC5QE0xZm20Q9pl0a+4HEthoS0XP8xQEev+Td/pFAMbSRroTvSldj
xcNUjAq013mW7+rACUc/FOsIIKYn7SVx9N77wSDArYqlTcP+Gw==
---- END SSH2 PUBLIC KEY ----

And the file format that the server's expect:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApaX/JlD0UMsR7rBknrPcnu12OW0KbTjxR8KEC6qSBbWTM3whee+T9OkdyaaiDEcc5SNRBzKDtoHBX0ESY2Pm9XI529lqWu81fbnT8zJxMbkr4jHfdbniEACgpeuik7AjLjxDeM+B5e36VeDdkrp9D5R32RCbN1Pf8e6q888L/JPd5o7A30+wnEqks/X6LWRIqICAXQPJirv69LHz3yFXyKJFCkxyTfiTxQQ1CLFt+QiQ6ipNC5QE0xZm20Q9pl0a+4HEthoS0XP8xQEev+Td/pFAMbSRroTvSldjxcNUjAq013mW7+rACUc/FOsIIKYn7SVx9N77wSDArYqlTcP+Gw== test-key-do-not-use

To get the latter, again load the private key in puttygen.exe and copy the text from the text box at the top of the window, appropriately labeled with _Public key for pasting into OpenSSH authorizedkeys file.

Putty Key Generator

There's one more thing worth mentioning in regard to using OpenSSH. Although it will by default use your private key in .ssh\id_rsa to establish the SSH connection to any server, you can change that with a configuration file (named config in the same .ssh folder). For example, to use a different key for GitHub, these could be the contents of your config file:

Host GitHub
    HostName github.com
    IdentityFile ~/.ssh/github
    User git

Get notified when a new blog post is published (usually every Friday):

Copyright
Creative Commons License