@chunter
Created June 20, 2017 10:51
Make Pageant autoload keys at startup
To make Pageant automatically run and load keys at startup:
- Find the location of pageant.exe
- Windows key + R to open the 'run' dialog box
- Type: 'shell:startup' in the dialog box
- Create a shortcut to pageant.exe and put it into this startup folder.
- Right click on the shortcut and open 'Properties'
- In 'Target' add: "<route to>/pageant.exe" myprivatekeyname.ppk
- In 'Start in' add: "<route to myprivatekeyname.ppk>"
- Click on the shortcut and check that Pageant has started and has loaded your keys
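
The steps above as a script, shown as an added example that is not part of the original gist: it creates the same Startup shortcut from PowerShell, passes every key to a single Pageant instance with the `--encrypted` option discussed in the comments below, and leaves out key files whose PPK header says `Encryption: none`. The PuTTY install path and the `.ssh` key folder are assumptions.

```powershell
# Added example, not from the gist. Paths are assumptions: adjust to your system.
$pageant = Join-Path $env:ProgramFiles 'PuTTY\pageant.exe'   # assumed install path
$keyDir  = Join-Path $env:USERPROFILE '.ssh'                  # assumed key folder

if (-not (Test-Path -LiteralPath $pageant -PathType Leaf)) {
    throw "pageant.exe not found at $pageant"
}

# A .ppk file is plain text; its second header line reads "Encryption: none"
# or names a cipher such as "Encryption: aes256-cbc".
$keys = @()
foreach ($file in Get-ChildItem -LiteralPath $keyDir -Filter '*.ppk' -File) {
    $line = Get-Content -LiteralPath $file.FullName -TotalCount 3 |
        Where-Object { $_ -like 'Encryption:*' } | Select-Object -First 1
    $enc = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'unknown' }
    if ($enc -eq 'none' -or $enc -eq 'unknown') {
        # Nothing to defer-decrypt: leave such keys out of the autoload list.
        Write-Warning "Skipping $($file.Name) (Encryption: $enc)"
    } else {
        $keys += $file.FullName
    }
}
if ($keys.Count -eq 0) { throw "No passphrase-protected .ppk files in $keyDir" }

# One Pageant instance, all keys as arguments, each path quoted for spaces.
$arguments = '--encrypted ' + (($keys | ForEach-Object { '"{0}"' -f $_ }) -join ' ')

# [Environment]::GetFolderPath('Startup') is the folder 'shell:startup' opens.
$lnkPath  = Join-Path ([Environment]::GetFolderPath('Startup')) 'Pageant.lnk'
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)
$shortcut.TargetPath       = $pageant
$shortcut.Arguments        = $arguments
$shortcut.WorkingDirectory = $keyDir
$shortcut.Save()

# Read the shortcut back to confirm what will run at logon.
$check = $shell.CreateShortcut($lnkPath)
Write-Output ("{0} {1}" -f $check.TargetPath, $check.Arguments)
```

`--encrypted` needs Pageant 0.75 or later, as noted in the comments.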
@aktentasche

awesome thanks

@krishna2k5

Hi, I am Krishna trying to follow what's explained above. In that I have doubts. One is that, is the path where the Putty resides? Also, this one is where the PPK is available or how does that be. Could you provide examples for that?

  1. In 'Target' add: "/pageant.exe" myprivatekeyname.ppk - Eg. required.
  2. In 'Start in' add: "" - Eg. required.

@aktentasche

example for 1:
"C:\Program Files\TortoiseGit\bin\pageant.exe" myprivatekeyname.ppk

example for 2:
C:\Users\foo\Documents

@ThomDietrich

Why so complicated? Just create a shortcut to your ppk file (assuming ppk is linked to pageant; that's default using the putty installer)

@ewidance

ewidance commented Mar 17, 2020

Shortcut only works with a single ppk key. If you make more than 1 shortcut, there will be more than 1 instance of pageant, and putty does not seem to know how to deal with it. In that case, editing a shortcut to pageant to add complete paths of multiple keys seems to be the best solution:
"C:\Program Files\PuTTY\pageant.exe" "C:\my complete path to private key1.ppk" "C:\my complete path to private key2.ppk" ... "C:\my complete path to private keyX.ppk"

Password will be prompted for each key requiring it.

@ThomDietrich

ThomDietrich commented Mar 17, 2020

Makes sense.
On a wider scope I wonder - on a personal and case by case basis - if multiple keys are meaningful. Ideally one has one key per device and when the device is lost/compromised the key is removed from the list.

That said, of course it might make sense to have multiple keys per "trust level" (private, work, work-critical-infrastructure) - yet again that does not make sense when all of them are automatically loaded during startup :)

@teliot

teliot commented Aug 16, 2020

I have key files associated with pageant, this allows me to put the keys in startup directly.

@dan-s-el

Thanks!

@arnoldnipper

Works like a charm. If you have multiple keys add a path in "Run in" to the directory where the keys are

@xkolk

xkolk commented Mar 21, 2021

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Pageant"="cmd /c \"for %i in (\"%USERPROFILE%\\*.ppk\") do start \"%ProgramFiles%\\PuTTY\\pageant.exe\" \"%i\"\""

@zdevel

zdevel commented Sep 23, 2021

Would it be possible to link to some kind of file (maybe a .bat file or something) that contains a list of the keys to load?

@PHPGangsta

Since version 0.75 pageant supports loading a key still encrypted, and decrypting it later by prompting for the passphrase on first use.

In the command line, load it with "--encrypted <path_to_key>"

See documentation:
https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter9.html#pageant-deferred-decryption

@xsoft

xsoft commented Nov 29, 2021

Please update HELP for Pageant as well, since there is no mention of this parameter and/or option.
This (git page) is the first place where I found an answer about this feature mentioned in the changelog.

help:

9.3.1 Making Pageant automatically load keys on startup
If the keys are stored encrypted, Pageant will request the passphrases on startup. 

@KineticTail

Hi, you can add something like this in the shortcut:

C:\PuTTY\pageant.exe --encrypted d:\main.ppk
And it will prompt the key request at first use.

@brunokc

brunokc commented Sep 19, 2022

A variation of @xkolk approach above, but with support for loading multiple keys:

Use this on the command line, as a startup command in your registry, or from the command line (just the stuff between the first and last quotes):

cmd /V:ON /c "set keys= && (for %i in ("%PATH_TO_YOUR_PPK_FILES%\*.ppk") do (set keys=!keys! %i)) && start "" "C:\Program Files\PuTTY\pageant.exe" --encrypted !keys!"

The use of --encrypted will cause pageant to load without asking for any passwords. Then, on first use, it will ask for the password(s) and keep the keys decrypted in memory.

@hausmanconsulting

hausmanconsulting commented Sep 23, 2022

@brunokc thank you, I love this idea. I couldn't get your command working in my command line (everything between the quotes) but this is working for me as a batch file:

for %%i in ("C:\dir\*.ppk") do start /B "" "%ProgramFiles(x86)%"\PuTTY\pageant.exe --encrypted "%%i"

(obviously change "dir" to whatever the path is - and whether you're using 32 bit or 64 bit PuTTY/pageant)

@brunokc

brunokc commented Sep 24, 2022

Cool, @hausmanconsulting. Glad to hear at least some variation of it worked for you.

The key thing for my example to work is having "delayed variable expansion" enabled in the shell. That's done via the /v:on option when invoking cmd.exe, or calling setlocal enabledelayedexpansion in batch files (setlocal doesn't work in the command line)

Also, note that in your case, it looks like you're (attempting to) starting multiple instances of pageant.exe (one per key), while in my case I start a single instance passing all keys as arguments.

@hausmanconsulting

@brunokc Thank you for the info - I will experiment with delayed variable expansion.

After my batch file I'm left with only one running instance of pageant.exe with multiple keys, so pageant seems able to handle doing things this way, though I've always launched it your way (with all keys as arguments to a single instance) until now. Thanks again for the tips.

@nam20485

@xsoft The --encrypted command line argument is already mentioned in the putty/pageant help manual. See section 9.5, entitled "Loading keys without decrypting them." The help manual can be found in the installation directory.

@eggbean

eggbean commented Jan 23, 2024

I have added this to my setup batch file to create the startup shortcut using NirCmd's shortcut subcommand.
https://nircmd.nirsoft.net/shortcut.html

:: Make startup shortcut for pageant
if not exist "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\pageant.lnk" (
    nircmd shortcut %USERPROFILE%\winfiles\bin\pageant.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" pageant "--encrypted %USERPROFILE%\.ssh\id_ed25519.ppk"
    echo pageant startup shortcut created
)

@7wells

7wells commented Feb 20, 2024

Hello! You do not need nircmd or other 3rd party tools. Windows has everything on board. The below batch file creates a temporary vbs script, executes it to create the startup entry for pageant, and it cleanly deletes the temporary vbs file afterwards. As shown in the example, you can add multiple keys in Arguments. Replace them by your key file name(s). You might also need to adjust the TargetPath to your pageant.exe file.

@echo off
cls
set SCRIPT="%TEMP%\%RANDOM%-%RANDOM%-%RANDOM%-%RANDOM%.vbs"
echo Set oWS = WScript.CreateObject("WScript.Shell") >> %SCRIPT%
echo sLinkFile = "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pageant.lnk" >> %SCRIPT%
echo Set oLink = oWS.CreateShortcut(sLinkFile) >> %SCRIPT%
echo oLink.TargetPath = "%PROGRAMFILES%\PuTTY\pageant.exe" >> %SCRIPT%
echo oLink.Arguments = "--encrypted %USERPROFILE%\.ssh\id_rsa.ppk %USERPROFILE%\.ssh\id_nistp256.ppk" >> %SCRIPT%
echo oLink.Save >> %SCRIPT%
cscript /nologo %SCRIPT%
del %SCRIPT%

Source: https://stackoverflow.com/questions/31814060/create-a-shortcut-with-parameters-added-to-the-program-path

@xsoft

xsoft commented Feb 20, 2024

Please note that Pageant with --encrypted still does not work for multiple connections/windows.

When you load your key (one) as encrypted, it waits for first usage. So far so good.
Next you open two PuTTY windows, for two different servers.
One popup window would appear and it would wait for you to input the pass for the key.
Both PuTTY windows are waiting at this point.
If you enter the pass, the key is loaded (unlocked), and used. But just for the first window.
The second PuTTY window would get stuck, and it would wait for an answer from Pageant, which will never come.
A fix would be to send the key to BOTH windows that are waiting for a key input.
Sure, if you close both PuTTY windows and reopen them, then the key would be used for both of them as you open them.

@7wells

7wells commented Feb 20, 2024

Thanks for sharing! 👍

Then one key to rule them all is better? 😉 Kidding aside - I wanted to have a separate key for one server, but maybe I can live with just one key for all servers (except one, all are inside my private network anyway).

@eggbean

eggbean commented Feb 20, 2024

If you use the same passphrase for all the keys, they should all be unencrypted with the first passphrase input, from my experience.

@7wells

7wells commented Feb 20, 2024

Yes, I have the same passphrase for both keys. As the passphrase is partially stored in my mind and the other part on a hardware token, that should be ok, security-wise. Any objections? Sorry that this question might be getting a bit OT here.

BTW, where could one ask for a solution of the problem described before (i.e. in case of different passphrases)?

@eggbean

eggbean commented Feb 20, 2024

I don't use PuTTY. Instead I use WSL and Windows Terminal. With BlackReloaded/wsl2-ssh-pageant I had no problem using multiple keys. They did use the same passphrase, but I expect it would work fine with different passphrases too. I could use multiple tmux panes and windows with the keys too, once I use a ~/.ssh/rc script to automatically symlink the socket for use within tmux too. Since then I have stopped using pageant and use Windows built-in OpenSSH instead, where it stores the SSH key in an encrypted state in the registry and is automatically unencrypted when you log on, so it's seamless in the same way as it would be using a keychain in Linux or macOS.

@7wells

7wells commented Feb 21, 2024

Since the project is no longer maintained (1), do you use one of the many forks and can recommend one, or do you use the original? I use WSL2 (Debian), which indeed offers many possibilities.

(1) https://github.com/BlackReloaded/wsl2-ssh-pageant

Again, thanks for sharing! 👍

@eggbean

eggbean commented Feb 21, 2024

There are quite a few different things like that including ones that are based on npiperelay, but I use BlackReloaded/wsl2-ssh-pageant as it specifically supports GPG for Windows too, which I will still be using it for. It's only no longer maintained as the guy who wrote it doesn't use Windows anymore, but it still works perfectly fine. Eventually Microsoft will probably add something native that allows this.

@7wells

7wells commented Feb 21, 2024

Got it - indeed very promising. Meanwhile, I looked into this fork, which has several updates (not yet tested):
https://github.com/KerickHowlett/wsl2-ssh-bridge

EDIT1: I like Pageant, because it supports WinSCP, too, and I was not aware if there are alternatives for this, too.

EDIT2: Might be helpful, too:
https://gist.github.com/dinvlad/a62d44325fa2b989a046fe984a06e140

@strarsis

strarsis commented Apr 9, 2024

You may also find this guide for setting up KeePass + KeeAgent for WSL 2 SSH interesting:
https://gist.github.com/strarsis/e533f4bca5ae158481bbe53185848d49
