This is an excellent and important fact. When you use ssh as "an ordinary shell," it still represents a gaping hole in your system... it's a way for an outsider to get to a username/password prompt. The fact that the traffic is encrypted from point-A to point-You is irrelevant, because "the guy at point-A" is a bad guy.
The best way to provide security for your computer is to insist on using the same techniques that your employer does: you are issued a badge. No one asks you to "say the magic word" as a precondition for getting to your cubicle; they demand that you show your badge.
A digital certificate is like a badge. You can generate one yourself (a so-called "self-signed certificate") if it's only for your own [company's] use. It's non-forgeable (unless you're the NSA... which you're not...) and it uniquely identifies its bearer. And it can be individually revoked: if that laptop is stolen at the airport, in a few minutes it's useless for getting into the company's systems.
Whether you use SSH or IPSEC (VPN) or some other system, you want the initial exchange to be something like this:
- "Hello, this is an unidentifiable company. Your badge, please?"
- (The visitor holds her badge up for inspection.)
- "Thank you, Ms. Bond. What is your user-id?"
- "007"
- "And your password?"
- "***********"
- "Good morning, Ms. Bond. You have 2,037 new spam e-mails and two appointments for today... And, oh yes, you won that eBay auction."
All of the facilities needed to do this are at your disposal now and they're absolutely free.
Learn how to use them! Notice that most of these are simply electronic counterparts to the same "real world" security techniques that even the smallest mom-n-pop shops take for granted and use every day (with regard to, inexplicably, everything but their computers!). They're not hard to understand and not hard to use. In fact, they are often more convenient.
(And you can get rid of those spam messages, too, by using the same techniques.)
Incidentally: these techniques are common to all of the security implementations, not just PuTTY.
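The exchange described in the post above (badge first, then user-id and password), as an added example that is not part of the original post and not anyone's product code: OpenSSH's own certificate support does all three things the post asks for. The CA key you generate is the company's self-signed badge issuer, each laptop gets a certificate carrying a serial number, a stolen laptop's certificate goes into a Key Revocation List, and the sshd fragment demands the badge first and the password second. Assumptions: a local ssh-keygen from OpenSSH 7.0 or later, a scratch directory, and made-up names (ca, bond, q, serials 7 and 8, the paths under /etc/ssh).

```shell
#!/bin/sh
# Added example, not code from the original post: "show your badge, then give
# your user-id and password", done with OpenSSH user certificates.
# Assumes OpenSSH 7.0+ (ssh-keygen with -s, -k and -Q). Everything is written
# into a scratch directory; the names, serials and /etc/ssh paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# The company's own badge office: a CA key you generate yourself, the SSH
# equivalent of a self-signed certificate. Only your servers need to trust it.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example-corp user CA' -f "$WORK/ca"
}

# Issue a badge: a per-laptop key, signed by the CA into a certificate that
# names the login it is good for (-n), carries a serial (-z) so that one
# badge can be revoked on its own, and expires by itself (-V).
issue_badge() { # $1 = login name, $2 = serial number
    ssh-keygen -q -t ed25519 -N '' -C "$1 laptop" -f "$WORK/$1"
    ssh-keygen -q -s "$WORK/ca" -I "$1-laptop" -n "$1" -z "$2" -V -1d:+52w \
        "$WORK/$1.pub"                      # writes $WORK/$1-cert.pub
}

# The laptop was stolen: put that one certificate into the Key Revocation
# List. ssh-keygen -k builds a KRL; -u updates an existing one.
revoke_badge() { # $1 = login name whose certificate is revoked
    if [ -f "$WORK/krl" ]; then
        ssh-keygen -q -k -u -f "$WORK/krl" "$WORK/$1-cert.pub"
    else
        ssh-keygen -q -k -f "$WORK/krl" "$WORK/$1-cert.pub"
    fi
}

# Ask the KRL whether a badge is still good. ssh-keygen -Q exits non-zero
# when any listed key or certificate is revoked. Prints "yes" or "no".
is_revoked() { # $1 = login name
    if [ ! -f "$WORK/krl" ]; then
        echo no
        return
    fi
    if ssh-keygen -Q -f "$WORK/krl" "$WORK/$1-cert.pub" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# The server side of the conversation: trust badges from our CA, consult the
# revocation list, and require the badge AND a password, in that order.
# Prints the path of the fragment it wrote.
write_sshd_fragment() {
    cat > "$WORK/sshd_badges.conf" <<'EOF'
# Badge check: only certificates signed by the company CA are accepted
# (install ca.pub here; the cert's principal must match the login name).
TrustedUserCAKeys /etc/ssh/user_ca.pub
# Stolen laptops: certificates listed in this KRL are refused after a reload.
RevokedKeys /etc/ssh/revoked_keys.krl
# "Your badge, please?" ... "And your password?": both, and in this order.
AuthenticationMethods publickey,password
PasswordAuthentication yes
EOF
    echo "$WORK/sshd_badges.conf"
}

main() {
    make_ca
    issue_badge bond 7
    issue_badge q 8
    echo "bond revoked? $(is_revoked bond)"
    revoke_badge bond
    echo "bond revoked? $(is_revoked bond)"
    echo "q revoked?    $(is_revoked q)"
    echo "sshd fragment written to $(write_sshd_fragment)"
}

main
```

To put it to use, copy ca.pub to /etc/ssh/user_ca.pub and krl to /etc/ssh/revoked_keys.krl on the server, append the fragment to sshd_config and reload sshd; each time a laptop is lost, re-run revoke_badge and redistribute the KRL. The user logs in with `ssh -i bond bond@host`: ssh picks up bond-cert.pub next to the private key on its own, the server checks the badge, and only then asks for the password.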