Leon Steenkamp
Building small satellites on the tip of Africa. My other ride is a CubeSat.
SSH and key-based authentication notes
Here follow a few quick notes on creating authentication keys and copying them from one GNU/Linux host to another.
Introduction
Key-based authentication makes use of a cryptographic key pair for authentication and can be used instead of a password to authenticate a user. Key-based authentication is more secure than using a password and you do not have to enter your password each time to authenticate.
Private keys should be kept private and public keys are for handing out. These notes assume you are generating keys on an MS Windows host under WSL and exporting to a Raspberry Pi.
Create keys
To generate a key use one of the commands below. From a quick Google the Ed25519 option might be quicker and more secure. If you have keys already you could just use those.
On local WSL machine:
$ ssh-keygen -t ed25519
or
$ ssh-keygen -t rsa -b 4096
You might need to update the ssh config file and add the new keys there so
they are used when you ssh to the remote host:
$ sudo nano /etc/ssh/ssh_config
add the line below (change the name to your actual key):
IdentityFile ~/.ssh/keyname_rsa
This can be added under the wildcard host (Host *) entry.
Copy public key to remote
To copy the public key from your WSL host to the remote Raspberry Pi host use the following three commands. You could probably roll these into one line.
$ export USER_AT_HOST="your-user-name-on-host@hostnameOrIp"
$ export PUBKEYPATH="$HOME/.ssh/keyname_rsa.pub"
$ ssh-copy-id -i "$PUBKEYPATH" "$USER_AT_HOST"
This command might be useful if you ever run into permission issues with the
authorised keys file, but should not really be needed:
$ chmod 600 ~/.ssh/authorized_keys
Connect to remote host
To connect to the remote machine, you should be able to just issue:
$ ssh username@address
You can specify a key using:
$ ssh username@address -i $HOME/.ssh/keyname_rsa
Disable password login on remote host
To disable password login on the remote host you can edit the sshd config file. Before doing this, make sure you have key-based authentication up and running and test it.
Edit the config file:
$ sudo nano /etc/ssh/sshd_config
Add these to the bottom of the file:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Restart service with:
$ sudo service ssh reload
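sshd uses the first value it reads for each keyword, so lines added at the bottom of sshd_config only take effect if no earlier uncommented line sets the same keyword. The shell sketch below is an added example, not part of the original notes: the function names and the sample config are constructed for illustration, and it assumes Include files are not followed.

```shell
#!/bin/sh
# Added example: report the value sshd would use for a keyword in a config file.
# sshd_config(5): for each keyword the first obtained value is used, so a line
# appended at the bottom loses to an earlier uncommented one.

# effective_value FILE KEYWORD   (hypothetical helper name)
# Prints the first value set for KEYWORD in the global section of FILE, i.e.
# everything before the first Match block. Prints nothing if it is not set.
# Assumption: Include directives are not followed.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            match(line, /^[^ \t=]+/)           # keyword ends at space or "="
            key = tolower(substr(line, 1, RLENGTH))   # keywords ignore case
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)    # "Keyword value" or "Keyword=value"
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit           # global section ends here
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# password_login_disabled FILE   (hypothetical helper name)
# Succeeds only if the three settings from these notes all resolve to "no".
password_login_disabled() {
    for kw in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        [ "$(effective_value "$1" "$kw")" = "no" ] || {
            echo "$kw does not resolve to 'no' in $1" >&2
            return 1
        }
    done
}

# Constructed sample: active lines near the top, the three lines appended below.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
EOF
echo "PasswordAuthentication resolves to: $(effective_value "$sample" PasswordAuthentication)"
password_login_disabled "$sample" || echo "password login is still enabled"
rm -f "$sample"
```

On the Raspberry Pi itself, `sudo sshd -T` prints the configuration the daemon resolves, which also covers included files.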
Closing thoughts
This should be a bit more convenient than typing in long passwords and with the benefit of being more secure. Also useful when using Ansible. Yes, I use nano.
This and other tips in:
https://www.raspberrypi.org/documentation/configuration/security.md