Leon Steenkamp

Building small satellites on the tip of Africa. My other ride is a CubeSat.


SSH and key-based authentication notes

Here follow a few quick notes on creating authentication keys and copying them from one GNU/Linux host to another.

Introduction

Key-based authentication uses a cryptographic key pair, instead of a password, to authenticate a user. It is more secure than using a password, and you do not have to enter your password each time you authenticate.

Private keys should be kept private and public keys are for handing out. These notes assume you are generating keys on an MS Windows host under WSL and exporting to a Raspberry Pi.

Create keys

To generate a key use one of the commands below. From a quick Google the Ed25519 option might be quicker and more secure. If you have keys already you could just use those.

On the local WSL machine:
$ ssh-keygen -t ed25519
or
$ ssh-keygen -t rsa -b 4096

You might need to update the ssh client config file and add the new keys there so they are used when you ssh to the remote host:
$ sudo nano /etc/ssh/ssh_config
Add the line below (change the name to your actual key):
IdentityFile ~/.ssh/keyname_rsa
This can be added under the wildcard host (Host *) entry. Note that /etc/ssh/ssh_config applies to every user on the machine; the per-user equivalent is ~/.ssh/config.

Copy public key to remote

To copy the public key from your WSL host to the remote Raspberry Pi host use the following three commands. You could probably roll these into one line.

$ export USER_AT_HOST="your-user-name-on-host@hostnameOrIp"  
$ export PUBKEYPATH="$HOME/.ssh/keyname_rsa.pub"  
$ ssh-copy-id -i "$PUBKEYPATH" "$USER_AT_HOST"  

This command might be useful if you ever run into permission issues with the authorised keys file, but should not really be needed:
$ chmod 600 ~/.ssh/authorized_keys

Connect to remote host

To connect to the remote machine, you should be able to just issue:
$ ssh username@address

You can specify a key using:
$ ssh username@address -i $HOME/.ssh/keyname_rsa

Disable password login on remote host

To disable password login on the remote host you can edit the sshd config file. Before doing this, make sure you have key-based authentication up and running and test it.

Edit the config file:
$ sudo nano /etc/ssh/sshd_config
Add these to the bottom of the file:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Restart service with:
$ sudo service ssh reload
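
sshd uses the first value it reads for each keyword, so lines added at the bottom of sshd_config do not override an earlier uncommented setting. The script below is an added example, not part of the original notes: it resolves the three keywords above with that rule over a constructed sample file (the function names are illustrative, and Include files and Match blocks are not handled).

```shell
#!/bin/sh
# Added example: resolve sshd_config keywords as sshd does (first value wins).
# Assumptions: Include files are not followed and Match blocks are ignored.

# Print the effective global value of keyword $1 in file $2, or "unset".
effective_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit         # global section ends here
            if (key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$2"
}

# Print each of the three keywords above whose effective value is not "no".
password_login_gaps() {
    for kw in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        val=$(effective_value "$kw" "$1")
        [ "$val" = "no" ] || printf '%s=%s\n' "$kw" "$val"
    done
}

# Constructed sample (not taken from a real host): earlier lines are still
# active, and the three settings have been appended at the bottom.
write_sample() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
EOF
}

sample=$(mktemp)
write_sample "$sample"
password_login_gaps "$sample"   # reports the two keywords still set to yes
rm -f "$sample"
```

On the Raspberry Pi itself, `sudo sshd -T` prints the configuration sshd actually resolved, including any Include files.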

Closing thoughts

This should be a bit more convenient than typing in long passwords, with the added benefit of being more secure. It is also useful when using Ansible. Yes, I use nano.

This and other tips can be found in:
https://www.raspberrypi.org/documentation/configuration/security.md