Understanding SSH Keys

What Are SSH Keys?

As opposed to the usual username and password authentication method, you can establish an SSH connection using a method that is known as SSH key-based authentication.

SSH keys are considered an extremely secure way of logging into your device/server, and is often the recommended way to establish all SSH connections as opposed to username and password authentication.

SSH keys come in pairs (private & public). The private key remains a secret to the client (i.e. the computer you use to initiate an SSH connection). This private key is considered the most vital, as any access to a private key can compromise your device and allow attackers to log in over SSH.

As opposed to your private key, your public key can be shared freely as only your private key can decrypt messages sent over SSH using said public key. This public key is uploaded to the device you wish to access via SSH and is stored in a specific file within the home directory of the user you wish to log in as.

How a Secure Connection is Formed

When we attempt to log into our device over SSH, using key-based authentication, the remote device will respond with a message which the SSH client (our computer/laptop we are using to initiate an SSH connection) must encrypt using its locally stored private key.

The client then responds with this encrypted message, which the remote device will then attempt to decrypt using one of the public keys originally uploaded in the setup procedure.

If the remote device successfully decrypts the message (I.e., if the original message matches the decrypted message), then an SSH connection is authenticated.

Understanding this connection method really shows how vital it is to safely secure your private SSH key.

Creating a Private & Public Key

It is worth noting at this point, that the command to generate a private & public key-pair exists on Linux/Mac computers by default (or at least after installing the OpenSSH libraries). Windows users will need to download a program such as Git and expose it’s commands on the system path.

The command to generate a key-pair is

> ssh-keygen

Upon entering this in the command prompt/terminal (on the local client), you will be asked to enter a location to save the keys. By default, this command creates two files, id_rsa and id_rsa.pub in the .ssh folder found in the home directory of the currently logged in user. For example:

~/.ssh/id_rsa 

~/.ssh/id_rsa.pub

You can simply click enter at this point, to save in the default location (recommended).

If you wish to encrypt the keys on disk (recommended) you can do so now. If you do not wish to enter a passphrase, simply leave it blank and hit enter.

Uploading Your Public Key to Remote Device

Now that we have our private and public key-pair stored on our client, we are ready to upload our public key to the special file which stores all accepted public keys on the remote device. It is important to note, that the location is stored in the .ssh folder in the home directory of the user.

For example, if we want to log in as the user “bob” but we upload our public key to the user “brian” then we won’t be able to initiate an ssh connection via bob@<remoteIP>, but we would be able to via brian@<remoteIP> .

So, first things first is to get the contents of your public key (on the local client). This can be done by cat’ing your public key to the terminal via:

> cat ~/.ssh/id_rsa.pub

You will see a massively long string (key based authentication is very secure!). You simply need to copy all of this output.

Now on your remote device, log into the account of the user you wish to log in via SSH as and append your public key by entering the following in the command prompt:

> echo your_public_key >> ~/.ssh/authorized_keys

Where “your_public_key” is the contents of the file you originally copied.

NOTE: You may have to ensure your SSH directory exists if you have not set this up before. You can do this simply by entering the following (safe to do, if the directory already exists)

> mkdir –p ~/.ssh

Log in via Key-based SSH

With your public key uploaded to the remote device, we can now go back to our local client. We can attempt to initiate an ssh key-based connection by entering the following

> ssh username@<remoteIP>

If you entered a passphrase for your private key file, you will be prompted to enter that passphrase now. Otherwise your connection will be established.

If you wish to disable password authentication (I.e. a less secure authentication method), you can do so by entering the following on the remote device

> sudo nano /etc/ssh/sshd_config

Ensure the following line exists and not commented out (via a # symbol)

PasswordAuthentication no

Finally press ctrl + X to exit the file and “Y” to confirm changes.

You will then need to restart the machine.

Synergy Setup For Raspberry Pi

Introduction

Synergy is a cross platform tool that allows you to share your keyboard and mouse across any device with a synergy client running – this means you can use one keyboard and mouse and still use all your Mac/Windows/Linux devices (including your Raspberry Pi!).
I won’t talk about setting up Synergy on your PC, as this is extensively documented. If you want to know how to do this, here is a YouTube video showing how to setup Synergy for your main PC.
Instead I will focus on showing you how to install Synergy on your Raspberry Pi, more specifically your Pi running Raspian. Note that this tutorial will not benefit users of a headless OS such as Raspbian Lite.

Prerequisites

Before you begin, you must set up a synergy server on your main PC (the one with the keyboard and mouse you intend to use).

Whilst setting up the server, be sure to add a computer via the “Screens and Links” tab and name it “pi”. Your server setup should look something similar to the following:

Computer Setup for Synergy Server Image
Computer Setup for Synergy Server

Installing Synergy

To install Synergy on your Pi, we will be using the trusty apt-get package manager that we’ve used a number of times so far. The command is simply:
> sudo apt-get install synergy
If it asks you to continue simply enter “y” and hit enter.
That’s it! You have Synergy installed (aren’t package managers amazing?!)… but not yet configured!

Configuring Synergy Client

The last piece of the puzzle is to configure the pi as a Synergy Client, by telling it the name of the server you wish to connect to.
To do this, we will create a shell script which starts up synergy on our Pi using the connection settings we specify. To create this script, enter the following into the terminal:
> sudo touch /usr/bin/startsynergy

This will create our script named “start synergy” in the “/usr/bin” directory, which is on the system path by default, allowing us to execute the script anywhere with the command “startsynergy”.

Open up the script using the Nano Text Editor:
> sudo nano /usr/bin/startsynergy
Enter the following:
#!/bin/bash

killall synergyc    # Kill all previous synergy clients
sleep 1                 # Wait 1 second

synergyc --name pi <server name goes here>  # See below
exit 0   # Exit gracefully
Save the file by pressing “CTRL + X” and hitting “Y” to confirm the save.
The main contents on the script is the last line starting with “synergyc –name…
We are setting up a synergy client with the name pi (or whatever you specified as the pis name when you added a second computer on your synergy server).
Lastly <server name goes here> should be replaced with the name of your Synergy server, again, this is specified on your Synergy server setup.

Running Synergy Client

To run the script, we first need to tell the pi that this file should be executable. To do this enter the following:
> sudo chmod +x /usr/bin/startsynergy
Now finally, we can simply run the client with the following command in the terminal on the Pi:
> startsynergy
If your Synergy server was running, you should now be able to see “client pi connected” in the output log (on the server) and you should be able to use your keyboard and mouse seamlessly across your PC and your Pi.
TIP: To make your synergy script execute on startup, read my post on how to execute a script on startup.

Using Visual Studio Code Raspberry Pi Network Share [Mac]

Introduction

This post is not describing how to run Visual Studio Code on the Pi. This post shows you how to create a network share on your Pi where your scripts reside so that you can edit them from your computer (this post is aimed at Mac users, go here to setup visual studio code for Windows).

Setup

The first thing you want to do, is ensure that you have Visual Studio Code installed on your Mac. You can install plugins you require specifically, but I recommend this Python plugin as Python is usually the goto language with Pi development.
First, update the packages that are installed on the Pi by entering the following in the terminal:
> sudo apt-get update

Creating the Network Share

To allow our Mac to see a network share on the Pi, we must first install Netatalk., To do this, we simply use the Raspbian package manager “apt-get”. Here is the command to install Netatalk
> sudo apt-get install netatalk

apt-get will start installing Netatalk upon pressing enter.

Note: You may need to press “Y” when it asks you to confirm the install.

Surprisingly, that is all there is to creating a network share on the Pi (for Mac). Some users may want to reboot their Pi at this point, although it isn’t strictly necessary.  If you would like to check that you can access the Pis files, open up Finder and go to your network locations.

You should see a computer with the name “raspberrypi” (or whatever you have called your Pi, if you had changed it’s name using raspi-config).

Raspberry Pi on Mac Network
Raspberrypi available on Mac network thanks to Netatalk

Upon double clicking the raspberrypi computer, you will need to click “connect as” in the top right corner of the Finder window.

Connect As Button Displayed
Connect As Button Displayed

This will bring up a prompt for a username and password. This is basically the user you wish to log in as. Assuming default settings, this is usually “pi” and “raspberry” as the username and password respectively.

Entering Pi Username And Password
Entering Pi Username And Password

Upon logging in, you will see the home directory of the user you are logged in as.

Using Visual Studio Code

Now that we have Visual Studio Code installed on our Mac, and have access to the Pis home directory (where we save our scripts) we can start to edit our code!
Simply drag a file from the Raspberry Pi network share into Visual Studio Code. Any changes you make and save will be updated on the Pi itself.
Alternatively, you can open a folder from within Visual Studio code by clicking “file -> open folder” and navigating to the folder on the Pi that you want to open.
Happy Intellisense!

Fixed IP Address Over Ethernet & WiFi [Raspberry Pi]

Introduction

If you intend on using a headless OS (such as Raspbian Lite) for your Pi, setting up a Fixed IP address is a must. With this setup, you can SSH into your Pi with nothing more than an Ethernet cable and a power supply connected to your Raspberry Pi.

Setting Up a Fixed IP

Before you can go about setting up a fixed IP address, you will first need to either connect to your Pi via SSH or connect a monitor, mouse and keyboard so that you can edit the configuration files.

Once you are ready at the terminal on your pi, open up the dhcpcd.conf file with nano by entering

> sudo nano /etc/dhcpcd.conf

Some posts around the internet talk about using an “interfaces file” for setting up a fixed IP. This used to be how Raspbian managed assignment of IP addresses, but has now moved over in favour of the dhcp client.

With the config file open in nano, scroll down to the bottom using your keyboards arrow keys to the end of the file. Enter the following:

interface eth0
 static ip_address=192.168.1.5/24
 static routers=192.168.1.1
 static domain_name_servers=192.168.1.1
This looks like there is quite a lot involved, but broken down it is fairly straight forward.

interface eth0

Specifies which interface we want to assign the fixed ip address to. In this example we are assigning it to the ethernet port. If you have multiple ethernet wires plugged in (via a usb with ethernet adapter, for example) there will be more interface addresses such as eth1 etc. The same applies to WiFi, who’s interface range starts at wlan0.

 static ip_address=192.168.1.5/24

The most important line of all! 192.168.1.5 is the IP address you want to be assigned to your Pi.

What is the “/24” for? You may be wondering… This number represents the subnet mask, more specifically, how many bits of the mask should be 1 and the remainder being 0. As you may know, a common subnet mask is 255.255.255.0 – as the subnet mask is a 32bit integer, this would be represented as /24 (i.e. the first 24 bits are 1’s and the remainder (8 bits) are 0).

static routers=192.168.1.1

This one is fairly straight-forward. This is basically the IP address of the router you are connected to. Of course, change the IP address here to match your routers settings.

static domain_name_servers=192.168.1.1

The final piece of the puzzle, and quite a simple one, is the dns settings. This is usually the same as your routers address, so change this accordingly.

Saving Settings

Finally, to save your settings:
  • ctrl + X to quit nano
  • Y to confirm to save
For the new settings to be applied, you will need to restart your Pi. Simply type the following:
> sudo reboot

Connect Raspberry Pi Via SSH

Introduction

One of the most fundamental methods with Raspberry Pi development is the ability to connect your Raspberry Pi via SSH to manipulate files and execute scripts which run on the Pi.
The following tutorial will apply for all platforms, however Windows does not have SSH built in by default. To allow SSH access to the Pi via windows, it is recommended to download a program called PuTTY.

With PuTTY, you can simply enter (and save) the IP Address of the pi, username and password (will get onto this in a moment) and click open.

PuTTY Configuration Window
PuTTY Configuration Window
For the purpose of this tutorial, I will use the ‘terminal’ way for connecting over SSH. Once you connect over SSH via PuTTY on Windows, you will be at the same point post-connection as you are connecting to the Pi via a Mac/Linux computer.

SSH Setup

Pi Requirements

To begin, you first need to enable SSH on the Pi itself. Unfortunately, this does require you to have a keyboard (+ mouse if you are not running a headless version of Raspbian) plugged into the Pi for the time being.

To enable SSH, we must use the raspi-config menu:

  1. Boot up the Pi
  2. Type “sudo raspi-config” at the terminal
  3. Navigate to “Advanced Options”
  4. Select “Enable SSH”
  5. Restart the Pi by selecting Finish

Important Note: If this is the first time you have booted up the Pi, before you restart the Pi (step 5), you must enable the device to auto log-on. Without this option enabled, your Pi will wait in a state where it is prompting you to enter the username and password for the user you want to log into. While the Pi is in this state, you will not be able to SSH into the Pi! See “Enable Boot to desktop” in the raspi-config manual

Connecting To the Raspberry Pi Via SSH

Now that SSH is enabled on our Pi, we can remove our keyboard and mouse which was previously connected to it and ensure the Pi is plugged into the same network as our main computer.

Default Settings

Unless you have changed them, the default settings for the Pi are as follows:

  • Username: “pi”
  • Password: “raspberry”

Opening the Connection [Mac & Linux]

Open up the terminal and enter the following command:

> ssh pi@192.168.1.5

A prompt will appear to enter the password of the user you wish to log in as. In this example, the user “Pi” is chosen.

Of course, don’t forget to change the IP address to match the address of your Pi.

Opening the Connection [Windows]

Simply open PuTTY, enter the IP address of the Pi, along with the username and password of the user you want to log in as (see default settings if you have not made any changes to the Pis user account) and click open.

Getting the IP Address of the Pi

In a future post I will describe how to set up a fixed IP address for your Pi. For now, your Pi will need to be plugged into a monitor. When you boot up your Pi, you should be able to see the following.

IP Address Shown on Boot Image
IP Address Shown on Boot

For those interested in understanding how SSH works and additional security measures to take, read Understanding SSH Keys