Understanding SSH Keys

What Are SSH Keys?

As opposed to the usual username and password authentication method, you can establish an SSH connection using a method that is known as SSH key-based authentication.

SSH keys are considered an extremely secure way of logging into your device/server, and are often the recommended way to establish all SSH connections, as opposed to username and password authentication.

SSH keys come in pairs (private & public). The private key remains a secret on the client (i.e. the computer you use to initiate an SSH connection). This private key is the most vital part, as anyone who obtains it can compromise your device and log in over SSH.

Unlike your private key, your public key can be shared freely, as only your private key can decrypt messages sent over SSH using said public key. This public key is uploaded to the device you wish to access via SSH and is stored in a specific file within the home directory of the user you wish to log in as.

How a Secure Connection is Formed

When we attempt to log into our device over SSH using key-based authentication, the remote device responds with a message which the SSH client (the computer/laptop we are using to initiate the SSH connection) must encrypt using its locally stored private key.

The client then responds with this encrypted message, which the remote device will then attempt to decrypt using one of the public keys originally uploaded in the setup procedure.

If the remote device successfully decrypts the message (i.e., if the original message matches the decrypted message), then the SSH connection is authenticated.

Understanding this connection method shows how vital it is to keep your private SSH key secure.

Creating a Private & Public Key

It is worth noting at this point that the command to generate a private & public key pair exists on Linux/Mac computers by default (or at least after installing the OpenSSH tools). Windows users will need to download a program such as Git and expose its commands on the system path.

The command to generate a key-pair is

> ssh-keygen

Upon entering this in the command prompt/terminal (on the local client), you will be asked to enter a location to save the keys. By default, this command creates two files, id_rsa and id_rsa.pub, in the .ssh folder found in the home directory of the currently logged-in user. For example:

~/.ssh/id_rsa

~/.ssh/id_rsa.pub

You can simply press Enter at this point to save in the default location (recommended).

If you wish to encrypt the private key on disk with a passphrase (recommended), you can do so now. If you do not wish to enter a passphrase, simply leave it blank and press Enter.

Uploading Your Public Key to Remote Device

Now that we have our private and public key pair stored on our client, we are ready to upload our public key to the special file which stores all accepted public keys on the remote device. It is important to note that this file lives in the .ssh folder in the home directory of the user you will log in as.

For example, if we want to log in as the user “bob” but we upload our public key to the user “brian” then we won’t be able to initiate an ssh connection via bob@<remoteIP>, but we would be able to via brian@<remoteIP> .

The first step is to get the contents of your public key (on the local client). This can be done by cat'ing your public key to the terminal via:

> cat ~/.ssh/id_rsa.pub

You will see a very long string (key-based authentication is very secure!). You simply need to copy all of this output.

Now, on your remote device, log into the account of the user you wish to log in as via SSH and append your public key by entering the following in the command prompt:

> echo "your_public_key" >> ~/.ssh/authorized_keys

Where “your_public_key” is the contents of the file you copied earlier (the quotes keep the whole key, spaces included, on one line).

NOTE: You may have to ensure your .ssh directory exists if you have not set this up before. You can do this simply by entering the following (safe to do even if the directory already exists):

> mkdir -p ~/.ssh
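The upload steps above, gathered into a small script as an added example that is not part of the original post. It creates the .ssh directory and the authorized_keys file with the permissions sshd expects (700 and 600; with the default StrictModes setting, sshd refuses keys in a group- or world-writable file or directory), checks that the line looks like an OpenSSH public key, and does not append a key that is already present. The function names, the paths and the sample key line are constructed for this example; the sample key is not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys file idempotently and with the permissions sshd
# expects. Paths and the sample key below are constructed for illustration.

# A constructed public-key line in OpenSSH format; this is NOT a real key.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY example@client"

# install_authorized_key KEY_LINE [AUTHORIZED_KEYS_PATH]
#   Appends KEY_LINE to the authorized_keys file unless an identical line is
#   already present, creating the .ssh directory with mode 700 and the file
#   with mode 600. Returns 1 if KEY_LINE is not an OpenSSH public-key line.
install_authorized_key() {
    key_line=$1
    auth_file=${2:-"$HOME/.ssh/authorized_keys"}
    ssh_dir=$(dirname "$auth_file")

    # Accept only "<type> <base64> [comment]" for the common key types
    # (sk-* hardware-backed types are left out of this example).
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # -F: literal match, -x: whole line, so the same key is never added twice.
    if ! grep -qFx -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
    return 0
}

# count_authorized_keys [AUTHORIZED_KEYS_PATH]
#   Prints the number of key lines (non-empty, non-comment) in the file.
count_authorized_keys() {
    auth_file=${1:-"$HOME/.ssh/authorized_keys"}
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$auth_file"
}
```

Usage: `install_authorized_key "$(cat /path/to/id_rsa.pub)"` on the remote device, or pass a second argument to target another user's file. Rerunning it with the same key leaves the file unchanged.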

Log in via Key-based SSH

With your public key uploaded to the remote device, we can now go back to our local client and attempt to initiate a key-based SSH connection by entering the following:

> ssh username@<remoteIP>

If you entered a passphrase for your private key file, you will be prompted to enter that passphrase now. Otherwise, your connection will be established immediately.

If you wish to disable password authentication (i.e. the less secure authentication method), you can do so by entering the following on the remote device:

> sudo nano /etc/ssh/sshd_config

Ensure the following line exists and is not commented out (via a # symbol):

PasswordAuthentication no

Finally, press Ctrl + X to exit the file and “Y” to confirm the changes.

You will then need to restart the machine.
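A check for the sshd_config edit above, added as an example that is not part of the original post. Two things commonly undo this edit: sshd applies the first uncommented occurrence of a keyword (documented in sshd_config(5)), so a “PasswordAuthentication no” appended at the end of the file is ignored when an earlier line says “yes”; and a setting placed under a “Match” block only applies to matching connections, not globally. The parser below reads the global section of one file and does not follow Include directives; `sshd -T` prints the fully resolved configuration if you want the authoritative answer. The function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report the PasswordAuthentication
# value sshd will actually apply from a config file such as
# /etc/ssh/sshd_config. sshd uses the FIRST uncommented occurrence of a
# keyword, and lines under a Match block are not global, so this reads only
# the global section (up to the first Match). Include directives are not
# followed here; "sshd -T" shows the fully resolved configuration.

# effective_password_auth CONFIG_PATH
#   Prints the first global PasswordAuthentication value (lower-cased), or
#   sshd's default of "yes" when the keyword is not set.
effective_password_auth() {
    awk '
        NF == 0 || $1 ~ /^#/   { next }   # blank line or comment
        tolower($1) == "match" { exit }   # end of the global section
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# password_auth_disabled CONFIG_PATH
#   Returns 0 when password logins are effectively off, 1 otherwise.
password_auth_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Stand-alone use: check the live server configuration, if it is readable.
if [ -r /etc/ssh/sshd_config ]; then
    echo "PasswordAuthentication effective value: $(effective_password_auth /etc/ssh/sshd_config)"
fi
```

Run it on the remote device after editing the file; if it reports “yes”, look for an earlier uncommented PasswordAuthentication line, or for an Include at the top of the file pulling in a drop-in directory that sets the value first.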

Connect Raspberry Pi Via SSH

Introduction

One of the most fundamental techniques in Raspberry Pi development is connecting to your Raspberry Pi via SSH to manipulate files and execute scripts on the Pi.
The following tutorial applies to all platforms; however, Windows does not have SSH built in by default. To allow SSH access to the Pi from Windows, it is recommended to download a program called PuTTY.

With PuTTY, you can simply enter (and save) the IP address of the Pi, the username and the password (more on this in a moment) and click Open.

[Image: PuTTY Configuration Window]
For the purpose of this tutorial, I will use the ‘terminal’ way of connecting over SSH. Once you connect over SSH via PuTTY on Windows, you will be at the same point post-connection as you would be connecting to the Pi from a Mac/Linux computer.

SSH Setup

Pi Requirements

To begin, you first need to enable SSH on the Pi itself. Unfortunately, this requires you to have a keyboard (plus a mouse if you are not running a headless version of Raspbian) plugged into the Pi for the time being.

To enable SSH, we must use the raspi-config menu:

  1. Boot up the Pi
  2. Type “sudo raspi-config” at the terminal
  3. Navigate to “Advanced Options”
  4. Select “Enable SSH”
  5. Restart the Pi by selecting Finish

Important Note: If this is the first time you have booted up the Pi, then before you restart the Pi (step 5) you must enable the device to auto log-on. Without this option enabled, your Pi will wait in a state where it prompts you to enter the username and password of the user you want to log in as. While the Pi is in this state, you will not be able to SSH into the Pi! See “Enable Boot to desktop” in the raspi-config manual.

Connecting To the Raspberry Pi Via SSH

Now that SSH is enabled on our Pi, we can remove the keyboard and mouse that were previously connected to it and ensure the Pi is plugged into the same network as our main computer.

Default Settings

Unless you have changed them, the default settings for the Pi are as follows:

  • Username: “pi”
  • Password: “raspberry”

Opening the Connection [Mac & Linux]

Open up the terminal and enter the following command:

> ssh pi@192.168.1.5

A prompt will appear to enter the password of the user you wish to log in as. In this example, the user “pi” is chosen.

Of course, don’t forget to change the IP address to match the address of your Pi.

Opening the Connection [Windows]

Simply open PuTTY, enter the IP address of the Pi along with the username and password of the user you want to log in as (see Default Settings if you have not made any changes to the Pi's user account) and click Open.

Getting the IP Address of the Pi

In a future post I will describe how to set up a fixed IP address for your Pi. For now, your Pi will need to be plugged into a monitor. When you boot up your Pi, you should be able to see the following:

[Image: IP Address Shown on Boot]

For those interested in understanding how SSH works and additional security measures to take, read Understanding SSH Keys.