Generating Public Key Raspberry Pi

Using an SSH key to log on to your Raspberry Pi has a number of advantages over the traditional password-only method. Amongst others:

  • A password is not transmitted over the network, preventing interception by eavesdropping.
  • The risk posed by brute force password attack is reduced considerably.
  • Automatic login is possible without having to continuously enter your password (if you use an SSH agent such as Pageant).

In the instructions below, we will create a key pair. One of the keys is known as a public key, and the other a private key. The private key must be closely guarded, but the public key can be distributed freely.

As stated, the private key must be kept secure, so that only you have access to it, and typically it will be stored in encrypted form, requiring a passphrase to open it. In the scenario I present below, the private key will be stored on your PC in encrypted form. A piece of software called Pageant is used to manage this key (and any others you have), and will challenge you for a passphrase when you try to open the key. Once the key is open in Pageant, you will not need to enter the passphrase again unless you exit Pageant or close the key.

The public key will be copied to the Raspberry Pi, and saved in a directory owned by the user “pi”. This directory (/home/pi/.ssh) will be protected by permissions to prevent unauthorised users from placing their own public keys here and thus gaining access with their own key pairs.

With the two keys in place, and Pageant acting as the SSH agent for the private key, Putty software can be used to connect to the Raspberry Pi as user “pi” over SSH.

SSH keys are created using “public-key cryptography”: a public key is stored on the remote device (i.e. a Raspberry Pi) and the matching private key is used by the owner to prove they hold the key pair. The public key can be given to everyone, but the private key must be kept secret. That’s it, job done! You can now log out with the exit command, go back to your local machine, copy the public SSH key from your local machine to your Raspberry Pi, and add it to the authorized_keys file.

So I was considering using a Raspberry Pi 2 B for generating keys. The problem then, is that Tails cannot be run on a Raspberry Pi. So I was thinking about the following: Create a trusted Raspbian image on a cheap 8GB SD card. Use the Raspbian SD card on a Raspberry Pi 2 B (so no Wifi / bluetooth / hard disk). Generate my keys on the Pi.

In order to create the keys in the first place, there are many ways we can do this, but here we will use yet another piece of software, called Puttygen.

Create the keys using PuTTYgen

  • Download PuTTYgen to your PC from http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
  • Run the PuTTYgen.exe file you just downloaded to display the “PuTTY Key Generator” window.
  • Select SSH-2 RSA as the “Type of key to generate” and leave the “Number of bits in a generated key” set to 2048.
  • Click “Generate” and then move the cursor around the blank grey area of the “Key” pane to randomly generate a unique key. On completion, you will see information about the key.
  • Don’t touch the “Key fingerprint” or “Key comment” fields, but enter a passphrase in the “Key passphrase” and “Confirm passphrase” fields. This will encrypt the key on the PC disk and prevent unauthorised access.
  • Click “Save public key” and you will be prompted for the name and location of the public key. Let’s call it “MyPi.pub”, and save it somewhere sensible on your PC.
  • Click “Save private key” and you will be prompted for the name and location of the private key. Let’s call it “MyPi.ppk”, and save it to the same location as your public key.
  • You can now close PuTTYgen.

Copy the public key to your Raspberry Pi

  • Use PuTTY (available from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe) to log on to your Raspberry Pi as user “pi”.
  • Create a directory for the public key and move into it:

    mkdir -p ~/.ssh
    cd ~/.ssh
  • Open the authorized_keys file for editing (assuming it doesn’t already exist):

    sudo vi ~/.ssh/authorized_keys

    …and copy and paste the content of the MyPi.pub key into it. It has to be EXACTLY the same as the original, otherwise it won’t work. You can add multiple keys to the authorized_keys file if necessary, but each one will be on a new line in the file. Save and exit the file.
  • Secure the keys file with:

    sudo chmod 644 ~/.ssh/authorized_keys
    sudo chown pi:pi ~/.ssh/authorized_keys
    sudo chmod 700 ~/.ssh
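One caveat on the paste step: PuTTYgen’s “Save public key” writes the multi-line RFC 4716 layout, which sshd does not accept in authorized_keys; what the file needs is the single “ssh-rsa AAAA… comment” line (the one PuTTYgen shows in its “Public key for pasting into OpenSSH authorized_keys file” box). The Python below is an added example, not code from this guide, that converts a saved .pub file into that one-line form and checks the result; the key material in it is a constructed toy blob, not a real key.

```python
import base64
import struct

def _toy_rsa_blob() -> bytes:
    # Constructed toy key blob, not a real key: SSH wire strings (4-byte length + data)
    # for 'ssh-rsa', mpint e=65537 and a tiny mpint n (leading 0x00 since its top bit is set).
    parts = [b"ssh-rsa", (65537).to_bytes(3, "big"), bytes.fromhex("00c3a5")]
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

# Constructed sample of what PuTTYgen's "Save public key" writes (RFC 4716 layout).
PUTTYGEN_PUB = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    'Comment: "rsa-key-20240101"\n'
    + base64.b64encode(_toy_rsa_blob()).decode() + "\n"
    "---- END SSH2 PUBLIC KEY ----\n"
)

def rfc4716_to_openssh(text: str) -> str:
    """Turn an RFC 4716 public key into the one-line form authorized_keys expects."""
    body, comment, inside = [], "", False
    for line in text.splitlines():
        if line.startswith("---- BEGIN"):
            inside = True
        elif line.startswith("---- END"):
            inside = False
        elif inside and ":" in line:  # header line; base64 never contains ':'
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        elif inside:
            body.append(line.strip())  # base64 body, possibly wrapped across lines
    blob = base64.b64decode("".join(body), validate=True)
    (alg_len,) = struct.unpack(">I", blob[:4])
    alg = blob[4:4 + alg_len].decode("ascii")  # algorithm name embedded in the blob
    line = f"{alg} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line

def valid_authorized_keys_line(line: str) -> bool:
    """Check the shape sshd parses: <type> <base64 blob> [comment], type matching the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (alg_len,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error):  # not base64, or blob too short
        return False
    return blob[4:4 + alg_len] == parts[0].encode()
```

On a machine with OpenSSH installed, `ssh-keygen -i -f MyPi.pub` performs the same conversion.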

Test that the key pair works

  • Open the sshd configuration file for editing with:

    sudo vi /etc/ssh/sshd_config

    …and add to the end of the file:

    UsePAM no
    PermitRootLogin no
    AllowUsers pi
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication yes
  • Restart the ssh service with:

    sudo service ssh restart
  • Exit your PuTTY session, and download the Pageant software from http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe
  • Run the Pageant software you just downloaded, and click “Add Key”. Select the private key file you just created (“MyPi.ppk”) and enter your passphrase when prompted.
  • Now open PuTTY again and try to connect to the Raspberry Pi as user “pi”. You shouldn’t be prompted for a password. If you are, the keys are not matched, or there is a problem with the /etc/ssh/sshd_config file.
  • If all is well, you can continue on to the final step.
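sshd_config is read top to bottom and the first active value of each keyword wins, so directives appended to the end of the file are silently ignored whenever the same keyword already appears uncommented earlier (Debian-based images ship with an active “UsePAM yes” line, for instance). The Python below is an added example, not part of this guide, that resolves a constructed config excerpt the way sshd does and rewrites a directive in place so the new value actually applies; the file contents are a constructed sample.

```python
import re

# Constructed excerpt of a stock Raspbian /etc/ssh/sshd_config with the
# guide's lines appended at the end (sample text, not a real file).
SSHD_CONFIG = """\
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
UsePAM yes
# --- lines appended by the guide ---
UsePAM no
PermitRootLogin no
AllowUsers pi
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
"""

DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)\s+(.*?)\s*$")

def _active_directive(line: str):
    """Return (keyword, value) for an uncommented directive line, else None."""
    if line.lstrip().startswith("#"):
        return None
    m = DIRECTIVE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None

def effective_settings(text: str) -> dict:
    """sshd keeps the FIRST active value of each (case-insensitive) keyword and
    ignores later repeats. Match blocks are not modelled here."""
    seen = {}
    for line in text.splitlines():
        d = _active_directive(line)
        if d and d[0] not in seen:
            seen[d[0]] = d[1]
    return seen

def set_directive(text: str, key: str, value: str) -> str:
    """Rewrite the first active occurrence of `key` (the one sshd obeys), or
    append the directive if there is none, so the new value really applies."""
    out, done = [], False
    for line in text.splitlines():
        d = _active_directive(line)
        if not done and d and d[0] == key.lower():
            out.append(f"{key} {value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"
```

Before restarting the service, `sudo sshd -t` checks the edited file for errors without dropping your current session.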

Disable password authentication on the Raspberry Pi

Now that we have confirmed that we can connect to the Raspberry Pi using keys, we can turn off password authentication altogether for added security.

  • Open the sshd configuration file for editing with:

    sudo vi /etc/ssh/sshd_config

    …and change:

    PasswordAuthentication yes

    …to:

    PasswordAuthentication no
  • Restart the ssh service with:

    sudo service ssh restart
  • Exit your PuTTY session, and then open a new PuTTY session. You should connect immediately without being challenged for authentication.

When you have finished working on the Raspberry Pi

Remember to close down Pageant when you have finished working on the Raspberry Pi, otherwise other users with access to your PC will be able to connect to your Raspberry Pi without being challenged.

It is possible to configure your Pi to allow your computer to access it without providing a password each time you try to connect. To do this you need to generate an SSH key:

Check for existing SSH keys

First, check whether there are already keys on the computer you are using to connect to the Raspberry Pi:

If you see files named id_rsa.pub or id_dsa.pub you have keys set up already, so you can skip the generating keys step (or delete these files with rm id* and make new keys).

Generate new SSH keys

To generate new SSH keys enter the following command:

Upon entering this command, you'll be asked where to save the key. We suggest you save it in the default location (/home/pi/.ssh/id_rsa) by just hitting Enter.

You'll also be asked to enter a passphrase. This is extra security which will make the key unusable without your passphrase, so if someone else copied your key, they could not impersonate you to gain access. If you choose to use a passphrase, type it here and press Enter, then type it again when prompted. Leave the field empty for no passphrase.

Now look inside your .ssh directory:

and you should see the files id_rsa and id_rsa.pub:

The id_rsa file is your private key. Keep this on your computer.

The id_rsa.pub file is your public key. This is what you share with machines you want to connect to. When the machine you try to connect to matches up your public and private key, it will allow you to connect.

Take a look at your public key to see what it looks like:

It should be in the form:

Copy your public key to your Raspberry Pi

To copy your public key to your Raspberry Pi, use the following command, on the computer you will be connecting from, to append the public key to your authorized_keys file on the Pi, sending it over SSH:

Note that this time you will have to authenticate with your password.

Alternatively, if the ssh-copy-id is not available on your system, you can copy the file manually over SSH:

If you see the message ssh: connect to host <IP-ADDRESS> port 22: Connection refused and you know the IP-ADDRESS is correct, then you probably haven't enabled SSH on your Pi. Run sudo raspi-config in the Pi's terminal window, enable SSH, and then try to copy the files again.

Now try ssh <USER>@<IP-ADDRESS> and you should connect without a password prompt.

If you see a message 'Agent admitted failure to sign using the key' then add your RSA or DSA identities to the authentication agent ssh-agent then execute the following command:

If this did not work, delete your keys with rm ~/.ssh/id* and follow the instructions again.

You can also send files over SSH using the scp command (secure copy). See the SCP guide for more information.

Let macOS store your passphrase so you don't have to enter it each time

If you're using macOS and after verifying that your new key allows you to connect, you can optionally choose to store the passphrase for your key in the macOS Keychain. This will make it so that you don't have to enter the passphrase each time you connect to your Pi.

Run the following command to store it in your keychain: