How To Set Up and Distribute SSH Key Pairs

2019-04-22 - By Robert Elder

In this article, we will discuss the process of setting up SSH key pairs. This guide will focus on situations where you have physical access to both computers that you'll be using. The end result will allow you to use SSH to access one computer from the other without needing to type in a password. We will also assume that you already have the ability to access the machine you're granting access for through either password-based SSH authentication, or physical access which you can use to modify files directly.

For this discussion, we will assume that the computer you want to access is a Raspberry Pi (it could be any other Unix machine running an SSH server), and that its IP address on the LAN is '192.168.0.177'. We'll also assume that you want to log in under the user 'pi'. First, let's make sure that you have a '.ssh' directory on your laptop/desktop computer:

mkdir -p ~/.ssh

Now, in order to generate a public and private keypair (on your laptop/desktop), you can use these commands:

cd ~/.ssh
ssh-keygen

to create a keypair named 'my-first-keypair'. When you do this, adding a password is optional so we will leave it blank for this example. Here's what this looks like when I ran through the process:

robert@computer:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/robert/.ssh/id_rsa): my-first-keypair
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my-first-keypair.
Your public key has been saved in my-first-keypair.pub.
The key fingerprint is:
SHA256:2L1U7/JJ8Gak8RqUizZl+Y5b/gNPdybvMgtSBapp3GQ robert@computer
The key's randomart image is:
+---[RSA 2048]----+
|            .    |
|           . .   |
|        E +   .  |
|       B X *   . |
|  .     T @ +    |
|       . o %. o +|
|          * @+ =.|
|           # o= .|
|          +.=.o*.|
+----[SHA256]-----+

The result of running this command is to create two files: 'my-first-keypair' and 'my-first-keypair.pub'. The file 'my-first-keypair' contains the private key and the 'my-first-keypair.pub' contains the public key. Here's a visual illustration of what you just did:

The 'private' key is called private key because you're supposed to keep it secret and it never leaves the computer where it was created. The 'public' key is called public because you can freely share it with others publicly. The private key is something we will use to log into the Raspberry Pi using SSH after we add our public key onto the Raspberry Pi. In order to 'distribute' the public key, you must add it inside a file located at '~/.ssh/authorized_keys' on the machine you need to log into:

In order to use SSH keys to log into your Raspberry Pi, you must first copy your public key to the Raspberry Pi inside a file located at '~/.ssh/authorized_keys'. The 'authorized_keys' file can store multiple keys (one on each line) if you have multiple people or keypairs that are allowed to log in. If you're able to use SSH with a password to access the Pi, you should first make sure that the '~/.ssh' directory exists on the Raspberry Pi:

ssh pi@192.168.0.177 "mkdir -p ~/.ssh"

Now copy the public key over and add it to 'authorized_keys' by running this this command from the laptop:

cat ~/.ssh/my-first-keypair.pub | ssh pi@192.168.0.177 "cat - >> ~/.ssh/authorized_keys"

This command looks complicated, but it just reads a copy of the public key on your current computer, then sends it through the SSH connection and adds it to the end of the 'authorized_keys' file. If you want to check to make sure the public key got copied over, run this command from the laptop:

ssh pi@192.168.0.177 "cat ~/.ssh/authorized_keys"

If you see something that looks like your public key, then it has been copied successfully. Now, try using your private key to see if you can use ssh to log into the Raspberry Pi without a password:

ssh -i ~/.ssh/my-first-keypair pi@192.168.0.177

If you get a command prompt on the Raspberry Pi, then you're in! Congratulations! You have now completed the process of distributing your SSH key!

A Surprisingly Common Mistake Involving Wildcards & The Find Command Published 2020-01-21	$1.00 CAD Terminal Block Mining Simulation Game	A Guide to Recording 660FPS Video On A $6 Raspberry Pi Camera Published 2019-08-01	The Most Confusing Grep Mistakes I've Ever Made Published 2020-11-02
Use The 'tail' Command To Monitor Everything Published 2021-04-08	An Overview of How to Do Everything with Raspberry Pi Cameras Published 2019-05-28	An Introduction To Data Science On The Linux Command Line Published 2019-10-16	Using A Piece Of Paper As A Display Terminal - ed Vs. vim Published 2020-10-05

Why Bother Subscribing?

Free Software/Engineering Content. I publish all of my educational content publicly for free so everybody can make use of it. Why bother signing up for a paid 'course', when you can just sign up for this email list?
Read about cool new products that I'm building. How do I make money? Glad you asked! You'll get some emails with examples of things that I sell. You might even get some business ideas of your own :)
People actually like this email list. I know that sounds crazy, because who actually subscribes to email lists these days, right? Well, some do, and if you end up not liking it, I give you permission to unsubscribe and mark it as spam.