2019-04-22 - By Robert Elder
In this article, we will discuss the process of setting up SSH key pairs. This guide will focus on situations where you have physical access to both computers that you'll be using. The end result will allow you to use SSH to access one computer from the other without needing to type in a password. We will also assume that you already have the ability to access the machine you're granting access for through either password-based SSH authentication, or physical access which you can use to modify files directly.
For this discussion, we will assume that the computer you want to access is a Raspberry Pi (it could be any other Unix machine running an SSH server), and that its IP address on the LAN is '192.168.0.177'. We'll also assume that you want to log in under the user 'pi'. First, let's make sure that you have a '.ssh' directory on your laptop/desktop computer:
mkdir -p ~/.ssh
Now, in order to generate a public and private keypair (on your laptop/desktop), you can use these commands:
cd ~/.ssh
ssh-keygen
to create a keypair named 'my-first-keypair'. When you do this, adding a passphrase is optional, so we will leave it blank for this example (a private key without a passphrase can be used by anyone who obtains a copy of the file). Here's what it looked like when I ran through the process:
robert@computer:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/robert/.ssh/id_rsa): my-first-keypair
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my-first-keypair.
Your public key has been saved in my-first-keypair.pub.
The key fingerprint is:
SHA256:2L1U7/JJ8Gak8RqUizZl+Y5b/gNPdybvMgtSBapp3GQ robert@computer
The key's randomart image is:
+---[RSA 2048]----+
| . |
| . . |
| E + . |
| B X * . |
| . T @ + |
| . o %. o +|
| * @+ =.|
| # o= .|
| +.=.o*.|
+----[SHA256]-----+
The result of running this command is to create two files: 'my-first-keypair' and 'my-first-keypair.pub'. The file 'my-first-keypair' contains the private key and 'my-first-keypair.pub' contains the public key.
The 'private' key is called private because you're supposed to keep it secret, and it never leaves the computer where it was created. The 'public' key is called public because you can freely share it with others. The private key is what we will use to log into the Raspberry Pi over SSH after we add our public key to the Raspberry Pi. In order to 'distribute' the public key, you must add it to a file located at '~/.ssh/authorized_keys' on the machine you need to log into.
In order to use SSH keys to log into your Raspberry Pi, you must first copy your public key to the Raspberry Pi inside a file located at '~/.ssh/authorized_keys'. The 'authorized_keys' file can store multiple keys (one on each line) if you have multiple people or keypairs that are allowed to log in. If you're able to use SSH with a password to access the Pi, you should first make sure that the '~/.ssh' directory exists on the Raspberry Pi:
ssh pi@192.168.0.177 "mkdir -p ~/.ssh"
Now copy the public key over and add it to 'authorized_keys' by running this command from the laptop:
cat ~/.ssh/my-first-keypair.pub | ssh pi@192.168.0.177 "cat - >> ~/.ssh/authorized_keys"
This command looks complicated, but it just reads a copy of the public key on your current computer, then sends it through the SSH connection and adds it to the end of the 'authorized_keys' file. If you want to check to make sure the public key got copied over, run this command from the laptop:
ssh pi@192.168.0.177 "cat ~/.ssh/authorized_keys"
If you see something that looks like your public key, then it has been copied successfully. Now, try using your private key to see if you can use ssh to log into the Raspberry Pi without a password:
ssh -i ~/.ssh/my-first-keypair pi@192.168.0.177
If you get a command prompt on the Raspberry Pi, then you're in! Congratulations! You have now completed the process of distributing your SSH key!
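The append step above adds a duplicate line every time it is re-run and leaves file permissions to chance. The following is an added example, not part of the original article: a sketch of the same step as it could be run on the Raspberry Pi once the '.pub' file is there. The function name 'add_authorized_key' and the sample key are constructed for illustration.

```shell
#!/bin/sh
# add_authorized_key PUBKEY_FILE HOME_DIR   (hypothetical helper)
#   returns 0 = key added, 1 = key already present,
#           2 = file is not a single OpenSSH public key line
add_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2/.ssh
    auth_file=$ssh_dir/authorized_keys

    # A public key is exactly one line: "<type> <base64> [comment]".
    # This also rejects a private key file passed by mistake.
    [ "$(grep -c '' "$pubkey_file")" -eq 1 ] || return 2
    key_line=$(cat "$pubkey_file")
    case $key_line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) return 2 ;;
    esac

    # With StrictModes (the sshd default), key login is refused when
    # these paths are writable by other users, so set modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Append only if this exact line is not already in the file.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Demo against a throwaway directory standing in for the Pi's home.
# The key below is a constructed sample, not a real key.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3-CONSTRUCTED-SAMPLE robert@computer' > "$demo_home/k.pub"
add_authorized_key "$demo_home/k.pub" "$demo_home" && echo "added"
add_authorized_key "$demo_home/k.pub" "$demo_home" || echo "second run: already present"
rm -rf "$demo_home"
```

If key login still prompts for a password after the key is in place, checking these two modes on the Pi is a good first step.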