Setting up SSH Keys on the Raspberry Pi

Setting up SSH keys on a Raspberry Pi is relatively easy and can make connecting to one over a network more convenient. In this tutorial we’ll explain how to create and configure SSH keys so you can connect to a Pi remotely without needing to enter a password.

SSH keys are created using public-key cryptography. A public key is stored on the remote device (e.g. a Raspberry Pi) and the matching private key is used by the owner to prove they own the keys. The public key can be given to anyone, but the private key must be kept secret.

In practice the keys are long strings of characters stored in a text file.

To continue with this tutorial you must have either direct access to the Pi with a keyboard and monitor or remote access using SSH or VNC.

Step 1 : Create SSH Directory & authorized_keys File

To start with navigate to the home directory :

cd ~

and create a new hidden directory called “.ssh” :

mkdir .ssh

Navigate into the new directory :

cd .ssh

and create an empty “authorized_keys” file :

touch authorized_keys

Step 2 : Set Permissions

The permissions on the .ssh directory need to be restricted so only the Pi user can access it :

chmod 700 ~/.ssh

Next change the permissions on the “authorized_keys” file so only the Pi user can read and write :

chmod 600 ~/.ssh/authorized_keys

Step 3 : Creating A New Key Pair

If you want to create a fresh key pair then this is easy to do using the ssh-keygen utility.

Navigate to the SSH directory :

cd ~/.ssh

then run the ssh-keygen utility :

ssh-keygen

You will be prompted for a location to save the key file. Press ENTER to accept the default.

You will be asked for a passphrase. This is optional. A passphrase encrypts the private key file, so if you set one you may be asked for it when using the key. It is an extra security step and you will have to decide if you want to make use of it. Either type a passphrase or leave it blank and press ENTER to finish.

If you use a passphrase do not forget it!

This process should create two files for you. A Public key named “id_rsa.pub” and a matching Private key named “id_rsa”.

Add the contents of the Public key to the authorized_keys file using :

cat id_rsa.pub >> authorized_keys

Some clients prefer PuTTY style keys. I would recommend creating this format now so you have the choice in the future. The following commands will install puttygen and create a PuTTY version of your new key :

sudo apt-get install putty-tools

then :

puttygen id_rsa -o id_rsa.ppk

You should now have three files :

  • id_rsa
  • id_rsa.pub
  • id_rsa.ppk

Copy these files to a safe location. The Private key (id_rsa or id_rsa.ppk) is required by the client you use to connect to the Pi. This might be a PC, laptop or mobile phone. The Public key (id_rsa.pub) is used by the Pi you wish to connect to.

You can use the same Public key on multiple devices as long as you have the Private key to match.

Once you have safely stored the keys somewhere else they can be deleted from the Pi :

rm id_rsa
rm id_rsa.pub
rm id_rsa.ppk

Step 4 : Adding an Existing Key

If you already have a Public/Private key pair you can add the Public key to the “authorized_keys” file.

You’ve got two methods for putting the public key details into the keys file.

The first method is to edit the keys file directly :

nano authorized_keys

and paste the contents of the Public key file into the editor. Use CTRL-X, Y and ENTER to save the changes and return to the command line.

The second method is to copy the Public key file (e.g. id_rsa.pub) into the .ssh directory. Then use the following command to add it to the keys file :

cd ~/.ssh
cat id_rsa.pub >> authorized_keys

where “id_rsa.pub” is your Public key file.

Once the authorized_keys file has been updated you can delete the id_rsa.pub file :

rm id_rsa.pub
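The manual commands in Steps 1, 2 and 4 can be wrapped so that re-running them never duplicates a key, never installs a private key by mistake, and always leaves the 700/600 permissions in place. This is an added example, not part of the original tutorial; the function names install_pubkey and check_ssh_perms are hypothetical.

```shell
# Added example, not from the original tutorial. install_pubkey and
# check_ssh_perms are hypothetical helper names.

# install_pubkey PUBKEY_FILE [SSH_DIR]
# Performs Steps 1, 2 and 4 in one call that is safe to repeat.
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    # Never copy a private key into authorized_keys.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi
    # Accept only a line shaped like "<type> <base64> [comment]".
    key=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$pub" | head -n 1)
    if [ -z "$key" ]; then
        echo "refusing: no public key line found in $pub" >&2
        return 1
    fi

    # Steps 1 and 2: directory and file exist with owner-only permissions.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Step 4: append only if this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# check_ssh_perms [SSH_DIR]
# Fails if group or others have any access to the directory or key file,
# i.e. if the modes are looser than the 700/600 set in Step 2.
check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    for p in "$dir" "$dir/authorized_keys"; do
        mode=$(ls -ld "$p" 2>/dev/null | cut -c5-10)   # group + other bits
        if [ "$mode" != "------" ]; then
            echo "missing or too open: $p" >&2
            return 1
        fi
    done
}
```

After sourcing the file on the Pi, run install_pubkey with the path to your public key file, then check_ssh_perms to confirm the result.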

Step 5: Configure SSH Client

At this point you should be able to use your favourite SSH client to connect to the Pi but rather than specify a password you can point it to the Private key. The exact process for doing this will depend on the client used.

As an example here are the session settings in WinSCP :

[Image: WinSCP Session SSH settings]

The IP address and username must be specified. Under “Advanced” it allows a Private key file to be selected. WinSCP prefers PuTTY style keys but will convert an OpenSSH key into a ppk with a single click.

Other SSH clients operate in a similar way.

Step 6: Connect

If configured correctly connections to the Pi can now be made without having to enter a password.

Although many clients can remember passwords the advantage with SSH keys is that you can use the same key file in all your clients. If you change the key file you won’t have to change the password in all the places you may have it remembered.

You can also store the Private key on a removable drive or within an encrypted container (e.g. VeraCrypt). This means if your computer is stolen the connections to your devices won’t work even if someone can open your SSH client and see your saved sessions. No key file no access!


Convert PPK Files to Private and Public Keys with puttygen

At some point in the future you may need to convert a PuTTY PPK file to OpenSSH style key files. Here are the commands you can use to convert a PPK to private and public keys :

puttygen my_key.ppk -O private-openssh -o my_key.private
puttygen my_key.ppk -O public-openssh -o my_key.public

This guide will allow you to log in to your Pi using SSH keys but the standard username/password approach will still work. Make sure you have changed the default Raspberry Pi password to something secure. I tend to use a password that is at least 15 characters long.

It is possible to rely on SSH keys completely and disable the ability to log in with a password. However this is beyond the scope of this guide.
