Cloud1
Posts: 44
Joined: Sat Jun 05, 2021 3:46 pm

Need info on SSH Keys

Thu Jun 17, 2021 5:20 pm

Hi everyone
I have copied my ssh public key to the Pi I run, and can now ssh in without having to enter a password.

I need to know if I should now go to the Pi, and run ssh-keygen there,
and then run ssh-copy-id example@myothercomputer.com in order that I can ssh from the Pi
to my other computer without entering a password.

Or will doing this mess up what I already have done in being able to access my Pi from my computer
without having to enter a password, I need to keep access to the Pi password free so Cron can run
scripts without asking for a password.

Also, can rsync be run on either computer or Pi via Cron, or is it best to push the backup from the main computer
to the Pi, would this push from the more powerful computer to the Pi also be easier on resources for the Pi than
the Pi pulling a backup from the more powerful computer, trying to figure out what direction is best so the Pi
doesn't get the heavy lifting.
I will probably reformat the backup drive on the Pi to ext4 to help it too, it's currently NTFS.

Thanks

pidd
Posts: 2277
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK
Contact: Website

Re: Need info on SSH Keys

Thu Jun 17, 2021 7:34 pm

SSH key in one direction won't mess the other up, it only affects the "in" direction because the user has been given the key to allow it in.

Rsync can pull or push, the argument about which is the best way has gone on for years. Although I prefer to push I've ended up mostly pulling as that means I can have less ssh-keys floating around, especially not allowing my internet server to ssh out to my other machines as root. My backup Pi pulls everything in from the other Pi's, my desktop can go wherever it wants but my internet server finds the doors are shut.

Cloud1
Posts: 44
Joined: Sat Jun 05, 2021 3:46 pm

Re: Need info on SSH Keys

Thu Jun 17, 2021 11:41 pm

pidd wrote:
Thu Jun 17, 2021 7:34 pm
SSH key in one direction won't mess the other up, it only affects the "in" direction because the user has been given the key to allow it in.

Rsync can pull or push, the argument about which is the best way has gone on for years. Although I prefer to push I've ended up mostly pulling as that means I can have less ssh-keys floating around, especially not allowing my internet server to ssh out to my other machines as root. My backup Pi pulls everything in from the other Pi's, my desktop can go wherever it wants but my internet server finds the doors are shut.
Thank you for posting @pidd
If I understand right, and use my Pi to pull backups, then I will need to have the Pi
ssh to my computer, and to do this via rsync and Cron I will need to import the
private key from my Pi to my computer.

pidd
Posts: 2277
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK
Contact: Website

Re: Need info on SSH Keys

Fri Jun 18, 2021 12:50 am

Yes, create the key on your computer (with correct user - usually root for backups) then transfer it to the Pi root user

I normally copy and paste it into /root/.ssh/authorized_keys.

Test it by logging into the pi then

Code:

sudo ssh mycomputer
You might have to confirm the host if it is the first time root@pi has ssh in to root@mycomputer

bls
Posts: 1564
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Need info on SSH Keys

Fri Jun 18, 2021 12:57 am

pidd wrote:
Fri Jun 18, 2021 12:50 am
Yes, create the key on your computer (with correct user - usually root for backups) then transfer it to the Pi root user
I'm pretty sure that the user information isn't stored in the key. I've moved keys created by one user to another with no problem.

That said, the keys need to be configured correctly (in ~/.ssh) for the user that's going to be using them, so if that's what you were saying, then absolutely agree.
Pi tools:
Quickly and easily build customized-just-for-you SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure strongSwan VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

pidd
Posts: 2277
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK
Contact: Website

Re: Need info on SSH Keys

Fri Jun 18, 2021 1:18 am

bls wrote:
Fri Jun 18, 2021 12:57 am
pidd wrote:
Fri Jun 18, 2021 12:50 am
Yes, create the key on your computer (with correct user - usually root for backups) then transfer it to the Pi root user
I'm pretty sure that the user information isn't stored in the key. I've moved keys created by one user to another with no problem.

That said, the keys need to be configured correctly (in ~/.ssh) for the user that's going to be using them, so if that's what you were saying, then absolutely agree.
The key has the target user and host on the end of the key eg it would be root@mycomputer in my example above. Yes, it is portable and can be given to any user on any computer, the OP said he intended to use cron to pull a rsync backup from @mycomputer to @pi, it makes sense to do it all as root.

Cloud1
Posts: 44
Joined: Sat Jun 05, 2021 3:46 pm

Re: Need info on SSH Keys

Fri Jun 18, 2021 1:24 am

pidd wrote:
Fri Jun 18, 2021 1:18 am
bls wrote:
Fri Jun 18, 2021 12:57 am
pidd wrote:
Fri Jun 18, 2021 12:50 am
Yes, create the key on your computer (with correct user - usually root for backups) then transfer it to the Pi root user
I'm pretty sure that the user information isn't stored in the key. I've moved keys created by one user to another with no problem.

That said, the keys need to be configured correctly (in ~/.ssh) for the user that's going to be using them, so if that's what you were saying, then absolutely agree.
The key has the target user and host on the end of the key eg it would be root@mycomputer in my example above. Yes, it is portable and can be given to any user on any computer, the OP said he intended to use cron to pull a rsync backup from @mycomputer to @pi, it makes sense to do it all as root.
Yes, I want the Pi to pull from the daily use computer.
But would that not mean copying a public key from the Pi to the computer, so Pi can attain
ssh access without being prompted for a password.

Cloud1
Posts: 44
Joined: Sat Jun 05, 2021 3:46 pm

Re: Need info on SSH Keys

Fri Jun 18, 2021 1:32 am

pidd wrote:
Fri Jun 18, 2021 12:50 am
Yes, create the key on your computer (with correct user - usually root for backups) then transfer it to the Pi root user

I normally copy and paste it into /root/.ssh/authorized_keys.

Test it by logging into the pi then

Code:

sudo ssh mycomputer
You might have to confirm the host if it is the first time root@pi has ssh in to root@mycomputer
This seems opposite to what I want, I need Pi to access my daily computer via ssh without
being prompted for a password, so do I generate ssh keys on the Pi with ssh-keygen,
and then copy the public key from the Pi to my daily computer to solve this problem.
Last edited by Cloud1 on Fri Jun 18, 2021 1:42 am, edited 1 time in total.

pidd
Posts: 2277
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK
Contact: Website

Re: Need info on SSH Keys

Fri Jun 18, 2021 1:42 am

Cloud1 wrote:
Fri Jun 18, 2021 1:32 am
pidd wrote:
Fri Jun 18, 2021 12:50 am
Yes, create the key on your computer (with correct user - usually root for backups) then transfer it to the Pi root user

I normally copy and paste it into /root/.ssh/authorized_keys.

Test it by logging into the pi then

Code:

sudo ssh mycomputer
You might have to confirm the host if it is the first time root@pi has ssh in to root@mycomputer
This seems opposite to what I want, I need Pi to access my daily computer via ssh without
being prompted for a password, so do I copy my public key from the Pi to my daily computer
to solve this problem.
It is a one off for ssh to put it (mycomputer) in the user's known_hosts list (on the pi), that's why I suggested doing the ssh test, you answer yes to the prompt and it is then stored and you don't get asked again unless something is changed (I think it might run off mac address - maybe).

Cloud1
Posts: 44
Joined: Sat Jun 05, 2021 3:46 pm

Re: Need info on SSH Keys

Fri Jun 18, 2021 2:09 am

pidd wrote:
Fri Jun 18, 2021 1:42 am
Cloud1 wrote:
Fri Jun 18, 2021 1:32 am
pidd wrote:
Fri Jun 18, 2021 12:50 am
Yes, create the key on your computer (with correct user - usually root for backups) then transfer it to the Pi root user

I normally copy and paste it into /root/.ssh/authorized_keys.

Test it by logging into the pi then

Code:

sudo ssh mycomputer
You might have to confirm the host if it is the first time root@pi has ssh in to root@mycomputer
This seems opposite to what I want, I need Pi to access my daily computer via ssh without
being prompted for a password, so do I copy my public key from the Pi to my daily computer
to solve this problem.
It is a one off for ssh to put it (mycomputer) in the user's known_hosts list (on the pi), that's why I suggested doing the ssh test, you answer yes to the prompt and it is then stored and you don't get asked again unless something is changed (I think it might run off mac address - maybe).
I generated ssh keys on my daily computer, copied the public key to my Pi,
and can ssh from my computer to my Pi without being prompted for a password.

But when I go to my Pi, and ssh to my computer I get asked for a password, which is not
what I want, so I think I will now need to go to my Pi and generate a set of keys and copy
the public key from the Pi to the computer, this would seem the only logical way for me
to ssh from my Pi to my computer without being prompted for a password, it is late now so
I will try this tomorrow.
If anyone thinks my approach is wrong please advise, thanks.

pidd
Posts: 2277
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK
Contact: Website

Re: Need info on SSH Keys

Fri Jun 18, 2021 2:23 am

My humblest apologies, I did get it back to front - I even thought I had double checked where my keys were (because I got it back-to-front once before) :oops:

Cloud1
Posts: 44
Joined: Sat Jun 05, 2021 3:46 pm

Re: Need info on SSH Keys

Fri Jun 18, 2021 2:37 am

pidd wrote:
Fri Jun 18, 2021 2:23 am
My humblest apologies, I did get it back to front - I even thought I had double checked where my keys were (because I got it back-to-front once before) :oops:
No problem, am new to all this, so I realise my questions may be hard to understand, or confusing,
and lots may just pass them by, so I am happy to get replies, even if I don’t understand them,
I take another shot and shake the tree, no other choice when learning.

bls
Posts: 1564
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Need info on SSH Keys

Fri Jun 18, 2021 3:29 am

pidd wrote:
Fri Jun 18, 2021 1:18 am

The key has the target user and host on the end of the key eg it would be root@mycomputer in my example above. Yes, it is portable and can be given to any user on any computer, the OP said he intended to use cron to pull a rsync backup from @mycomputer to @pi, it makes sense to do it all as root.
Not to drag this off-topic, but in the interest of completeness and correctness, will mention that my keys don't have the user and host in them. I'm pretty sure they did at one point in the past, but I haven't seen that for years.

As a test, I just tried generating both an ecdsa key and a 'standard' rsa key, and neither of them have the target user and host at the end of the key. Here they are (I already deleted them, so no worries!):

Code:

bash$ ssh-keygen -t ecdsa -C foo
bash$ cat foobar.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEimSexFcEcraQWi8geyZZ/KmSoFwdbl8yEUV27zXIoKEvILVDLQmxHXO+Ea5gFZaf9/c01+p7X7welEa1kZsOU= foo
bash$ ssh-keygen -C foo
bash$ cat foobar2.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkJETq7p0DfJmU3iGcskmGmbxnl+3Z3jf+As6bpCMSac05ArXbbbEAl/M9UREevXVBk4w/twEzFJI1H+7FdDzTgi+X2cd8BR8rCTFH8Kdky6KjRRO58C8FJzwqoaZCnwswH0UPViMOPXG79CK0I0+zTBL62EtprxQGbAiUWILPYKWX1fBK3l2qAO0ttCrN2EOD0YXLIuwRTMYIVEjORiFt9nB0NGzAV6bKmK7S6KRgTOVTwn0QZJw6qgVS633JwauCkEf+ipQxQNBIOXB+10WGl+oEAFVKMG5+04Ed4FFN92BYATDRPhFAXHRoaMdCPDQVnJwfURgwgvuVlcjPlUhb foo
I like it much better this way, as the comment ends up in the key, so they can be somewhat self-identifying.
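Added example, not part of any post in this thread: a small Python check of the two points the discussion settles on, that the trailing comment (such as root@pi or foo) is only a label outside the key material, and that passwordless login works when the connecting machine's public key is listed in authorized_keys on the machine being logged into. The key lines are constructed sample data (32 made-up bytes shaped like an ed25519 key), and the function names are this example's own.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_key_line(line):
    """Return (options, key_type, blob, comment) for a .pub or authorized_keys line."""
    fields = line.split()
    # Options may precede the key type (assumes no option value is a bare type name).
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type and blob found")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob starts with a length-prefixed algorithm name that must match the type field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[idx].encode():
        raise ValueError("key type does not match blob")
    return " ".join(fields[:idx]), fields[idx], blob, " ".join(fields[idx + 2:])


def fingerprint(line):
    """SHA256 fingerprint in the style ssh-keygen -l prints; the comment is not hashed."""
    digest = hashlib.sha256(parse_key_line(line)[2]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def is_authorized(pub_line, authorized_keys_text):
    """True if the key in pub_line is listed in the target account's authorized_keys."""
    wanted = parse_key_line(pub_line)[2]
    rows = [r for r in authorized_keys_text.splitlines() if r.strip() and not r.lstrip().startswith("#")]
    return any(parse_key_line(r)[2] == wanted for r in rows)


def sample_line(seed, comment):
    """Constructed ed25519-shaped key line (32 made-up bytes, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


PI_KEY = sample_line(1, "root@pi")          # public key generated on the Pi
OTHER_KEY = sample_line(2, "user@laptop")   # an unrelated key
# authorized_keys on the daily computer: the Pi's key, relabelled, with an option in front.
COMPUTER_AUTH = "# backup pull key\nno-pty " + sample_line(1, "pi-backup-pull") + "\n"

if __name__ == "__main__":
    print(fingerprint(PI_KEY), is_authorized(PI_KEY, COMPUTER_AUTH))
```

The match is on the decoded key blob, so changing the comment or adding options on the authorized_keys line does not change which key is accepted.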
