Logging in via Putty and Secure Keys


by Miles2912 » Wed Jul 25, 2012 2:00 am
My example uses the pi and putty in windows - the goal is to log in via putty with secure keys. Putty is freeware. Also grab puttygen to make the keys. This assumes that you are in the pi with putty (lol sounds like we are back in grade school)

Locking down the pi with ssh keys. I logged in as root to do all of this. Might be a lot easier that way. I have found the easiest way is to do a sudo -i. To leave root type 'exit'

On the pi run #ssh-keygen to make your keys

This creates a .ssh directory under root's account. In that directory there are 2 files. id_rsa and id_rsa.pub.

Your server is in theory public - ie. anyone can access it. The way to unlock this public server is with keys - private keys. With that concept in mind we leave the public keys on the server and use the private keys in putty to gain access.

I am going to be a little vague here. Part of the fun for me at least is learning the linux os - from a command line. I try to avoid the gui. Reminds me of my old DOS days. So here are the steps.

1) create a sub directory called .ssh in your local users home directory.
2) chmod the directory 755
3) copy the id_rsa.pub from root to that directory (a little tricky here - hint! search for scp)
4) rename the file authorized_keys (hint ren doesn't work - this is NOT DOS :))
5) edit the /etc/ssh/sshd_config file to make all this work (I am going to give this one to you, make sure -RSAAuthentication yes and - PubkeyAuthentication yes. On my distribution this was already done but make sure)
6) list all the text in id_rsa. It is just a bunch of text with
-----BEGIN RSA PRIVATE KEY-----
and at the end
-----END RSA PRIVATE KEY-----

ON A WINDOWS machine
7) copy that text to a windows text doc - save locally.
8) Import that into puttygen (PUTTYGEN not Putty) via that big 'Load an existing private key' LOAD button
9) Export your private key file
10) In putty under connection -->ssh --->auth Browse to your private key file

Now in theory you are good to go. Reconnect to the pi. It should just ask for a user name and then auto-log you in with the keys.

Taking this one step further enter the user name in Putty under Connection --> Data [Auto-login username]. Now just launch putty and you are in.

EXTRA CREDIT ASSIGNMENT!
At this point look into connecting to your pi via ssh on a new port (22 is way too generic) and removing the password prompt completely for added security. Don't forget this is a toy - have fun playing.



EDIT ---- I did this a few years back and there are easier ways. Logging in as root is not the way to go. Putty and the files that come with it can do this a lot easier too.
Last edited by Miles2912 on Tue Apr 29, 2014 3:25 am, edited 1 time in total.
Posts: 3
Joined: Tue Jul 10, 2012 5:46 am
Location: Long Beach, CA
by bobdaniel » Thu Sep 06, 2012 9:48 am
Thanks.
This was the only tutorial that I found that actually works. The others skim over the creation of keys, and so connecting fails.
Congratulations.
Bob
Posts: 3
Joined: Mon Jul 09, 2012 5:17 pm
by jojopi » Thu Sep 06, 2012 9:30 pm
Miles2912 wrote: I logged in as root to do all of this. Might be a lot easier that way.
Actually, this makes your procedure much more complicated. There is no need to be root either to generate or to authorize ssh keys. And all of your steps involving creating .ssh, setting permissions, and copying files from /root, would have been unnecessary if you had run ssh-keygen as the correct user.

A lesser problem with your technique is that you create the key-pair on the destination machine and then copy the private key to the source machine. The recommended practice is to create the key-pair on the source machine, using puttygen, and then copy the public part to the destination.

It is best never to copy a private key, and especially for the destination system never to see it, so that you use the same key to access multiple destinations. In your scheme you must make a new key for each destination. Otherwise another user on pi1 can potentially impersonate you and log in to pi2.
Posts: 2939
Joined: Tue Oct 11, 2011 8:38 pm
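
The practice jojopi recommends (key pair made on the Windows side with puttygen, only the public part copied to the Pi), as an added example that is not part of the original thread: a shell function, run on the Pi as the login user, that installs the one-line OpenSSH public key text and refuses private-key material. The name `install_pubkey` and its optional second argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. install_pubkey is a hypothetical name.
# Usage: install_pubkey KEYFILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    keyfile=$1
    home=${2:-$HOME}
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # Private key material (PEM or PuTTY .ppk) must never reach the destination.
    if grep -q 'PRIVATE KEY' "$keyfile" || grep -q '^PuTTY-User-Key-File' "$keyfile"; then
        echo "refusing: $keyfile is a private key" >&2; return 2
    fi
    # PuTTYgen's "Save public key" writes the multi-line SSH2 format, which
    # sshd does not accept in authorized_keys.
    if grep -q 'BEGIN SSH2 PUBLIC KEY' "$keyfile"; then
        echo "refusing: SSH2 format, use the one-line OpenSSH text" >&2; return 3
    fi
    # Expect exactly one line: "<type> <base64> [comment]".
    [ "$(grep -c . "$keyfile")" -eq 1 ] || { echo "expected one key line" >&2; return 4; }
    # Strip carriage returns in case the file was saved on Windows.
    line=$(tr -d '\r' < "$keyfile" | grep .)
    case $line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 4 ;;
    esac

    # sshd's default StrictModes rejects group/world-writable paths;
    # 700 and 600 are the conventional safe modes.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 5
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 5
    # Append rather than overwrite, and skip a key that is already present.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}

# Run directly as: sh install_pubkey.sh mykey.pub
if [ "$#" -gt 0 ]; then install_pubkey "$@"; fi
```

The text to save into the key file is what PuTTYgen shows in its "Public key for pasting into OpenSSH authorized_keys file" box.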