My example uses the pi and putty in Windows - the goal is to log in via putty with secure keys. Putty is freeware. Also grab puttygen to make the keys. This assumes that you are in the pi with putty (lol sounds like we are back in grade school).
Locking down the pi with ssh keys. I logged in as root to do all of this. Might be a lot easier that way. I have found the easiest way is to do a sudo -i. To leave root type 'exit'.
On the pi run #ssh-keygen to make your keys
This creates a .ssh directory under root's account. In that directory there are 2 files: id_rsa and id_rsa.pub.
Your server is in theory public - i.e. anyone can access it. The way to unlock this public server is with keys - private keys. With that concept in mind we leave the public keys on the server and use the private keys in putty to gain access.
I am going to be a little vague here. Part of the fun for me at least is learning the linux os - from a command line. I try to avoid the gui. Reminds me of my old DOS days. So here are the steps.
1) create a sub directory called .ssh in your local users home directory.
2) chmod the directory 755
3) copy the id_rsa.pub from root to that directory (a little tricky here - hint! search for scp)
4) rename the file authorized_keys (hint ren doesn't work - this is NOT DOS )
5) edit the /etc/ssh/sshd_config file to make all this work (I am going to give this one to you, make sure -RSAAuthentication yes and - PubkeyAuthentication yes. On my distribution this was already done but make sure)
6) list all the text in id_rsa. It is just a bunch of text with
-----BEGIN RSA PRIVATE KEY-----
and at the end
-----END RSA PRIVATE KEY-----
ON A WINDOWS machine
7) copy that text to a windows text doc - save locally.
8) Import that into puttygen (PUTTYGEN not Putty) via that big 'Load an existing private key' LOAD button
9) Export your private key file
10) In putty under connection -->ssh --->auth Browse to your private key file
Now in theory you are good to go. Reconnect to the pi. It should just ask for a user name and then auto-log you in with the keys.
Taking this one step further enter the user name in Putty under Connection --> Data [Auto-login username]. Now just launch putty and you are in.
EXTRA CREDIT ASSIGNMENT!
At this point look into connecting to your pi via ssh on a new port (22 is way too generic) and removing the password prompt completely for added security. Don't forget this is a toy - have fun playing.
EDIT ---- I did this a few years back and there are easier ways. Logging in as root is not the way to go. Putty and the files that come with it can do this a lot easier too.
Miles2912 wrote: I logged in as root to do all of this. Might be a lot easier that way.
Actually, this makes your procedure much more complicated. There is no need to be root either to generate or to authorize ssh keys. And all of your steps involving creating .ssh, setting permissions, and copying files from /root, would have been unnecessary if you had run ssh-keygen as the correct user.
A lesser problem with your technique is that you create the key-pair on the destination machine and then copy the private key to the source machine. The recommended practice is to create the key-pair on the source machine, using puttygen, and then copy the public part to the destination.
It is best never to copy a private key, and especially for the destination system never to see it, so that you use the same key to access multiple destinations. In your scheme you must make a new key for each destination. Otherwise another user on pi1 can potentially impersonate you and log in to pi2.
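The destination-side half of the practice recommended in the reply above, as an added example that is not part of the original posts: the key pair stays on the Windows machine and only the one-line OpenSSH public key is installed on the pi, as the normal user. The function name install_pubkey and the sample key are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example: install an OpenSSH-format PUBLIC key for the current user.
# install_pubkey is a hypothetical helper, not part of OpenSSH or PuTTY.

install_pubkey() {
    key_line=$1
    ssh_dir="${HOME}/.ssh"
    auth_file="${ssh_dir}/authorized_keys"
    nl='
'
    # A private key must never reach the destination: refuse it outright.
    case $key_line in
        *"PRIVATE KEY"*) echo "refusing: private key material" >&2; return 2 ;;
    esac
    # Accept exactly one line that starts with a known public key type.
    case $key_line in
        *"$nl"*) echo "refusing: more than one line" >&2; return 3 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 3 ;;
    esac
    # Owner-only modes (tighter than the 755 used in the first post).
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # Append only if this exact line is not already authorized.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}

# Demo with a constructed (not real) key, run against a throwaway HOME.
demo_home=$(mktemp -d) || exit 1
( HOME=$demo_home; export HOME
  install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY constructed@example'
  ls -ld "$HOME/.ssh" "$HOME/.ssh/authorized_keys" )
rm -rf "$demo_home"
```

Run as the user who will log in, not as root, so the file lands in that user's home with the right ownership.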