tpyo kingg
Posts: 982
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

How can I pre-load an SSH key onto a new SD card?

Tue May 01, 2018 1:44 pm

I can't find an authoritative source, but it seems that several sites mention that if one adds an empty file named ssh to the SD card's VFAT partition, then when the Raspberry Pi is booted for the first time, the SSH daemon is started automatically. However, there seems to be no way to pre-load a new password.

Is there a way to pre-load ~pi/.ssh/authorized_keys with an SSH key or two prior to first boot? If so, how?

If not, it would make sense (to me) that if I were to put an SSH key in the ssh file, it would be copied automatically to ~pi/.ssh/authorized_keys and then possibly PasswordAuthentication set to "no" in /etc/ssh/sshd_config.

The following script would do that if run before the ssh file is removed. How should I go about requesting adding this to the Raspbian image?

Code:

#!/bin/sh
set -e;
PATH=/usr/sbin:/usr/bin:/sbin:/bin;

# Abort (via set -e) unless /boot/ssh parses as an SSH public key.
ssh-keygen -q -l -f /boot/ssh > /dev/null 2>&1;

# Install the key as pi's authorized_keys.
mkdir -p -m 700 /home/pi/.ssh/
cp /boot/ssh /home/pi/.ssh/authorized_keys;
chmod 640 /home/pi/.ssh/authorized_keys;
chown -R pi:pi /home/pi/;

# Turn off password logins, keeping the original as sshd_config.orig.
sed -i.orig '/^#PasswordAuthentication yes/cPasswordAuthentication no' /etc/ssh/sshd_config

exit 0;

Or something like that.

n67
Posts: 938
Joined: Mon Oct 30, 2017 4:55 pm

Re: How can I pre-load an SSH key onto a new SD card?

Tue May 01, 2018 1:52 pm

This is a (yet another) special case of the generalized problem of pre-configuring Raspbian.

There is an eternal debate as to whether or not it should be possible to do arbitrary things, such as this. Everyone pretty much agrees that the current system - with exactly two working cases (ssh and wpa_supplicant) - is a stopgap on the way to a more generalized solution. However, the fact that the Foundation seems to be dragging its feet on this (yes, yes, I know, ...) seems to indicate that one should not hold one's breath for additional functionalities (beyond "ssh" and "wpa_supplicant") to be implemented ("officially").

That all said, it *IS* possible to do something like this - without official support. Or at least it is in theory; I've never had sufficient motivation to try it out myself. That would be by going into the FAT partition (the one you can see from Windows) and editing cmdline.txt. You would append something like:

Code:

init=/path/to/my/script

at the end of the line. Then, when the card/system is booted, it would, in theory at least, run your script, and that script could do whatever you like.

From what I hear, "Pi Bakery" uses this technique to perform its magic.
Last edited by n67 on Tue May 01, 2018 2:38 pm, edited 1 time in total.
"Hell is other people"

G fytc hsqr rum umpbq rm qyw rm rfc kmbq md rfgq dmpsk:

Epmu Sn!

J lnacjrw njbruh-carppnanm vxm rb mnuncrwp vh yxbcb!

tpyo kingg

Re: How can I pre-load an SSH key onto a new SD card?

Tue May 01, 2018 2:22 pm

Thanks. Using init= makes sense as a work-around.

Which script should my custom script then call so that the rest remains as before? Would that be /usr/lib/raspi-config/init_resize.sh as found in cmdline.txt in the original boot directory?

n67

Re: How can I pre-load an SSH key onto a new SD card?

Tue May 01, 2018 2:43 pm

IDK on that. As I say, I've never tried it.

An alternative, though - and one much simpler - is to reject the assumption that it must be do-able using only Windows (or Mac). I.e., assume instead that you are working on a Linux system (as all us Kewl People do). Then you can just go ahead and do what you want to do (on/in the ext4 partition), without needing to faff around with only being able to access the FAT partition.

I.e., instead of asking for another hack like the ssh and wpa_supplicant ones, where you put your keys file and have it get magically picked up by some magic protocol, you would just put your keys file where it needs to be (in /home/pi/.ssh).

tpyo kingg

Re: How can I pre-load an SSH key onto a new SD card?

Tue May 01, 2018 2:49 pm

Ok. Yes, it's much easier to just mount ext4 and write directly to the authorized_keys file there.

I have enough info for now to experiment quite a bit and will write back later.

Thanks.

tpyo kingg

Preloading Raspbian with SSH Keys

Thu May 03, 2018 1:21 pm

Here are the steps:

1) Burn Raspbian to the SD card

2) Mount the VFAT and EXT4 partitions from the SD card,
for brevity referred to here as /mnt01/ and /mnt02/ respectively.
The actual path will be different.

3) Add the file "ssh.txt" to the VFAT partition.

Code:

        sudo touch /mnt01/ssh.txt

4) Make an SSH key pair and transfer the public key to the EXT4 partition.

Code:

        cd ~/.ssh/
        ssh-keygen -t ed25519 -f rpi.ed25519 -C "me at my laptop"

        sudo mkdir -m 700 /mnt02/home/pi/.ssh/
        sudo cp rpi.ed25519.pub /mnt02/home/pi/.ssh/authorized_keys
        sudo chown -R 1000:1000 /mnt02/home/pi/.ssh/

5) Update the SSH server's configuration to block password authentication.
Change "#PasswordAuthentication yes" to "PasswordAuthentication no"
Note the removal of the comment marker pound sign (#)

Code:

        sudoedit /mnt02/etc/ssh/sshd_config

6) Unmount and remove the SD card.
Now it is ready to use for installation and can be reached via SSH with the key only.
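
Steps 3 to 5 of the post above as one non-interactive function, followed by a check of the resulting setting. This is an added example, not part of the original post: the function names are made up here, and BOOT and ROOT stand for wherever the two partitions are mounted. It goes slightly beyond the manual edit by rejecting anything that is not a single public-key line and by removing every existing PasswordAuthentication line before setting it once.

```shell
#!/bin/sh
# Added example, not from the thread. BOOT and ROOT are the mount points of
# the VFAT and EXT4 partitions (/mnt01 and /mnt02 in the post). Function names
# are made up here. Run as root against a real card.
preload_pi_ssh() {
    boot=$1 root=$2 pubkey=$3
    conf="$root/etc/ssh/sshd_config"
    sshdir="$root/home/pi/.ssh"

    # Accept exactly one public-key line, so a private key file picked by
    # mistake is never copied onto the card.
    [ "$(grep -c . "$pubkey")" -eq 1 ] &&
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' "$pubkey" ||
        { echo "not a single OpenSSH public key: $pubkey" >&2; return 1; }
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    # Step 3: marker file on the boot partition (name as given in the post).
    touch "$boot/ssh.txt" || return 1

    # Step 4: install the key; sshd's StrictModes rejects loose permissions.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" &&
        cp "$pubkey" "$sshdir/authorized_keys" &&
        chmod 600 "$sshdir/authorized_keys" || return 1
    # uid/gid 1000 is taken from the post; only root can set it.
    if [ "$(id -u)" -eq 0 ]; then chown -R 1000:1000 "$sshdir" || return 1; fi

    # Step 5: sshd keeps the first value it reads for a keyword, so remove
    # every PasswordAuthentication line (commented or not) and set it once
    # at the top, ahead of any Match block.
    tmp=$(mktemp) || return 1
    { echo "PasswordAuthentication no"
      sed -E '/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]/d' "$conf"
    } > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

# Check: print the first uncommented PasswordAuthentication value, which is
# the one sshd applies globally (Match blocks are not evaluated here).
effective_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' \
        "$1/etc/ssh/sshd_config"
}
```

With the card mounted as in the post, the call would be `preload_pi_ssh /mnt01 /mnt02 ~/.ssh/rpi.ed25519.pub`, and `effective_password_auth /mnt02` should then print `no`.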

n67

Re: How can I pre-load an SSH key onto a new SD card?

Thu May 03, 2018 2:07 pm

> 2) Mount the VFAT and EXT4 partitions from the SD card,
> for brevity referred to here as /mnt01/ and /mnt02/ respectively.
> The actual path will be different.

Yes, as I mentioned at length above, it is all easy if you relax the requirement that it be doable on Windows or Mac. I.e., if you assume a Linux system (as you do above), then it is all trivial.

(Insert old economist joke about "First you assume a can opener" here...)

Not that I'm saying you're wrong, by the way, but what I am saying is that the whole point of the existing ssh.txt and wpa_supplicant tricks is that they can be done from a non-Linux host machine.

If you relax that assumption - that is, allow the hacking to be done on a Linux system by directly mounting the ext4 partition - then it all becomes trivial - and you don't need to do the "put a magic file in a magic location and have the booting Pi system do the magic" trick.

Usually whenever this topic comes up on the board, people are assuming the assumption and trying to come up with tricks that allow it to be done under that assumption.

tpyo kingg

Re: How can I pre-load an SSH key onto a new SD card?

Thu May 03, 2018 6:19 pm

> Not that I'm saying you're wrong, by the way, but what I am saying is that the whole point of the existing ssh.txt and wpa_supplicant tricks is that they can be done from a non-Linux host machine.

I understand the point.

So the real trick would be instructions to generate the keys for the Windows' legacy users. They cannot mount the EXT4 partition and so need a script in /boot/ but that script cannot generate the keys because the private key is already needed on the client machine before first boot. The legacy systems also lack standard SSH utilities so making keys would be a challenge. I have read that PuTTY can generate OpenSSH-compatible Keys but have no way to test. That method seems to involve copy-paste of some output which increases the probability of mistakes, I would think.

In most cases, anyone still on Windows won't know shell scripting so the script in the first post above would be voodoo to them. If they cargo-cult it, the script could be loaded from cmdline.txt via the init setting and then call /usr/lib/raspi-config/init_resize.sh on first boot. But then the question of generating keys remains. Though once generated they could be put in ssh.txt.

*BSD and OS X users would not be able to mount the EXT4 partition but would have no problem generating keys. Likewise, Linux users would have no problem making their keys.
