If you’re comfortable that you’ve got a strong firewall and password on it, you can preshare keys between all of your raspberries! That way, when you ssh from pi to pi, you don’t have to constantly type your password on each pi. The process is fairly simple. Key-based authentication in SSH is called “public key authentication”, as opposed to “password authentication”.
SETTING UP PUBLIC KEY AUTHENTICATION
The process is as follows:
- GENERATE AN SSH KEY – With OpenSSH, an SSH key is created using ssh-keygen. In the simplest form, just run ssh-keygen and answer the questions.
- COPY THE KEY TO A SERVER – Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server. Once the key has been authorized for SSH, it grants access to the server without a password.
Here’s an example:
login as: pi
pi@webs1's password:
pi@webs1:~ $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa): [enter]
Created directory '/home/pi/.ssh'.
Enter passphrase (empty for no passphrase): [enter]
Enter same passphrase again: [enter]
Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UMzEag52eIwlFF9kCkNQ6BL1xRkl9jE8zf1IPfgemyQ pi@webs1
The key's randomart image is:
+---[RSA 2048]----+
| .oBo=@Xo . o    |
|. ...+Boo + o    |
| o .+... . + .   |
|. . = *. E =     |
| . . * S + +     |
| . +             |
|                 |
|                 |
|                 |
+----[SHA256]-----+
pi@webs1:~ $ ssh-copy-id pi@webs2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/pi/.ssh/id_rsa.pub"
The authenticity of host 'webs2 (10.0.0.204)' can't be established.
ECDSA key fingerprint is SHA256:4BOv0si6zdSHtgQjF2OdW0TH8lNOS8qQYCG/N/sSqJ8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
pi@webs2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'pi@webs2'"
and check to make sure that only the key(s) you wanted were added.
pi@webs1:~ $ ssh pi@webs2
Last login: Fri Apr 3 20:28:34 2020 from 10.0.0.6
pi@webs2:~ $
Works great – when it works… A lot can go wrong.
ssh-copy-id doesn’t always work. Sometimes you have to do this by hand. If you do, your biggest stumbling block will probably be permissions. [So, what else is new?]
You’ve already generated the key. Look in your home directory in the .ssh directory. That “.” prefixing the directory name means it’s a hidden directory.
root@webs1:~# ls
root@webs1:~# ls -a
. .. .bash_history .bashrc .gnupg .profile .ssh .viminfo
root@webs1:~# cd .ssh
root@webs1:~/.ssh# ls
id_rsa id_rsa.pub known_hosts
root@webs1:~/.ssh#
id_rsa – this is your private key. Don’t share it with anyone!
id_rsa.pub – This is your public key. Spread this far and wide. Mostly get a copy of it on the server you want to connect to.
known_hosts – This is the file containing all the HOST keys for the servers that you’ve already connected to. You may have to edit this file to remove host keys for servers that have been replaced or rebuilt.
Next, ssh to the computer that you need to connect to. Check the .ssh directory in your home. You may need to create the .ssh directory.
root@webs2:~# ls -la
total 36
drwx------  3 root root  4096 Apr 20 11:48 .
drwxr-xr-x 21 root root  4096 Feb 13 11:10 ..
-rw-------  1 root root  1706 Apr 19 13:20 .bash_history
-rw-r--r--  1 root root   570 Feb  8 21:47 .bashrc
drwx------  3 root root  4096 Apr  5 08:10 .gnupg
-rw-r--r--  1 root root   148 Feb  8 21:47 .profile
-rw-------  1 root root 10315 Apr 20 11:43 .viminfo
root@webs2:~#
root@webs2:~# mkdir .ssh
root@webs2:~# chmod 700 .ssh
Now, you want to copy the contents of id_rsa.pub from the first server into the file authorized_keys on the second server:
root@webs2:~# cd .ssh
root@webs2:~/.ssh# ls
known_hosts
root@webs2:~/.ssh# touch authorized_keys
root@webs2:~/.ssh# chmod 600 authorized_keys
root@webs2:~/.ssh# ls -la
total 12
drwx------ 2 root root 4096 Apr 20 11:39 .
drwx------ 4 root root 4096 Apr 19 13:10 ..
-rw------- 1 root root 0 Apr 20 11:39 authorized_keys
-rw-r--r-- 1 root root 444 Apr 17 08:33 known_hosts
root@webs2:~/.ssh#
It’s not pretty, but it’s just ASCII. You can cut & paste!
ssh-rsa c2EAAAADAQABAAABAQDEF99iBl2DFmzNgZViwOHyM1j2ORn2WhRQWxr0ltPglOhgaYTJZJP8tz2dsx YMU3sKrKrNpeTvpQBkp1AZnrv9cO3o1RJxe1oR7gq+AVr4e2ybSIBi98Q7qHMfGedlPt0SRw1Od+6P7itBWIWUoDyBGIO6X9BcurriEPun/HZvIqYPV4AuonozTV9n6VMnnwAxM1bBmTFfjrgOGk5OUrBS9hBcqiUrFOqHD0IVqD5iXi+y4jWRwUaK+n8xb+PJkd5hSKI/QBSPgB3OBXz4sNjwfaOzsIqjL4zN97UwOg6oakGd57YBkizXCJWUB5V3jAWHDrEifwzRVDNMzbfU7r root@webs1
Or you can secure copy it to the second server. You’ll probably need to adjust permissions, but it’s a valid way to set this up. Note that scp overwrites the destination file, so any keys already in authorized_keys on the second server will be replaced:
root@webs1:~/.ssh# scp id_rsa.pub webs2:/root/.ssh/authorized_keys
root@webs2's password:
id_rsa.pub 100% 392 259.5KB/s 00:00
root@webs1:~/.ssh#
Finally, test the connection. Go back to the first server and try your ssh connection to the second. If everything worked, you’ll get right in without a password challenge! Here is what it looks like when it doesn’t: the host key recorded in known_hosts no longer matches the one the server presents (it was rebuilt), so ssh refuses to connect until the stale entry is removed with the ssh-keygen -R command it suggests, and even then the new key has to be accepted before you find out whether your public key was installed correctly.
root@salt:~# ssh webs1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for webs1 has changed,
and the key for the corresponding IP address 10.0.0.204
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /root/.ssh/known_hosts:17
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R "10.0.0.204"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:4BOv0si6zdSHtgQjF2OdW0TH8lNOS8qQYCG/N/sSqJ8.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:14
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R "webs1"
ECDSA host key for webs1 has changed and you have requested strict checking.
Host key verification failed.
root@salt:~#
root@salt:~# ssh webs1
The authenticity of host 'webs1 (10.0.0.204)' can't be established.
ECDSA key fingerprint is SHA256:4BOv0si6zdSHtgQjF2OdW0TH8lNOS8qQYCG/N/sSqJ8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'webs1' (ECDSA) to the list of known hosts.
root@webs1's password:
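The by-hand steps above (create .ssh with mode 700, create authorized_keys with mode 600, append the public key) collected into one script, as an added example that is not from the original post. It takes the public key file and a home directory as parameters (PUBKEY_FILE and HOME_DIR are assumptions, not names from the post) so you can exercise it locally before running it as the target user on the second server; the duplicate check and the permission check are additions so that re-running does not stack the same key and you can confirm the modes sshd insists on.

```shell
#!/bin/sh
# Added example, not code from the original post. Performs the manual
# equivalent of ssh-copy-id against a home directory passed as an argument.

# install_authorized_key PUBKEY_FILE HOME_DIR
# Creates HOME_DIR/.ssh (700) and authorized_keys (600) if missing and
# appends the key only when the same key is not already present.
install_authorized_key() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # sshd ignores the key if .ssh or authorized_keys is group/world writable
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Match on key type and base64 blob (fields 1 and 2) and ignore the
    # trailing comment, so a second run does not add a duplicate line.
    key_id=$(awk '{print $1, $2}' "$pubkey_file")
    if awk '{print $1, $2}' "$auth_keys" | grep -qxF "$key_id"; then
        return 0
    fi
    cat "$pubkey_file" >> "$auth_keys"
}

# check_ssh_perms HOME_DIR
# Returns 0 when .ssh is drwx------ and authorized_keys is -rw-------,
# which is the layout shown in the ls -la listing above; 1 otherwise.
check_ssh_perms() {
    home_dir=$1
    dir_mode=$(ls -ld "$home_dir/.ssh" | cut -c1-10)
    file_mode=$(ls -l "$home_dir/.ssh/authorized_keys" | cut -c1-10)
    [ "$dir_mode" = "drwx------" ] && [ "$file_mode" = "-rw-------" ]
}

# Typical use on the second server, as the user that will log in:
#   install_authorized_key /tmp/id_rsa.pub "$HOME" && check_ssh_perms "$HOME"
```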