Configuring SSH Keys on Raspberry Pi from Raspberry Pi

In an earlier article I configured a Raspberry Pi to accept SSH logins using keys rather than passwords all the while working from a Windows 10 machine. In this article I’ll do the same but working from another Raspberry Pi machine.

Although I’m using a Raspberry Pi here this process, or something very much like it, will work on any Linux based system. This is because Raspberry Pi OS is built from Debian which is the basis of many Linux distributions. Additionally, the tools we’ll be using are standard across nearly all Linux distributions.

Generating SSH Keys

Unlike on Windows all the tools you need to generate keys and remotely access another machine are already installed on the Raspberry Pi (and almost all Linux machines). To get started open a terminal and enter the commands

cd ~/.ssh
ssh-keygen

The first command just puts you in the .ssh directory which is where keys are usually held. The second command runs the keygen tool which will generate a key pair for you. The keygen tool will ask you to specify a filename for the key. The default filename is “id_rsa” and the SSH application will look for this file automatically. The intention, in essence, is this file is your identity and you’ll use it wherever you need to identify yourself. In other words you have a single private key that you use everywhere.

I’m in two minds whether using a single key and therefore this default is a good idea. The upside is that it makes life simpler, you only have a single key to manage and remember a password for. There are a couple of downsides though, a single key lacks granularity. If your private key becomes compromised you have to revoke it everywhere. There’s also a privacy concern in so much as you can be traced by where your public key is installed. You also, probably, don’t have a single identity. Most people have a work identity that is separate from their private identity, having separate keys for these identities makes sense.

Personally, I prefer a single key per service. For example this might mean I have a key for my web host, a key for my GitHub account and other key for my home lab server. Some people go further and have a separate key for each host and client e.g. if they log in to GitHub from two different machines they have separate keys for each machine. I feel this latter approach is more hassle than it’s worth and it can lead to private information leakage as the host can identify which machine you are using.

This is all a very long winded way of saying that you need to specify a filename for the key if you want to run per-service keys. At this point you might wonder how we use multiple keys, don’t worry, we’ll get to that.

Keytool will then ask you for a passphrase, I recommend setting a passphrase unless you really don’t care about the security of the systems you are connecting too. There’s no doubt it’s hassle to enter the passphrase to unlock your key but it’s better than the alternative. An example session with the keygen tool is shown below (this key is not used anywhere).

pi@testpi:~ $ cd .ssh/
pi@testpi:~/.ssh $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa): test
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:mw3SjJHEq6ja7tQkD/WDmJAnZuhbpA1AWO3+eW1yU3Q pi@testpi
The key's randomart image is:
+---[RSA 3072]----+
|+o.. ..          |
|+.  ....         |
|=+.o. o.         |
|++=+.o.=    . E  |
| o==o.= S  . .   |
|  +*o  o =  .    |
| o. o. .o...     |
|.o    o o =      |
|oo+    . + .     |
+----[SHA256]-----+

Installing the Public Key on the Remote Machine

There are a couple of options here. The first uses built in SSH tools which makes it very quick and convenient.

Using SSH Tools

If the remote machine is configured to accept password logins this is the quickest and easiest way to add the public key. Simply enter the following command at a terminal (adjusting as required)

ssh-copy-id -i ~/.ssh/test [email protected]

Where “test” is the name of the key to install and username is your remote username (obviously change the IP address too). This command won’t work if the machine is already set to only accept key based logins.

The ssh-copy-id command is essentially just a wrapper for the command sequence below. This first copies the key over and then concatenates it to the end of the authorized_keys file. Finally deleting the file it copied over.

scp .ssh/test.pub username@other-host:
ssh username@other-host 'cat test.pub >> .ssh/authorized_keys'
ssh username@other-host 'rm test.pub'

Manually Adding the Key

See the section called “Installing the Public Key on the Raspberry Pi” in the earlier article. Essentially you need to copy the contents of the public key into the authorized_keys file of the remote machine. On Windows you copy it from the PuTTYgen application, on the Raspberry Pi you copy it from the “test.pub” file.

Connecting to the Remote Machine Using Your Key

Connecting to the remote machine with your key couldn’t be easier. If you’re using the default key and you have the same username on both machines then it’s as simple as

ssh ip_address

I usually seem to end up with different usernames on different machines and, as mentioned above, I like to have a key per service so I use a couple of additional options as shown here

ssh -i test username@ip_address

The -i flag lets you tell the SSH application which key file to use and username lets you specify the username to use. In both cases you’ll need to give your passphrase if you’ve used one. A future article will show you how to avoid using the -i flag.

Converting a PuTTy PPK into a PEM File

If you created key files on a Windows machine you’ll likely have used PuTTy as described in an earlier article. This is fine but PuTTy saves the keys in it’s own file format with a PPK extension. Since both SSH and PuTTy use the same underlying encryption systems the PPK file can be converted to PEM.

PuTTy and it’s tools are available for most Linux based systems, we need the PuTTygen tool to convert the keys. To install the PuTTy tools use the following command.

sudo apt install putty-tools

To convert the key from PPK to OpenSSH format use the following command:

puttygen test.ppk -O private-openssh -o test

This tells puttygen to load the “test.ppk” file and output the private key in openssh format into the file “test” – OpenSSh key files often don’t have an extension.

Additional Reading