Bonus: Passwordless SSH using Public-Private Key Pairs
It may become tedious to log in to your WLAN Pi multiple times using SSH. Each new session requires you to enter your username and password.
To save the hassle of entering credentials each time you log in, you can store your personal SSH public key on your WLAN Pi and keep the matching private key, protected by a passphrase, on your laptop. This allows a secure and "passwordless" login.
Generating a new SSH key pair
You will want to generate the SSH key on your laptop. Once you've generated the keys, you will add the public key to your WLAN Pi.
Open a Terminal on your laptop.
If you're running Windows, we recommend downloading and installing Win32-OpenSSH and Windows Terminal.
Use ssh-keygen -t ed25519 to generate a key pair consisting of a public and private key.
When prompted, enter a filename for the key. You can use the default if you'd like. This lab assumes you used the default. Otherwise you will need to substitute your filename for id_ed25519 in the steps below.
When prompted to enter a passphrase, you should add a passphrase. Please don't skip or ignore this! It is an important step in securing the local key, which otherwise is usable by anyone who acquires the key itself. Several SSH agents can be configured to save the passphrase for a "passwordless" experience. We'll do that after we generate and set up the keys.
Now we have two files:
id_ed25519, which contains the private key
id_ed25519.pub, which contains the public key (hence the .pub)
Upload the public key to WLAN Pi
Windows
Open PowerShell and run the following command. Replace <IP> with the IP address of your WLAN Pi.
Linux or macOS
We could do this manually or with a one-liner like for Windows above, but we can just use ssh-copy-id to propagate the public key to the WLAN Pi.
ssh-copy-id uses SSH to connect to the WLAN Pi and upload the SSH public key. The tool will shove the public key into the WLAN Pi's authorized_keys file, which is located in the /home/wlanpi/.ssh directory. The tool also checks if the key already exists and checks that key files have appropriate permissions.
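The manual route mentioned above comes down to a few steps on the WLAN Pi side: append the key only if it is not already present, and keep the directory and file owner-only. The script below is an added example, not part of the original lab and not ssh-copy-id's own code; the function name install_pubkey and the demo key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ssh-copy-id's source): install a public key by hand.
# Usage: install_pubkey PUBKEY_FILE SSH_DIR
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    # Never upload the private half by mistake.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 2
    fi

    # A public key is one line: "<type> <base64 blob> [comment]".
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1)
    case $key_line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: $pubkey_file is not an OpenSSH public key" >&2
           return 2 ;;
    esac
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')

    # sshd ignores authorized_keys when these are writable by other users
    # (StrictModes), so set owner-only permissions.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: match on the key blob so a changed comment adds no duplicate.
    if grep -qF -e "$key_blob" "$auth_file"; then
        return 0
    fi
    # Keep an unterminated last line from merging with the new key.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Demo in a scratch directory with a constructed, non-functional key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSAMPLEkeyNOTreal0000000000000000 me@laptop' \
    > "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/.ssh"   # second run is a no-op
echo "keys installed: $(wc -l < "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

On the WLAN Pi itself the call would be install_pubkey id_ed25519.pub /home/wlanpi/.ssh, after copying only the .pub file over.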
Ok, let's run ssh-copy-id wlanpi@<IP>
Ok, let's try to SSH in with ssh wlanpi@<IP>
Great! Now we're using SSH keys instead of a username and password to connect. Since we put a passphrase on our SSH key, we still have to enter a passphrase. So, how do we actually make this experience worth the hype and 'passwordless'?
Didn't secure your private key with a passphrase? Not to beat a dead horse, but use a passphrase on your SSH keys whenever possible.
It is recommended to use a passphrase for keys used for single sign-on. Get in the habit of doing this. This prevents use of the key if it is stolen or inadvertently leaked.
Making a passphrase secured key passwordless:
Let's use ssh-add to avoid having to use a passphrase every time the key is used. ssh-add adds the private key identities to the authentication agent (ssh-agent) so that ssh-agent can take care of the authentication for us! And so we don't have to type in passwords! Yay!
Linux / macOS:
Windows:
Same command (ssh-add.exe), but you need to first open services.msc, start the OpenSSH Authentication Agent and then run ssh-add.exe.
Hey, look at that, no more passphrase!
(Optional) GitHub Method to Import Public SSH Key
Already using GitHub to store your SSH public keys? We can import them to the WLAN Pi with ssh-import-id-gh.
ssh-import-id
There are two steps to this process:
You'll need to create a (free) GitHub account if you don't already have one.
You will need to add your public key to your GitHub account. There are some instructions in the blog post below.
Verify your public key is added.
SSH in to your WLAN Pi and add your SSH public key with the following command:
Finally, use your SSH client to log in to your WLAN Pi. There should be no prompt for your username and password when you log in. If you set up a passphrase-protected key pair, you may have to enter the passphrase unless you added the passphrase to the SSH agent.