LinuxQuestions.org


usodiario 03-30-2020 06:35 PM

SSH-KEY not working between laptop and Rasbian?
 
Hi.

I am testing Raspbian by ssh on local network and internet, but I can't get it to work with SSH-KEY:

Note: I have created a new user first and deleted the pi user and then did the following:

Debianlaptop client:
ssh-keygen -o -t rsa -b 4096
cat ~/.ssh/id_rsa.pub
Copy ssh-key:
ssh-rsa GBjsdhbcv ... ... H755f client@debianlaptop

Raspbian:
sudo mkdir ~/.ssh
sudo chmod 700 ~/.ssh
sudo nano ~/.ssh/authorized_keys
Paste ssh-key:
ssh-rsa GBjsdhbcv ... ... H755f client@debianlaptop
chmod 600 ~/.ssh/authorized_keys

I'm wrong about something, what am I missing?

Needed:
- make it work with ssh-key
- Ask me for the ssh-key password to be able to enter
- And not with the Raspbian user's sudo password.

Raspbian connects either from the local network or from the internet with the Raspbian user's sudo password.

Thank you.

michaelk 03-30-2020 08:39 PM

The ssh-copy-id script is the easiest way to transfer the public key to the server. A web search will find lots of guides. It defaults to id_rsa.pub, from the client where you created the keys:

ssh-copy-id user@pi

If the permissions were set up correctly you should now be able to login to the pi without a password. The passphrase protects the private key.

agillator 03-30-2020 08:43 PM

I don't see what you are doing wrong except for making it more complicated than necessary. I am using mint which is an offshoot of Debian, so I believe the commands are the same and I have no trouble working with any of my rps, so let's start from the beginning and see if it works.

First, we make fresh keys. If this will mess up something that exists then create a new, experimental user to work with. To make the keys simply:
Code:

ssh-keygen
while logged in as the appropriate user, of course. It will automatically make rsa keys unless told otherwise and will automatically put them in that user's .ssh directory. For simplicity at the moment, leave the password blank. When it is all working you can deal with that later.

Make sure you have the appropriate user on the rpi and that you can sign in with the password with ssh. Now, if you have no ssh keys set up on the pi, do things the easy way. Change to your .ssh directory, then
Code:

scp id_rsa.pub <pi hostname>:/home/<username>/.ssh/authorized_keys
You will be asked for the user's password. Enter it and the file should be transferred. Now you should be set up and should be able to ssh to it without a problem. However, if you get an error such as port 22 is refused, check the firewall and be sure port 22 is not blocked, and then make sure sshd (openssh-server) is running. It is probably not started automatically (sshd, not ssh). Try the command
Code:

sudo systemctl start sshd
and that should do it. If it doesn't find sshd.service then try starting ssh, not sshd. It may be a problem of names. But now, if you are using the same username on both, there shouldn't be a problem.

Now, if transferring the key in one swoop to authorized_keys is a no-go for some reason there is always the long way.
Code:

ssh-keygen
cd /home/<username>/.ssh
scp id_rsa.pub <user>@<host>:/home/<username>/.ssh/<some filename other than id_rsa.pub>
ssh <username>@<host>
# NOTE: Give the password when requested.
cd /home/<username>/.ssh
cat <filename> >> authorized_keys
exit

That should do it, again assuming sshd is running on the pi and that the configuration file isn't screwed up and blocking sshd or public keys somehow.

usodiario 03-30-2020 10:43 PM

Ok, I don't understand, I did everything they indicate.

Raspbian ignores the ssh-key and only logs in with the user's password, not the ssh-key password.

From another PC on the internet you can enter without needing an ssh-key, but they are already added.

agillator 03-31-2020 02:32 AM

First, who is 'they'?

Quote:

From another PC on the internet you can enter without needing an ssh-key, but they are already added.
With raspbian, or any other system, you cannot login remotely without some remote login program. Secure shell (ssh) is such a program. There are others. If you use ssh then it is the avenue of contact between the two computers, ssh on the client, sshd on the server, the pi. Without them, or some other, the pi doesn't even know it is being talked to from a remote client.

Here is the way sshd works on the pi. During system configuration you tell raspbian you want to secure shell for remote sessions. So, during boot sshd is started as a daemon using the configuration in the file /etc/ssh/sshd_config. In that file there are two entries you are interested in at this point:
Code:

#PubkeyAuthentication yes
and
Code:

#PasswordAuthentication yes
Find each of those lines and make sure they are set to yes. After everything works you can turn one of them off to not use that system. Although they are commented out they are the defaults. To override these default values remove the #. Then the system will use the yes or no you put there.

Here is the way secure shell (sshd) works. Upon initial contact it verifies the hosts by methods invisible to the user. Then it checks to see if the client can provide an authorized public key. If so, it goes through that authentication method and, if successful, allows access. Note that the client has access to the sshd daemon, not to raspbian itself. Everything is encrypted and the daemon is actually the user working in the name of the user. If the PubkeyAuthentication system fails for whatever reason then the daemon falls back to PasswordAuthentication, or some other method, if allowed. The daemon then accesses the pam system to check authentication. If allowed, then it will allow access to the client. Again, access is to the sshd daemon, not directly to raspbian. The sshd is the go-between so everything can be encrypted in transit.

Now, having said all of that, I can see two possible causes of your problem. One, somehow the configuration file got changed so the PubkeyAuthentication is disabled. This I doubt but it is possible. Two, something has gone wrong with your keys or your use thereof. I would strongly urge you to remove your keys from the client and the authorized_keys from the server and start again. This is, of course, if you are not using them for anything else so nothing else will be affected. If that is not true, or you are not sure, set up test users on both machines and work with them.

You have three possible ways to install the authorized keys that will work. If you use michaelk's method be sure to generate the keys first. Don't use some complicated method that can introduce errors. I haven't used michaelk's method but other advice he has given has been spot on. My methods have worked for multiple raspbian installations over the years for my six pi's for me so I am fairly confident in them. Pick one and go with it. At least with them if something goes wrong we will have a chance of helping you.
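The two sshd_config entries discussed in the post above can be read back with a small script. This is an added example, not part of the thread: the function names and both sample files are constructed, and it only reads the global section (it stops at the first Match line and does not follow Include).

```shell
#!/bin/sh
# effective_sshd_option FILE KEYWORD DEFAULT
# Prints the first uncommented value of KEYWORD (sshd keeps the first value it
# reads for a keyword), or DEFAULT when every occurrence is commented out or
# absent. FILE may be "-" to read standard input.
effective_sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }               # commented line: built-in default applies
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Constructed sample: both entries still commented out, as quoted in the post.
sample_default() {
    printf '%s\n' '#PubkeyAuthentication yes' '#PasswordAuthentication yes'
}

# Constructed sample: key-only login; the later duplicate line is ignored
# because the first uncommented value wins.
sample_hardened() {
    printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'PasswordAuthentication yes'
}

# Print the effective value of both keywords for each sample ("yes" is the
# OpenSSH default for both).
for s in sample_default sample_hardened; do
    for kw in PubkeyAuthentication PasswordAuthentication; do
        printf '%-16s %-24s %s\n' "$s" "$kw" \
            "$($s | effective_sshd_option - "$kw" yes)"
    done
done
```

On the Pi itself, `sudo sshd -T` prints the configuration the daemon actually uses and is the authoritative check.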

Turbocapitalist 03-31-2020 02:40 AM

How are you actually trying to connect to the Raspberry Pi? You do need to specify the key:

Code:

ssh -i ~/.ssh/id_rsa pi@192.168.1.101
Or

Code:

ssh-add ~/.ssh/id_rsa

ssh pi@192.168.1.101

Adjust the user or IP address as needed.

If that is what was wrong and you wish to make the changes permanent you can edit ~/.ssh/config and make a listing for your Raspberry Pi with the settings you wish to use. Here are some for the default user. Change the user and IP address as needed:

Code:

Host rpi
        Hostname 192.168.1.101
        Port 22
        User pi
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa

Host 192.168.1.*
        IdentitiesOnly yes
        AddKeysToAgent yes
        UpdateHostKeys yes

Host *
        PermitLocalCommand yes
        ServerAliveCountMax 3
        ServerAliveInterval 60

In that way you just need to type "ssh rpi" and the rest happens automatically, unless overridden. Entries must be added from specific to general because the directives are used in a first match priority. See "man ssh_config" for more details.

usodiario 03-31-2020 05:55 PM

agillator

Thanks so much for the explanation

Turbocapitalist

Thank you very much for idea of configuring in ~/.ssh/config

michaelk

ssh-copy-id is the simplest command, the only problem is that it copies other keys, but it was the command that I use now.


I really understand that it is very simple, there is not much secret, just take the client key and put it in Raspbian.

I reinstalled Raspbian and added the key, this time it works and just switch to PasswordAuthentication no to enter only with the key.


Thank you very much for the help.

michaelk 03-31-2020 06:31 PM

ssh-copy-id defaults to id_rsa.pub by default but you can specify any key on the command line.

ssh-copy-id -i public_key_name user@server

https://linux.die.net/man/1/ssh-copy-id

usodiario 03-31-2020 07:21 PM

Quote:

Originally Posted by michaelk (Post 6106442)
ssh-copy-id defaults to id_rsa.pub by default but you can specify any key on the command line.

ssh-copy-id -i public_key_name user@server

https://linux.die.net/man/1/ssh-copy-id


Thanks for the information.

I have read that the permissions recommendation is chmod 700 for .ssh and chmod 600 for authorized_keys

But when I apply it I cannot enter.

It only works with the "user"

-rw------- 1 user user 1483 Mar 31 23:36 authorized_keys
It works to enter

-rw------- 1 root root 1483 Mar 31 23:20 authorized_keys
It does not work to enter


Thanks

michaelk 03-31-2020 08:18 PM

If I understand what you are posting yes, the authorized_keys file in the user's .ssh directory must be owned by that user.
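The ownership and mode requirements that came out of this thread can be checked in one pass on the server. This is an added example, not code from any poster: the function names are hypothetical, GNU stat (as shipped with Raspbian/Debian) is assumed, and the demo runs in a constructed throwaway directory.

```shell
#!/bin/sh
# check_path PATH UID MODE: succeed only if PATH exists, is owned by the
# numeric UID and has exactly the octal MODE.
check_path() {
    cp_rc=0
    [ -e "$1" ] || { echo "FAIL $1: missing"; return 1; }
    cp_uid=$(stat -c '%u' "$1")
    cp_mode=$(stat -c '%a' "$1")
    if [ "$cp_uid" != "$2" ]; then
        echo "FAIL $1: owned by uid $cp_uid, expected uid $2"; cp_rc=1
    fi
    if [ "$cp_mode" != "$3" ]; then
        echo "FAIL $1: mode $cp_mode, expected $3"; cp_rc=1
    fi
    if [ "$cp_rc" -eq 0 ]; then echo "ok   $1 (uid $cp_uid, mode $cp_mode)"; fi
    return "$cp_rc"
}

# audit_authorized_keys HOME_DIR UID: apply the thread's recommendations
# (700 on .ssh, 600 on authorized_keys, both owned by the login user).
audit_authorized_keys() {
    aak_rc=0
    check_path "$1/.ssh" "$2" 700 || aak_rc=1
    check_path "$1/.ssh/authorized_keys" "$2" 600 || aak_rc=1
    return "$aak_rc"
}

# Constructed demo: loose modes first, then the corrected ones.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 755 "$d/.ssh"; chmod 644 "$d/.ssh/authorized_keys"
    audit_authorized_keys "$d" "$(id -u)" || echo "=> fix needed"
    chmod 700 "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"
    audit_authorized_keys "$d" "$(id -u)" && echo "=> ready for key login"
    rm -rf "$d"
}
demo
```

On the Pi, call it as `audit_authorized_keys /home/<username> "$(id -u <username>)"`; a root-owned file like the one in the listing above is reported as owned by uid 0.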


All times are GMT -5.