Old 03-30-2020, 06:35 PM   #1
usodiario
Member
 
Registered: Jan 2020
Posts: 41

Rep: Reputation: Disabled
SSH-KEY not working between laptop and Rasbian?


Hi.

I am testing Raspbian by ssh on local network and internet, but I can't get it to work with SSH-KEY:

Note: I have created a new user first and deleted the pi user and then did the following:

Debianlaptop client:
ssh-keygen -o -t rsa -b 4096
cat ~/.ssh/id_rsa.pub
Copy ssh-key:
ssh-rsa GBjsdhbcv ... ... H755f client@debianlaptop

Raspbian:
sudo mkdir ~/.ssh
sudo chmod 700 ~/.ssh
sudo nano ~/.ssh/authorized_keys
Paste ssh-key:
ssh-rsa GBjsdhbcv ... ... H755f client@debianlaptop
chmod 600 ~/.ssh/authorized_keys

I'm wrong about something, what am I missing?

Needed:
- make it work with ssh-key
- Ask me for the ssh-key password to be able to enter
- And not with the Raspbian user's sudo password.

Raspbian connects either from the local network or from the internet with the Raspbian user's sudo password.

Thank you.
 
Old 03-30-2020, 08:39 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 19,946

Rep: Reputation: 3316
The ssh-copy-id script is the easiest way to transfer the public key to the server. A web search will find lots of guides. It defaults to id_rsa.pub, from the client where you created the keys:

ssh-copy-id user@pi

If the permissions were set up correctly you should now be able to log in to the pi without a password. The passphrase protects the private key.
 
1 members found this post helpful.
Old 03-30-2020, 08:43 PM   #3
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 365

Rep: Reputation: Disabled
I don't see what you are doing wrong except for making it more complicated than necessary. I am using mint which is an offshoot of Debian, so I believe the commands are the same and I have no trouble working with any of my rps, so let's start from the beginning and see if it works.

First, we make fresh keys. If this will mess up something that exists then create a new, experimental user to work with. To make the keys simply:
Code:
 ssh-keygen
while logged in as the appropriate user, of course. It will automatically make rsa keys unless told otherwise and will automatically put them in that user's .ssh directory. For simplicity at the moment, leave the password blank. When it is all working you can deal with that later.

Make sure you have the appropriate user on the rpi and that you can sign in with the password with ssh. Now, if you have no ssh keys set up on the pi, do things the easy way. Change to your .ssh directory, then
Code:
scp id_rsa.pub <pi hostname>:/home/<username>/.ssh/authorized_keys
You will be asked for the user's password. Enter it and the file should be transferred. Now you should be set up and should be able to ssh to it without a problem. However, if you get an error such as port 22 is refused, check the firewall and be sure port 22 is not blocked, and then make sure sshd (openssh-server) is running. It is probably not started automatically (sshd, not ssh). Try the command
Code:
sudo systemctl start sshd
and that should do it. If it doesn't find sshd.service then try starting ssh, not sshd. It may be a problem of names. But now, if you are using the same username on both, there shouldn't be a problem.

Now, if transferring the key in one swoop to authorized_keys is a no-go for some reason there is always the long way.
Code:
ssh-keygen
cd /home/<username>/.ssh
scp id_rsa.pub <user>@<host>:/home/<username>/.ssh/<some filename other than id_rsa.pub>
ssh <username>@<host>
# NOTE: Give the password when requested.
cd /home/<username>/.ssh
cat <filename> >> authorized_keys
exit
That should do it, again assuming sshd is running on the pi and that the configuration file isn't screwed up and blocking sshd or public keys somehow.

Last edited by agillator; 03-30-2020 at 08:45 PM. Reason: michaelk wrote faster than I did - and his way may be simpler.
 
1 members found this post helpful.
Old 03-30-2020, 10:43 PM   #4
usodiario
Member
 
Registered: Jan 2020
Posts: 41

Original Poster
Rep: Reputation: Disabled
Ok, I don't understand, I did everything they indicate.

Raspbian ignores the ssh-key and only logs in with the user's password, not the ssh-key password.

From another PC on the internet you can enter without needing an ssh-key, but they are already added.
 
Old 03-31-2020, 02:32 AM   #5
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 365

Rep: Reputation: Disabled
First, who is 'they'?

Quote:
From another PC on the internet you can enter without needing an ssh-key, but they are already added.
With raspbian, or any other system, you cannot login remotely without some remote login program. Secure shell (ssh) is such a program. There are others. If you use ssh then it is the avenue of contact between the two computers, ssh on the client, sshd on the server, the pi. Without them, or some other, the pi doesn't even know it is being talked to from a remote client.

Here is the way sshd works on the pi. During system configuration you tell raspbian you want to use secure shell for remote sessions. So, during boot sshd is started as a daemon using the configuration in the file /etc/ssh/sshd_config. In that file there are two entries you are interested in at this point:
Code:
#PubkeyAuthentication yes
and
Code:
#PasswordAuthentication yes
Find each of those lines and make sure they are set to yes. After everything works you can turn one of them off to not use that system. Although they are commented out they are the defaults. To override these default values remove the #. Then the system will use the yes or no you put there.

Here is the way secure shell (sshd) works. Upon initial contact it verifies the hosts by methods invisible to the user. Then it checks to see if the client can provide an authorized public key. If so, it goes through that authentication method and, if successful, allows access. Note that the client has access to the sshd daemon, not to raspbian itself. Everything is encrypted and the daemon is actually the user working in the name of the user. If the PubkeyAuthentication system fails for whatever reason then the daemon falls back to PasswordAuthentication, or some other method, if allowed. The daemon then accesses the pam system to check authentication. If allowed, then it will allow access to the client. Again, access is to the sshd daemon, not directly to raspbian. The sshd is the go-between so everything can be encrypted in transit.

Now, having said all of that, I can see two possible causes of your problem. One, somehow the configuration file got changed so the PubkeyAuthentication is disabled. This I doubt but it is possible. Two, something has gone wrong with your keys or your use thereof. I would strongly urge you to remove your keys from the client and the authorized_keys from the server and start again. This is, of course, if you are not using them for anything else so nothing else will be affected. If that is not true, or you are not sure, set up test users on both machines and work with them.

You have three possible ways to install the authorized keys that will work. If you use michaelk's method be sure to generate the keys first. Don't use some complicated method that can introduce errors. I haven't used michaelk's method but other advice he has given has been spot on. My methods have worked for multiple raspbian installations over the years for my six pi's for me so I am fairly confident in them. Pick one and go with it. At least with them if something goes wrong we will have a chance of helping you.
 
2 members found this post helpful.
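An added example, not part of the thread or any poster's code: a small shell function that reports which value of a keyword such as PubkeyAuthentication or PasswordAuthentication a given sshd_config text yields, treating commented-out lines as documentation of the default and taking the first uncommented value. The function names, the sample file and the simplifications (whitespace-separated `Keyword value` lines only, no Include handling, parsing stops at the first Match block) are assumptions of the example.

```shell
# effective_sshd_option FILE KEYWORD DEFAULT
# FILE may be "-" to read standard input. Prints the value in effect.
effective_sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { want = tolower(key) }
        /^[ \t]*#/ { next }               # "#Keyword yes" only documents the default
        NF == 0 { next }                  # skip blank lines
        tolower($1) == "match" { exit }   # conditional blocks are out of scope here
        tolower($1) == want { print $2; found = 1; exit }  # first value obtained wins
        END { if (!found) print def }
    ' "$1"
}

# Constructed sample: stock comments, then two conflicting edits and a Match block.
sample_sshd_config() {
    cat <<'EOF'
#PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PubkeyAuthentication no
EOF
}

# Both options default to "yes" in OpenSSH when nothing uncommented sets them.
for opt in PubkeyAuthentication PasswordAuthentication; do
    printf '%s %s\n' "$opt" "$(sample_sshd_config | effective_sshd_option - "$opt" yes)"
done
```

On the Pi itself, `sudo sshd -T` prints the configuration the daemon would actually use and is the authoritative check.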
Old 03-31-2020, 02:40 AM   #6
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,789
Blog Entries: 3

Rep: Reputation: 2386
How are you actually trying to connect to the Raspberry Pi? You do need to specify the key:

Code:
ssh -i ~/.ssh/id_rsa pi@192.168.1.101
Or

Code:
ssh-add ~/.ssh/id_rsa 

ssh pi@192.168.1.101
Adjust the user or IP address as needed.

If that was what was wrong and you wish to make the changes permanent you can edit ~/.ssh/config and make a listing for your Raspberry Pi with the settings you wish to use. Here are some for the default user. Change the user and IP address as needed:

Code:
Host rpi
        Hostname 192.168.1.101
        Port 22
        User pi
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa

Host 192.168.1.*
        IdentitiesOnly yes
        AddKeysToAgent yes
        UpdateHostKeys yes

Host *
        PermitLocalCommand yes
        ServerAliveCountMax 3
        ServerAliveInterval 60
In that way you just need to type "ssh rpi" and the rest happens automatically, unless overridden. Entries must be added from specific to general because the directives are used in a first match priority. See "man ssh_config" for more details.
 
1 members found this post helpful.
Old 03-31-2020, 05:55 PM   #7
usodiario
Member
 
Registered: Jan 2020
Posts: 41

Original Poster
Rep: Reputation: Disabled
agillator

Thanks so much for the explanation

Turbocapitalist

Thank you very much for idea of configuring in ~/.ssh/config

michaelk

ssh-copy-id is the simplest command, the only problem is that it copies other keys, but it was the command that I use now.


I really understand that it is very simple, there is not much secret, just take the client key and put it in Raspbian.

I reinstalled Raspbian and added the key, this time it works and just switch to PasswordAuthentication no to enter only with the key.


Thank you very much for the help.
 
Old 03-31-2020, 06:31 PM   #8
michaelk
Moderator
 
Registered: Aug 2002
Posts: 19,946

Rep: Reputation: 3316
ssh-copy-id defaults to id_rsa.pub by default but you can specify any key on the command line.

ssh-copy-id -i public_key_name user@server

https://linux.die.net/man/1/ssh-copy-id
 
1 members found this post helpful.
Old 03-31-2020, 07:21 PM   #9
usodiario
Member
 
Registered: Jan 2020
Posts: 41

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
ssh-copy-id defaults to id_rsa.pub by default but you can specify any key on the command line.

ssh-copy-id -i public_key_name user@server

https://linux.die.net/man/1/ssh-copy-id

Thanks for the information.

I have read that the permissions recommendation is chmod 700 for .ssh and chmod 600 for authorized_keys

But when I apply it I cannot enter.

It only works with the "user"

-rw------- 1 user user 1483 Mar 31 23:36 authorized_keys
It works to enter

-rw------- 1 root root 1483 Mar 31 23:20 authorized_keys
It does not work to enter


Thanks
 
Old 03-31-2020, 08:18 PM   #10
michaelk
Moderator
 
Registered: Aug 2002
Posts: 19,946

Rep: Reputation: 3316
If I understand what you are posting, yes, the authorized_keys file in the user's .ssh directory must be owned by that user.

Last edited by michaelk; 03-31-2020 at 08:20 PM.
 
1 members found this post helpful.
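An added example, not part of the thread: a check for the ownership problem the last two posts arrive at, which is what creating ~/.ssh and authorized_keys through sudo produces. The function name and messages are assumptions of the example, and it relies on GNU stat as shipped with Raspbian and Debian.

```shell
# check_ssh_perms HOME_DIR LOGIN_USER
# Prints one line per problem; returns 0 when the paths are usable for key login.
check_ssh_perms() {
    home=$1; user=$2; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING    $path"; rc=1; continue
        fi
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        # sshd opens authorized_keys with the login user's privileges, so a
        # root-owned file at mode 600 (or directory at 700) is unreadable to it.
        if [ "$owner" != "$user" ]; then
            echo "BAD OWNER  $path is owned by $owner, expected $user"; rc=1
        fi
        # StrictModes (on by default) rejects group- or world-writable paths.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD MODE   $path has mode $mode (group/other writable)"; rc=1
        fi
    done
    return $rc
}

# Usage when saved as a script: ./check_ssh_perms.sh /home/<username> <username>
if [ $# -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

A BAD OWNER line is repaired with `sudo chown -R <username>:<username> /home/<username>/.ssh`, after which the 700 and 600 modes from the thread work as intended.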
  


All times are GMT -5.