Public / Private key tutorial

How to use Public and Private keys to secure your linux computer login

Password-protecting your computers is in general a good idea. However, passwords are sent in plain text when using FTP or Telnet, which means they can easily be captured by anybody who has access to your network. So never use FTP or Telnet on a public WiFi network.

The better alternative to FTP is SFTP, and to Telnet it is SSH. But even here, it is insecure to use passwords, even though these protocols support them. The more secure alternative is to use Public and Private Keys. (Further reading on how private/public key combinations work and why they are more secure than passwords can be found here and here.)

Using Public and Private keys often sounds complicated, cryptic and difficult to set up and use. It definitely isn’t, and my personal opinion is that so-called experts often unnecessarily over-complicate these things.

To make your (and my! of course) life easier, I added Public-Private Key features to my NetworkToolbox. Keys can now be used for the SSH and SFTP Tools, and even better, the App now also contains a tool to generate both keys for you.

The following example demonstrates how easy it is to set up Private and Public keys with a Raspberry Pi and NetworkToolbox.

In this example I am using a Raspberry Pi which was set up with the standard Raspbian image. However, the procedure described here is nearly identical on all Linux systems (server, PC or even your router if it runs a customizable Linux).

Before going into the details, here is an overview of the general procedure:

  1. Use NetworkToolbox to create a new Public-Private Key combination
  2. Create a regular new user on the Raspberry Pi
  3. Add the Public Key generated by NetworkToolbox to this user
    (This basically just means to copy the key to a file called authorized_keys in a subdirectory called .ssh in the user’s home directory)
  4. Testing

After these steps, you can use SSH or SFTP with the Public-Private key combination generated by NetworkToolbox to access the Raspberry Pi.

Now, let’s do it step by step:

1. CREATE YOUR KEYS

  • Start NetworkToolbox and open the PKI Tool
  • Below Create new: tap on OpenSSH
  • Enter a Title (for later reference) e.g. Test Keys
  • Enter a Password for this Key e.g. test! (please note the ‘!’ at the end)
  • Press the checkmark at the top to close the screen
  • After a while, the key pair will be generated and you will see a new entry in the list
  • Tap on this newly created entry
  • Select Copy next to the Public key heading
  • Close the PKI tool
Your screen should now look similar to this:

01-generate-keys

2. CREATE A NEW USER

(Note: You can omit this if you want to use the Key for an existing user)

  • Now open the SSH Tool (or Telnet if you like) and connect to your Raspberry Pi using the username and password combination for the user pi (or any other admin user you normally use)
  • Enter the following unix commands:

    sudo su
    adduser test
  • Then enter a new password twice (e.g. test, this time without the !), leave the other questions blank and just confirm the final question with Y

3. ADD THE PUBLIC KEY

  • Still in the SSH Tool, now enter the following unix commands:

    mkdir /home/test/.ssh
    cat << EOF > /home/test/.ssh/authorized_keys
  • After pressing enter on the last line you have entered, you will see a prompt
  • Now long-tap on the screen so that you get the iOS Paste menu and select Paste
  • Press enter again
  • Enter the three letters EOF and press enter again
  • Exit the SSH tool

This is how the SSH screen should look after entering these commands:

02-paste-keys
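
Steps 2 and 3 above do the job by hand as root, which leaves /home/test/.ssh owned by root; sshd accepts that, but the user cannot manage their own keys, and a directory or file that is writable by others makes sshd silently ignore the key. The following added example (not code from the post or from NetworkToolbox) wraps the same procedure in a shell function that checks the pasted line is actually a public key, appends it without duplicates, and sets the ownership and permissions sshd's default StrictModes check expects. The home directory, owner name and key line are parameters; the sample key in the comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post or from NetworkToolbox:
# install a public key into a user's authorized_keys with the ownership and
# permissions that sshd's default StrictModes check requires. Run as root
# (e.g. after "sudo su") when installing for another user.
#
# Usage: install_authorized_key <home-dir> <owner> "<public key line>"
# Returns 0 on success, 1 if the line does not look like an OpenSSH public key.

install_authorized_key() {
    home="$1"
    owner="$2"
    key="$3"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only "<type> <base64> [comment]". A PEM block or a private key
    # pasted by mistake is rejected here instead of ending up on disk.
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    printf '%s\n' "$key" | grep -Eq '^[a-z0-9-]+ [A-Za-z0-9+/]+=*( .*)?$' || {
        echo "malformed key material" >&2
        return 1
    }

    mkdir -p "$sshdir"
    touch "$authfile"
    # Append only if this exact line is not already present, so the function
    # can be re-run without duplicating keys.
    grep -Fqx -- "$key" "$authfile" || printf '%s\n' "$key" >> "$authfile"

    # sshd ignores authorized_keys if the file or its directory is writable
    # by group or others.
    chmod 700 "$sshdir"
    chmod 600 "$authfile"
    # The post leaves the files owned by root, which sshd accepts, but the
    # user then cannot manage their own keys. Fix ownership when running as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$(id -gn "$owner")" "$sshdir"
    fi
    return 0
}

# Number of non-empty lines in a home directory's authorized_keys (0 if absent).
count_authorized_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Stand-alone use on the Pi, as root, with the key copied from NetworkToolbox
# (constructed placeholder below, not a real key):
#   install_authorized_key /home/test test "ssh-ed25519 AAAA...placeholder... networktoolbox"
```

The function takes the key as an argument instead of the post's `cat << EOF` heredoc. The heredoc works for an OpenSSH key line because such lines contain no `$` or backticks, but the shell would expand those characters in any other pasted text; passing the line as a quoted argument avoids that class of surprise.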

4. TESTING

That was basically all that was needed, so now we can test.

  • Open the SSH tool again
  • Now instead of the user pi, enter test as username
  • Leave the password field blank
  • Tap on Public / Private keys
  • Load your previously generated keys by tapping on Load and select your key
Loading your keys will look like this:

04-load-keys

  • Tap on the checkmark in the upper corner to dismiss the screen
  • Tap on connect and you will be asked for a password like here:

03-ssh-password

  • Enter the password. But please note: this is no longer the login password but the password for the Private key you used before when creating the keys (the one with the ! at the end). Sometimes this password is called “Passphrase” when used along with Private keys, but it is nothing more than the password which is used to encrypt the Private key, so I keep using the term password here.
  • You should now be connected to your Raspberry Pi by using your Public-Private key combination instead of a password and you should see the following screen:
03-connected

If something goes wrong, you will see an error message. You possibly entered a wrong password, didn’t set up your Raspberry Pi correctly or entered a wrong username for the key.

For your convenience, the PKI Tool contains a Validate button which can be used to double-check your password for a given Private key.

Finally, you can get rid of the passwords on your Raspberry Pi, either by deleting the password for the test user with this command:

sudo passwd -d test

or even better, you can disable passwords completely for SSH connections by adding/changing the following line in the file /etc/ssh/sshd_config:

PasswordAuthentication no
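
Editing sshd_config by hand has two traps: sshd uses the first value it reads for a directive (so a stray earlier `PasswordAuthentication yes` wins), and anything placed after a `Match` block applies only inside that block. Keyboard-interactive (PAM) prompts are also a second password path that `PasswordAuthentication no` alone does not close. The following added example (not code from the post or from NetworkToolbox) sets a directive idempotently with those rules in mind and applies the post's setting together with the related ones; the file path is a parameter so it can be tried on a copy first. Before restarting sshd on the Pi, keep a working key-based session open and run `sshd -t` so a typo cannot lock you out.

```shell
#!/bin/sh
# Added example, not code from the original post: set a global sshd_config
# directive idempotently and harden password logins. Assumes OpenSSH's
# sshd_config syntax (one "Directive value" per line, "#" comments,
# case-insensitive directive names, first value wins, "Match" blocks at the end).
#
# Usage: set_sshd_option <config-file> <Directive> <value>

set_sshd_option() {
    cfg="$1"; name="$2"; value="$3"
    tmp="$cfg.tmp.$$"
    # Put the new line first (sshd uses the first value it reads) and drop any
    # earlier global setting of the same directive, commented out or not.
    # Lines inside a Match block are left untouched: they are conditional
    # overrides, and appending after them would make our setting conditional too.
    awk -v n="$name" -v v="$value" '
        BEGIN { print n " " v; inmatch = 0 }
        {
            raw = $0
            sub(/^[ \t]+/, "", raw)
            commented = (substr(raw, 1, 1) == "#")
            if (commented) sub(/^#[ \t]*/, "", raw)
            split(raw, f, /[ \t=]+/)
            key = tolower(f[1])
            if (!commented && key == "match") inmatch = 1
            if (!inmatch && key == tolower(n)) next
            print
        }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the effective global value of a directive (first uncommented match
# before any Match block), or nothing if it is not set.
get_sshd_option() {
    awk -v n="$2" '
        {
            raw = $0
            sub(/^[ \t]+/, "", raw)
            if (substr(raw, 1, 1) == "#" || raw == "") next
            split(raw, f, /[ \t=]+/)
            if (tolower(f[1]) == "match") exit
            if (tolower(f[1]) == tolower(n)) { print f[2]; exit }
        }' "$1"
}

# The setting from the post plus the ones that would still let a password through.
harden_sshd_config() {
    cfg="$1"
    set_sshd_option "$cfg" PasswordAuthentication no
    # Keyboard-interactive (PAM) prompts are a second password path; this
    # directive name is accepted by both older and current OpenSSH releases.
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitEmptyPasswords no
    set_sshd_option "$cfg" PubkeyAuthentication yes
}

# Stand-alone use on the Pi, as root: keep a backup, validate the result with
# sshd's test mode, and only then restart, while a working key login stays
# open in a second session in case something is wrong.
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
```

On the account side, `passwd -d test` from the post leaves the test user with an empty password rather than no password; `PermitEmptyPasswords no` keeps that out of SSH, and `passwd -l test` locks the password entirely while key login keeps working.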

Final notes:

You can, of course, also enter the Private Key password in the password field of the SSH Tool. Then you will no longer be asked for the key password when connecting. However, if somebody stole your device and got past the passcode, this person would then also have your Private key.

Instead of generating the keys with NetworkToolbox, you can also go the other way around and generate the keys on your Raspberry Pi and copy them back to NetworkToolbox. However, this is insecure, as even if you delete the Private key from your Raspberry Pi, fragments of it may still exist for a while in the swap file or other locations. It is in general bad practice to generate keys on the device you want to connect to.