I like to interact with my Raspberry PIs at home on the shell level for lots of different things and I can't count the number of times I open a remote shell window every day for various purposes. I also like to keep my virtual desktop tidy so I usually close shell windows when I'm done with a specific task. The downside is that I have to type in the server password frequently, which is a pain. So recently a colleague of mine gave me the idea to use ssh client certificates to get rid of the password promts when I open a new ssh session to a remote server. There are a few things that have to be put into place and I thought I'd put together a quick mini-howto as the information I could find on the topic was a bit more confusing than necessary.
Step 1: Create a public/private key pair on the ssh CLIENT machine
- Check that '~/.ssh' exists
- Generate a public/private keypair with: 'ssh-keygen -t rsa'
- The command generates the following two files in '~/.ssh': id_rsa and id_rsa.pub
Step 2: Put the public key part of the client on the ssh SERVER machine
- Check that in the home folder of the user you want to login as that the .ssh directory exists
- Then do the following:
- Add the content of the client id_rsa.pub file to the authorized_keys file on the server side
Step 3: Configure the SSH Daemon on the SERVER machine to accept client certificates
These commands make the SSH daemon accept certificates:
sudo cp sshd_config sshd_config.bak
sudo nano sshd_config
–> make sure the following three lines are uncommented:
- Restart the SSH daemon to finish the process with: 'sudo /etc/init.d/ssh restart'
Once done, ssh can be used the same way as before but there's no password prompt anymore. Great!