Use SSH key stored on GitHub instead of an SSH password to access your WLAN Pi

By default WLAN Pi, and Linux in general, uses username and password-based SSH authentication. It involves quite a bit of typing, some brain capacity to remember the password, and it is not the most secure method either.

You can create a public and private key pair. Your SSH client automatically logs in using the private key. The SSH server uses the public key to confirm that you possess the right private key. No password is needed, and it is also more secure. The private key is never sent over the network, and this method protects you against man-in-the-middle attacks.

The beauty of this GitHub method is that GitHub stores your SSH public key centrally, where you can easily update it, and you can install it on the machine you want to SSH to with a single command, ssh-import-id-gh. You can even add this to a startup script so that it automatically updates your trusted keys.

Let’s do this

ssh-keygen is the program that generates a public/private key pair on your local system. The private key is stored in ~/.ssh/id_rsa, and the public key is stored in ~/.ssh/id_rsa.pub.

The security of this method depends on keeping the private key safe and secure. Make sure not to leave the private key behind.

ssh-keygen -t rsa -C "your@email.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/jiri/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/jiri/.ssh/id_rsa
Your public key has been saved in /Users/jiri/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:.....
The key's randomart image is:
+---[RSA 3072]----+
.....
+----[SHA256]-----+

Display the public key, which is a text file at the end of the day, and copy its content to clipboard:

cat ~/.ssh/id_rsa.pub
ssh-rsa
.....

Save this public key to your GitHub account. Browse to github.com, log in, and open Settings:

Click New SSH key, name the key, paste your public key from the clipboard and save it:

To verify that your key has been added you can browse to https://api.github.com/users/jiribrejcha/keys, where jiribrejcha is your GitHub username:

The last step is to SSH into your WLAN Pi or Linux machine and tell it to import the public key from GitHub, where jiribrejcha is my GitHub username:

ssh-import-id-gh jiribrejcha

If the command isn’t installed, you can install it with:

sudo apt install ssh-import-id
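
ssh-import-id-gh trusts every key that GitHub lists for the account, so before importing it is worth comparing the fingerprints published at the API URL above with the one ssh-keygen printed for your key. The following is an added example, not code from the original post: the API response and both keys are constructed sample data, and fingerprint, audit_github_keys and constructed_key are hypothetical helper names.

```python
import base64
import hashlib
import json
import struct


def fingerprint(pubkey: str) -> str:
    """Return the SHA256 fingerprint of an OpenSSH public key line,
    in the form ssh-keygen prints (SHA256:<unpadded base64>)."""
    key_type, b64_blob = pubkey.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line is malformed or has been altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_github_keys(api_json: str, known: set) -> list:
    """Return (key id, fingerprint, recognised?) for each key GitHub lists."""
    report = []
    for entry in json.loads(api_json):
        fp = fingerprint(entry["key"])
        report.append((entry["id"], fp, fp in known))
    return report


def constructed_key(seed: int) -> str:
    """Build a well-formed ssh-ed25519 line from dummy bytes (sample data only)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed stand-in for the response from https://api.github.com/users/<user>/keys
MY_KEY, STRAY_KEY = constructed_key(1), constructed_key(2)
SAMPLE_RESPONSE = json.dumps([{"id": 101, "key": MY_KEY}, {"id": 102, "key": STRAY_KEY}])

if __name__ == "__main__":
    # In practice `known` holds the fingerprint ssh-keygen printed for your key.
    known = {fingerprint(MY_KEY)}
    for key_id, fp, ok in audit_github_keys(SAMPLE_RESPONSE, known):
        print(key_id, fp, "recognised" if ok else "NOT RECOGNISED: remove from GitHub before importing")
```

Any key reported as not recognised would also end up in ~/.ssh/authorized_keys on the Pi, so remove it from the GitHub account before running the import.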

Passwordless SSH access

When you authenticate to a server using public key authentication, the SSH client offers a copy of the public key to the server and the server then compares it against the keys listed in your ~/.ssh/authorized_keys file. This key was added automatically by the ssh-import-id-gh command. If the key matches, the server indicates that it is able to proceed with the authentication. The private key is then used to sign a message that includes data specific to the SSH session. The server can then use its copy of the public key to verify the signature.

We have just SSH’d to the Pi without a password prompt.

Special thanks

To Colin Vallance for sharing this tip.

Published by

Jiri Brejcha

Jiri is passionate about mobility ranging from Wi-Fi to folding bikes;-) He is a Wi-Fi Technical Solutions Architect at Cisco UK, proud member of the Cisco Live Network Operations Center deployment team, and WLAN Pi development team. If he is not working, he is most likely riding his Brompton bike.
