It’s 2015; last year I deprecated passwords on my friends-and-family hosted-web-content VM. My message was “Get ssh keys or get out”.

Of course some folks were dragging their feet on this. Come to discover that in at least some cases they were embarrassed to admit that they still use passwords for stuff here in the future. Cobbler’s children and all that.

I wrote up some instructions for an otherwise highly-clued friend who somehow had avoided having the syntax for ssh-keygen burned into the back of his eyelids. These instructions include how to generate the keys, how to use them, and how to convince his raspi to only allow login via ssh key (no passwords, though the account password is still useful for console login and/or sudo access).

From the command line prompt on a Mac or your Linux laptop or whatever (sorry, Windows is out of scope for me) run this:

ssh-keygen -b 2048 -t rsa -C me@example.com

me@example.com should be your real email address, “your full name”, or any other meaningful token for recipients of your public half - it’s truly a comment; it’s not baked into the key like an HMAC-based DNS update, so you can change it at any time with a text editor).

The result should be ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

Send me a copy of ~/.ssh/id_rsa.pub (as an attachment please; don’t cut and paste into email as text/quoted-plain makes getting it back out again a chore).

While you’re at it, put a copy of that .pub file on your raspi in ~pi/.ssh/authorized_keys. File mode on ~pi/.ssh should be 755; authorized_keys should be 644. Both should be owned by pi. sshd checks ownership and mode all the way down from root, so be careful about group-writable in /home or stuff like that (I think raspbian gets this right, but it’s cost me some wasted time in the past).

On your Pi, you should be able to add:

PasswordAuthentication no
KbdInteractiveAuthentication no

to /etc/ssh/sshd_config (search for both config options in the file and comment out if they’re already there - memory tells me that last instance “wins” in that config file format but I’ve only had one shot of espresso so far today). Reboot or restart sshd.

Now, ssh pi@mypi.local should prompt you for your ssh key password and let you in.

To test keys-only, try ssh joe@mypi.local. You should get:

merlot:~ rs$ ssh joe@192.0.2.1 
Permission denied (publickey). 
merlot:~ rs$

Still need a password on the pi account, so that sudo works.