Creating SSH Keys
In this tutorial you will learn how to generate SSH keys using PuTTYgen and how to launch PuTTY from a Windows batch file. Tested on Raspberry Pi 2 and Windows 7.
Downloads
You will need to download:
PuTTY and PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
WinPuttyHelper from https://github.com/VeggieVampire/WinPuttyHelper
Pre Key Setup on Server
Log in to your Pi using PuTTY.
Navigate into your account home directory.
Run
mkdir -p .ssh; touch .ssh/authorized_keys
Generate a New Key
Run PuTTYgen to generate a new key.
You need to select which type of key you want to generate, and also select the strength of the key.
Then press the Generate button, to actually generate the key.
Once you have generated the key, fill in the comment field and, if you want to type a passphrase every time (I don't), a passphrase. Without a passphrase, anyone who obtains the private key file can use it to log in.
Now you’re ready to save the private key to disk; press the Save private key button. (The file name should end in .ppk.)
Under Key you should see a lot of random-looking text. This is your public key.
Right-click it, choose "Select All", then "Copy" to copy it into your buffer.
Adding Key to Your Server
Log in to your server.
Navigate into your account home directory.
Once there, we are going to echo the key into your authorized_keys file.
Run
echo "YOUR VERY VERY LONG KEY THAT WAS IN YOUR BUFFER" >> .ssh/authorized_keys
Your key pair is now ready for use.
Log out of your server.
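The echo step above appends whatever was pasted, so a wrapped or wrong-format key is only noticed when the login fails. The following is an added example, not part of the original tutorial, that goes slightly further than the echo command: it checks that the pasted text is a single OpenSSH key line, sets the permissions sshd expects, and skips keys that are already installed. The function name add_authorized_key is hypothetical, only ssh-rsa and ssh-ed25519 keys are handled, and the key in the demo is constructed.

```sh
#!/bin/sh
# Added example (not from the tutorial): validate one OpenSSH public key line
# and install it idempotently with tight permissions.
# Usage: add_authorized_key "KEY LINE" [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
add_authorized_key() {
    key=$1
    dir=${2:-$HOME/.ssh}
    file=$dir/authorized_keys
    nl='
'
    # A wrapped paste, or the multi-line block from PuTTYgen's "Save public key"
    # button, is not valid in authorized_keys: each key must be one line.
    case $key in
        *"$nl"*) echo "rejected: key spans several lines" >&2; return 1 ;;
    esac

    ktype=${key%% *}      # first field: key type
    rest=${key#* }
    blob=${rest%% *}      # second field: base64 key data

    # The base64 data starts with the encoded key type, so the two must agree.
    case $ktype in
        ssh-rsa)     want=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) want=AAAAC3NzaC1lZDI1NTE5 ;;
        *) echo "rejected: unsupported key type '$ktype'" >&2; return 1 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "rejected: non-base64 key data" >&2; return 1 ;;
        "$want"*) ;;
        *) echo "rejected: key data does not match $ktype" >&2; return 1 ;;
    esac

    # sshd's StrictModes check refuses keys kept in group- or world-writable paths.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1

    # Append only if this key is not already present.
    grep -qF -- "$blob" "$file" || printf '%s\n' "$key" >> "$file"
}

# Demo against a throwaway directory; the key below is constructed, not real.
demo_dir=$(mktemp -d)
add_authorized_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleNotARealKey000000000000000 pi-demo" "$demo_dir/.ssh"
cat "$demo_dir/.ssh/authorized_keys"
rm -rf "$demo_dir"
```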
Optional: Set Up a One-Click Batch File to Log In
Open the WinPuttyHelper.rar file.
Copy post_login_cmds.txt & setup.bat
Run
setup.bat
After setup is completed, you can remove "-m post_login_cmds.txt" from the .bat file it generates, and it will log in automatically without logging out of your server.
Why is using SSH key more secure than using passwords?
SSH keys are long and complex, far more than any password could be. But they don't expire, and they sit on a disk where they can be stolen from. On the other hand, they don't get transmitted to the remote system (except key forwarding, use Sneakernet) which passwords need to be.
Passwords are generally, predictably, unavoidably weak. While it is possible to have strong passwords, time and again it has been shown that people will use weak passwords and have poor password practices... short, simple, word-based, simple patterns ("p@ssw0rd!"), write them down, use them on multiple sites, base them on their phone number, their children's birthdate, their own name. You point out that keys don't expire, but why do passwords expire? To ensure that a brute-force attack is less likely to crack a password before it's been replaced. Not an issue that impacts keys.
And, bad passwords aside, even "good" passwords are vulnerable to brute-force (online or offline) under the right conditions. They have to get transmitted to the other system, or to any other place that the user can be fooled into sending them by mistake.
The balance of evidence strongly suggests that passwords are weaker and keys are stronger.
- gowenfawr, http://security.stackexchange.com/questions/69407/why-is-using-ssh-key-more-secure-than-using-passwords
For more info please check out
https://www.raspberrypi.org/forums/viewtopic.php?f=49&t=133318