How to Setup SSH Keys on a Linux System


On September 9th, 2015 Chris L. asked…

Hello Matt and the Freedom Penguin staff! I have a question about generating RSA public and private keys under Linux. Is there a Linux/Open Source equivalent to PuTTYgen? A PuTTY GUI is available in Ubuntu GNOME 15.04 (what I am using), but is there a PuTTYgen GUI that I can install over the CLI? If not, can you give a short tutorial on how to do this in the command-line? Congratulations on the site, added to my favorites! I miss you on LAS, but I’m glad you are back with this awesome idea.

Chris (all the way from Japan)


Hi Chris!

Allow me to let you in on a little secret – I have never used PuTTY or PuTTYGen. All of my key generation has always been done in the Linux command line. Lucky for you my familiarity with the latter is going to help you overcome the former.

First, allow me to acknowledge that most documentation is convoluted. Despite interesting details being presented, often it comes across as a wall of text to Linux newcomers or those simply new to certain aspects of Linux.

On the client side, Ubuntu comes with the SSH client already installed. You can’t see it, because it’s not a GUI application. For the server (the remote computer you wish to SSH into), you’ll need to install the SSH server software.

The steps we’re going to be taking break down as follows:

1) Generate a key on your local machine.
2) Install OpenSSH Server on the remote machine.
3) Send the key to your remote machine.
4) Lock down the remote machine by removing password authentication.

Step #1 – From your local machine, you need to create RSA keys. This provides a private key for your local machine and a public one for your remote machine.

On your local machine, in a terminal:

mkdir ~/.ssh

If it already exists that’s great, let’s make sure the permissions are correct.

chmod 700 ~/.ssh
cd ~/.ssh

Now let’s create our keys.

ssh-keygen -t rsa

This will kick out the following cryptic tidbit:

Generating public/private rsa key pair.

Let’s give the keys a name like this.

Enter file in which to save the key: (/home/USER/.ssh/id_rsa): type-something-clever-here

Next, you’re going to want to provide a pass phrase to protect the private key that resides on your local machine. This isn’t to be confused with the SSH server password or anything related. The entire purpose of this pass phrase is to protect the private key on your local machine in case of theft.

Now if you get an error like the one below, try a longer pass phrase. To do this, type ssh-keygen -t rsa and redo the process.

Error example mentioned above:
passphrase too short: have 4 bytes, need > 4
Saving the key failed:

If everything went correctly, your ~/.ssh directory should now contain two files: somethingclever.pub (the public key) and somethingclever (the private key). To see the ~/.ssh directory in your file manager, browse to /home/USER/ and press Ctrl+h to make hidden directories visible.

Step #2 – If the remote machine is a desktop PC, you’ll likely need to sit in front of it and install OpenSSH server yourself. If it’s an Ubuntu Server provided by a web hosting company, however, you’re most likely already set to go. Here’s a tidbit no one ever talks about: if the remote machine is a desktop PC, the SSH password is your user’s password. The same applies to the server, with one difference: on a server you may be looking at a root user. Do NOT use the root user for SSH. It’s asking for trouble and completely unnecessary. Best to follow this guide (hat tip to Digital Ocean) and set up a regular user with sudo privileges instead.

Regardless of which type of remote machine it happens to be, let’s get OpenSSH Server installed next.

sudo apt-get install openssh-server

This will install the server component and start the service for you. If for any reason the ssh service isn’t running or you don’t see the sshd process, you can start the server manually. If you’re root, you can forgo the sudo for each command.

Ubuntu 15.04+

systemctl restart ssh

Ubuntu 14.04

service ssh restart

This will get the OpenSSH server running on your system. Now that we have the server running, we need to send the public key over to the remote machine from the local machine.

Step #3 – Now we need to send your public key to the remote machine. To do this, run the following command from the client machine. Because we gave the key a custom name in Step #1, the -i option tells ssh-copy-id which public key to send (without it, only keys with the default id_* names are picked up):

ssh-copy-id -i ~/.ssh/somethingclever.pub username@host

The host is going to be the local IP address for the remote machine. During this process, you will be prompted for a password – it will be the password for the remote machine.

Step #4 – At this point, SSH works to access the remote machine from the local one. The next step is to disable password authentication as it’s very insecure. With the public key installed on the remote machine, it’s time to allow it to handle the SSH authentication.

First, SSH into the remote machine, again naming the private key that belongs to the public key you just copied:

ssh -i ~/.ssh/somethingclever username@host

After entering your password again, go ahead and use the nano editor to edit your SSH config on the remote machine. Remember, if you’re NOT root, be sure to use sudo below.

nano /etc/ssh/sshd_config

Scroll down and look for #PasswordAuthentication yes
Next, change the entry accordingly:

#PasswordAuthentication yes

into this

PasswordAuthentication no

At this point, you’re ready to save the file. Type Ctrl-x. When prompted with “Save the modified buffer”, type the Y key. As it presents you with “File name to write”, just hit the enter key. This modifies your SSH configuration so that, once the SSH service is restarted, you will only be able to log in using your SSH key.

Final words of advice

I imagine this seems like a ton of information. After all, this is all keyboard and no GUI. But once you complete it you will be shocked at how simple it really is.

The only issue you might run into could be ufw blocking port 22 (both locally and potentially on the remote machine). Use ufw, but be aware that if you can’t connect, it’s either because you uploaded the public key to the wrong user, you’ve been trying to SSH to the wrong host IP, or port 22 is blocked somewhere. Another issue to consider is trying to SSH into a remote host with an encrypted home directory, or perhaps the remote machine’s ~/.ssh permissions are screwy. This would mean accessing the machine through other means and adjusting the permissions for the remote machine’s affected directory.

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
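As an added check for the Step #4 edit and the permission fix just above (example code written for this answer, not part of the original post), the script below reads an sshd_config and reports the PasswordAuthentication value sshd will actually use, and verifies the three chmod targets. It assumes a Linux box with GNU find and stat (as on Ubuntu); the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks for the SSH
# lockdown.  sshd honours the FIRST occurrence of a keyword, so an uncommented
# "PasswordAuthentication yes" left above your new "PasswordAuthentication no"
# silently wins and password logins stay enabled.

# Print the effective PasswordAuthentication value for a config read on stdin.
# Comments are stripped, the first match wins, and scanning stops at the first
# Match block (settings inside it are conditional).  The default is "yes".
effective_password_auth() {
    awk '
        { sub(/#.*/, "") }
        /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" && !found { val = tolower($2); found = 1 }
        END { print (found ? val : "yes") }
    '
}

# Check the permissions the chmod lines above set: home not group- or
# world-writable, ~/.ssh mode 700, ~/.ssh/authorized_keys mode 600.
# $1 is the home directory.  Returns 0 when all three are right and prints
# each problem otherwise.
check_ssh_perms() {
    home=$1; ok=0
    if [ -n "$(find "$home" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
        echo "$home is group- or world-writable (chmod go-w $home)"; ok=1
    fi
    if [ "$(stat -c %a "$home/.ssh" 2>/dev/null)" != "700" ]; then
        echo "$home/.ssh is not mode 700"; ok=1
    fi
    if [ "$(stat -c %a "$home/.ssh/authorized_keys" 2>/dev/null)" != "600" ]; then
        echo "$home/.ssh/authorized_keys is not mode 600"; ok=1
    fi
    return $ok
}

# Constructed sample configs (not real files from the post).
# Here the edit from Step #4 has no effect: the earlier "yes" line wins.
CONFIG_STILL_OPEN='# constructed sshd_config sample
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
'
# Here password logins are off for everyone except a Match-scoped exception.
CONFIG_LOCKED='# constructed sshd_config sample
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
'
```

On the remote machine, `sudo sshd -T | grep -i '^passwordauthentication'` prints the value the daemon will use after you restart it; keep your current session open and confirm a key login from a second terminal before closing it.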

I hope this is helpful and best of luck in your Linux SSH adventures!

Do you have Linux questions you’d like Matt to help with? Hit the link here and perhaps you too, can Just Ask Matt!

Schedule FiOS Router Reboots with a Pogoplug


There are few things in life more irritating than having your Internet go out. This is often caused by your router needing a reboot. Sadly, not all routers are created equal which complicates things a bit. At my home for example, we have FIOS Internet. My connection from my ONT to my FIOS router is through coaxial (coax cable). Why does this matter? Because if I was connected to CAT6 from my ONT, I could use the router of my choosing. Sadly a coaxial connection doesn’t easily afford me this opportunity.

So why don’t I just switch my FIOS over to CAT6 instead of using the coaxial cable? Because I have no interest in running the CAT6 throughout my home. This means I must get the most out of my ISP provided router as possible.

What is so awful about using the Actiontec router?

1) The Actiontec router overheats when using wifi and router duties.
2) This router has a small NAT table that means frequent rebooting is needed.

Thankfully, I’m pretty good at coming up with reliable solutions. To tackle the first issue, I simply turned off the wifi portion of the Actiontec router. This allowed me to connect to my own personal WiFi instead. As for the second problem, this was a bit trickier. Having tested the “Internet Only Bridge” approach for the Actiontec and watching it fail often, I finally settled on using my own personal router as a switch instead. It turned out to be far more reliable and I wasn’t having to mess with it every time my ISP renewed a new IP address. Trust me when I say I’m well aware of ALL of the options and this is what works best for me. Okay, moving on.

Automatic rebooting

As reliable as my current setup is, there is still the issue of the small NAT table with the Actiontec. Being the sort of person who likes simple, I usually just reboot the router when things start slowing down. It’s rarely needed, however getting to the box is a pain in the butt.

This led me on a mission: how can I automatically reboot my router without buying any extra hardware? I’m on a budget, so simply buying one of those IP-enabled remote power switches wasn’t something I was going to do. After all, if the thing stops working, I’m left with a useless brick.

Instead, I decided to build my own. Looking around in my “crap box”, I discovered two Pogoplugs I had forgotten about. These devices provide photo backup and sharing for the less tech savvy among us. All I needed to do was install Linux onto the Pogoplug device.

Why would someone choose a Pogoplug vs a Raspberry Pi? Easy, the Pogoplugs are “stupid cheap.” According to the current listings on Amazon, a Pi Model B+ is $32 and a Pi 2 will run $41 USD. Compare that to $10 for a new Pogoplug and it’s obvious which option makes the most sense. I’d much rather free up my Pi for other duties than merely managing my router’s ability to reboot itself.


Installing Debian onto the Pogoplug

I should point out that most of the tutorials regarding installing Debian (or any Linux distro) onto a Pogoplug are missing information, half-wrong and almost certain to brick the device. After extensive research I found a tutorial that provides complete, accurate information. Based on that research, I recommend using the tutorial for the Pogoplug v4 (both Series 4 and Mobile). If you try out the linked tutorial on other Pogoplug models you will “brick” the Pogoplug.

Getting started: When running the curl command (for dropbear), if you are getting errors – leave the box plugged in and Ethernet connected for at least an hour. If you continue to see the error: “pogoplug curl: (7) Failed to connect to”, then you need to contact Pogoplug to have them de-register the device.


If installing Debian on the Pogoplug sounds scary or you’ve already got a Raspberry Pi running Linux that you’re not using, then you’re ready for the next step.

Setting up your router reboot box

(Hat tip to Verizon Forums)

Important: After you’ve installed Debian onto your Pogoplug v4 (or set up your existing Raspberry Pi instead), you would be wise to consider setting up a common non-root user for casual SSH sessions. Even though this is behind your router’s firewall, you’re still running a Linux box as root with various open ports.

First up, login to your Actiontec MI424WR (or similar) FIOS router, browse to Advanced, click Yes to acknowledge the warning, then click on Local Administration on the bottom left. Check “Using Primary Telnet Port (23)” and hit Apply. This is for local administration only and is not to be confused with Remote Administration settings.

Go ahead and SSH into your newly tweaked Pogoplug. Next, you’re going to want to install a package called “expect.” Assuming you’re not running as root, we’ll be using “sudo” for this demonstration. I first discovered this concept on the Verizon forums last year. Even though it was scripted for a Pi, I found it also works great on the Pogoplug. SSH into your Pogoplug:

cd /home/non-root-username/
sudo apt-get install expect -y

Next, run nano in a terminal and paste in the following contents, editing any mention of /home/non-root-username/ and your router’s LAN IP address to match your personal details.

# Log into the Actiontec over local telnet and issue a reboot.
spawn telnet 192.168.1.1
expect "Username:"
send "admin\r"
expect "Password:"
# The router password sits here in plain text, so keep this file readable
# only by your own user (chmod 600 verizonrouterreboot.expect).
send "ACTUAL-ROUTER-password\r"
expect "Wireless Broadband Router> "
sleep 5
send "system reboot\r"
sleep 5
send "exit\r"
close
sleep 5
exit

Now name the file verizonrouterreboot.expect and save it. You’ll note that we’re saving this in your /home/non-root-username/ directory. You could call the file anything you like, but for the sake of consistency, I’m sticking with the file names as I have them.

The file we just created accesses the router via telnet (locally), then, using carriage returns (\r) to submit each line, logs into the router and reboots it. Clearly this file on its own would be annoying, since executing it just reboots your router. However, it does provide the executable for our next file so that we can automate when we want it to run.

Let’s open nano in the same directory and paste in the following contents:

#!/bin/bash
# Run the expect script and capture everything it prints (stdout and stderr).
# The redirections must be in this order: "2>&1 > file" would send stderr to
# the terminal instead of the log.
{
cd /home/non-root-username/
expect -f verizonrouterreboot.expect
echo "\r"
} > /home/non-root-username/verizonrouterreboot.log 2>&1
# Note: this line is written every run, whether or not the telnet session succeeded.
echo "Nightly Reboot Successful: $(date)" >> /home/non-root-username/successful.log
sleep 3
exit

Now save this file as verizonrouterreboot.sh so it can provide you with a log file and run your expect script.

As an added bonus, I’m going to also provide you with a script that will reboot the router if the Internet goes out or the router isn’t connecting with your ISP.

Once again, open up nano in the same directory and drop the following into it:

#!/bin/bash
# Send one ping to an OpenDNS resolver; if it fails, run the reboot script.
if ping -c 1 208.67.220.220
then
: # colon is the null command; bash requires a body here, so it does nothing on success
else
/home/non-root-username/verizonrouterreboot.sh
fi

Save this file as pingme.sh and it will make sure you’ll never have to go fishing for the power outlet ever again. This script is designed to ping an OpenDNS server on a set schedule (explained shortly). If the ping fails, it then runs the reboot script.

Before I wrap this up, there are two things that must still be done to make this work. First, we need to make sure these files can be executed.

chmod +x verizonrouterreboot.sh
chmod +x verizonrouterreboot.expect
chmod +x pingme.sh

Now that our scripts are executable, the next step is to schedule the scripts on their appropriate schedules. My recommendation is to schedule verizonrouterreboot.sh at a time when no one is using the computer, say at 4am. And I recommend running “pingme” every 30 minutes. After all, who wants to be without the Internet for more than 30 minutes? You can set up a cron job and then verify your schedule is set up correctly.
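As an added example (not the original post’s pingme.sh), the variant below guards against a flapping link rebooting the router on every half-hour cron run: it tries more than one target and refuses to reboot again within a cooldown. It assumes the post’s /home/non-root-username/ layout and verizonrouterreboot.sh; the crontab lines in the trailing comment schedule it and the nightly reboot as recommended above.

```shell
#!/bin/bash
# Added example, not the original post's pingme.sh: reboot only when every
# target fails AND no reboot happened within COOLDOWN seconds, so a flapping
# link cannot reboot the router on every 30-minute cron run.
# Assumes the post's layout: /home/non-root-username/verizonrouterreboot.sh

TARGETS="208.67.220.220 208.67.222.222"          # OpenDNS resolvers, as in the post
STATE_DIR=${STATE_DIR:-/home/non-root-username}
REBOOT_SCRIPT=${REBOOT_SCRIPT:-$STATE_DIR/verizonrouterreboot.sh}
COOLDOWN=${COOLDOWN:-3600}                        # seconds between reboots
STAMP="$STATE_DIR/last_reboot"                    # epoch time of the last reboot

internet_up() {
    # succeed as soon as any target answers a single probe within 5 seconds
    for host in $TARGETS; do
        ping -c 1 -W 5 "$host" >/dev/null 2>&1 && return 0
    done
    return 1
}

cooldown_elapsed() {
    # $1: stamp file, $2: current epoch seconds; true when a reboot is allowed
    [ -f "$1" ] || return 0
    read last < "$1"
    [ $(( $2 - last )) -ge "$COOLDOWN" ]
}

decide() {
    # $1: link state ("up" or "down"), $2: stamp file, $3: epoch seconds
    # prints the action so the policy can be tested without touching a router
    if [ "$1" = "up" ]; then
        echo ok
    elif cooldown_elapsed "$2" "$3"; then
        echo reboot
    else
        echo wait
    fi
}

main() {
    if internet_up; then state=up; else state=down; fi
    case $(decide "$state" "$STAMP" "$(date +%s)") in
        reboot) date +%s > "$STAMP"; "$REBOOT_SCRIPT" ;;
        wait)   echo "link down, but rebooted less than ${COOLDOWN}s ago; waiting" ;;
    esac
}

# Invoked from cron as "pingme.sh run"; loading the file any other way only
# defines the functions.  Suggested crontab entries (crontab -e), matching the
# schedule recommended above:
#   0 4 * * *    /home/non-root-username/verizonrouterreboot.sh
#   */30 * * * * /home/non-root-username/pingme.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```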

Are you a cable Internet user?

You are? That’s awesome! As luck would have it, I’m working on two different approaches for automatically rebooting cable modems. If you use a cable modem and would be interested in helping me test these techniques out, HIT THE COMMENTS and let’s put our heads together. Let me know if you’re willing to help me do some testing!

I need to be able to test both the “telnet method” and the “wget to url” method with your help. Ideally if both work, this will cover most cable modem types and reboot methods.

Recommended Linux Distro

On August 10th, 2015 Jory asked…

I’ve taken on Linux a few times, tried everything from Ubuntu to Mint, even tried setting up and running Gentoo on my own. In the end however, I always default back to Windows. I don’t know if it’s because I’m an avid gamer and installing games on Linux can be a pain or if it’s because researching problems I run into becomes overwhelming or what. But after reading a bunch of your articles on Datamation, especially the W10 Vs Linux one, I’m tempted to try it again….

My question would be, what do you recommend for distros? I’m a rather tech savvy person myself, I was a computer technician and an internet technician for 4 years, although I understand that hardware/software and fixing windows is a lot different than Linux and I think that’s where my problem lies. I’m all ears and looking for more advice from someone who seems to have an amazing understanding of the systems.

A new fan,

-Jory


Hi Jory,

I totally understand your frustration with trying to make the switch to Linux, while maintaining your sanity as well. Most of the time Linux issues receive a heavy-handed response when the same sort of issue with Windows is usually “allowed” by the masses. I know, I used to do this myself way back when.

With any luck, the following recommendations will help you along your way. First off, allow me to recommend my favorite Linux distribution – Ubuntu MATE.

Why Ubuntu MATE?

My main PC’s Linux distro is Ubuntu MATE 14.04. I found it to be stable to use and highly customizable. I also like the direction the distro is heading in with regard to adding new features. For example, the Ubuntu MATE 15.10 release will provide a new tool called Ubuntu MATE Welcome. This tool will provide a solid starting point where the new user can get needed applications, find support, and even have a place where they can get involved with the project. This is the distribution I recommend hands down.

Now the next consideration when trying out Linux is determining the compatibility of the hardware you’re running. While most things work just fine out of the box, every once in a while you may have issues with video/audio/wifi. Below, I’ll share some tips on how to tackle these challenges by providing the support forums with the information they need to be of assistance.

Getting help with potential hardware issues

Before I jump into this, remember the following: When asking for help, never post without being explicit about exactly what you did to get to the error and what hardware you have. Usually, the worst example is “my _____ doesn’t work.” Folks in the forums need to know what sort of hardware you’re dealing with. So if the issue is video related, then video card (model, brand) details are critical. Same applies for audio and wifi issues.

How do you know what hardware you’re running? From a command prompt (terminal), use the following tools to help determine what your hardware is. The following assumes you’re running an Ubuntu based distribution such as Ubuntu MATE.

Network card (even wifi):

sudo lshw -C network

Video card:

sudo lshw -C video

Motherboard:

sudo dmidecode -t 2

Various USB devices:

sudo lsusb

Note that with USB, sometimes the resulting names listed may seem different than the brand you have in front of you. For example, sometimes running lsusb only provides details that don’t make any sense. In the past, I’ve seen Ingram and Jing-Mold Enterprise Co., Ltd listed. Neither of these lsusb results mean anything to me.

However if I run this command instead:

sudo lsusb -v 2>/dev/null | grep -E '\<(Bus|iProduct|bDeviceClass|bDeviceProtocol)'

I’m presented with “iProduct” names: “Ingam” represents my USB Gaming Mouse and “Jing-Mold Enterprise Co., Ltd” represents my USB keyboard. This information is helpful as it identifies which items are hubs, keyboards and mice.

If using the command line isn’t for you, then you can install a program called CPU-G if you have a working Linux desktop environment on the PC in question. For Windows refugees, this will feel very familiar. It provides you with your CPU, Motherboard, RAM, and system details.

To install CPU-G, you’ll need to add the software repository so it can be installed and Ubuntu updates will keep it current with new releases.

In a terminal, paste in:

sudo add-apt-repository ppa:cpug-devs/ppa

(hit enter key, then paste)

sudo apt-get update && sudo apt-get install cpu-g -y

Once completed, CPU-G appears under Applications>System Tools.

Discovering and installing software

The next and perhaps biggest consideration for a new Linux user is software discovery. For Ubuntu MATE users, I recommend installing AppGrid. Some Linux users aren’t fans of it since its source code isn’t open source, however it’s by far easier to use than the alternatives I’ve tried in the past. It provides you with a visual source of software discovery, regardless of its software license.

Obviously, there are alternatives if the closed source nature rubs you the wrong way. You’re also welcome to install the Ubuntu Software Center. On Ubuntu MATE, if it’s not already installed, you can get it installed by pasting this into the terminal:

sudo apt-get install software-center

Starting with Ubuntu MATE 15.10, you’ll also have access to a tool called Ubuntu MATE Welcome (mentioned previously) which will help provide a solid launching point for applications most people might consider critical.

Bringing it all home

So Jory, that is a ton of information I dropped into your lap. And while it might seem overwhelming at first, it really breaks down into the following:

  • The importance of providing the correct hardware information.
  • Tools to discover and install software.
  • Which Linux distribution I recommend.

If you follow the advice above, I have no doubt that you’ll have a good time diving into Linux on the desktop and thoroughly enjoy the experience.

Before taking the next step and installing Linux onto your hard drive, remember this: run a live installation from a USB key first, since it won’t touch your hard drive. Test out playing audio, video and wireless networking. If you’re happy with the results, then you can look into installing it alongside Windows so you don’t have to give up any games.

Do you have Linux questions you’d like Matt to help with? Hit the link here and perhaps you too, can Just Ask Matt!

Transcribe Speech To Text With Linux And Google

Sometimes in life, you run into situations where turning a voice recording into a text document is necessary. Perhaps this is from an interview for a news publication or perhaps you need to transcribe a verbal lecture from school. On Windows and OS X, there are a number of software programs that can help with this. Yet for Linux users, the options feel a bit sparse by comparison.

Today’s tip will address this issue. In this tip, I’ll show you how to combine Google’s Web Speech API with the Linux sound management server, PulseAudio.

Ready to get started? Great, here’s what you’re going to do:

1) Install pavucontrol (PulseAudio Control). It’s available from most software repositories.

2) Open pavucontrol (PulseAudio Control), click into the Input Devices tab. At the bottom, set Show to Monitors. Select the monitor that reflects the audio device you’ll be listening from by clicking the box next to the padlock on the right side. In my case, this was the USB speakers.

3) Now go to the Output Devices tab and make sure the matching output device is selected by clicking the box next to the padlock on the right side. Leave this app open for troubleshooting.


4) Install/Open Chrome, browse to Google’s Web Speech API Demonstration page.

5) Now open up your audio player that will play the audio file. Get ready to play the audio file, but don’t hit play just yet.

6) Back on the API Demonstration page in Chrome, click on the microphone icon in the right center of the page.

7) Now in the audio player, hit play.

If everything went well, you should start seeing text appear on the Chrome page. If it isn’t working, re-check your settings. Another reason why it might not work is because of music or other noises in the background making voice audio difficult to detect.

Bonus fun: This also makes for a fun game of Mad Libs, by using a separate tab for YouTube podcasts. Some of the results are quite funny!