This tip describes how you can raise your security level by using public key authentication. It is written for Raspberry Pi SSH users, but applies to any Linux user (Raspbian is based on Debian). The client side presented is PuTTY on Windows.
The Raspberry Pi is a very capable device,
especially if you use it to control other hardware
such as home automation or robotics. The most convenient way to configure and use
a Raspberry Pi is to connect remotely through SSH and execute
commands. Because SSH gives full control over the whole device, this
connection should be as secure as possible.
By default, password authentication is enabled, but this is not the best option:
- Many users leave the default password in place.
- Passwords are vulnerable to brute-force and dictionary attacks.
- You have to remember your password.
My proposal is to use public key authentication and disable password authentication.
How Does It Work?
- Generate a public/private key pair on your local machine.
- Save your public key on the Raspberry Pi.
- Configure your SSH client to use the private key.
- Connect without any password.
- Authentication is based on the private key, but the private key itself is never sent over the network: the server issues a challenge, the client signs it with the private key, and the server verifies the signature with the stored public key (see asymmetric cryptography for details).
1. Reconfigure your Raspberry Pi
Let's start from a basic Raspberry Pi configuration:
- It is connected to the network
- It listens on port 22 (SSH enabled)
- It uses the default credentials (user: pi, password: raspberry)
2. Download the PuTTY Package
In this example, the client side is a
Windows machine. I will use the PuTTY package as the client
software. First, download the PuTTY package here.
3. Generate Key
After installation, navigate to the PuTTY
directory in your "Program Files" and run puttygen.exe. Set the key type
to "SSH-2 RSA" and the key length to more than 1024 bits; 1024-bit RSA is no
longer considered strong, so use at least 2048. I used 4096 as an example;
if you want to know more about key lengths read more here.
After entering the basic settings, click "Generate" and follow the
instructions shown by the application (it collects randomness from your mouse
movements over the blank area). Enter a passphrase before saving: PuTTYgen encrypts
the private key file with it, so a copied .ppk file is useless on its own, and
Pageant can hold the unlocked key for the session so you type it only once. Then save
your public and private keys in a private folder. Keeping the private key file
safe is essential; you can even store it in a TrueCrypt container.
4. Upload Public Key
The SSH daemon has to know the public keys
of all clients that are allowed to log in. Because of that, you have to copy your
public key to the Raspberry Pi. We can already connect through SSH, so
why not use SCP (Secure Copy)? The full PuTTY installation includes pscp.exe, an SCP client application. It will be used to send the public key to
the Raspberry Pi.
pscp <public_key_file_path> pi@<raspberry_pi_ip_address>:/home/pi/.ssh/x
You will be prompted for the password; after
entering it, the file is copied into the .ssh directory of the "pi" user (this
directory must already exist on the Raspberry Pi, otherwise pscp fails; create it
with mkdir -m 700 ~/.ssh). Switch to your Raspberry Pi and navigate to that directory.
Rename the "x" file to "authorized_keys", or merge it into that file if it already
exists (the new key goes on a new line). Make sure the public keys are saved in
OpenSSH format (one key per line):
ssh-rsa <public_key_value>= <key_name>
This is the text PuTTYgen shows in its "Public key for pasting into OpenSSH authorized_keys file" box. The file written by the "Save public key" button uses a different, multi-line format (starting with "---- BEGIN SSH2 PUBLIC KEY ----") which sshd does not understand, so if you uploaded that file, convert it to the one-line form. Finally, check ownership and permissions: the .ssh directory should be mode 700 and authorized_keys mode 600, both owned by pi; sshd ignores the file if it or the directory is writable by other users. After all this, you should have the public key generated in step 3 in the authorized_keys file under /home/pi/.ssh.
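Putting the Raspberry Pi side of steps 3 and 4 together, here is an added example (my own script, not part of the original tip) that converts a public key file saved by PuTTYgen into the single-line OpenSSH form, installs it into authorized_keys without duplicating it, and sets the permissions sshd expects. The file name x is the placeholder from the pscp command above, the ssh-rsa prefix assumes the SSH-2 RSA key type chosen in PuTTYgen, and the script needs only sh and awk, both present on Raspbian.

```shell
#!/bin/sh
# Added example, not from the original tip: install a PuTTYgen public key into
# ~/.ssh/authorized_keys on the Raspberry Pi in the one-key-per-line OpenSSH
# format that sshd reads, and set the permissions sshd checks (StrictModes).
# Usage: sh install_key.sh /home/pi/.ssh/x      (the file path is a placeholder)

# Convert the file written by PuTTYgen's "Save public key" button
# ("---- BEGIN SSH2 PUBLIC KEY ----" ... "---- END SSH2 PUBLIC KEY ----",
# RFC 4716) into one "ssh-rsa <base64> <comment>" line.  A file that already
# holds a single OpenSSH line is passed through unchanged.  The ssh-rsa prefix
# assumes the SSH-2 RSA key type selected in PuTTYgen above.
putty_to_openssh() {
    awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        inkey && /^Comment:/ {                # PuTTYgen quotes the comment
            c = $0; sub(/^Comment: */, "", c); gsub(/"/, "", c)
            comment = c; next
        }
        inkey && /:/ { next }                 # any other header line
        inkey        { b64 = b64 $0; next }   # base64 body lines, joined
        /^ssh-(rsa|ed25519|dss) |^ecdsa-sha2-/ { print }
        END {
            if (b64 != "")
                print "ssh-rsa " b64 (comment != "" ? " " comment : "")
        }
    ' "$1"
}

# Append one OpenSSH key line to authorized_keys, creating ~/.ssh with the
# right modes.  Idempotent: an identical key (type + blob, comment ignored)
# is not added twice.  sshd ignores authorized_keys entirely if the file or
# the .ssh directory is writable by other users, hence the chmod calls.
install_pubkey() {
    keyline=$1
    authkeys=${2:-$HOME/.ssh/authorized_keys}
    sshdir=$(dirname "$authkeys")

    # Accept only "<type> <base64>[ comment]"; anything else is not a key.
    case "$keyline" in
        "ssh-rsa "[A-Za-z0-9+/]* | "ssh-ed25519 "[A-Za-z0-9+/]* | "ecdsa-sha2-"*" "[A-Za-z0-9+/]*) ;;
        *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"

    # Compare on type + blob only, so the same key with another comment is
    # still recognised as already installed.
    blob=$(printf '%s\n' "$keyline" | awk '{ print $1, $2 }')
    if awk -v b="$blob" '(($1 " " $2) == b) { f = 1 } END { exit !f }' "$authkeys"; then
        return 0                            # already installed
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
}

# Command-line use: convert and install the file given as the first argument.
if [ "$#" -gt 0 ]; then
    install_pubkey "$(putty_to_openssh "$1")"
fi
```

Run it as the pi user on the Raspberry Pi against the file uploaded with pscp; if you pasted the one-line key from the PuTTYgen box into the file instead, the converter leaves it as it is and only the permission and duplicate checks apply.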
5. Configure SSH Daemon
SSH is still configured to use password authentication, so let's change that. First, a safety check: keep your current session open and log in from a second PuTTY window using the private key (the client setup is described in step 6). Only when that works without a password should you disable password authentication; otherwise a mistake in the key setup locks you out of the device. Now navigate to the sshd configuration file:
Open it in your text editor and modify the flags to the following values:
After that, restart the SSH daemon:
sudo service ssh restart
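As an added example for this step (my own script, not the original tip's instructions), the following rewrites the authentication directives of an sshd_config into a copy, so the result can be syntax-checked with sshd -t before it replaces the live file. The path /etc/ssh/sshd_config is the one Debian and Raspbian's openssh-server reads; the directive names are standard OpenSSH ones of the era (ChallengeResponseAuthentication was later renamed KbdInteractiveAuthentication), and the sample config in the usage comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original tip: switch sshd from password to
# key-only authentication by rewriting the directives in a copy of
# sshd_config, so the result can be checked before it goes live.
# Usage on the Pi (the path is the one Debian/Raspbian's openssh-server reads):
#   sudo sh harden_sshd.sh /etc/ssh/sshd_config /etc/ssh/sshd_config.new
#   sudo /usr/sbin/sshd -t -f /etc/ssh/sshd_config.new   # syntax check
#   sudo mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
#   sudo service ssh restart

# set_directive FILE KEY VALUE
# Prints FILE with every global occurrence of KEY (active or commented out,
# case-insensitive, as sshd treats directive names) replaced by "KEY VALUE",
# adding the line if KEY was absent.  Lines from the first "Match" block
# onwards are left untouched, because directives there apply only to the
# matched users or hosts.
set_directive() {
    awk -v key="$2" -v val="$3" '
        BEGIN { re = "^[ \t#]*" tolower(key) "([ \t]|$)" }
        tolower($0) ~ /^[ \t]*match([ \t]|$)/ && !inmatch {
            if (!done) print key " " val      # add before the Match section
            done = 1; inmatch = 1
        }
        !inmatch && tolower($0) ~ re {
            if (!done) { print key " " val; done = 1 }
            next                              # drop duplicates and old comments
        }
        { print }
        END { if (!done) print key " " val }
    ' "$1"
}

# get_directive FILE KEY: effective global value, empty if sshd's default applies.
get_directive() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        tolower($0) ~ /^[ \t]*match([ \t]|$)/ { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# harden_sshd_config IN OUT: write IN to OUT with key-only authentication.
# PubkeyAuthentication stays on, passwords and the keyboard-interactive
# (PAM) fallback go off, and empty passwords are refused for good measure.
harden_sshd_config() {
    work=$(mktemp)
    cp "$1" "$work"
    for kv in "PubkeyAuthentication yes" \
              "PasswordAuthentication no" \
              "ChallengeResponseAuthentication no" \
              "PermitEmptyPasswords no"
    do
        set_directive "$work" "${kv%% *}" "${kv#* }" > "$work.new"
        mv "$work.new" "$work"
    done
    mv "$work" "$2"
}

if [ "$#" -eq 2 ]; then
    harden_sshd_config "$1" "$2"
fi
```

Do not close your existing PuTTY session after the restart: open a second session with the private key and confirm it logs in without a password first. If the key is rejected, the still-open session lets you revert the config instead of leaving you locked out.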
6. Configure PuTTY Client
Navigate to the PuTTY directory in your
"Program Files" and run putty.exe. PuTTY lets you save connection
configurations; to use this, fill in:
- the Raspberry Pi IP address on the first (Session) screen
- a session name on the first screen
- the private key file on the Connection/SSH/Auth screen
- optionally "pi" as the auto-login username on the Connection/Data screen, so you are not asked for it
Finally, click "Save" on the first screen and enjoy a secure connection.
- 03.05.2013 - Published on mpolaczyk.pl
- 29.05.2013 - Published on CodeProject