Raspberry Pi - SSH Public Key Authentication

Introduction

This tip describes how you can increase your security level by using public key authentication. The tip is dedicated to Rapsberry Pi SSH users, but can be used by any Linux user (Raspbian is based on Debian). The client side presented is Windows Putty.

Raspberry Pi is a very powerful device, especially if you are going to use it to control some other hardware like home automation or robotics. The best way to configure and use Raspberry Pi is to connect remotely through SSH and execute some commands. Because SSH allows to take control over the whole device – this connection should be as secure as possible.

Basically, there is password authentication enabled, but this is not the best option:

• Many users leave default password.
• Passwords are vulnerable for brute force and dictionary attacks.
• You have to remember your password.

My proposal is to use public key authentication and disable password authentication.

How Does It Work?

1. Generate public and private key pair on your local machine.
2. Save your public key on Raspberry Pi.
3. Configure your SSH client to use private key.
4. Connect without any password.
5. Authentication is based on private key, but it is never sent through the network (see more asymmetric cryptography).

Background

• Public Key Cryptography
• SSH
• Original article

How To

1. Reconfigure your Raspberry Pi

Let's start from the point where you have basic Raspberry Pi configuration:

• Is connected to network
• Listens on port 22 (SSH enabled)
• Uses default credentials (user:pi, password:raspberry)

2. Download Putty Package

In this example, client side is based on Windows operating system. I will use Putty package as a client side software. Firstly, you have to download Putty package here.

3. Generate Key

After installation, navigate to Putty directory in your “Program Files”. Execute puttygen.exe. Configure key to “SSH2 RSA” and set key length to value greater than 1024 bits. I’ve used value of 4096 just for an example, if you want to know more about key lengths read more here. After entering basic settings, click “Generate” and follow the instructions presented by an application. After key generation, save your public and private keys in your private folder. It’s important to keep private key file safe, you can even use TrueCrypt safe container.

4. Upload Public Key

SSH daemon have to know all public keys of clients that will be entered. Because of that, you have to copy your public key to Raspberry Pi. We have the ability to connect through SSH, so why not to use SCP (Secure Copy) ? Full Putty installation has pscp.exe which is SCP client application. It will be used to send public key to the Raspberry Pi.

pscp <public_key_file_path> pi@<raspberry_pi_ip_address>:/home/pi/.ssh/x

You will be prompted for a password, after entering it file will be copied to private directory of “pi” user. Switch to your Raspberry Pi and navigate to home directory. Change name of “x” file to “authorized_keys”, or merge them if it already exists (text in new line). Make sure that public keys are saved in format (one key per line):

ssh-rsa <public_key_value>= <key_name>

After all, you should have public key generated in step 3, in file:

/home/pi/.ssh/authorized_keys

5. Configure SSH Daemon

SSH is still configured to use password authentication, let’s change it. Navigate to the following file:

/etc/ssh/sshd_config

Open it in your text editor and modify flags to the following values:

PermitRootLogin no
PasswordAuthentication no

After all, restart SSH daemon.

sudo service ssh restart

6. Configure Putty Client

Navigate to Putty directory in your “Program Files” and execute putty.exe. Putty allows to save connection configuration, to use this you have to fill:

• Raspberry Pi IP address on first screen
• Name of session on first screen
• Private key file on Connection/SSH/Auth screen

After all, click “Save” on first screen and enjoy safe connection.

History

• 03.05.2013 - Published on mpolaczyk.pl
• 29.05.2013 - Published on CodeProject