How to setup SSH Keys on the Raspberry Pi
About: SSH Keys are a secure way of connecting to a server without needing a password. The way it works is a private and public set of keys are generated and the private key is held on our main computer and the public key is put on the server, in this case it would be our Raspberry Pi. The keys generated are a minimum of 512-bits with 1024-bits being the default. The recommended bits to use for a server are 2048-bits but you can go up to 4096-bits.
SSH Keys allow you to login to your server without a password and the client and server will use these keys to authenticate the client allowing it access. This is safer because it prevents brute-force attacks. You can however add a passphrase to your key, meaning that you would need to have a private key as well as a passphrase to connect to the server. Adding a passphrase would really lock-down our server and make it virtually impossible to connect into without the SSH key and passphrase.
Objective: To generate and setup SSH Keys between a client and Raspberry Pi server
Material: You will need the following:
- Raspberry Pi (Click the link to check out the price on Amazon. Usually around $37 with free shipping)
Instructions: First we will start off by generating the SSH key on our main computer that we will be using to connect to our Raspberry Pi. I will assume you are using a Linux based computer. Look up how to generate SSH keys on Windows or MAC if that’s what you are using. I am using Linux Mint so this tutorial will show you how to generate SSH keys using Linux. Start off by opening the terminal on your computer.
Type the following command to generate a SSH key. We will be generating a SSH Key with 2048-bits using the RSA protocol version 2:
ssh-keygen -b 2048 -t rsa
Once you type that command in you should be prompted where you would like to save the keys. Simply hit enter to save the keys in the default location. After that you should get one more question asking you to enter a passphrase. If you do not want to enter a passphrase simply hit enter or enter in your new passphrase.
Entering a passphrase is simply up to you. It will improve your servers security because a hacker would need to steal your private SSH Key first as well as the passphrase. The downside is that you would need to enter in your passphrase every time you connect to your server. This may not be a big deal if you don’t login to your server often, however, if you do lose or forget your passphrase there is no way to recover it remotely. Assuming your server is headless you would need to hookup a monitor and keyboard and generate new keys locally and replace your current keys or delete them..
Your SSH Keys should now be located in ~/.ssh. You can view your key files with the following command:
You should see 2 files located here:
id_rsa.pub : This is your public key and will be transferred to your server.
id_rsa : This is your private key which will remain on your main computer you will be using to connect to your server.
Now go ahead and SSH to your Raspberry Pi and run the following commands to create a ‘.ssh’ folder and an ‘authorized_keys’ file:
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys
The mkdir command will create a directory called ‘.ssh’ followed by the cd command to change our directory into the one we just created. We will then use the touch command to create an ‘authorized_keys’ followed by changing the permissions of the files we just created.
Go back to your main computer and type the following command to transfer the public RSA key to the Raspberry Pi. We will be transferring the data from the key into the authorized_keys file we created on the Raspberry Pi earlier:
cat ~/.ssh/id_rsa.pub | ssh -p 22 email@example.com 'cat >>.ssh/authorized_keys'
Note that you will need to change the IP address to match the IP address of your server. Also if you changed your SSH port number you can change the default 22 port number to whatever port number you are using for your server. You will be asked for your password one last time but once you run this command your computer and Raspberry Pi will be linked and you will never have to use your password again, you will have to enter in the passphrase if you chose to use one earlier.
Make sure you are able to login without using a password and you should be complete. For extra security you can remove Password Authentication from the Raspberry Pi. This will disable logging in with a password for any user over SSH. It is important you can login using your keys before disabling Password Authentication.
Removing the Password Authentication is not required but will improve security a step further. If you choose to do this step login to your Raspberry Pi and run the following command to edit the SSH configuration file:
Look for the line that says ‘#PasswordAuthentication yes’. We will need to uncomment this line by removing the # and then changing the yes to no. Save this file by hitting CTRL+X followed by Y for yes.
Now just restart the SSH service with the following command:
sudo /etc/init.d/ssh restart
You should now be able to login to your server using SSH keys. If you have any comments or concerns please let me know in the comments below.