I am sure you know that the usual authentication method is password based.
If you change to public key authentication, you can avoid spoofing, because only the person who has the private key can log in!
– Unless, of course, the private key is stolen.
Let me show you how to switch to public key based authentication.
Creating a key pair and deploying it
First of all, log in to the machine you want to log in to the Raspberry Pi from.
– In my case I logged in to my Chromebook.
Run the command below.
    # Creating keypair which consists public key and private key
    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/yasu/.ssh/id_rsa): (Enter)
    Enter passphrase (empty for no passphrase): (Passphrase and enter)
    Enter same passphrase again: (the same passphrase and enter)
    Your identification has been saved in /home/yasu/.ssh/id_rsa.
    Your public key has been saved in /home/yasu/.ssh/id_rsa.pub.
    The key fingerprint is:
    (snip)
A passphrase is not mandatory, but I recommend one because it strengthens security.
Next, send the public key to the Raspberry Pi.
    # Sending public key with scp command
    # scp <file path to send> <user name>@<Raspberry Pi IP address or host name>:<file path where you want to send>
    $ scp .ssh/id_rsa.pub yasu@192.168.1.123:/home/yasu/
    yasu@192.168.1.123's password:
    id_rsa.pub
To make sure it arrived, I confirm with the ls command on the Raspberry Pi.
    $ ls -l
    total 4
    -rw-r--r-- 1 yasu yasu 394 Nov 11 13:39 id_rsa.pub
This public key has to be registered with openssh.
To do that, run these commands.
    # Creating the .ssh directory if it does not exist yet
    $ mkdir -p .ssh
    # Moving public key to .ssh directory
    $ mv id_rsa.pub .ssh/
    # Concatenating to authorized_keys
    $ chmod 700 .ssh
    $ cat .ssh/id_rsa.pub >> .ssh/authorized_keys
    $ chmod 600 .ssh/authorized_keys
    # Original public key can be removed
    $ rm .ssh/id_rsa.pub
Added 05/30/2022
If the .ssh directory is owned by root, the above shell script fails with "Permission denied". If you face this error, you need to change the owner with this command.
    sudo chown -R yasu:yasu /home/yasu/.ssh/
* yasu should be replaced with your user name.
Configuring openssh
In this section let’s change the openssh configuration.
    # Modifying openssh setting file
    $ sudo vim /etc/ssh/sshd_config
    # Change port number
    Port 12345
    # Denying root login
    PermitRootLogin no
    # Denying empty password
    PermitEmptyPasswords no

    # Restarting openssh (on Raspberry Pi OS the service is named ssh)
    $ sudo service ssh restart
Now, if everything is fine, you can log in with the private key.
Let’s verify it.
If you succeed in logging in after entering the passphrase, it is OK.
    $ ssh yasu@192.168.1.123 -p 12345
    Enter passphrase for key '/home/yasu/.ssh/id_rsa':
Lastly, deactivate password authentication.
Before you do, please be sure you can log in with the private key.
If this is not the case, you can never log in unless you connect a display and keyboard to the Raspberry Pi!
    $ sudo vim /etc/ssh/sshd_config
    PasswordAuthentication no

    # Restarting openssh (on Raspberry Pi OS the service is named ssh)
    $ sudo service ssh restart
After this, if you can still log in with the private key, you made it!
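To double-check the result on the Raspberry Pi, the script below reads back what the configuration file actually says and verifies the 700/600 permissions set earlier. It is an added example, not part of the original article; the helper names sshd_value, audit_sshd and audit_perms are made up here, and it assumes a single sshd_config file (Include files and Match blocks are not evaluated).

```shell
#!/bin/sh
# Added example, not from the original article. Helper names are hypothetical.
# Assumption: one plain sshd_config file; Include files are not followed and
# everything from the first "Match" line on is ignored.

# Print the value sshd would use for KEYWORD: the first occurrence wins,
# keywords are case-insensitive, and "Keyword=value" is also accepted.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -F '[ \t=]+' -v want="$2" '
        { sub(/^[ \t]+/, "") }              # drop leading indentation
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Check the three settings from this article. A keyword that is missing is
# reported as FAIL (a choice of this example) so the file states them explicitly.
audit_sshd() {  # usage: audit_sshd FILE ; returns 0 only if every check passes
    rc=0
    for pair in passwordauthentication:no permitrootlogin:no permitemptypasswords:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Check the modes set with chmod earlier: 700 on .ssh, 600 on authorized_keys.
audit_perms() {  # usage: audit_perms HOME_DIR
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
        [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Typical call on the Raspberry Pi:
#   audit_sshd /etc/ssh/sshd_config && audit_perms "$HOME"
```

A commented-out `#PasswordAuthentication no` followed by `PasswordAuthentication yes` is reported as FAIL, which is the mistake most likely to leave password login enabled.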
Conclusion
How was it?
There is a risk that a password will be stolen, but a private key is hardly ever stolen!
In the article below I walk through each step of setting up nextcloud on Raspberry Pi 4!
You might be interested in it too!