How to switch SSH login method from password to public key authentication? 

Raspberry Pi
Reading Time: 2 minutes



I am sure you know usual authentication is password base.
If you change to public key authentication, you can avoid spoofing because only the person who has private key can login!
– Of course unless private key is stolen.

Let me show how to change public key based authentication.

Creating key pair and deploy

 First of all, login the machine you want to login Raspberry Pi from.
– In my case I logged in Chromebook.

Let’s do below command.

# Creating keypair which consists public key and private key
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yasu/.ssh/id_rsa): (Enter)
Enter passphrase (empty for no passphrase): (Passphrase and enter)
Enter same passphrase again: (the same passphrase and enter)
Your identification has been saved in /home/yasu/.ssh/id_rsa.
Your public key has been saved in /home/yasu/.ssh/id_rsa.pub.
The key fingerprint is:
(snip)



Passphrase is not mandatory but I recommend because it strengthens security.

Next send public key to Raspberry Pi.

# Sending public key with scp command
# scp <file path to send> <user name>@<Raspberry Pi IP address or host name>:<file path where you want to send>
scp .ssh/id_rsa.pub yasu@192.168.1.123:/home/yasu/
yasu@192.168.1.123's password:
id_rsa.pub



To make sure I confirm by ls command.

$ ls -l
total 4
-rw-r--r-- 1 yasu yasu 394 Nov 11 13:39 id_rsa.pub



This public key should be recognized by openssh.
To do it let’s perform these commands.

# Moving public key to .ssh directory
$ mv id_rsa.pub .ssh/
# Concatenating to authorized_keys
$ chmod 700 .ssh
$ cat .ssh/id_rsa.pub >> .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
# Original public key can be removed
$ rm .ssh/id_rsa.pub
Added 05/30/2022
If .ssh directory is owned root, above shell script fails with "Permission denied".
If you face this error you need to change owner by this command.
sudo chown -R yasu:yasu /home/yasu/.ssh/
* yasu should be replaced your user name.

Configuring openssh

In this section let’s change openssh configuration.

# Modifying openssh setting file
$ sudo vim /etc/ssh/sshd_config
Port 12345 # Change port number
PermitRootLogin no # Denying root login
PermitEmptyPasswords no # Denying empty password

# restarting openssh
$ sudo service openssh restart



Now if everything is fine you can login by private key.
Let’s verify it.
If you succeed to login after entering password, it is OK.

$ ssh yasu@192.168.1.123 -p 12345
Enter passphrase for key '/home/yasu/.ssh/id_rsa':



Lastly deactivate password authentication.
Please be sure you can login by private key.
If this is not case, you can never login unless you connect display and keyboard to Raspberry Pi!

$ sudo vim /etc/ssh/sshd_config
PasswordAuthentication no

# Restarting openssh
$ sudo service openssh restart



After this if you can login by private key, you made it!

Conclusion

 How was it?

There may be risk password will be stolen, but private key is hardly stolen!



In below article I introduce each step how to establish nextcloud on Raspberry Pi 4!
You should be interested in it too!

Comments

タイトルとURLをコピーしました