You can use SSH over the Internet by opening a port in your router configuration, just as demonstrated in the Synchronizing files over the Internet recipe. When doing so, your Banana Pi's SSH server is reachable from the Internet, which means that anyone can attempt to log in to your Banana Pi. This is especially risky if you have not changed the default password.
There are several methods to improve the security of your SSH server on the Internet. The three most used methods are:

- Generating SSH keys and disabling the password login
- Setting PermitRootLogin to no in the /etc/ssh/sshd_config file

In this recipe, we are going to present the second method: we generate SSH keys and disable the password login. This enhances the security of your SSH server so that you can use SSH to reach your Banana Pi over the Internet.
The following ingredients are required on your Banana Pi:
You will have to generate an SSH key pair on your SSH client. Afterwards, we store the generated public key on the Banana Pi so that the SSH server recognizes it. Once key authentication is configured on both the Banana Pi and the client, we can disable the SSH password login.
On Windows, you can use the tool PuTTYGen to generate an SSH key pair. The PuTTYGen utility is packed within the putty.zip we presented in Chapter 2, Administration. Let's see how this can be done:

1. Open the PuTTYGen.exe file.
2. Generate a new key pair, give it a comment such as bananapi, and protect it with a passphrase.
3. Save the private key as private.ppk.
4. Copy the generated public key text; it has to be stored in /home/bananapi/.ssh/authorized_keys on your Banana Pi.
5. Connect to your Banana Pi and create the ~/.ssh directory, if it does not exist right now, and set access permissions for the current user only:
    $ mkdir ~/.ssh
    $ chmod 700 ~/.ssh
6. Open the ~/.ssh/authorized_keys file using an editor like nano:
    $ nano /home/bananapi/.ssh/authorized_keys
7. Paste the public key into ~/.ssh/authorized_keys and save the file using nano.
8. Close the connection with the exit command.

The public key generated from PuTTYGen is now an authorized key. This means you can connect using your private key and your passphrase from now on. Configure PuTTY to use the private key as the authentication method by following these steps:

1. In the PuTTY settings, select the private.ppk key file you generated previously.
2. Open the session and log in as the user bananapi.

You are logged in successfully using the more secure SSH key authentication.
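The authorized_keys steps above are done by hand. The following shell function, added here as an example and not part of the original recipe, performs the same installation the way ssh-copy-id does: it creates the directory with the permissions sshd requires, refuses input that is not an OpenSSH public key line, and does not add the same key twice. The file path and the key line are passed as arguments (assumed names); the key material in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the recipe): install a public key into
# authorized_keys the way ssh-copy-id does, without duplicates and
# with the permissions sshd expects. Arguments are assumed:
#   $1 = path of the authorized_keys file, $2 = the public key line.
set -eu

add_authorized_key() {
    keyfile="$1"
    pubkey="$2"
    keydir=$(dirname "$keyfile")

    # A key line looks like "<type> <base64 key> [comment]"; anything
    # else (a pasted PuTTY "---- BEGIN SSH2 PUBLIC KEY ----" header,
    # an empty clipboard) is refused instead of being written.
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 1 ;;
    esac

    # ~/.ssh must be 0700 and authorized_keys 0600: with the default
    # StrictModes yes, sshd ignores the file if it or the directory is
    # writable by others, and key login silently falls back to password.
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Compare key type and key material only, so the same key with a
    # different comment (e.g. "bananapi" vs. "laptop") is not added twice.
    keymat=$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')
    if awk '{ print $1, $2 }' "$keyfile" | grep -qxF "$keymat"; then
        echo "key already present in $keyfile"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
    echo "key added to $keyfile"
}
```

Call it on the Banana Pi as `add_authorized_key ~/.ssh/authorized_keys "ssh-rsa AAAA... bananapi"` with the public key text copied from PuTTYGen.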
On Linux systems, you can use the ssh-keygen tool to generate a key pair:

1. Generate a new RSA key pair:
    $ ssh-keygen -t rsa
2. Answer the prompts and protect the key with a passphrase; the Banana Pi user in this recipe is bananapi. Your private key is stored under ~/.ssh/id_rsa and your public key is stored under ~/.ssh/id_rsa.pub.
3. Copy the public key to the Banana Pi using the ssh-copy-id command:
    $ ssh-copy-id bananapi@lemaker
4. Use the -i (identity) parameter to start an SSH connection using your private key:
    $ ssh -i ~/.ssh/id_rsa bananapi@lemaker

You are logged in successfully using the more secure SSH key authentication. On your client computer, you can now configure the used private key by appending an IdentityFile option to your host configuration in ~/.ssh/config:

    Host lemaker
        HostName lemaker
        User bananapi
        IdentityFile ~/.ssh/id_rsa
Once we are able to log in to the Banana Pi via the SSH key authentication, we can disable the password login.

Make sure that you are able to log in via your private key; otherwise, you may lock yourself out. In this case, you have to turn off your Banana Pi, insert the SD card into a Linux computer, and restore the default sshd_config file on the SD card. Therefore, we create a backup of the default file in the following steps:

1. Create a backup of /etc/ssh/sshd_config:
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
2. Open /etc/ssh/sshd_config:
    $ sudo nano /etc/ssh/sshd_config
3. Search for the PasswordAuthentication option: in nano, press Ctrl+W, type PasswordAuthentication into the search field, and hit Enter.
4. Uncomment the PasswordAuthentication option (remove the leading # character) and change the value to no. It should look as shown in the next screenshot:
    PasswordAuthentication no
5. Save the file and restart the SSH server:
    $ sudo /etc/init.d/ssh restart
6. Close the connection with the exit command.

You should now be able to log in using your private key as the authentication method only. You can test it by forcing a password login on your Linux computer or by removing the private key file in your PuTTY settings, for example:

1. Disable public key authentication for a single connection using the -o (option) parameter:
    $ ssh -o PubkeyAuthentication=no bananapi@lemaker
2. The server refuses the login with Permission denied (publickey).
3. Log in with your private key again:
    $ ssh -i ~/.ssh/id_rsa bananapi@lemaker

You have successfully enhanced security by enabling the SSH key authentication.
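The sshd_config edit above is the step where a typo or a missed commented-out line locks you out. As an added example (not from the original recipe), this shell script makes the same PasswordAuthentication change with a backup, removes both the active and the commented copies of the option, and lets sshd validate the file before the service is restarted. The file path, option name and value are arguments; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the recipe): change one sshd_config option
# with a backup and a syntax check before sshd is restarted, so a typo
# in the file cannot lock you out. Arguments are assumed:
#   $1 = path to sshd_config, $2 = option name, $3 = new value.
set -eu

# Rewrite the top-level value of an option. Every existing line for it,
# active ("PasswordAuthentication yes") or commented out
# ("#PasswordAuthentication yes"), is removed and one new line is
# written before the first "Match" block: sshd uses the first value it
# reads, and settings inside a Match block must be left alone.
set_sshd_option() {
    cfg="$1"; opt="$2"; val="$3"
    cp -p "$cfg" "$cfg.backup"   # the backup the recipe makes by hand
    awk -v opt="$opt" -v val="$val" '
        function name(l) {
            sub(/^[ \t]*#?[ \t]*/, "", l)
            split(l, f, /[ \t]+/)
            return tolower(f[1])
        }
        /^[ \t]*Match[ \t]/ && !done { print opt " " val; done = 1 }
        !done && name($0) == tolower(opt) { next }
        { print }
        END { if (!done) print opt " " val }
    ' "$cfg.backup" > "$cfg"
}

# Effective top-level value of an option (first uncommented assignment
# before any Match block), used to verify the edit.
get_sshd_option() {
    awk -v opt="$2" '
        /^[ \t]*Match[ \t]/ { exit }
        /^[ \t]*#/ { next }
        tolower($1) == tolower(opt) { print $2; exit }
    ' "$1"
}

# Let sshd itself parse the rewritten file and roll back on error; only
# restart the service (sudo /etc/init.d/ssh restart) after this succeeds.
apply_sshd_option() {
    set_sshd_option "$1" "$2" "$3"
    if ! sshd -t -f "$1"; then
        echo "sshd rejected $1, restoring backup" >&2
        cp -p "$1.backup" "$1"
        return 1
    fi
}
```

On the Banana Pi, run `apply_sshd_option /etc/ssh/sshd_config PasswordAuthentication no` as root (sshd -t needs to read the host keys) and restart the SSH server only if it returns successfully.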
In this recipe, we enabled the SSH authentication via an SSH key pair. A key pair consists of a public key and a private key (similar to the key pair we created for the SSL certificate). The client's public key can be stored on multiple SSH servers. The private key will remain on the client's machine.
When a client connects to the SSH server using its private key, the server checks whether the matching public key is stored on the server; only then can the client prove possession of the private key. Before the key can be used, the user has to enter the passphrase of the private key to unlock it.
The passphrase provides optional additional security. Imagine an attacker gaining access to your private key file. If you had no passphrase on your key file, the attacker could log in to your Banana Pi by just using that stolen private key. However, as we secured our private key with the passphrase, the attacker must have both your private key file and your passphrase to unlock it.
The private and public keys are generated by utilities such as PuTTYGen on Windows or ssh-keygen on Linux. You can store your public key on every SSH server that you have access to and log in via your private key. The private key, however, should be stored safely on your client's computer.
To log in via the SSH key authentication mechanism, you have to tell your SSH client (that is, PuTTY or the ssh command) to use a private key file (the identity file). In PuTTY, you have to select the private key in the settings. The ssh command on Linux can take the -i (identity) parameter or use a host configuration in ~/.ssh/config.
Once we are able to log in via our SSH keys, we can disable the SSH password login completely. When this is done, you can safely establish a port forwarding in your router to the Banana Pi and log in from the Internet. Keep in mind that you will need to have your private key to log in.
If you want to add another public key later, you can only do so after logging in with a previously permitted private key.