Key-based authentication

By using a public-private key pair to authenticate a client to an SSH server (Raspberry Pi), we can secure our Raspberry Pi from hackers. To enable key-based authentication, we first need to generate a public-private key pair using a tool such as PuTTYgen on Windows or ssh-keygen on Linux. Note that the key pair should be generated on the client and not on the Raspberry Pi. For our purpose, we will use PuTTYgen to generate the key pair. Download PuTTY from the following web link:

https://www.putty.org/

Note that PuTTYgen comes with PuTTY, so you need not install it separately.

Open the PuTTYgen client and click on Generate, as shown in Figure 10.9:

Figure 10.9

Next, we need to hover the mouse over the blank area to generate the key, as highlighted in Figure 10.10:

Figure 10.10

Once the key generation process is complete, there will be an option to save the public and private keys separately for later use, as shown in Figure 10.11—ensure you keep your private key safe and secure:

Figure 10.11

Let's name the public key file rpi_pubkey and the private key file rpi_privkey.ppk, and transfer the public key file rpi_pubkey from our system to the Raspberry Pi.

Log in to Raspberry Pi and, under the user's home directory, which is /home/pi in our case, create a special directory with the name .ssh, as shown in Figure 10.12:

Figure 10.12

Now, move into the .ssh directory using the cd command and create/open the file with the name authorized_keys, as shown in Figure 10.13:

Figure 10.13

The nano command opens up the authorized_keys file in which we will copy the content of our public key file, rpi_pubkey. Then, save (Ctrl + O) and close the file (Ctrl + X).

Now, provide the required permissions for your pi user to access the files and folders. Run the following commands to set permissions:

chmod 700 ~/.ssh/                   # set permission for .ssh directory
chmod 600 ~/.ssh/authorized_keys    # set permission for key file

Refer to Figure 10.14, which shows the permissions before and after running the chmod commands:

Figure 10.14

Finally, we need to disable the password logins to avoid unauthorized access by editing the /etc/ssh/sshd_config file. Open the file in the nano editor by running the following command:

sudo nano /etc/ssh/sshd_config

In the file, there is a parameter #PasswordAuthentication yes. We need to uncomment the line by removing # and setting the value to no:

PasswordAuthentication no

Save (Ctrl + O) and close the file (Ctrl + X). Now, password login is prohibited and we can access the Raspberry Pi using the key file only.

Restart Raspberry Pi to make sure all the changes come into effect with the following command:

sudo reboot 

Here, we are assuming that both Raspberry Pi and the system that is being used to log in to Pi are one and the same.

Now, you can log in to Raspberry Pi using PuTTY. Open the PuTTY terminal and provide the IP address of your Pi. On the left-hand side of the PuTTY window, under Category, expand SSH as shown in Figure 10.15:

Figure 10.15

Then, select Auth, which will provide the option to browse and upload the private key file, as shown in Figure 10.16:

Figure 10.16

Once the private key file is uploaded, click on Open and it will log in to Raspberry Pi successfully without any password.
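The following script is an added example, not code from the book: it checks the server-side steps above (directory and file permissions, key format in authorized_keys, and the PasswordAuthentication value in effect), so you can confirm them on the Pi from a session that is still open. The function names are hypothetical, and the config check assumes whitespace-separated keywords and does not follow Include files or Match blocks.

```shell
#!/bin/sh
# Added example (not from the book): audit the key-based login setup.

# True when path $1 has exactly the octal permission bits $2.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Print the PasswordAuthentication value in effect in config file $1.
# sshd keeps the first value it reads for a keyword, ignores commented
# lines, and defaults to "yes" when no line is present.
# Simplification: Include files and Match blocks are not evaluated.
effective_password_auth() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Print one line per problem found; return non-zero if there was any.
# $1 = home directory of the login user, $2 = path to sshd_config.
audit_key_login() {
    ssh_dir=$1/.ssh; keys=$ssh_dir/authorized_keys; rc=0
    has_mode "$ssh_dir" 700 || { echo "FAIL: $ssh_dir is not mode 700"; rc=1; }
    has_mode "$keys" 600 || { echo "FAIL: $keys is not mode 600"; rc=1; }
    # authorized_keys needs OpenSSH one-line keys ("ssh-rsa AAAA..."); the
    # file written by PuTTYgen's "Save public key" button is a multi-line
    # "---- BEGIN SSH2 PUBLIC KEY ----" block that sshd will not accept.
    grep -Eq '(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) AAAA' "$keys" 2>/dev/null ||
        { echo "FAIL: $keys has no OpenSSH-format public key"; rc=1; }
    [ "$(effective_password_auth "$2")" = no ] ||
        { echo "FAIL: PasswordAuthentication is not set to no in $2"; rc=1; }
    return "$rc"
}

# Run on the Pi when called with two arguments, for example:
#   sh audit.sh /home/pi /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    audit_key_login "$1" "$2"
fi
```

For the authoritative answer on a live system, sudo sshd -T prints the configuration sshd actually uses, including values from Include files.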
