Password-based SSH is dangerous, especially if you want to put your Raspberry Pi on a public network such as the internet: an exposed sshd is hammered by password-guessing bots around the clock, and a single guessed or reused password gives the attacker a shell. That's why you should disable password-based SSH and switch to key-based authentication. In this article, you will learn how to configure SSH key-based authentication on Raspberry Pi.
The process is not as simple as enabling SSH, which was covered in the previous article. You need to edit a few configuration files. The overall process is as follows:
- Generate private and public keys on the client machine
- Install the public key on the pi
- Disable the SSH password-based authentication
- Configure SSH on the client machine for easy access (optional)
If you don’t want to read the entire article, you can watch the YouTube video instead 😀
Generate private and public keys on the client machine
First, open a terminal on the client machine (the key pair is generated there, never on the Pi) and type,
$ ssh-keygen -t rsa
The command asks you for a path. You can either accept the default (if you don't have any other key) or give a path and name of your choosing, such as ~/.ssh/raspberrypi_rsa.
After that, you are asked for a passphrase. It is optional, but highly recommended (and make it a strong one): the passphrase encrypts the private key on disk, so a stolen or accidentally copied key file is useless without it.
RSA is the most widely supported algorithm (every SSH client and server accepts it) and is considered safe at a sufficient key length. Recent OpenSSH versions generate 3072-bit RSA keys by default (older versions used 2048, which is still acceptable today); 1024-bit or shorter keys are unsafe and should not be used.
If you prefer a larger margin, you can increase the key length to 4096 bits as follows:
$ ssh-keygen -t rsa -b 4096
There is another algorithm, ed25519. It is considered the strongest choice (small fixed-size keys, fast, and no key length parameter to get wrong) and has been supported since OpenSSH 6.5, but very old SSH clients and servers do not accept it. If you would like to use ed25519, generate a key like this (there is no -b option, since the key size is fixed):
$ ssh-keygen -t ed25519
Now you have the private and public keys. To verify, run the following command,
$ ls ~/.ssh
You should see at least two files there: one ending with .pub (the public key, which is safe to hand out) and one without that suffix (the private key, which must never leave the client). With the name used above they are raspberrypi_rsa.pub and raspberrypi_rsa; an ed25519 key at the default path gives id_ed25519.pub and id_ed25519. ssh-keygen creates the private key readable only by you (mode 600); keep it that way, because ssh refuses to use a private key that other users can read.
Install the public key on the pi
To install (copy over) the generated public key on the Pi, use the ssh-copy-id command as follows. It logs in with your password one last time, appends the key to ~/.ssh/authorized_keys on the Pi, and fixes the permissions of the directory and file if needed:
$ ssh-copy-id -i ~/.ssh/raspberrypi_rsa.pub pi-username@pi-ip-address
SSH to your Raspberry Pi and inspect the ~/.ssh directory. You should see the authorized_keys file. It holds one public key per line, and every key listed there is allowed to log in as that user, so treat it as an access control list. sshd ignores the file if ~/.ssh or authorized_keys is writable by the group or by others (the StrictModes default), so if key login mysteriously fails, check those permissions first.
To ensure key-based SSH is working, head to your client and run,
$ ssh pi-username@pi-ip-address
You should be able to SSH to your Pi without providing the account password (you will be asked for the key passphrase instead, if you set one).
Disable the SSH password based authentication
The last mandatory step is to disable password-based authentication. Of course, make sure key-based authentication is already working first, and keep your current SSH session open until the new configuration is verified: if you lock yourself out, that session is your way back in.
Open the sshd_config file on your Raspberry Pi.
$ sudo vim /etc/ssh/sshd_config
Find the following lines and change them as follows,
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding no
If those lines are commented out, uncomment them and set the above values. If they don't exist, add them at the end of the file. Two caveats: sshd uses the first occurrence of a keyword, so if a setting already appears uncommented higher up (or in a file pulled in by an Include line near the top, which newer Raspberry Pi OS releases have), a line added at the end is silently ignored. And in recent OpenSSH releases ChallengeResponseAuthentication has been renamed KbdInteractiveAuthentication; the old name is still accepted as an alias. UsePAM no is optional rather than required: with password and keyboard-interactive authentication off, PAM no longer authenticates anyone, and leaving UsePAM yes keeps PAM's account and session handling (login limits, password expiry) working. Before reloading, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective value of every option, which is the authoritative way to confirm what sshd will actually do.
Finally, reload the SSH daemon so the changes take effect. A reload does not drop existing sessions. Raspberry Pi OS names the unit ssh; sshd is an alias that works once the service is enabled, so either name does here.
$ sudo systemctl reload sshd
Ensure password based authentication is disabled
Head to your client terminal and try a password-based SSH login, with public-key authentication switched off for this one attempt:
$ ssh pi-username@pi-ip-address -o PubkeyAuthentication=no
You should get the Permission denied (publickey) error. The list in parentheses is the set of authentication methods the server still offers; password must no longer appear in it.
Root SSH should also be refused,
$ ssh root@pi-ip-address
You should get the same error message too.
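Because sshd applies the first occurrence of each keyword, it is worth checking the file rather than trusting the edit. The script below is an added example, not part of the original article and not OpenSSH's own tooling: it audits the global section of an sshd_config for the settings listed under "Disable the SSH password based authentication", applying sshd's own parsing rules (comment lines ignored, first occurrence wins, directives after a Match line are conditional and not global). The sample config it runs on is constructed for the demo. Include directives are not followed, so on the Pi itself sudo sshd -T remains the authoritative view.

```shell
#!/bin/sh
# Added example, not from the original article: a small auditor for the
# sshd_config settings the article asks for. It mirrors two sshd parsing rules
# that trip people up: comment lines are ignored, and for a repeated keyword
# the FIRST occurrence wins (a duplicate appended at the end of the file is
# silently ignored). Only the global section is checked; directives after a
# "Match" line are conditional and are skipped, and "Include" files are not
# followed (use "sudo sshd -T" on the Pi for the fully resolved view).

# sshd_effective FILE KEYWORD
# Prints the first uncommented, global-section value of KEYWORD (matched
# case-insensitively, as sshd does), or nothing if the keyword is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/ { next }                      # comment or blank line
        tolower($1) == "match" { exit }                     # end of the global section
        NF >= 2 && tolower($1) == key { print $2; exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
# Compares the settings the article changes against their expected values.
# Prints one "ok"/"FAIL" line per keyword and returns non-zero if any fail.
# An unset keyword is reported with the sshd default that then applies.
audit_sshd_config() {
    file=$1
    failures=0
    # keyword:expected:sshd-default (defaults per sshd_config(5), OpenSSH 7.0+)
    for spec in \
        PermitRootLogin:no:prohibit-password \
        PasswordAuthentication:no:yes \
        ChallengeResponseAuthentication:no:yes \
        PubkeyAuthentication:yes:yes
    do
        key=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        default=${rest#*:}
        got=$(sshd_effective "$file" "$key")
        if [ -z "$got" ]; then
            got=$default
            note=" (unset, sshd default)"
        else
            note=""
        fi
        if [ "$got" = "$want" ]; then
            echo "ok    $key = $got$note"
        else
            echo "FAIL  $key = $got$note, expected $want"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Demo on a constructed config fragment (not a real Pi's file). The trailing
# "PasswordAuthentication no" is ignored because an earlier uncommented line
# already set the keyword, and the commented PermitRootLogin line does nothing.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Constructed sample sshd_config fragment
Port 22
PasswordAuthentication yes
#PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
audit_sshd_config "$demo_file" || echo "config is NOT hardened"
rm -f "$demo_file"
```

Run it against a copy of /etc/ssh/sshd_config (or just point it at the file with sudo); a FAIL line for a keyword you are sure you added usually means an earlier occurrence or an included file is shadowing your edit.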
Configure SSH on the client for easy access (optional)
You can now connect to your Raspberry Pi with ssh pi-username@pi-ip-address. But that's a hassle: you need to remember the Pi's IP address and type it each time. An easier way is to define a host alias.
For that, create a config file under the client's ~/.ssh directory (mode 600, like the rest of that directory's contents) and fill it as follows. If you keep several keys, also add IdentitiesOnly yes to the block so ssh offers only the named key instead of every key it knows about, which avoids being rejected for too many authentication failures:
Host pi pi-ip-address
HostName pi-ip-address
IdentityFile ~/.ssh/raspberrypi_rsa
User pi-username
Once that's done, you should be able to connect to your Pi by typing,
$ ssh pi
SSH logs
If you want to check your Raspberry Pi's SSH logs for auditing purposes, you can use the command below (reading the file requires root or membership of the adm group),
$ cat /var/log/auth.log
Look for Accepted publickey lines for your own logins. Once password authentication is disabled, Failed password lines should stop appearing; probing by bots then shows up as Connection closed by ... [preauth] entries. Newer Raspberry Pi OS releases do not install rsyslog by default, so /var/log/auth.log may not exist; the same sshd messages are then kept in the systemd journal for the ssh unit.
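To make the log useful rather than merely readable, here is an added example (not from the original article) that summarises sshd authentication events from auth.log-style lines: failed password attempts per source address, successful public-key logins with the key type and fingerprint, and connections dropped before authentication. The log lines it feeds itself are constructed for the demo in sshd's real wording; the hostname, addresses and fingerprint are made up.

```shell
#!/bin/sh
# Added example, not from the original article: summarise sshd authentication
# events from auth.log lines. After password authentication is disabled,
# "Failed password" lines should no longer appear; scanners then show up as
# "Connection closed by ... [preauth]" because no offered method succeeds.

# failed_password_by_source FILE
# Prints "IP COUNT" for every source address with failed password attempts,
# busiest first. The address is the field after "from" in sshd's message.
failed_password_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print ip, n[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# accepted_publickey_logins FILE
# Prints "USER IP KEYTYPE FINGERPRINT" for each successful key login, in log
# order, so unexpected users, sources or fingerprints stand out.
accepted_publickey_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted publickey for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print user, ip, $(NF - 1), $NF   # key type and fingerprint are the last two fields
        }
    ' "$1"
}

# preauth_closes FILE
# Counts connections that ended before any authentication method succeeded.
preauth_closes() {
    awk '/sshd\[[0-9]+\]: Connection closed by .*\[preauth\]/ { c++ } END { print c + 0 }' "$1"
}

# Demo on constructed log lines (not from a real system).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mar  3 10:15:01 raspberrypi sshd[1234]: Accepted publickey for pi from 192.168.1.20 port 50122 ssh2: ED25519 SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefg
Mar  3 10:16:44 raspberrypi sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
Mar  3 10:16:50 raspberrypi sshd[1240]: Failed password for root from 203.0.113.7 port 41130 ssh2
Mar  3 10:16:55 raspberrypi sshd[1244]: Failed password for pi from 198.51.100.9 port 40001 ssh2
Mar  3 10:17:02 raspberrypi sshd[1251]: Connection closed by authenticating user pi 203.0.113.7 port 41200 [preauth]
Mar  3 10:17:30 raspberrypi sshd[1255]: Connection closed by invalid user oracle 203.0.113.7 port 41210 [preauth]
EOF
echo "Failed password attempts by source:"
failed_password_by_source "$demo_log"
echo "Accepted public-key logins:"
accepted_publickey_logins "$demo_log"
echo "Connections closed before authentication: $(preauth_closes "$demo_log")"
rm -f "$demo_log"
```

Point the functions at /var/log/auth.log, or on a journal-only system at the output of sudo journalctl -u ssh --no-pager saved to a file; the message text is the same, only the line prefix differs, and the functions key on the sshd[pid]: part.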