Raspberry Pi: SSH using public and private keys
Sometimes it’s necessary to leave a publicly accessible SSH connection available on your Raspberry Pi. While a strong password is essential, a much more secure method of authentication is to use a public and private key pair. This guide will take you through all of the steps: creating the keys, configuring the Raspberry Pi, and finally configuring PuTTY.
Before we begin, this assumes you already have SSH access using a password.
Generating the keys
- The keys will be generated on your PC, not on the Raspberry Pi.
- Run PUTTYGEN (PuTTY Key Generator).
- The default parameters are fine (SSH-2 RSA, 2048).
- Click the Generate button and move your mouse cursor around as instructed.
- Copy and paste the public key into Notepad; we’ll need this in a moment.
- Save the private key to a ppk file on your PC. You can disregard the passphrase pop-up; the key file is then saved without passphrase protection.
Configuring public key for a user
Connect to the device over SSH and log in using your (non-root) username and password. For this example, we’ll use the username “darian”. 😉
Enter the following:
cd ~
mkdir .ssh
cd .ssh
nano authorized_keys
Paste the public key from Notepad into Nano. This key should be a single line in the file.
Ctrl + O to save the file, then Ctrl+X to exit.
Now we will modify permissions for greater security:
sudo chmod 700 ~/.ssh/
sudo chmod 600 ~/.ssh/authorized_keys
sudo chown -R darian:darian ~/.ssh/
You can check these settings like this:
ls -l
It should look similar to this:
-rw------- 1 darian darian 398 Feb 14 16:57 authorized_keys
Configuring public key for root user
sudo mkdir /root/.ssh/
sudo nano /root/.ssh/authorized_keys
Paste the public key from Notepad into Nano. This key should be a single line in the file.
Ctrl + O to save the file, then Ctrl+X to exit.
Now we will modify permissions for greater security:
sudo chmod 700 /root/.ssh/
sudo chmod 600 /root/.ssh/authorized_keys
Configure SSH to use keys and disable password login
Warning: Before continuing with this step, reboot the device and verify that login using the key file is working. After this next step SSH passwords will no longer work!
Open the SSH config file for editing:
sudo nano /etc/ssh/sshd_config
Find the following line (usually a page or two down, Ctrl + V):
#PasswordAuthentication yes
Uncomment and modify it to this:
PasswordAuthentication no
Reboot the device, and SSH login should only be possible using the private key file.
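The checks this guide relies on (single-line key, 700/600 permissions, PasswordAuthentication set to no) can be scripted. The following is an added example, not part of the original guide; the function names and the key pattern are assumptions of the example, and it expects GNU stat as found on Raspberry Pi OS.

```sh
#!/bin/sh
# Added example, not part of the original guide. Assumes GNU stat (as shipped
# with Raspberry Pi OS) and key lines without a leading options field.

KEY_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'

# Succeed only if the .ssh directory is mode 700, the file is mode 600, and
# every non-blank, non-comment line is one complete "type base64 [comment]" key.
check_authorized_keys() {
    file=$1
    dir=$(dirname "$file")
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir is not mode 700" >&2; return 1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "$file is not mode 600" >&2; return 1; }
    # A key wrapped across lines, or PuTTYgen's "Save public key" export
    # (the multi-line SSH2 format), leaves lines that fail KEY_RE.
    bad=$(grep -Ev '^[[:space:]]*(#.*)?$' "$file" | grep -Evc "$KEY_RE" || true)
    good=$(grep -Ec "$KEY_RE" "$file" || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) in $file" >&2; return 1; }
    [ "$good" -ge 1 ] || { echo "no keys in $file" >&2; return 1; }
}

# Succeed only if the first uncommented PasswordAuthentication line says "no".
# sshd keeps the first value it reads for a keyword and defaults to "yes".
# Simplification: reads one file, ignoring Include and Match.
password_auth_disabled() {
    value=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$value" = no ]
}

# Usage on the Pi: sh check.sh ~/.ssh/authorized_keys /etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    check_authorized_keys "$1" && echo "authorized_keys: OK"
    if password_auth_disabled "$2"; then
        echo "password login: disabled"
    else
        echo "password login: still enabled"
    fi
fi
```

Because the script reads only the one file it is given, `sudo sshd -T` on the device remains the way to see the effective configuration sshd will actually use.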
Configure PuTTY with private key
Navigate PuTTY settings:
Configuration > Connection > SSH > Auth > Private key file for authentication:
Click the Browse button and point to the private key (.ppk) file we saved earlier.
Note: The command line argument for this is “-i”, e.g.:
putty.exe -i "C:/Some Folder/my-key-file.ppk"
That’s it! Now connecting with PuTTY will use the private key file instead of prompting you for a password. 😀