14 Feb 2016

Raspberry Pi: SSH using public and private keys

Sometimes it’s necessary to leave a publicly accessible SSH connection available on your Raspberry Pi. While a strong password is essential, a much more secure method for authentication is to use a public and private key system. This guide will take you through all of the steps: creating the keys, configuring the Raspberry Pi, and finally configuring PuTTY.

Before we begin, this assumes you already have SSH access using a password.

Generating the keys

  1. The keys will be generated on your PC, not on the Raspberry Pi.
  2. Run PUTTYGEN (PuTTY Key Generator).
  3. The default parameters are fine (SSH-2 RSA, 2048).
  4. Click the Generate button and move your mouse cursor around as instructed.
  5. Copy and paste the public key into Notepad; we’ll need this in a moment.
  6. Save the private key to a ppk file on your PC. You can disregard the passphrase pop-up.

Configuring public key for a user

Connect to the device over SSH and log in using your (non-root) username and password. For this example, we’ll use the username “darian”. 😉

Enter the following:

cd ~
mkdir .ssh
cd .ssh
nano authorized_keys

Paste the public key from Notepad into Nano. This key should be a single line in the file.

Press Ctrl + O to save the file, then Ctrl + X to exit.

Now we will modify permissions for greater security:

sudo chmod 700 ~/.ssh/
sudo chmod 600 ~/.ssh/authorized_keys
sudo chown -R darian:darian ~/.ssh/

You can check these settings like this:

ls -l

It should look similar to this:

-rw------- 1 darian darian 398 Feb 14 16:57 authorized_keys

Configuring public key for root user

sudo mkdir /root/.ssh/
sudo nano /root/.ssh/authorized_keys

Paste the public key from Notepad into Nano. This key should be a single line in the file.

Press Ctrl + O to save the file, then Ctrl + X to exit.

Now we will modify permissions for greater security:

sudo chmod 700 /root/.ssh/
sudo chmod 600 /root/.ssh/authorized_keys

Configure SSH to use keys and disable password login

Warning: Before continuing with this step, reboot the device and verify that login using the key file is working. After this next step SSH passwords will no longer work!

Open the SSH config file for editing:

sudo nano /etc/ssh/sshd_config

Find the following line (usually a page or two down, Ctrl + V):

#PasswordAuthentication yes

Uncomment and modify it to this:

PasswordAuthentication no

Reboot the device, and SSH login should only be possible using the private key file.
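
The warning above asks you to verify key login before turning passwords off. The following shell script is an added example (not part of the original guide) that checks the modes set earlier, that each authorized_keys entry is a single complete line, and which PasswordAuthentication value an sshd_config file yields; the function names and sample data are constructed, and it assumes Linux (GNU stat) and key lines without an options prefix.

```shell
#!/bin/sh
# Added example (not from the original guide): checks to run on the Pi before
# setting "PasswordAuthentication no". Assumes GNU stat and no key options prefix.

# check_key_dir DIR: returns 0 only if DIR is mode 700, DIR/authorized_keys is
# mode 600, and every non-comment line is a complete one-line OpenSSH public key.
check_key_dir() {
    dir=$1
    file="$dir/authorized_keys"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    rc=0
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir is not mode 700"; rc=1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "$file is not mode 600"; rc=1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) ;;   # blank line or comment
            ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
            *) echo "line $n: not a one-line OpenSSH key (wrapped paste?)"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# password_auth_setting FILE: print the PasswordAuthentication value sshd would
# take from FILE. The first uncommented occurrence wins; the default is "yes".
# Match blocks and Include files are not evaluated here.
password_auth_setting() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Demo on constructed sample data: a key that was wrapped onto two lines.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    printf 'ssh-rsa AAAAB3NzaC1yc2E\nCONSTRUCTEDSAMPLE rsa-key-20160214\n' > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    printf '#PasswordAuthentication yes\n' > "$d/sshd_config"
    check_key_dir "$d/.ssh" || echo "fix the key file before disabling passwords"
    echo "PasswordAuthentication: $(password_auth_setting "$d/sshd_config")"
    rm -rf "$d"
}
demo
```

On the Pi, call check_key_dir ~/.ssh and password_auth_setting /etc/ssh/sshd_config in place of demo.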

Configure PuTTY with private key

Navigate PuTTY settings:

Configuration > Connection > SSH > Auth > Private key file for authentication:

Click the Browse button and point to the private key (.ppk) file we saved earlier.

Note: The command line argument for this is “-i”, e.g.:

putty.exe -i "C:/Some Folder/my-key-file.ppk"

That’s it! Now connecting with PuTTY will use the private key file instead of prompting you for a password. 😀

About the Author:

Hardware and software engineer with experience in product development and building automation. Director at Cabot Technologies and Product Manager at NEX Data Management Systems.
