I am using a Raspberry Pi device for experimentation purposes, and I had to temporarily enable SSH on it via the public Internet, which can be a monumentally bad idea if the machine where the service is enabled is not properly secured. The problem is less related to SSH itself and more to the default configuration some folks use. That is, they use passwords to authenticate.
In addition to the fact that a lot of folks choose easily guessable passwords, using passwords for authentication also means exposing the machine to brute-force attacks, where someone can keep hammering away at the prompt until they either give up or find a match.
So, to avoid this problem, I decided to configure key-based access. To do that, I am using a macOS machine, but most of the commands below should be available on Linux as well (even inside Windows Subsystem for Linux).
First, I need to generate the keys that I connect to the target machine with. To do that, I will use a tool called ssh-keygen, which is part of the SSH protocol suite and is used to generate authentication key pairs:
ssh-keygen
When entering this command, the user will be prompted to specify the location of the keys. The default location offered by the tool is generally fine, unless the user has a reason to override it.
Next, the user will be asked to provide a passphrase.
Important Security Note
Always specify a passphrase. If a passphrase is not specified, the user is really banking on the fact that nobody will ever be able to get the key from the machine where it is generated. While this might be reasonable in some scenarios (e.g. both machines are on the same network, with no public access, and are managed by the same personnel), the use cases there are quite limited, so a passphrase can be a really useful safeguard against potential malicious use.
When the command finishes execution, two keys will be created - the private one and the public one. The public key can be derived from the private key, but not the other way around. The private key (id_rsa) should not leave the machine, while the public one (id_rsa.pub) can be copied to any authorized devices.
Important Security Note
Make sure to back up your keys - you can throw them in your Dropbox account and have them synced, avoiding the situation where you have lost access to your main machine and now can't SSH into the Raspberry Pi.
Conveniently, the user can copy the public key (id_rsa.pub) directly to the Raspberry Pi with the help of the ssh-copy-id tool:
ssh-copy-id -p YOUR_PORT firstname.lastname@example.org
If for some reason ssh-copy-id cannot be used, it's entirely possible to copy the public key (id_rsa.pub) onto the Raspberry Pi manually - it needs to be added to
Once the key is on the Raspberry Pi, it's time to disable password authentication! That can be done by editing /etc/ssh/sshd_config and setting the password authentication directive to no. In some cases, that line might be commented out, so removing the pound sign in front of it (#) is needed too. I recommend testing that you can log in with the key first, before you commit the changes, to prevent the situation where you are locked out of the Raspberry Pi - it's less of a problem if the machine is next to you, and a whole different class of issue to resolve if the Pi is thousands of miles away.
The last step is applying the changes by restarting the SSH service:
sudo /etc/init.d/ssh restart
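The file-editing steps of the procedure above (installing the public key on the Pi, then switching off password authentication in sshd_config) as POSIX shell functions that can be rehearsed on throwaway copies before anything is changed on the real device. This is an added example, not code from the original post. It assumes the Pi runs stock OpenSSH, so the directive is named PasswordAuthentication and keys live in ~/.ssh/authorized_keys; the directory names and the key text in the rehearsal are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Rehearses the file edits of the
# procedure on temporary copies; nothing here touches /etc or a real key.

# Append a public key to authorized_keys, creating the directory with the
# permissions sshd requires (700 for ~/.ssh, 600 for the file). A key that
# is already present is not added twice, so the function can be re-run.
install_pubkey() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qxF "$(cat "$pubkey_file")" "$auth"; then
        return 0
    fi
    cat "$pubkey_file" >> "$auth"
}

# Number of usable key lines in an authorized_keys file (blank lines and
# comments ignored); 0 when the file does not exist yet.
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Set "PasswordAuthentication no" in an sshd_config copy. Handles the usual
# commented-out default ("#PasswordAuthentication yes") as well as an explicit
# "yes", and appends the directive when the file has no such line at all.
# Refuses to act while the given authorized_keys holds no key: that is exactly
# the lockout scenario the text warns about.
disable_password_auth() {
    cfg="$1"
    auth="$2"
    if [ "$(count_authorized_keys "$auth")" -eq 0 ]; then
        echo "refusing: no key in $auth, you would lock yourself out" >&2
        return 1
    fi
    pattern='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]'
    if grep -Eq "$pattern" "$cfg"; then
        sed -E "s/${pattern}.*/PasswordAuthentication no/" "$cfg" > "$cfg.tmp" \
            && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    else
        printf 'PasswordAuthentication no\n' >> "$cfg"
    fi
}

# The value sshd would actually use: the first uncommented directive wins,
# and "yes" is OpenSSH's default when the directive is absent.
effective_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Rehearsal on constructed data in a temporary directory.
work="$(mktemp -d)"
# Constructed placeholder key, not a real public key.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleconstructedkey user@laptop\n' > "$work/id_rsa.pub"
printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$work/sshd_config"

disable_password_auth "$work/sshd_config" "$work/.ssh/authorized_keys" \
    || echo "guard tripped before any key was installed (expected)"
install_pubkey "$work/id_rsa.pub" "$work/.ssh"
install_pubkey "$work/id_rsa.pub" "$work/.ssh"   # second run adds no duplicate
disable_password_auth "$work/sshd_config" "$work/.ssh/authorized_keys"
echo "keys installed: $(count_authorized_keys "$work/.ssh/authorized_keys")"
echo "effective PasswordAuthentication: $(effective_password_auth "$work/sshd_config")"
rm -rf "$work"
```

On the Pi itself the same functions would be pointed at /etc/ssh/sshd_config and the target user's ~/.ssh with sudo; validate the edited file with sudo sshd -t before the restart above, and keep the existing SSH session open while a second session confirms that key login works.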
Nice! Now I am able to use a key instead of a password to log into my little remote box.
Have any thoughts? Let me know on Twitter!