Whenever you log in to your Raspberry Pi over SSH, you supply a username and password. SSH encrypts that password in transit, so a passive sniffer does not simply read it off the wire, but a password can still be guessed, brute-forced, reused from another breached site, or typed into a fake login prompt, and the Pi's well-known default credentials make it a favourite target for exactly those attacks. You know best how much damage a stolen Pi password would do on your network. You can stop authenticating to your Pi with a password by enabling key based authentication. In this article, we cover what key based authentication is, how it works, and how to enable it on a Raspberry Pi.
Please check out our post “How to set up a Raspberry Pi for the first time?:” if you are working on the Pi for the first time.
Key based authentication is an alternative to password based authentication: you prove your identity with a cryptographic key instead of typing a password. It is most common for remote server logins over the internet. Most home users do not bother with it because they only work inside their home network. We encourage you to enable it whenever your Pi is reachable over the internet or a VPN, and it is a good habit on the LAN as well, since any device on that LAN can try passwords against the Pi. Please read these posts to learn more about connecting to the Raspberry Pi over the internet and VPN: “How to setup Open VPN on Raspberry Pi:” and “Five easiest ways to connect Raspberry Pi remotely in 2021:”.
Key based authentication borrows one idea from cryptography, and that is all we need here: asymmetric (public key) cryptography, which works with a pair of mathematically related keys. You need both of them, a public key and a private key. The user proves possession of the private key to a server that holds the matching public key. The private key itself is never sent to the server, which is what makes it safer than a password.
Public Key: the half that is not secret. It is placed on the remote machine you want to log in to, the Raspberry Pi in this scenario, in the authorized_keys file of the account you log in as. The same public key can be installed on any number of servers.
Private Key: the unique secret the client uses to prove its identity. It stays on the computer you log in from, your desktop, and is never copied to the Pi. Protect it with file permissions (readable only by you) and, ideally, a passphrase.
You do not need to understand the background work that happens during key based authentication in order to use it. We include it so you are not left wondering how a private key can stand in for a password. Here is the process broken into a few simple steps:
First and foremost, you create a key pair: a public key and a private key. There are several tools that can do this.
Keep the private key on your computer (the one you log in from) and copy the public key to the remote computer you want to log in to.
When you attempt to log in, the server looks up your public key in authorized_keys and then challenges you to prove you hold the matching private key. Your client signs a message that includes data unique to this connection (the session identifier negotiated during key exchange) with the private key. Only the holder of the private key can produce that signature. (SSH protocol version 1 did this the other way round, with the server encrypting a random string under the public key for the client to decrypt; that is the variant many explanations still describe, but modern SSH uses signatures.)
The client sends the signature to the server. The server verifies it with the stored public key; because the signed data includes the session identifier, a signature captured from one connection cannot be replayed on another. If the signature checks out, it lets you log in.
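To make the steps above concrete, here is an added example (not code from the original article) that plays both sides of the exchange with ssh-keygen's signing commands, available in OpenSSH 8.0 and later. The server keeps only the public key, the client signs a server-chosen challenge, and a signature made with an unrelated key is rejected. The namespace ssh-demo and the identities client@desktop and evil@laptop are made up for the demo; it needs ssh-keygen on the PATH.

```sh
#!/bin/sh
# Added example, not code from the original article: the exchange described
# above, reproduced with ssh-keygen's signing tools (OpenSSH 8.0 or newer).
# The "server" holds only the public key; the "client" holds the private key
# and signs a server-chosen challenge. The names ssh-demo, client@desktop and
# evil@laptop are made up for this demo.

# Server side: does $2.sig verify, against the key listed for identity $3 in
# allowed_signers file $1, as a signature over the contents of $2?
verify_challenge() {
    ssh-keygen -Y verify -f "$1" -I "$3" -n ssh-demo -s "$2.sig" <"$2" >/dev/null 2>&1
}

# Runs the whole exchange in a scratch directory. Prints "ok" only when the
# genuine client is accepted AND a signature from an unrelated key is rejected.
demo_keyauth() {
    work=$(mktemp -d) || return 1
    # Client: generate its key pair (Ed25519, empty passphrase for the demo).
    ssh-keygen -q -t ed25519 -N '' -C client@desktop -f "$work/id_ed25519"
    # An attacker who never obtained that private key only has their own.
    ssh-keygen -q -t ed25519 -N '' -C evil@laptop -f "$work/id_evil"

    # Server: store the public key only (the job authorized_keys does), as
    # "<principal> <keytype> <base64>", which is the allowed_signers format.
    awk '{print "client@desktop", $1, $2}' "$work/id_ed25519.pub" >"$work/allowed_signers"

    # Server: a fresh random challenge for this session. Real sshd binds the
    # signature to the session ID instead, so a captured signature is useless
    # on any other connection.
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n' >"$work/challenge"

    # Client: sign the challenge with the private key, producing challenge.sig.
    # The private key itself never leaves the client.
    ssh-keygen -q -Y sign -f "$work/id_ed25519" -n ssh-demo "$work/challenge" >/dev/null 2>&1
    if ! verify_challenge "$work/allowed_signers" "$work/challenge" client@desktop; then
        rm -rf "$work"; return 1
    fi

    # Impostor: signs the same challenge with the wrong private key.
    cp "$work/challenge" "$work/forged"
    ssh-keygen -q -Y sign -f "$work/id_evil" -n ssh-demo "$work/forged" >/dev/null 2>&1
    if verify_challenge "$work/allowed_signers" "$work/forged" client@desktop; then
        rm -rf "$work"; return 1    # would mean anyone could log in
    fi

    rm -rf "$work"
    echo ok
}

command -v ssh-keygen >/dev/null 2>&1 && demo_keyauth
```

Run it with sh and it prints ok. The real protocol differs in one detail worth knowing: sshd does not hand you a random string to sign; the client signs the session identifier together with its authentication request, which is why a signature sniffed from one connection is worthless on any other.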
There are several ways to generate a key pair. On Windows, keys are easily created with a small program called PuTTYgen (current Windows 10 and 11 builds also ship ssh-keygen). Most Linux and Mac users use the command line tool ssh-keygen, which we use for the demonstration. Run it on the computer you will log in from, your desktop, rather than on the Pi: the private key should be created on the client and never travel.
To create a key pair, type ssh-keygen in a terminal. See how simple creating a key pair is: this one command writes the pair under the hidden directory ~/.ssh (/home/pi/.ssh when you run it as the pi user). On the OpenSSH versions this article was written against the default is an RSA pair; OpenSSH 9.5 and newer default to Ed25519, which you can also request explicitly with -t ed25519 and which is the better choice today. When asked, you can protect the private key with a passphrase, or just hit Enter to leave it blank; a passphrase means a stolen key file is not immediately usable.
$ ssh-keygen
Look inside the hidden directory ~/.ssh and you will see two new files: id_rsa, the private key, and id_rsa.pub, the public key (id_ed25519 and id_ed25519.pub for an Ed25519 key).
Let’s say you have only a private key: you lost the public key for some reason. What should you do? You could of course generate a new pair. But if several users each have their own private key and you start regenerating and redistributing pairs, key material ends up being passed around, which is never good practice because keys can fall into the wrong hands. The better answer is that the public key is derived from the private key, so it can be regenerated at any time without touching anyone else's keys. Purely for demonstration, we delete the public key to pretend it is lost and show how to get it back.
To recreate the public key, use the same ssh-keygen tool with the -y and -f flags, passing the private key as the parameter. That's all. (If the key has a passphrase, you will be prompted for it.)
$ ssh-keygen -y -f id_rsa > id_rsa.pub
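As an added example (not from the article), the following script goes through the loss and recovery in a scratch directory and adds the check you want afterwards: compare the fingerprint of the regenerated public key with the one ssh-keygen wrote originally. ssh-keygen -lf shows the fingerprint of either file. It needs ssh-keygen on the PATH; the file names are made up.

```sh
#!/bin/sh
# Added example, not from the original article: lose the public key on
# purpose, rebuild it from the private key with ssh-keygen -y, and prove the
# rebuilt copy belongs to that private key by comparing fingerprints. The
# scratch paths are made up for the demo.

# fingerprint <key_file>: the SHA256 fingerprint that ssh-keygen -l prints
fingerprint() { ssh-keygen -lf "$1" | awk '{print $2}'; }

# recover_pubkey <private_key>: writes <private_key>.pub and prints its
# fingerprint. Prompts for the passphrase if the private key has one.
recover_pubkey() {
    ssh-keygen -y -f "$1" >"$1.pub" || return 1
    chmod 644 "$1.pub"            # public key: world-readable is fine
    fingerprint "$1.pub"
}

# Prints "ok" when the regenerated public key has the same fingerprint as
# the one ssh-keygen originally wrote next to the private key.
demo_recover() {
    work=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$work/id_ed25519"
    before=$(fingerprint "$work/id_ed25519.pub")
    rm "$work/id_ed25519.pub"                    # pretend it is lost
    after=$(recover_pubkey "$work/id_ed25519")
    rm -rf "$work"
    [ -n "$before" ] && [ "$before" = "$after" ] && echo ok
}

command -v ssh-keygen >/dev/null 2>&1 && demo_recover
```

If the fingerprints differ you have regenerated the public key from the wrong private key, and the resulting id_rsa.pub will not let that private key log in anywhere.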
Now that you have a key pair, it is time to install the public key on the Pi so the private key can be used for login. There are two ways to do that.
Copy the content of the public key from your desktop and paste it, on the Pi, into a file called ‘authorized_keys’ under the hidden ‘.ssh’ directory of the user you log in as, using any text editor. Do not use sudo for this: the directory and file must belong to that user, with .ssh mode 700 and authorized_keys mode 600, or sshd's StrictModes check will silently ignore the key.
$ cat ~/.ssh/id_rsa.pub
$ nano ~/.ssh/authorized_keys
Or you can use the ssh-copy-id command from your desktop, which does the copying and sets the permissions for you:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub pi@<pi_ip_address>
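Whichever route you take, the Pi ends up with the key in authorized_keys and the right permissions. The added example below (not the article's or OpenSSH's code) performs that step by hand, the way ssh-copy-id does it on the Pi side, and refuses to add the same key twice. The sample key and the scratch home directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original article: the Pi-side work ssh-copy-id
# does, written out so it can be read and scripted. It appends a public key to
# <home>/.ssh/authorized_keys only if that key is not already there and sets
# the modes sshd's StrictModes check requires (.ssh 700, authorized_keys 600;
# both must also be owned by the login user). The sample keys are constructed
# placeholders, not real key material.

# install_pubkey <pubkey_file> <home_dir>
install_pubkey() {
    pub=$1; sshdir="$2/.ssh"; auth="$sshdir/authorized_keys"
    # A key line is "<type> <base64blob> [comment]". Match on the first two
    # fields, so re-running with a different comment adds no duplicate.
    keyid=$(awk 'NF >= 2 {print $1, $2; exit}' "$pub")
    [ -n "$keyid" ] || { echo "no key found in $pub" >&2; return 2; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || : >"$auth"
    grep -qF -- "$keyid" "$auth" || printf '%s\n' "$(cat "$pub")" >>"$auth"
    chmod 600 "$auth"
}

# key_count <home_dir>: how many keys are installed for that account
key_count() { grep -cE '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys"; }

# perms_ok <home_dir>: true when the modes are exactly what StrictModes wants
perms_ok() {
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Installs one constructed key twice into a scratch home and reports
# "keys=1 perms=yes": the second run is a no-op and the modes are right.
demo_install() {
    home=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY000000000000 alice@desktop' >"$home/alice.pub"
    install_pubkey "$home/alice.pub" "$home"
    install_pubkey "$home/alice.pub" "$home"
    n=$(key_count "$home")
    if perms_ok "$home"; then p=yes; else p=no; fi
    rm -rf "$home"
    echo "keys=$n perms=$p"
}

demo_install
```

On the Pi you would call install_pubkey with the copied .pub file and your own home directory (install_pubkey alice.pub "$HOME"). If a key you installed is still refused, perms_ok is the first thing to check, followed by the ownership of ~/.ssh, because StrictModes rejects world-writable or foreign-owned files without any message on the client side.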
Once the public key is in place, your Pi will no longer ask for a password when you log in from your desktop over SSH (it may ask for the key's passphrase instead, which is checked locally on your machine, not by the Pi). Note that this key only authorizes logins as the pi user, because that is the home directory the key was copied into; other accounts need their own authorized_keys entry. Always bear in mind: if you lose your private key you can no longer log in to the Pi over SSH once passwords are disabled. Keep it safe, keep a backup, and keep a second way in (keyboard and screen, or a second key) for emergencies.
You can create as many key pairs as you have clients that need to connect and add each public key as its own line in the authorized_keys file. If you want, you can go further and configure your Pi to accept only key based authentication and stop accepting SSH passwords altogether. If you expose your Pi to the internet, SSH keys are the way to go; a VPN to your Pi gets you a similar result by not exposing SSH at all, and the two combine well. You can visit this post to learn how to connect to a Pi over a VPN: “How to setup Open VPN on Raspberry Pi:”. The choice is yours.
As said earlier, you can configure the Pi to accept only key based logins. Those settings live in the ‘sshd_config’ file. Before editing, make sure key login already works from a second terminal, and keep your current session open until you have confirmed the new settings: a mistake here locks you out. Edit the file with a text editor.
$ sudo nano /etc/ssh/sshd_config
Scroll through the file and set the following values (remove the leading # if the line is commented out):
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Two notes on these values. KbdInteractiveAuthentication is the name used since OpenSSH 8.7; on older releases the same setting is called ChallengeResponseAuthentication, and it must be no either way, otherwise sshd still offers an interactive password prompt through PAM. Leave UsePAM yes: with password and keyboard-interactive authentication off, PAM can no longer authenticate anyone, but it still runs the account and session checks that Debian based systems such as Raspberry Pi OS rely on, and Debian's own sshd_config comments recommend exactly this combination; UsePAM no is not needed to disable passwords. Also watch for an Include /etc/ssh/sshd_config.d/*.conf line near the top of the file, present on recent releases: sshd uses the first value it reads for each keyword, so a drop-in file there can override what you set further down.
Finally, check the edited file for errors with sudo sshd -t (it prints nothing when the file is valid), then reload the SSH service so the running daemon picks up the new settings; a reload does not drop your existing session.
$ sudo service ssh reload
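Before reloading, it is worth checking the file the way sshd reads it. The added example below (not from the article) parses an sshd_config with sshd's own rules (first value wins, keywords are case-insensitive, comments are ignored, anything under a Match line is conditional) and reports every setting that does not match the hardened values above. The two sample configs it writes are constructed; it deliberately does not follow Include lines, so sudo sshd -T remains the authoritative check.

```sh
#!/bin/sh
# Added example, not from the original article: check an sshd_config for the
# values above before reloading. sshd honours the FIRST occurrence of each
# keyword, keywords are case-insensitive, '#' starts a comment, and anything
# below a Match line applies conditionally. The awk below mirrors those rules
# for a single file; it does not follow Include lines, so the final word is
# always:  sudo sshd -T | grep -iE 'authentication|permitrootlogin'
# The two configs written below are constructed samples.

# sshd_effective <config> <keyword>: first value set, lower-cased, or "" if
# the keyword never appears. <keyword> may be "name|alias" (awk alternation).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2        { next }
        tolower($1) == "match"      { exit }
        tolower($1) ~ "^(" key ")$" { print tolower($2); exit }
    ' "$1"
}

# audit_sshd <config>: prints "keyword=value (want X)" for every setting that
# is not hardened and returns 1; returns 0 silently when all are. When a
# keyword is absent, OpenSSH's own default is used as its value.
audit_sshd() {
    cfg=$1; rc=0
    for spec in \
        'permitrootlogin no prohibit-password' \
        'pubkeyauthentication yes yes' \
        'passwordauthentication no yes' \
        'kbdinteractiveauthentication|challengeresponseauthentication no yes'
    do
        set -- $spec                 # $1 keyword(|alias), $2 wanted, $3 default
        got=$(sshd_effective "$cfg" "$1")
        [ -n "$got" ] || got=$3
        if [ "$got" != "$2" ]; then
            echo "${1%%|*}=$got (want $2)"; rc=1
        fi
    done
    return $rc
}

# A stock-looking config: the interesting keywords are commented out, so
# their defaults apply (PasswordAuthentication defaults to yes).
write_stock_config() {
    cat >"$1" <<'EOF'
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
EOF
}

# The hardened values from the article.
write_hardened_config() {
    cat >"$1" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF
}

demo_audit() {
    s=$(mktemp) && h=$(mktemp) || return 1
    write_stock_config "$s"; write_hardened_config "$h"
    echo "stock config:";    audit_sshd "$s" || true
    echo "hardened config:"; audit_sshd "$h" && echo "all settings as intended"
    rm -f "$s" "$h"
}

demo_audit
```

On the Pi, run audit_sshd /etc/ssh/sshd_config (and, on releases with the Include line, each file under /etc/ssh/sshd_config.d as well) before the reload. The "first value wins" rule is the usual trap: a PasswordAuthentication yes left above your new PasswordAuthentication no, or sitting in a drop-in file, keeps password logins enabled even though the line you edited looks right.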
If everything went well, you can no longer log in to the Pi from a computer that does not hold a private key matching one of the public keys in authorized_keys: the Pi refuses the login with “Permission denied (publickey)” instead of prompting for a password. Confirm the effective settings with sudo sshd -T | grep -i authentication, and try a password login from a second terminal before you close the session you already have open. Now your Pi only talks to clients that hold one of those private keys.
This completes the step by step procedure to enable SSH key authentication on a Raspberry Pi. It is the standard way to configure SSH keys on any OpenSSH server, so the same procedure applies to other Linux and Mac systems too.
Thank you for reading this article. Please leave your comments below and let us know your feedback; this helps us bring you more such articles.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.