Setting up a Raspberry Pi (4)
Part 4, Setting up SSH, Encrypted Key, Disable Password use, SSH Alias.
Now to make your Raspberry Pi a bit more secure, specifically in the way someone can connect to it with SSH: no longer using a password, but with an encrypted key.
This way only you, or whoever has the encrypted key, can connect to the Raspberry Pi over SSH, and brute forcing or guessing the password is no longer an option.
The downside is that you need to copy the key to every device you might want to use to connect to the Raspberry Pi via SSH.
This is less suited to situations where you want to use SSH from public/school devices, or where many people need to be able to SSH into the Raspberry Pi.
For those situations you might want to skip this Part.
- Step 1: SSH Key setup.
- a. Reconnect to your Raspberry Pi with SSH using the PowerShell.
Is having to type your password over and over already bothering/annoying you, or did you just set a weak one?
- b. We need to install some software to create the actual key you are going to use. To do so, type:
sudo apt install openssh-server
–sudo
> Superuser do.
–apt
> Utility for managing packages/software on Raspberry Pi OS.
–install
> the option for installing new software/app/package on the Raspberry Pi.
–openssh-server
> OpenSSH: “is a powerful collection of tools for the remote control of, and transfer of data between, networked computers……..”
We will use it to create the encrypted key with the included key generator.
- c. Before we create the key we need to set up the environment for it by creating an SSH directory/map in your home directory/map. Making sure you are in your home directory, type:
cd ~
–cd
> Change Directory.
–~
> Home directory location shortcut.
- d. Create a new directory by typing:
mkdir .ssh
–mkdir
> MaKe DIRectory
–.ssh
> The name of the new directory. The “.” in front of the name will make it a “hidden” directory.
- e. We have to change the rights for this new directory by typing:
chmod 700 .ssh
–chmod
> CHange MODe, is the utility used to change access rights for files and directories in Linux (based) systems like Raspberry Pi OS.
–700
> How to set/change the rights, with the digits locations representing user/group/others and the value for the actual rights:
0=none (---/000)
1=execute only (--x/001)
2=write only (-w-/010)
3=execute and write (-wx/011)
4=read only (r--/100)
5=read and execute (r-x/101)
6=read and write (rw-/110)
7=read, write and execute (rwx/111)
so in this case we are giving:
– all rights (7/rwx/111) to us, the User (pi),
– no rights (0/---/000) to other users in the same group as us,
– no rights (0/---/000) to all other users.
Now only we (user “pi”) can access this file/directory and nobody else that logs into the Raspberry Pi, even if they would be able to get into our home directory.
–.ssh
> Is the name of the file or directory we want to change access rights to, in this case the just created directory, where we are going to save the key.
- f. We want to save/create the key in the directory/map we just created, so we need to get into it first, by typing:
cd .ssh
–cd
> Change Directory.
–.ssh
> Name of the directory/map you want to change to.
- g. Now we are going to create a key by typing:
ssh-keygen -t rsa -b 4096 -f rpi_key
–ssh-keygen
> The SSH utility that will generate a key for us that can then be used to log into the Raspberry Pi.
–-t rsa
> Specify the Type of algorithm that will be used to create the key, in our case rsa.
–-b 4096
> How big/long/many Bits are in the key, in our case the recommended 4096 bits.
–-f rpi_key
> The name of the file containing the key we want to use. You can use a different name here if you want, but I named it rpi_key, just because the guide I used named it that way.
- h. You will be asked to set a passphrase, just leave it empty and press [Enter], and press [Enter] again on the question to repeat it.
With an empty passphrase the private key file itself is stored unencrypted, so anyone who gets a copy of the file can log in with it.
You should end up in a screen with something like:
Generating public/private rsa key pair.
The key fingerprint is: SHA256:KGJHGkJ…………………….
The key’s randomart image is:
+—[RSA 4096]—-+
| … ..oo..|
| . . . .o.X.|
| . . W. ..+ B|
| . o.o .- ..|
| ..o.S o.- |
| . %o= . |
| @.B… D . |
| o.=. o. . . .|
| .oo E. . .. |
+—-[SHA256]—–+
pi@raspberrypi:~/.ssh $ ▄
- Step 1 (cont.):
- i. If we now type:
ls
it should return:
rpi_key
rpi_key.pub
(or 2 files with the name you chose in step g, one of them with the .pub extension.)
–ls
> LiSt, command/utility to show the contents of a directory/map.
If you do not like or find it hard to read how the list command returns the contents of a directory, you might want to add some options.
I tend to use ls -alh, with:
–a
> All, so including hidden files and directories.
–l
> List form, so each item has its own line, but you can also see the assigned rights, the owner info, and if it is a directory or a file (the d at the start of the line).
–h
> Human readable form, it changes the file size to a better understandable form, with Kilo/Mega/Giga.
- j. Now we have to tell the SSH server to start using this key. We do that, firstly, by copying the .pub key to a file called authorized_keys, by typing:
cat rpi_key.pub >> authorized_keys
–cat
> ConcATenate command/utility reads data from the file, and gives their content as output. It helps to create, view, concatenate files.
–rpi_key.pub
> Name of the file to read.
Use the filename you used in step g when creating the keys.
–>>
> Write output to.
–authorized_keys
> Name of the file to put the output into.
If the output file does not exist, like in our case, it will be created now, you could check that with ls.
- k. Now this is done, the key can be used by the SSH server to authenticate you, but you do not have the key on your PC right now, so you cannot authenticate yourself with it, so we need to copy it to the PC. To do so we need to disconnect the SSH connection by typing:
exit
–exit
> Command that closes current connection/shell/…
- l. To copy the key we are going to use SCP, secure copy, a command/utility to copy files between local and remote directories.
In our case we want to copy the rpi_key (without the .pub) from the Raspberry Pi's /home/pi/.ssh/ map to our PC's .ssh map.
But first you have to make sure you are in your own home directory on your PC. Look at the command line in your PowerShell, it should say:
PS C:\Users\"your name">
If this is not the case, close PowerShell and open it again, it should start there. And now type:
scp pi@192.168.100.100:/home/pi/.ssh/rpi_key ./.ssh/rpi_1_key
Fill in the password when you are prompted for it.
–scp
> Secure CoPy, the secure copy command/utility.
–pi
> Username, of the user you are going to use to log into the remote system.
–@192....
> At IP address, the Raspberry Pi IP address.
–:/home/pi/.ssh/rpi_key
> Path and name of the file we are going to copy.
Remember to use your file name if you used a different one.
–./.ssh/rpi_1_key
> Path and name of the file where we are going to copy to.
Note: we are using a different name for the file at the destination, so that you can always give the key the same name on your Raspberry Pi. But if you have more than one Raspberry Pi, and believe me you will have moaaare (insert the maniacal laughter again) than one, they can all have a differently named key on your PC.
- m. Now let's see if we can connect to the Raspberry Pi using the key, by typing:
ssh pi@192.168.100.100 -i ./.ssh/rpi_1_key
–ssh
> SecureShell, command/utility
–pi@192.168.100.100
> Connect as user pi to device on 192.168....
–-i
> Use an identity file, from which an identity key is read.
–./.ssh/rpi_1_key
> Your key file, change it if you used a different destination name in the last step.
You should now be connected to your Raspberry Pi, and were not asked to enter a password.
I know, I know, it is way more hassle to type this command than even having to type the password; we will get to that in Step 3.
But first we will have to disable the possibility to log into the Raspberry Pi via SSH with a password, thus making the Raspberry Pi way more secure.
- Step 2: Disable SSH using a password to login.
- a. You can easily disable the use of password login for SSH by editing 1 line in a config file on your Raspberry Pi. Let's do that by typing:
sudo nano /etc/ssh/sshd_config
–sudo
> SuperUser Do
–nano
> Launch the Nano text editor. I know there are other text editors out there, even included with Raspberry Pi OS, but I like this one, so if you have another one you like just use that, but then again I’m asking myself why you are using this guide, for you clearly know way more than me on Linux etc…
–/etc/ssh/sshd_config
> Name of the configuration file we need to edit.
- b. Use the [↑] and [↓] keys to find the line:
#PasswordAuthentication yes
and change it to:
PasswordAuthentication no
The line was # (hashed) out because the yes option is the default, so SSH does not need to read the line, but now that we want to change it, SSH needs to read the line, which is why we remove the #.
You want the option to be no, so password authentication is no longer allowed.
Press [CTRL] + [s] to save the change.
Press [CTRL] + [x] to close the Nano text editor.
- c. To have the changes go into effect, you need to restart the SSH service, and you do that by typing:
sudo service ssh restart
–sudo
> SuperUser Do.
–service
> Command/utility to operate/manipulate services.
–ssh
> The SSH server/client service.
–restart
> Restarting the specified service, in our case with a changed configuration file.
- d. Let's test if it is all working as you want. Type:
exit
then try to log in the old way, by typing:
ssh pi@192.168.100.100
– this should fail with a “..something ..something (pubkey..)” message,
but if you log in with the key, by typing:
ssh pi@192.168.100.100 -i ./.ssh/rpi_1_key
– you should now get connected to the Raspberry Pi without a problem.
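A check you can run on the Raspberry Pi before restarting the SSH service in step c, added here as an example and not part of the original guide: it reads one config file and reports which PasswordAuthentication value applies globally. The function name effective_password_auth and the three sample files are made up for this example; it looks at a single file only and stops at the first Match block.

```shell
#!/bin/sh
# Added example, not from the original guide.

# effective_password_auth FILE
# Prints the global PasswordAuthentication value found in FILE ("yes" or "no").
# Keywords are case-insensitive, the first uncommented occurrence wins, and a
# missing line means the default, which is "yes".
effective_password_auth() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        tolower($1) == "match" { exit }         # conditional blocks are not global
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit  # first occurrence wins
        }
        END { if (!found) print "yes" }         # no line at all: default applies
    ' "$1"
}

# demo: run the check against three constructed sample files.
demo() {
    dir=$(mktemp -d) || return 1
    # 1. Untouched file: the line is still commented out.
    printf '%s\n' '#PasswordAuthentication yes' > "$dir/default"
    # 2. Misspelled keyword: not recognised, so the default still applies here
    #    (a real sshd refuses to start on an unknown keyword).
    printf '%s\n' 'passwordautentication no' > "$dir/typo"
    # 3. Correct edit from step b.
    printf '%s\n' 'PasswordAuthentication no' > "$dir/fixed"
    for f in default typo fixed; do
        printf '%-8s PasswordAuthentication=%s\n' "$f" \
            "$(effective_password_auth "$dir/$f")"
    done
    rm -rf "$dir"
}

demo
```

On the Pi itself, call effective_password_auth /etc/ssh/sshd_config and expect no. sudo sshd -t checks the file for errors such as a misspelled keyword, and sudo sshd -T prints the settings sshd will actually use.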
Okay, I mentioned a few times we are going to make it much simpler to log in, without having to type complex ssh .... commands every single time you want to log into your Raspberry Pi, and we are finally here.
You are going to create aliases for SSH to use.
- Step 3: SSH alias setup
- a. Use “Windows File Explorer” to go to the directory/map:
this PC > Windows (C:) > Users > "your username" > .ssh
If you cannot see the directory, select the tab [View] in “File Explorer” and check the box for [Hidden Items], you should see it now.
- b. Right click in the .ssh folder/directory/map.
Select: New > Text document.
Name it: config, without the extension, so remove the “.txt” part.
If you do not see the .txt, select “View” at the top of the “File Explorer”, look for the checkbox [File name extensions] and check it, you should now see the extensions of files, like the .txt.
- c. Open the file with notepad and add the code:
Host pi1
HostName 192.168.100.100
User pi
IdentityFile ~/.ssh/rpi_1_key
Change the following:
– pi1, to whatever short name/alias you want to use, so you easily know which Raspberry Pi you want to connect to.
– 192.1....., to the IP address for that Raspberry Pi.
– rpi_1_key, to the file name you gave the key file when you copied it to the PC from that Raspberry Pi.
Once you have set up your next Raspberry Pi you can simply add its alias to this file as well.
- Step 3 (cont.):
- d. Save and close notepad.
- e. Now you should be able to simply connect to your Raspberry Pi using the alias, by typing:
ssh pi1
It should now connect you to your Raspberry Pi as user pi on IP address 192.168.100.100 and authenticate using the key you created.
And finally we got thru it all and I only needed 4 parts, many steps, loads of words.
You should now have a working Raspberry Pi, with the latest EEPROM firmware, up to date software, possibly booting from a USB device, connected to it with SSH in a Windows PowerShell, using an encrypted key as authentication method, and made easy to use by an ssh-alias.
Darn, that was a mouthful. All that is left now is “Part 5: Cheat sheet and Index”, which will list all the steps and commands you can copy paste for your next Raspberry Pi, without having to plough thru all the explanations and fluff, neatly in one place.
If you liked this guide, have comments or questions feel free to use the comment sections below the posts.