Step by Step Procedure to Enable Key Based Authentication on Raspberry Pi:
Source: thesecmaster.com

Whenever you log in to your Raspberry Pi, you need to supply a username and password. Consider what happens if someone sniffs your traffic: you expose your login credentials to them, and only you know how much damage a stolen password could do. You can stop authenticating to your Pi with a password by enabling key-based authentication. In this article, we cover what key-based authentication is, how it works, and how to enable it on Raspberry Pi.

Please check out our post “How to set up a Raspberry Pi for the first time?” if you are working on the Pi for the first time.

Contents

1. What Is Key Based Authentication?

2. How Does Key Based Authentication Happen?

3. How To Setup SSH Keys On The Raspberry Pi?

4. How To Generate A Public Key From A Private Key Using ssh-keygen Tool?

5. How To Configure The Public Key To Use The Private Key For Login?

6. How to setup only SSH key authentication?

What Is Key Based Authentication?

Key-based authentication is an alternative to password-based authentication in which you need not enter a password to prove your identity. This type of authentication is most often used for remote server logins over the internet. Most domestic users don’t really care about it because they work only within their home network. We encourage you to enable it if you are going to connect to your Pi over the internet or a VPN. Please read these posts to learn more about connecting to the Raspberry Pi over the internet and VPN: “How to setup Open VPN on Raspberry Pi” and “Five easiest ways to connect Raspberry Pi remotely in 2021”.

To understand key-based authentication, you need to be aware of some cryptographic concepts. Cryptography is a very vast topic, so we will keep it out of this discussion. You just need to remember that key-based authentication inherits its concept from asymmetric encryption, which works on public and private keys. So it requires two keys to work: a public key and a private key. In this process, the user uses their private key in place of a password to log in to the remote server on which the public key has been stored.

  1. Public Key: It’s a common key that needs to be on the remote server you are going to log in to. That is the Raspberry Pi in this scenario.
  2. Private Key: It’s a unique key used by the client to prove its identity for login. It should be stored on the client computer from which you are going to log in to the Pi. That is your desktop computer.

How Does Key Based Authentication Happen?

It’s not necessary to know the background work that happens during key-based authentication. We include it so that you are not left wondering how a private key can work as a password. Let’s break this complex concept into a few simple steps:

  1. First and foremost, you need to create a pair of keys: a public key and a private key. There are several ways to create a key pair.
  2. Keep the private key on your computer (the computer you want to log in from) and transfer the public key to the remote computer you want to log in to.
  3. When you attempt to log in, the server will check for the public key and then generate a random string and encrypt it using this public key. This encrypted message can only be decrypted with the associated private key.
  4. The server will send this encrypted message to your computer. Upon receipt of the message, your computer will decrypt it using the private key and send this message back to the server. If everything matches up, it lets you log in.

How to Setup SSH Keys on the Raspberry Pi?

There are several ways to generate a key pair. On Windows, keys can be easily created using a small program called ‘PuTTYgen’. But most Linux and Mac users use a command-line tool called ssh-keygen, which we are going to use on our Pi for demonstration.

To create a key pair, type ‘ssh-keygen’ in your terminal. See how simple it is to create a key pair: this one command creates an RSA key pair under the hidden directory ‘/home/pi/.ssh’. If you want to protect the keys with a password, type it when prompted; otherwise just hit Enter on your keyboard to leave it blank.

$ ssh-keygen

Generating key pair using ssh-key gen command on Raspberry Pi command line

If you look inside the hidden directory /home/pi/.ssh, you will see two files: id_rsa, which is the private key, and id_rsa.pub, the public key.

An image which shows Public and private keys generated inside ssh hidden directory on Raspberry Pi

How to Generate a Public Key From a Private Key Using ssh-keygen Tool?

Let’s say you have only a private key and lost your public key for some reason. What should you do? Well, you can no doubt generate a new pair of keys. But what if you have multiple users with multiple unique private keys? You might need to share keys with all the other users, which is never treated as best practice because the keys could fall into the wrong hands. If you really lost your public key, we recommend generating a public key from your private key. For demonstration, we are going to delete the public key to pretend it’s lost, and then show you how to generate it back.

To recreate the public key, you need to use the same ssh-keygen tool with -y and -f flags and pass the private key as a parameter. That’s all.

$ ssh-keygen -y -f id_rsa > id_rsa.pub

An image that shows how to recreate public key using the private key on Raspberry Pi

How to Configure the Public Key to Use the Private Key For Login?

After you create a key pair, it’s time to configure the public key on the Pi, which allows the private key to be used for login. There are two ways to do that.

  1. Copy the content of the public key and paste it into the file called ‘authorized_keys’ under the ‘.ssh’ hidden directory using any text editor.

$ cat id_rsa.pub

$ nano ~/.ssh/authorized_keys

An image showing the public key content using the cat command

  2. Or you can use the ssh-copy-id command, as shown here.

$ ssh-copy-id -i /home/pi/.ssh/id_rsa.pub pi@<pi_ip_address>

Once the public key is set up, your Pi will no longer ask for a password when you log in from your desktop computer using SSH. But this key is only good for connecting as the pi user, since that’s the home directory the keys were copied into. Always bear in mind: if you lose your keys, you can’t log in to the Pi using SSH. Make sure you keep them safe and available.

You can create as many keys as you have clients that want to connect and add them all to the authorized_keys file. If you want, you can go further and set up your Pi to accept only key-based authentication and stop accepting SSH passwords. If you want to expose your Pi to the internet, using SSH keys is a good way to go. But you can probably achieve the same goal by simply setting up a VPN connection with your Pi. You can visit this post to learn how to connect to a Pi using a VPN: “How to set up Open VPN on Raspberry Pi.” It’s optional to choose.
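The manual copy-and-paste in option 1 can also be scripted. The function below is an added example, not part of the original article: it appends a public key to authorized_keys only once, sets owner-only permissions (sshd's default StrictModes setting refuses key files that other users can write to), and refuses a private key passed by mistake. The function name, return codes and sample key line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): install a public key the
# way option 1 describes, with owner-only permissions and no duplicates.
# Returns 0 if installed or already present, 1 if the file is not a public
# key line, 2 if it is a private key.
install_pubkey() {
  pk_file=$1
  ssh_dir=$2/.ssh
  auth_file=$ssh_dir/authorized_keys

  # The private key stays on the client; refuse to authorize one by mistake.
  if grep -q 'PRIVATE KEY' "$pk_file" 2>/dev/null; then
    echo "refusing: $pk_file is a private key" >&2
    return 2
  fi

  # First non-empty line must look like "<type> <base64 blob> [comment]".
  pk_line=$(grep -v '^[[:space:]]*$' "$pk_file" 2>/dev/null | head -n 1)
  case $pk_line in
    ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
    *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
  esac

  # Only the owner may read or write the directory and the file.
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
  touch "$auth_file" && chmod 600 "$auth_file" || return 1

  # Append only when this exact line is not already authorized.
  grep -qxF -e "$pk_line" "$auth_file" || printf '%s\n' "$pk_line" >> "$auth_file"
}

# Demo on a throwaway directory with a constructed (non-functional) key line.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDEXAMPLE pi@desktop' \
  > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # second run adds nothing
echo "authorized keys: $(wc -l < "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

On the Pi itself the second argument would be the home directory of the account you log in as, for example /home/pi.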

How to Setup Only SSH Key Authentication?

As mentioned earlier, you can configure the Pi to accept only key-based logins. All those settings live in the ‘sshd_config’ file. Edit the file using a text editor.

$ sudo nano /etc/ssh/sshd_config

An image shows editing sshd_config file using nano editor

Scroll through the file to set the following values:

PermitRootLogin no

PubkeyAuthentication yes

PasswordAuthentication no

ChallengeResponseAuthentication no

UsePAM no

sshd_config file configuration on Raspberry Pi

Finally, apply the changes by reloading the SSH service.

$ sudo service ssh reload

An image shows reloading ssh configurations

If everything goes well, you will no longer be able to log in to the Pi from a computer that doesn’t have the private key, which is half of the key pair. If you attempt to log in from such a computer, your Pi will reject the connection. Your Pi will now only talk to a computer that has the private key.

This completes the step-by-step procedure to enable SSH key authentication on Raspberry Pi. This is a universal way to configure SSH keys on Linux and Mac. You can apply this procedure to other Linux and Mac systems too.

This post was originally published at thesecmaster.com.

We thank everybody who has been supporting our work and request that you check out thesecmaster.com for more such articles.
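A mistake in sshd_config can lock you out of SSH once passwords are disabled, so it helps to check the file before the reload. The script below is an added example, not part of the original article: it reads a config file the way sshd does (the first value found for a keyword wins, keywords are case-insensitive, settings after a Match line are conditional) and compares it with the five values listed above. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file.
# Print the effective global value of keyword $2 in file $1, or "unset".
sshd_value() {
  awk -v want="$2" '
    BEGIN { want = tolower(want); val = "unset" }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^#/ || /^$/ { next }
    {
      key = $0; sub(/[ \t=].*$/, "", key)
      arg = substr($0, length(key) + 1); sub(/^[ \t]*=?[ \t]*/, "", arg)
      key = tolower(key)
      if (key == "match") exit    # what follows applies only conditionally
      if (key == want) { split(arg, w, /[ \t]+/); val = tolower(w[1]); exit }
    }
    END { print val }
  ' "$1"
}

# Report each setting; the return status is the number that differ.
audit_sshd_config() {
  failures=0
  while read -r key want; do
    got=$(sshd_value "$1" "$key")
    if [ "$got" = "$want" ]; then echo "ok    $key $got"
    else echo "FAIL  $key is '$got', want '$want'"; failures=$((failures + 1)); fi
  done <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
  return "$failures"
}

# Constructed sample file, not taken from a real Pi.
write_sample_config() {
  printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'PermitRootLogin no' 'PermitRootLogin yes' 'pubkeyauthentication=yes' \
    'UsePAM yes' 'Match User pi' '  ChallengeResponseAuthentication no' > "$1"
}

sample=$(mktemp); write_sample_config "$sample"
audit_sshd_config "$sample" || echo "$? setting(s) differ"
rm -f "$sample"
```

On the Pi, point it at /etc/ssh/sshd_config; files pulled in through Include are not followed. Running `sudo sshd -t` checks the syntax before the reload, and keeping your current SSH session open until a new key-based login succeeds gives you a way back in.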
