You’ve used password authentication to connect to your Pi via SSH, but there’s a more secure method available: key pair authentication. In this section, you’ll generate a public and private key pair using your desktop computer and then upload the public key to your Pi. SSH connections will be authenticated by matching the public key with the private key stored on your desktop computer – you won’t need to type your account password. When combined with the steps outlined later in this guide that disable password authentication entirely, key pair authentication can protect against brute-force password cracking attacks.
Generate the SSH keys on a desktop computer running Linux or Mac OS X by entering the following command in a terminal window on your desktop computer (a new Mac terminal, not your SSH session on the Pi). PuTTY users can generate the SSH keys by following the Windows-specific instructions in the Use Public Key Authentication with SSH guide. Type in:
ssh-keygen
The SSH keygen utility appears. Follow the on-screen instructions to create the SSH keys on your desktop computer. To use key pair authentication without a passphrase, press Enter when prompted for a passphrase.
Two files will be created in your ~/.ssh directory: id_rsa and id_rsa.pub. The public key is id_rsa.pub – this file will be uploaded to your Pi. The other file is your private key. Do not share this file with anyone!
Upload the public key to your Pi with the secure copy command (scp) by entering the following command in a terminal window on your desktop computer. Replace USERNAME with your username, and 192.168.0.2 with your Pi’s IP address. If you have a Windows desktop, you can use a third-party client like WinSCP to upload the file to your home directory.
scp ~/.ssh/id_rsa.pub USERNAME@192.168.0.2:
Go back to your Pi terminal session and, from your home directory (/home/USERNAME), create a directory for the public key by entering the following command on your Pi:
sudo mkdir .ssh
Move the public key into the directory you just created, renaming it to authorized_keys, by entering the following command on your Pi:
sudo mv id_rsa.pub .ssh/authorized_keys
Set the ownership and permissions of the .ssh directory and the authorized_keys file by entering the following commands, one by one, on your Pi. Replace example_user with your username. (SSH refuses to use these files if they are writable by anyone other than the owner.)
sudo chown -R example_user:example_user .ssh
sudo chmod 700 .ssh
sudo chmod 600 .ssh/authorized_keys
The SSH keys have been generated, and the public key has been installed on your Pi. You’re ready to use SSH key pair authentication! To try it, log out of your terminal session and then log back in. The new session will be authenticated with the SSH keys and you won’t have to enter your account password. (You’ll still need to enter the passphrase for the key, if you specified one.)
Disabling SSH Password Authentication and Root Login
You just strengthened the security of your Pi by adding a new user and generating SSH keys. Now it’s time to make some changes to the default SSH configuration. First, you’ll disable password authentication to require all users connecting via SSH to use key authentication. Next, you’ll disable root login to prevent the root user from logging in via SSH. These steps are optional, but are strongly recommended. Before disabling password authentication, confirm that your key-based login works (as tested in the previous section) and keep your current session open while you make the change, so that a mistake cannot lock you out.
Here’s how to disable SSH password authentication and root login:
Open the SSH configuration file for editing by entering the following command:
sudo nano /etc/ssh/sshd_config
Change the PasswordAuthentication setting to no as shown below. Make sure the line is uncommented by removing the # in front of it, if there is one:
PasswordAuthentication no
Change the PermitRootLogin setting to no as shown below:
PermitRootLogin no
You can optionally change the SSH port in this config file as well (for example, Port 22 to Port 2256).
Save the changes to the SSH configuration file by pressing Control-X, and then Y.
Restart the SSH service to load the new configuration. Enter the following command:
sudo service ssh restart
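As an added example (not part of the original guide), here is a small POSIX shell check you can run on the Pi after the restart to confirm that the two settings above took effect. It uses a constructed sshd_config fragment so it runs offline, and it follows sshd's own rule that the first uncommented occurrence of a keyword is the one that applies; point it at /etc/ssh/sshd_config to check the real file.

```shell
#!/bin/sh
# Constructed sample of an sshd_config (not a real file). The commented-out
# lines mirror what the Raspberry Pi OS default looks like before editing.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed example of /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no
Port 2256
EOF

# effective_value FILE KEYWORD
# Print the value sshd will use for KEYWORD: the first line whose first
# word is the keyword (case-insensitive). A leading '#' makes the first
# word "#Keyword", so commented-out defaults are correctly ignored.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_hardening FILE
# Returns 0 when both settings match this guide, 1 otherwise, printing
# the offending setting. An empty value means the keyword is unset and
# sshd falls back to its built-in default (yes for PasswordAuthentication).
check_hardening() {
    pa="$(effective_value "$1" PasswordAuthentication)"
    rl="$(effective_value "$1" PermitRootLogin)"
    status=0
    [ "$pa" = "no" ] || { echo "PasswordAuthentication is '${pa:-unset}', expected no"; status=1; }
    [ "$rl" = "no" ] || { echo "PermitRootLogin is '${rl:-unset}', expected no"; status=1; }
    return $status
}

check_hardening "$SAMPLE_CONFIG" \
    && echo "sshd_config hardened, listening on port $(effective_value "$SAMPLE_CONFIG" Port)"
```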