How to connect to your Raspberry Pi using SSH key pairs

Using an SSH key to log on to your Raspberry Pi has a number of advantages over the traditional password-only method. Amongst others:

  • A password is not transmitted over the network, preventing interception by eavesdropping.
  • The risk posed by brute force password attack is reduced considerably.
  • Automatic login is possible without having to continuously enter your password (if you use an SSH agent such as Pageant).

In the instructions below, we will create a key pair. One of the keys is known as a public key, and the other a private key. The private key must be closely guarded, but the public key can be distributed freely.

As stated, the private key must be kept secure, so that only you have access to it, and typically it will be stored in encrypted form, requiring a passphrase to open it. In the scenario I present below, the private key will be stored on your PC in encrypted form. A piece of software called Pageant is used to manage this key (and any others you have), and will challenge you for a passphrase when you try to open the key. Once the key is open in Pageant, you will not need to enter the passphrase again unless you exit Pageant or close the key.

The public key will be copied to the Raspberry Pi, and saved in a directory owned by the user “pi”. This directory (/home/pi/.ssh) will be protected by permissions to prevent unauthorised users from placing their own public keys here and thus gaining access with their own key pairs.

With the two keys in place, and Pageant acting as the SSH agent for the private key, PuTTY can be used to connect to the Raspberry Pi as user “pi” over SSH.

There are many ways to create the keys in the first place, but here we will use yet another piece of software, called PuTTYgen.

Create the keys using PuTTYgen

  • Download PuTTYgen to your PC from http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
  • Run the PuTTYgen.exe file you just downloaded to display the “PuTTY Key Generator” window.
  • Select SSH-2 RSA as the “Type of key to generate” and leave the “Number of bits in a generated key” set to 2048.
  • Click “Generate” and then move the cursor around the blank grey area of the “Key” pane to randomly generate a unique key. On completion, you will see information about the key.
  • Don’t touch the “Key fingerprint” or “Key comment” fields, but enter a passphrase in the “Key passphrase” and “Confirm passphrase” fields. This will encrypt the key on the PC disk and prevent unauthorised access.
  • Click “Save public key” and you will be prompted for the name and location of the public key. Let’s call it “MyPi.pub”, and save it somewhere sensible on your PC.
  • Click “Save private key” and you will be prompted for the name and location of the private key. Let’s call it “MyPi.ppk”, and save it to the same location as your public key.
  • You can now close PuTTYgen.

Copy the public key to your Raspberry Pi

  • Use PuTTY (available from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe) to log on to your Raspberry Pi as user “pi”
  • Create a directory for the public key and move into it:

    mkdir -p ~/.ssh
    cd ~/.ssh
  • Open the authorized_keys file for editing (assuming it doesn’t already exist):

    sudo vi ~/.ssh/authorized_keys

    …and copy and paste the content of the MyPi.pub key into it. It has to be EXACTLY the same as the original, otherwise it won’t work. You can add multiple keys to the authorized_keys file if necessary, but each one will be on a new line in the file. Save and exit the file.
  • Secure the keys file with:

    sudo chmod 644 ~/.ssh/authorized_keys
    sudo chown pi:pi ~/.ssh/authorized_keys
    sudo chmod 700 ~/.ssh

Test that the key pair works

  • Open the sshd configuration file for editing with:

    sudo vi /etc/ssh/sshd_config

    …and add to the end of the file:

    UsePAM no
    PermitRootLogin no
    AllowUsers pi
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication yes
  • Restart the ssh service with:

    sudo service ssh restart
  • Exit your PuTTY session, and download the Pageant software from http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe
  • Run the Pageant software you just downloaded, and click “Add Key”. Select the private key file you just created (“MyPi.ppk”) and enter your passphrase when prompted.
  • Now open PuTTY again and try to connect to the Raspberry Pi as user “pi”. You shouldn’t be prompted for a password. If you are, the keys are not matched, or there is a problem with the /etc/ssh/sshd_config file.
  • If all is well, you can continue on to the final step.

Disable password authentication on the Raspberry Pi

Now that we have confirmed that we can connect to the Raspberry Pi using keys, we can turn off password authentication altogether for added security.

  • Open the sshd configuration file for editing with:

    sudo vi /etc/ssh/sshd_config

    …and change:

    PasswordAuthentication yes

    …to:

    PasswordAuthentication no
  • Restart the ssh service with:

    sudo service ssh restart
  • Exit your PuTTY session, and then open a new PuTTY session. You should connect immediately without being challenged for authentication.
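
sshd keeps the first value it reads for each of these keywords, so a line appended to the end of /etc/ssh/sshd_config is ignored when the same keyword is already set earlier in the file. The following is an added example, not part of the original post: a Python check that reports the effective values and any ignored repeats. The sample file is constructed, and Include directives and Match blocks are not evaluated.

```python
EXPECTED = {  # single-valued keywords and the values the final step expects
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "usepam": "no",
}

# Constructed sample: keywords already set before the tutorial's lines were appended.
SAMPLE_CONFIG = """\
PermitRootLogin without-password
UsePAM yes
PasswordAuthentication yes
# --- appended ---
UsePAM no
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
"""

def effective_settings(config_text):
    """Return ({keyword: (value, line_no)}, [ignored repeats]) for the global section."""
    effective, ignored = {}, []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":      # conditional blocks are out of scope here
            break
        if keyword in effective:    # sshd keeps the first value it read
            ignored.append((keyword, line_no, effective[keyword][1]))
        else:
            effective[keyword] = (value, line_no)
    return effective, ignored

def audit(config_text):
    effective, ignored = effective_settings(config_text)
    findings = []
    for keyword, want in EXPECTED.items():
        value, line_no = effective.get(keyword, (None, None))
        if value is None:
            findings.append(f"{keyword}: not set, sshd default applies")
        elif value.lower() != want:
            findings.append(f"{keyword}: effective value '{value}' (line {line_no}), wanted '{want}'")
    findings += [f"{k}: line {n} ignored, set on line {first}" for k, n, first in ignored if k in EXPECTED]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

On the Raspberry Pi, `sudo sshd -T` prints the configuration that sshd actually resolved.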

When you have finished working on the Raspberry Pi

Remember to close down Pageant when you have finished working on the Raspberry Pi, otherwise other users with access to your PC will be able to connect to your Raspberry Pi without being challenged.

3 thoughts on “How to connect to your Raspberry Pi using SSH key pairs”

  1. Pingback: Offloading computing tasks to another computer with SSH – getting started using a raspberry pi – David Hewlett

  2. Thanks for this article. Every time I set up a new pi, I have trouble remembering the exact steps to go through to get passwordless SSH working.

    One change I had to make, however, was that pasting the public key I saved from Putty into the authorized_keys files on the pi did not work. Rather, I had to paste the text from the box labeled, “Public key for pasting into OpenSSH authorized keys file:” Not quite sure why Putty gives two very different strings for purportedly the same use – the public key.
