Raspberry Pi: Upgrade command-line security with SSH keys

Allowing logins to your Raspberry Pi with a username and password leaves you exposed to a "man-in-the-middle" attack or a spoofed server that captures your password. SSH keys work by generating a public and private key pair and then presenting an unforgeable signature instead of a password; the private key never leaves your machine. You can read more about how SSH works here.

I will explain how to configure SSH keys using the free open-source terminal emulator PuTTY for Windows as the SSH client. It can also be done with other clients of your choice and the procedure will be similar. You can download PuTTY here.

Generate an SSH key

Full details for generating keys can be found in the documentation here. I recommend using the following steps:

Run PuTTYgen. I am using Release 0.67 in this example.

Choose Parameters-->SSH-2 RSA. Change the "Number of bits in a generated key" to 4096.

Click on the "Generate" button and move your mouse around as prompted.

Once you have generated enough "randomness", PuTTYgen will generate the key pair and display the public key.

Add a passphrase, which will be used to encrypt the key on disk. If you do not encrypt the key then anyone who gains access to the key can use it to log in.

Choose "Save private key" and enter a name for the private key file.

Leave the PuTTYgen window open and continue to the next step.

Add public key to Raspberry Pi

Log into your Raspberry Pi using PuTTY.

Make the ssh directory if needed:

MuhUser@MuhPi:~$ mkdir ~/.ssh 

Edit or create the authorized_keys file:

MuhUser@MuhPi:~$ vi ~/.ssh/authorized_keys 

Go back to the PuTTYgen window and select the contents of the "Public key for pasting..." window, then Right click-->Copy.

Go to the PuTTY window and press i to enter insert mode. Right click to paste the key. Save the file with :wq!.
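The same "add the public key" step, done as a script rather than by hand, as an added example that is not part of the original post. It takes the one-line OpenSSH-format key that PuTTYgen shows in its "Public key for pasting..." box, creates ~/.ssh and authorized_keys with the permissions sshd insists on (700 on the directory, 600 on the file; with the default StrictModes sshd silently ignores a key file that is group or world writable, which is the most common reason a freshly pasted key "does not work"), and skips the key if it is already present. The function names and the key string are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: install an OpenSSH-format public
# key into $HOME/.ssh/authorized_keys with the permissions sshd expects.
# Assumes GNU coreutils (stat -c), which is what Raspberry Pi OS ships.

install_authorized_key() {
    # $1 = home directory of the account, $2 = one-line public key as shown by PuTTYgen
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # StrictModes (default yes) makes sshd reject keys when the directory or
    # file is writable by anyone but the owner, so set the modes explicitly.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Append only if this exact line is not already present (whole-line, fixed-string match).
    if grep -qxF "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

count_authorized_keys() {
    # $1 = home directory. Counts key lines, ignoring blank and comment lines.
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

perms_ok() {
    # $1 = home directory. Succeeds when ~/.ssh is 700 and authorized_keys is 600.
    [ "$(stat -c %a "$1/.ssh")" = 700 ] &&
        [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# Run as `sh install_key.sh demo` to exercise the functions in a throwaway directory.
if [ "${1:-}" = demo ]; then
    demo_home=$(mktemp -d)
    # Constructed placeholder key for the demo, not a real key.
    demo_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC-PLACEHOLDER rsa-key-20170412"
    install_authorized_key "$demo_home" "$demo_key"
    install_authorized_key "$demo_home" "$demo_key"
    echo "keys installed: $(count_authorized_keys "$demo_home")"   # prints 1, duplicate skipped
    perms_ok "$demo_home" && echo "permissions ok"
    rm -rf "$demo_home"
fi
```

On the Pi itself you would call install_authorized_key "$HOME" "ssh-rsa AAAA... rsa-key-20170412" with the line pasted from PuTTYgen. If a key still does not work, `sudo grep sshd /var/log/auth.log` reports "Authentication refused: bad ownership or modes" when the permission check is the cause.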

Configure PuTTY session with the SSH private key

Open PuTTY again and choose (or create) the session for your Raspberry Pi.

Choose Connection-->SSH-->Auth-->Browse for "Private key file for authentication" and choose the private key file you saved earlier.

Save your PuTTY session.

Choose "Open" to connect to your Raspberry Pi.

Test login with ssh keys

Enter your user name

login as: MuhUser

Enter your passphrase:

Authenticating with public key "rsa-key-20170412"
Passphrase for key "rsa-key-20170412":

Now you are logged in:

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Thu Apr 13 02:25:11 2017 from x.x.x.x

Disable the ability to log in to SSH with a password

Now that you have configured SSH keys and tested that they work, remove the ability to log into your Raspberry Pi with a password.

MuhUser@MuhPi:~$ sudo vi /etc/ssh/sshd_config

Find and modify the following line, removing the '#' at the beginning of the line so that the directive takes effect:

PasswordAuthentication no

Save the file with :wq!.

Restart the ssh service:

MuhUser@MuhPi:~$ sudo service ssh restart

Verify the change by attempting to log in to the server without providing the private key:

MuhUser@MuhPi:~$ ssh localhost
Permission denied (publickey).