In the last post we talked about what a Raspberry Pi is and what you can do with it. I gave you my hardware recommendations and we set up our Raspberry Pi.
This post focuses on what SSH is and how to enable SSH access on the Raspberry Pi. It also covers increasing the security of SSH access by protecting it with a kind of computer fingerprint, so that only certain computers will be able to connect to the Raspberry Pi over SSH.
SSH and RSA
What is SSH?
The shell is the textual interface from which you can control the entire computer. Everything you see on your screen is just the graphical user interface. In reality, everything happens at the shell level.
SSH (Secure Shell) is an encrypted connection that lets you connect remotely to the server (the Raspberry Pi) and give it commands. You can install, uninstall, start and close programs, create, modify or delete files, and so on.
What is an RSA key?
An RSA key is a password of hundreds of characters, which is randomly generated and therefore unique. So it’s something like a fingerprint, because it is almost impossible that the same string will be generated again.
So we’ll make a fingerprint and tell our Raspberry Pi that only this fingerprint can connect to the Pi. Generating it produces a private and a public key.
The private key is your fingerprint. It’s your ID and that’s why you should never give it out. The public key is a cryptic password, which is generated from your private key.
This public key is going to be stored on the Raspberry Pi. When you connect to the Raspberry Pi, it checks whether your private key matches the stored public key. If it matches, the connection is allowed. Otherwise it is not. I hope that was understandable. In practice it is much easier to understand.
If you give your private key to someone, they can log in with your name on the Raspberry Pi.
Enable SSH access on the Raspberry Pi
On the Raspberry Pi, open the console, type sudo raspi-config, and confirm it with Enter. After that you have to do the following:
You can restart with the following command:
From now on you can connect to the Raspberry Pi via SSH, using the IP address of your Raspberry Pi. You can find out the IP address by entering the following into the console:
Once you have done that, the IP address will be displayed. Do not close this window. We will still need the IP address later on.
Make an SSH connection
To establish an SSH connection, you first have to download and install MobaXterm. Then you open MobaXterm and click on Session. The configuration window opens. There you click on SSH (far left) and enter your access data for the Raspberry Pi.
Under “Remote host” you enter your IP address, which we displayed before. You must put a check mark on Specify username and enter your username there. If you have not changed it, this is pi by default. At the end you enter a name for this connection under bookmark settings and click on OK. A connection is made by double-clicking the bookmark name.
Once connected, you can unplug your Raspberry Pi from the monitor and all other devices and stow it where it should be for the rest of the time.
Generate RSA keys
Our Raspberry Pi is currently publicly accessible with its IP address. To increase security, we will allow the connection to our Raspberry Pi only for certain computers. For this we have to generate an RSA key. This is how it’s done:
After you have generated a key, you should save both keys (public and private) on your hard drive and secure them as well as possible. We can leave this window open because we will need the public key (yellow in the screenshot).
Deposit your RSA key in the Raspberry Pi
In the command line of MobaXterm enter the following command:
mkdir -p ~/.ssh && cd ~/.ssh && ssh-keygen -t rsa && nano ~/.ssh/authorized_keys
This command creates the .ssh folder in your home directory on the Raspberry Pi, creates a file called authorized_keys and opens it for editing. The authorized_keys file contains all public keys that are allowed to connect to your Pi via SSH.
You now copy your public key from the window where you generated the key and insert it here. Then you close the text editor (Ctrl + X) and confirm the changes. Once the file is saved, you can close the window with the public key.
If you want to add more public keys, they must be added line by line. One key per line.
Restrict SSH access to your RSA key
After we are done with the above steps, we can move on. Currently you can log in to your Raspberry Pi with a username and password. However, we want to change that so you can only log in with an RSA key.
The following command opens the SSH configuration of the Raspberry Pi:
sudo nano /etc/ssh/sshd_config
In this file, you should only follow the instructions and then close it. Here you should not experiment with ill-considered changes!
In this file you will see that many lines are commented out. Commented-out settings have a hash sign (#) at the front. This means that these settings are currently not active. You should now look for the settings below and, if they are commented out, enable them by removing the # at the beginning of the line.
If you cannot find these settings after a careful search, you can also write them by hand.
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
As soon as you have finished, close the editor (Ctrl + X) and confirm the changes. Then you have to restart the SSH service with the command:
sudo /etc/init.d/ssh restart
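A check worth running before that restart, added here as an example that is not part of the original post: it reads the settings the way sshd does (commented-out lines ignored, first occurrence wins) and refuses to pass when password login is off but authorized_keys holds no usable key. The function names effective, count_keys and preflight are hypothetical, and the sample files are constructed. It also notes RSAAuthentication, an SSH protocol 1 option that current OpenSSH releases report as deprecated.

```shell
# Added example. Limits: reads one file only (no Include), global section only.

# Effective value: comments skipped, keyword case-insensitive, first match wins.
effective() {  # usage: effective KEYWORD FILE
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Lines holding a key: key type, then base64 data (options may come first).
count_keys() {  # usage: count_keys FILE
    [ -r "$1" ] || { echo 0; return 0; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 1; i < NF; i++)
              if ($i ~ "^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" &&
                  $(i + 1) ~ "^[A-Za-z0-9+/]+=*$") { n++; break } }
        END { print n + 0 }
    ' "$1"
}

# Returns 0 only when key-only login is configured and a key is installed.
preflight() {  # usage: preflight SSHD_CONFIG AUTHORIZED_KEYS
    pw=$(effective PasswordAuthentication "$1"); pw=${pw:-yes}  # sshd default
    pk=$(effective PubkeyAuthentication "$1"); pk=${pk:-yes}    # sshd default
    rc=0
    if [ "$pw" != no ]; then echo "WARN: password login is still enabled"; rc=1; fi
    if [ "$pk" != yes ]; then echo "FAIL: public-key login is disabled"; rc=2; fi
    if [ -n "$(effective RSAAuthentication "$1")" ]; then
        echo "NOTE: RSAAuthentication is an SSH protocol 1 option (deprecated)"
    fi
    if [ "$pw" = no ] && [ "$(count_keys "$2")" -eq 0 ]; then
        echo "FAIL: no usable key in $2, restarting sshd would lock you out"; rc=2
    fi
    return "$rc"
}

# Constructed sample: the page's settings plus a still-empty authorized_keys.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'RSAAuthentication yes' 'PubkeyAuthentication yes' > "$d/sshd_config"
    : > "$d/authorized_keys"
    st=0; preflight "$d/sshd_config" "$d/authorized_keys" || st=$?
    echo "exit status: $st"; rm -rf "$d"
}
demo
```

On the Pi, run it as preflight /etc/ssh/sshd_config ~/.ssh/authorized_keys; sudo sshd -t additionally checks the configuration file for syntax errors.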
If your connection to the server breaks down and you can no longer connect, that’s normal. We will take care of that now.
Log in to the Raspberry Pi using the RSA key
If you are still connected to the Pi, this connection will break the command
In MobaXterm you can see your connections on the left side. Among them is your connection to the Raspberry Pi. Right-click it and click Edit Session. The following window opens:
Click on Advanced SSH settings (green) to open the advanced settings for this connection. There you just need to check Use private key (blue) and open your private key that you had previously saved.
With a click on OK the settings are saved and you can connect to your Pi again. Thus, your Raspberry Pi is only accessible to this computer. If you want to add more computers, simply add their public key to the authorized_keys file.
In the next part, we will be making a remote desktop connection with our Raspberry Pi to have a graphical user interface as well.