
I access my Raspberry via ssh user@raspberrypi.local from my Mac. When doing this, I enter the password of the Pi user.

I have tried to find ways to make my Raspberry more secure, and stumbled across some posts suggesting that I generate SSH keys.

Is using SSH keys more secure than simply running the command above when I wish to connect?

I'm not quite understanding if SSH keys mainly are used for password-less access, or if they are chiefly used to prevent computers that don't have the private key (id_rsa) from accessing the Pi. If it's the latter, then I presume that this increases security compared to allowing anyone to start an SSH tunnel in as long as they can break the password.

Also, if I choose to use SSH keys, should I generate id_rsa on my Mac and give id_rsa.pub to my Raspberry, or the other way around?

P A N

1 Answer


SSH keys provide additional security over a password because of their length compared to a password; they also tend to have higher entropy. You can choose to allow passwords, SSH keys or both. SSH keys will provide the highest level of security for the reasons stated above. If you only allow SSH key authentication you will have passwordless logins (sort of). To ensure the security of your private key you should use a passphrase when generating the key. So you will need a passphrase (aka password) to use the (private) key. You can set this up to only ask you once per session (though this does have security implications).

As for generating the keys (public and private), you would do that on your Mac and then copy the id_rsa.pub key to the Pi. If running headless, make sure to have another session open in case of mistakes, since a mistake can lock you out of your system.

There are a few other things that you can do to make SSH (and hence your Pi) more secure: disable root logins, limit login attempts, limit the accepted IP addresses/hosts and run SSH on a non-standard port.

Steve Robillard
  • The generated file "id_rsa.pub" should contain one line of text. This line has to appear as a line in the file ~/.ssh/authorized_keys on your Pi (as the only line, or as one of several lines if other public keys are also in this file). You might have to create this file. It might be necessary that only the user (but not "group" or "others") has read access on this file (i.e. chmod go-r ~/.ssh/authorized_keys). – user1364368 Jul 26 '16 at 09:54
  • It should be noted that disabling `root` logins only really improves security when you also disable `sudo` for all SSH users. – Dmitry Grigoryev Sep 23 '19 at 07:09
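The steps from the answer and the comments, written up as shell functions so they can be rehearsed against scratch files before touching a real Pi. This is an added example, not code from the original answer or from the Raspberry Pi project. ssh-keygen, ssh-add and sshd are the real OpenSSH tools; the key material, the sample sshd_config, the port 2222 and the AllowUsers pattern are constructed assumptions for illustration, and the ed25519 key type is a choice (the page itself names id_rsa). generate_client_key is not run in the stand-alone demo because ssh-keygen prompts for the passphrase interactively.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes a POSIX sh with
# grep, awk, find, mktemp and, on the real machines, OpenSSH.
set -e

# 1. On the Mac: generate the key pair WITH a passphrase (ssh-keygen prompts
#    for it). ssh-add then caches the unlocked key in the agent, so the
#    passphrase is asked once per session, which is the "security implication"
#    the answer mentions: anyone at the unlocked Mac can use the key.
#    RSA equivalent of the page's id_rsa: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
generate_client_key() {
    key="${1:-$HOME/.ssh/id_ed25519}"
    [ -f "$key" ] || ssh-keygen -t ed25519 -a 64 -f "$key" -C "mac -> pi"
    # ssh-add "$key"   # optional: unlock once per session
}

# 2. On the Pi: put the single line of id_*.pub into ~/.ssh/authorized_keys,
#    once (re-running must not duplicate it), and set the permissions sshd's
#    StrictModes requires (the "chmod go-r" point from the comment).
#    This is what ssh-copy-id does for you.
install_pubkey() {
    pub="$1"; sshdir="$2"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    line=$(cat "$pub")
    # -F -x: literal, whole-line match, so the same key is never appended twice
    if ! grep -qFx -e "$line" "$auth"; then
        printf '%s\n' "$line" >> "$auth"
    fi
}

# 3. sshd hardening from the answer. sshd honours the FIRST occurrence of a
#    directive, so set_sshd_option removes every active or commented-out copy
#    and puts the new value at the top (also keeps it above any Match block).
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"; tmp="$cfg.tmp"
    {
        printf '%s %s\n' "$key" "$val"
        grep -vi "^[[:space:]]*#*[[:space:]]*$key[[:space:]]" "$cfg" || true
    } > "$tmp"
    mv "$tmp" "$cfg"
}

# Effective value of a directive, the way sshd reads it (first active line wins).
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

harden_sshd_config() {
    cfg="$1"
    set_sshd_option "$cfg" PasswordAuthentication no           # keys only
    set_sshd_option "$cfg" ChallengeResponseAuthentication no  # no PAM password prompt either
    set_sshd_option "$cfg" PermitRootLogin no                  # disable root logins
    set_sshd_option "$cfg" MaxAuthTries 3                      # limit login attempts
    set_sshd_option "$cfg" Port 2222                           # assumption: a free port
    set_sshd_option "$cfg" AllowUsers "pi@192.168.1.*"         # assumption: your LAN only
    # On the Pi, with a second session still open:
    #   sudo sshd -t -f "$cfg" && sudo systemctl reload ssh
    # sshd -t refuses a broken config before it can lock you out.
}

# --- stand-alone run on scratch files with constructed sample data ---
DEMO_DIR=$(mktemp -d)
# constructed, not a real key: id_ed25519.pub is exactly one line
printf '%s\n' "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleNotARealKey mac -> pi" \
    > "$DEMO_DIR/id_ed25519.pub"
install_pubkey "$DEMO_DIR/id_ed25519.pub" "$DEMO_DIR/.ssh"
install_pubkey "$DEMO_DIR/id_ed25519.pub" "$DEMO_DIR/.ssh"   # second run: no duplicate
# constructed sample resembling a stock sshd_config
cat > "$DEMO_DIR/sshd_config" <<'EOF'
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
EOF
harden_sshd_config "$DEMO_DIR/sshd_config"
```

After the demo, `$DEMO_DIR/.ssh/authorized_keys` holds the key once with mode 600, and `sshd_option "$DEMO_DIR/sshd_config" PermitRootLogin` answers `no` even though the original file said `yes`; the `UsePAM` line the functions were not asked about is left untouched.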