-
Notifications
You must be signed in to change notification settings - Fork 123
Secure SSH with Putty
PINN's headless access via SSH and VNC is meant to be used on a local LAN only. If your Pi is open to the internet, anyone can gain access to PINN as the only security is a well-known username/password for SSH and VNC has no security at all. IF you do want to access PINN over the internet, it is necessary to secure these protocols. To secure SSH it is necessary to switch from password based to public key based authentication.
Installing Putty also installs a program called PuttyGen to create key pairs. Open this APP and ensure the RSA key type is selected with 2048 bits. Press the Generate button to generate a new Key Pair.
The public key will appear in a box at the top of the dialog box, beginning with 'ssh-rsa' and ending with a comment such as 'rsa-key-20230625'. This can be cut & pasted to a text file to be used later. Do not by click on the "Save public key" button as it saves the public key in a different format. The public key is the one that should be stored on your PINN RPi (see below).
Here is an example of a public key:
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCN7yEGsUIZ78ElLDe14/D6I2hoxFAdgUKmNgWeYXA9tXO5gL/Rst12UPzjckN+kuythQ+v6VUBWV3IkMEdyAhdvIXx1R5pPe9rhZt/IF4KPs4ZzVuu1wOgyn94rxI5LC09BJGrZ4deidxB61R70qZ3waSoF2/ZM9bl7X4dZXwWkYxihsR16WsYuMWQHpTdrzA0f20fWlKlr2mzYtfMEIicuZN4s3YOIMTBO+lT0gsGHV+JMBCuTAdzmaP+fnT1LmbcuP/3y0AoVT7eYUynmMq0jXCgYSShJPvPDPATgc6uASY/mLMByEZNk5oLctVMwz8IdHwT28xsoyQocxitG7zh rsa-key-20230113"
Click the "Save private key" and provide a filename with a ".ppk" extension to save the private key. The private key should be kept secret and stored on your PC where Putty is. Remember its filename and where you stored it.
Here is an example of the private key (which is probably specific to Putty):
"PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230625
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQDDkTlRWSjrrIGMTPSw4QQgjWYrXTsZFvGf
nwZZLzQ0wR8++U0E4+kEaohDuqxVf1zPAxUNMWiJoLfAotoOAmXfjS6sxIyHC4p6
9uzINBoKCff9ss6mZM8SzLcg3dL0A8zTB4AER6/Fmo/82lvVRJp87XtR03dDN2es
3KmG6JH0dGgvv9/YNT8UDdZyloUFa/lBOjob6ZZ1UOwpE82Q3Wpf3jfcHo8nODGf
OFdBiLllk1uU7Q9NpbOV7mN8NUGEBPycpAFPjG7B05AixpGiqV7Pit2wdgasYRuz
R4V/LGVe25lQHhgThYiz15cgaolJFCrzGhe6NOLH3UxI4jp9Qxwz
Private-Lines: 14
AAABADk0Z5G2BNQ7F4HUmNaMW0qyUappkPnbzj2kpJS9zAWKX/tprO+7QtO53bYC
CprPsHQVMLk1NKDdVCKTADmM1gO4Jmj+7SQragxh4g0FwIAjPlkFTpE5d6DGJOMG
P8iEvAsWbInT9kRU271YmfgeIxpb1PCwbHhK4pabzTLbIKZiS5LwHRsLiAHiKH7C
eFfKPu6YADQL7rcIqLlvlncjZp3BqYdDSWG2x5IYDZrTnjHFclrlprwgLhgjJJ3T
SI2/NHCVpQfHyjibAEXR4iLN2CzLN9CLHQertjh/2ZlMPSMDvkEHey4rfL0UtqgZ
TnYUv7acsqXSaybwz+M4YKen/xEAAACBAOQQBej9Glsc86gP2Gk8STCugg2PhzPs
5B52dyBWw3/mALC3OUP6HNOXmSNMmym0jB0Js8cVVW+QK0Z2aVSnu3eYoybsjbmK
aj4/RyzddCZSU6IJb1vrH55uh66rgMMbqcTBJsUEeOowNhMBtbDGyXRPI+P460+3
ZovSBa3kcozPAAAAgQDbhihE9mR8GqYgzjskfTkFnggFgAQ6RTwrtcJqvXR17oz1
Tc1T3qmE2iR7XP6IwWfES39X2Oz2AMci4rP9TJKQh58GfWzhR6/s1v768UbqThw5
AvGnOAt8hJTdMd+Fv3UC/noqhSUZQiY0+NxyYlvxbydbAmo50DsMJ80WMrn7XQAA
AIAMPf4DWw0mfZDj4/B2pCNanN4v+4VtPs6mcGYAg8fkU5blQhtzvl7zAf13vkCb
9EQRBVnyG194fAJabph2QxekWJD1o4dNjQjwV5ccoJpGUFgS+X2l+8jEJ0FkMNs2
6PUYQHqoWN46fwrNmQo1MZdHuvd+0Fueu8CFqSHD/9YAfw==
Private-MAC: 55ac33033cf7759232ec74d0e81c3337dedc99ed17ad5aa33dd6f5654aebeaaf"
In Putty, create a new Session. in the left hand pane, open the category to Connection/SSH/Auth. The last entry on the right hand side provides the opportunity to enter your Private key file for Authentication. Click the browse button and selet your previously saved private keyfile.
Copy the public key into /settings/.ssh/authorized_keys on your RPi. Check the permissions of these files and adjust as required to match below: drwx------ 2 root root 1024 Jun 25 17:31 .ssh/ -rw------- 1 root root 797 Jun 25 17:42 authorized_keys
Test your key by logging in to SSH on PINN with your new Putty Sesstion. After entering the 'root' login, you should be automatically logged in without having to enter a password If it works, you can then disable password authentication by creating /settings/dropbear/dropbear with the following contents:
DROPBEAR_ARGS="-s -g"
You may now open a port in your router and map it to port 22 on your Pi to allow remote access. Be aware that opening such a port will also open it for any other OS you may switch to, so you should be careful to secure port 22 in each of your OSes.