The aim of this post is to set up a key-based ssh login to the R1. Key-based authentication is a vital part in the securing of your system, specificity against attackers how are trying to gain access using a brute force attack.
The first thing i did on my R1 was to set up a new sudo-user. On bananian 15.01 the sudo package isn’t installed by default, so the first thing to do is to run apt-get install sudo. when sudo is installed it’s time to add a new user, and the way to do this is to run adduser <username>. To turn the new user in to a sudoer the only thing that has to be done is to add it to the sudo user group, this is done by running adduser <username> sudo. Now its time to test if the new user can use sudo to run commands with root-privileges. Run su <username> to run a shell as the new user. Then try to run a command that needs root-privileges like ifconfig, this should result in that the command doesn’t run. Then try to run the same command with sudo, sudo ifconfig. If all is well you should get a printout of the network interfaces that are up.
Commands to run on the banana:
- apt-get install sudo – installs sudo
- adduser <username> – adds a new user
- adduser sudo – adds the new user to the user group sudo
- su <username> – runs a shell as the new user
- ifconfig – needs root-privileges should fail
- sudo ifconfig – with sudo the command should run as expected
Now it’s time to set up a key-based login via ssh for your new user. If you haven’t used key-based login before you will probably need to generate a new set of keys. This is as simple as running the command ssh-keygen -t rsa, one important thing when generating new keys is to choose a strong passphrase. The strength of your passphrase has nothing to do with the strength of your key , but it protects your key if it falls in the wrong hands. Now its time to transfer your public key to the banana pi, there is two main ways of doing this. The first is to run: ssh-copy-id <username>@<the-ip-of-the-R1> on your client machine, this will work as long as you can login to the R1 over ssh with username/password. The other way is to move your public key from the client to the R1 with a flash drive, and concatenate it to the authorized_keys file manually. The authorized_keys file is located in the /home/<username>/.ssh/ directory so the command to do this should look something like this cat /path/to/your/id_rsa.pub >> /home/<username>/.ssh/authorized_keys.
Commands to run on the client machine:
Now its time to take a look at the file on the banana pi. sshd_config is the general configuration file for the ssh server and can be found in the /etc/ssh/ directory. Note that there is a file named ssh_config (no d) in the same directory, this file is the configuration file for the ssh client installed on the banana pi. So make sure that you are editing the right file (sshd_config). To edit the file open it with your favourite editor. On my banana pi i only changed two of the lines:
- PermitRootLogin yes to PermitRootLogin no – root can no longer login over ssh
- PasswordAuthentication yes to PasswordAuthentication no – can no longer login with only username/password