SSH with key ONLY, block ssh with credentials

What's the problem?
I can easily ssh into my OctoPi using my password-protected key or the user credentials of the admin account. What I want is to be able to log in only with a key over ssh, for added security and simplicity.

What did you already try to solve it?
I've followed a few guides which usually just say to change PermitRootLogin to "no" or "without-password", but these don't work, as both login methods still work. I suspect some other configuration somewhere in the OctoPi installation which does something similar, but I don't know.

Additional information about your setup
Linux octopi 4.14.79-v7+
OctoPrint version : 1.3.10
OctoPi version : 0.16.0

You can probably find tutorials via google searching openssh key authentication only.
To set up key only you will need an openssh key pair. I assume you have these already; if not, do a man or google on ssh-keygen.
For keys to work you need the private key on your laptop or wherever you are sshing from, and the public key on the Pi in the user's /home/username/.ssh dir.
This dir must be owned by the user with permissions 700.
You need your public key in a file under .ssh called authorized_keys. It must be owned by that user, have permissions of 644, and be ONE CONTINUOUS LINE.

In /etc/ssh you must edit sshd_config and have the following line, which is in there but has a # sign in front and is set to yes, as that is the default.

PasswordAuthentication no

I would make sure you have one or 2 open connections before restarting the daemon in case something goes wrong. If you do get locked out you can always hook up a k/m/monitor and log in to the console.

Restart ssh daemon to re-read the config change
service ssh restart
if in as root, or
sudo service ssh restart
if in as someone else.
I am a Unix/Linux admin and typically just work as root but add sudo where needed.

You should now be able to ssh to the box and be prompted for the passphrase that is set for your private key.
If you try to ssh as another user that has no key it will not let you in.

Hope this is what you needed!
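
An added example, not part of the original posts: a small audit of an sshd_config-style file that shows why changing only PermitRootLogin leaves password logins enabled while the PasswordAuthentication line is still commented out. The function names `effective_value` and `audit_key_only` are hypothetical, the sample config is constructed, and the parser assumes only the global section matters (it stops at the first Match line and does not follow Include files).

```shell
#!/bin/sh
# Added example. Simplifications: only the global section is read (parsing
# stops at the first "Match" line) and Include files are not followed.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive and lines starting with '#' are comments.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        { sub(/[=]/, " ") }               # accept the Keyword=value spelling
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_key_only FILE: print the effective values and return 0 only when
# password login is off and public-key login is on.
audit_key_only() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    echo "PasswordAuthentication $pw"
    echo "PubkeyAuthentication $pk"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

# Constructed sample: the state described in the question, where only
# PermitRootLogin was changed and the PasswordAuthentication line is
# still commented out, so the default (yes) applies.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin without-password' \
    '#PasswordAuthentication yes' > "$sample"
audit_key_only "$sample" || echo "RESULT: password logins are still accepted"
rm -f "$sample"
```

On the Pi itself, `sudo sshd -t` validates the edited file before the restart, and `sudo sshd -T` prints the values the daemon will actually use.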

Set "PasswordAuthentication no" in /etc/ssh/sshd_config and restart ssh service.
