Harden RPi with SSH keys

In this chapter we will harden access to the Raspberry Pi by using SSH keys and disabling password login. This ensures that only devices with authorised SSH keys can access the RPi.

Setup SSH keys

If you have not yet generated SSH keys for your machine, generate them with:

ssh-keygen

Copy the public key to the RPi with:

ssh-copy-id -i <path to key>.pub admin@immich.local

Now you can log into the RPi without typing the password.

Tip

If you have issues using ssh-copy-id you can manually copy your public SSH key to the ~/.ssh/authorized_keys path on the RPi.

Disabling password authentication

Locate and uncomment this code in configuration.nix.

  services.openssh = {
    # Disables remote password authentication.
    settings.PasswordAuthentication = false;
    # Disables keyboard-interactive authentication.
    settings.KbdInteractiveAuthentication = false;
  };

Caution

Once password authentication is disabled, only devices with the matching private keys will be able to access the RPi. Make sure to save authorised SSH keys in your password manager in case those devices fail.
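
To confirm the settings above took effect and that at least one key is installed before you close your current session, you can audit the output of `sshd -T`. This is an added example, not part of the original chapter; `audit_sshd` and `count_keys` are hypothetical helper names, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original chapter. On the RPi, once the new
# configuration is active and before closing your current session:
#   sudo sshd -T | audit_sshd && count_keys ~/.ssh/authorized_keys

# audit_sshd: read `sshd -T` output (lowercase "keyword value" lines) on stdin.
# Returns 0 only if both password-style methods are off and key login is on.
audit_sshd() {
    awk '
        function check(key, want,    got) {
            got = (key in seen) ? seen[key] : "(unset)"
            if (got == want) { print "ok   " key " " got }
            else { print "FAIL " key " " got " (want " want ")"; bad = 1 }
        }
        BEGIN { bad = 0 }
        { seen[tolower($1)] = tolower($2) }
        END {
            check("passwordauthentication", "no")
            check("kbdinteractiveauthentication", "no")
            check("pubkeyauthentication", "yes")
            exit bad
        }
    '
}

# count_keys: print the number of active public-key entries in an
# authorized_keys file (comments skipped; 0 if the file is unreadable).
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -vE '^[[:space:]]*#' "$1" |
        grep -cE '(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) AAAA' || true
}

# Constructed samples of `sshd -T` output: before and after the edit above.
SAMPLE_BEFORE='passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes'
SAMPLE_AFTER='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_BEFORE" | audit_sshd || echo "=> password logins still possible"
printf '%s\n' "$SAMPLE_AFTER" | audit_sshd && echo "=> key-only login enforced"
```

If `audit_sshd` reports a FAIL or `count_keys` prints 0, keep the current session open until the cause is fixed.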