This post shows how to enable key-based authentication into your Librem 5. This allows you to ssh and scp into the Librem 5 using a private/public key-pair, and to disable password-based authentication into your device. Using private/public key-pair is considered much safer than using password-based authentication.
When the instructions say On computer, they mean your laptop/desktop.
When the instructions say On Librem 5, that means either using the Librem 5 via ssh, or using it directly via keyboard (virtual or physical).
These instructions will also work with a Unix/Linux-based server, or the Pinephone.
- Enable ssh access to your Librem 5.
- On computer, generate the public/private RSA keys.
- Open a Terminal session your computer
- Type the following command:
ssh-keygen -t rsa
- On computer copy the contents of the id_rsa.pub key onto the Librem 5. The following command will log into your Librem 5, and configure the keys to grant access via the authorized_keys file.
ssh-copy-id -i ~/.ssh/id_rsa.pub purism@host
- You will be asked for your password into the Librem 5 in this step.
- Only your public key is copied. Always keep your private key private.
Restart your phone.
On computer, login to your phone using key-based authentication
ssh purism@host (ex. ssh email@example.com)
- On Librem 5, disable password-based authentication
- Use an editor like Nano or Vim to edit the following /etc/ssh/sshd_config using admin rights.
sudo nano /etc/ssh/sshd_config
Find the following line:
And change it to:
If there is a # (means commented out) at the beginning of that line, remove it.
Save the file after making these changes and restart the SSH service using this command:
systemctl restart ssh
- To test that password-based authentication is actually disabled, from computer, try to ssh into the Librem 5 using a different (or non-existent) id:
You should get the following error:
otherid@host: Permission denied (publickey).
- That’s it. You have successfully disabled password based authentication in ssh.