Password-protecting your computers is in general a good idea.
However, passwords are sent in plain text when using FTP or Telnet,
which means that anybody who has access to your network can easily capture them.
So never use FTP or Telnet on a public WiFi network.
The better alternative to FTP is SFTP, and the better alternative to Telnet is SSH.
But even with these protocols, it is insecure to use passwords, even though both
support password authentication. The more secure alternative is to use
Public and Private Keys. (Further reading on how private/public key
combinations work and why they are more secure than passwords can be
found here and here.)
Using Public and Private keys often sounds complicated, cryptic and
difficult to set up and use. It definitely isn’t, and my personal opinion
is that so-called experts often unnecessarily over-complicate these
things.
To make your (and my! of course) life easier, I added Public-Private
Key features to my NetworkToolbox. Keys can now be used for the SSH and
SFTP Tools but even better, the App now even contains a tool to generate
both keys for you.
The following example demonstrates how easy it is to set up Private and Public keys with a Raspberry Pi and NetworkToolbox.
In this example I am using a Raspberry Pi which was set up with the
standard Raspbian image. However, the procedure described here is nearly
identical on all Linux systems (server, PC or even your router if it
runs a customizable Linux).
Before going into the details, here is an overview of the general procedure:
After these steps, you can use SSH or SFTP with the Public/Private key
pair generated by NetworkToolbox to access the Raspberry Pi.
Now, let’s do it step by step:
Your screen should now look similar to this:
(Note: You can omit this if you want to use the Key for an existing user)
sudo su
adduser test
mkdir /home/test/.ssh
cat << EOF > /home/test/.ssh/authorized_keys
<paste the Public key generated by NetworkToolbox here, as a single line>
EOF
chown -R test:test /home/test/.ssh
chmod 600 /home/test/.ssh/authorized_keys
This is how the SSH screen should look after entering these commands:
That was basically all that was needed, so now we can test.
Loading your keys will look like this:
If something goes wrong, you will see an error message. You possibly entered a wrong password, didn’t set up your Raspberry Pi correctly, or entered a wrong username for the key.
For your convenience, the PKI Tool contains a Validate button which can be used to double-check your password for a given Private key.
Finally, you can get rid of passwords on your Raspberry Pi, either by removing the password of the test user with this command:
sudo passwd -d test
or, even better, you can disable passwords completely for SSH connections by adding or changing the following line in the file /etc/ssh/sshd_config (the change only takes effect after the SSH service is restarted, e.g. with sudo systemctl restart ssh, so make sure the key login works first, or you will lock yourself out):
PasswordAuthentication no
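The key-installation and sshd-hardening steps above, written as reusable shell functions. This is an added example, not code from the original post or from NetworkToolbox; the function names and the sample key line are my own, and the functions take paths as parameters so they can be tried against a scratch directory before being run as root on the real Pi.

```shell
#!/bin/sh
# Added example: authorized_keys installation and sshd_config hardening
# as functions. Run as root on the Pi; run unprivileged against a temp
# directory to rehearse. Function names are hypothetical.
set -eu

# Accept one OpenSSH public-key line: key type, base64 blob, optional comment.
valid_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]*)?$'
}

# install_authorized_key HOMEDIR OWNER PUBKEY_LINE
# Creates HOMEDIR/.ssh/authorized_keys with the permissions sshd's
# StrictModes expects (700 on .ssh, 600 on the file) and appends the key
# instead of overwriting, so an existing key is not clobbered.
install_authorized_key() {
    homedir=$1; owner=$2; key=$3
    valid_pubkey_line "$key" || { echo "rejecting malformed key line" >&2; return 1; }
    mkdir -p "$homedir/.ssh"
    chmod 700 "$homedir/.ssh"
    printf '%s\n' "$key" >> "$homedir/.ssh/authorized_keys"
    chmod 600 "$homedir/.ssh/authorized_keys"
    # Only root may chown; when rehearsing unprivileged this step is skipped.
    [ "$(id -u)" -eq 0 ] && chown -R "$owner:$owner" "$homedir/.ssh"
    return 0
}

# disable_password_auth SSHD_CONFIG
# Rewrites every PasswordAuthentication line (commented out or not) to
# "PasswordAuthentication no"; if none exists, adds one at the top so it
# cannot land inside a trailing Match block. Restart sshd afterwards.
disable_password_auth() {
    cfg=$1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$cfg" > "$cfg.tmp"
    else
        { echo 'PasswordAuthentication no'; cat "$cfg"; } > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# password_auth_disabled SSHD_CONFIG: true only if no active "yes" remains
# and an active "no" is present.
password_auth_disabled() {
    ! grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$1" &&
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1"
}

# Usage on the Pi (as root), with the Public key exported from the App:
#   install_authorized_key /home/test test "$(cat /tmp/networktoolbox.pub)"
#   disable_password_auth /etc/ssh/sshd_config && systemctl restart ssh
```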
Final notes:
You can, of course, also enter the Private Key password in the password field of the SSH Tool. Then you will no longer be asked for the key password when connecting. However, if somebody stole your device and got past the passcode, this person would then also have your Private key.
Instead of generating the keys with NetworkToolbox, you can also go the other way around and generate the keys on your Raspberry Pi and copy them back to NetworkToolbox. However, this is insecure: even if you delete the Private key from your Raspberry Pi, fragments of it may still exist for a while in the swap file or other locations. It is in general bad practice to generate keys on the device you want to connect to.