Only allow ssh key login on Raspberry Pi

This is the followup of Opening a Raspberry Pi to the outside world On the internet bots constantly try to hack servers. The Raspberry Pi is popular target. That’s why by default ssh is disabled nowadays.
To make this more secure we will only allow login by ssh key instead of a password. Ssh keys are a lot safer and you also won’t need to type/paste the password on login.

⚠️ Always test in a new terminal tab/window.
This guide has the potential to log yourself out of your pi.
If you always keep one loggedin window open you can always revert everything there.

Generate ssh keys

Generate keys on the Raspberry Pi: ssh-keygen -t rsa -b 4096 -C "pi-webserver"
Just press enter for both the location and password.
This key can be used for git authentication, log in to other machines and more. You might never need them, but it never hurts.

Add your own ssh key

On your own local machine also generate ssh keys. Check this github guide.

Once you’ve your own ssh keys. login on the pi and open File: nano ~/.ssh/authorized_keys

Paste your public key here and save.
For linux/mac you can find your public key with: cat ~/.ssh/

Open a new terminal window and try to login.

Disable Passwords

Open file: sudo nano /etc/ssh/sshd_config

Look for PasswordAuthentication
remove the # at the front and change the value to no.

PasswordAuthentication no

As a fall-back we will allow login in from the home network. So at the bottom of the file add. (the 4 spaces in front of the line matter)

Match address 192.168.*.*
    PasswordAuthentication yes

Restart the ssh service. sudo service ssh restart

Try to login in a new window. you should not need to enter a password.
If that works try login in outside of your home network easiest is probably to connect a smartphone tethering.