How to Secure Your Raspberry Pi - SSH Protocol Security
This article introduces several methods to secure the SSH remote connection to your Raspberry Pi against common security weaknesses.
Harden SSH Configuration to Secure Remote Access on Raspberry Pi
SSH is a common method for accessing remote hosts for system administration and other tasks.
It is often used to reach Raspberry Pi devices on the local network remotely. So, it is essential to secure the SSH authentication method and some of its configuration parameters to ensure that an attacker cannot access your device.
If you have only just heard of the SSH remote access protocol, we suggest you review our introduction article on this topic first and then proceed with the following instructions.
By default, an SSH connection uses username/password authentication, which attackers can brute-force. Therefore, it is recommended that you switch to public-key authentication and make it mandatory for all sessions.
First, you need to generate a key pair on the host machine that will access the Raspberry Pi over SSH, if you don't have one already. This can be done with the ssh-keygen command-line utility, which is included on most Linux/BSD systems as part of the OpenSSH toolkit.
The following command generates an ed25519 key pair, which is currently considered one of the safe algorithms:
ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')"
The command will ask you to specify a key file name; you can press Enter to use the default name if you are generating a key pair for the first time.
It will then prompt you to enter a passphrase, which is highly recommended if you want to make an attacker's job harder. You will be asked for this passphrase to verify your identity on each new remote access session.
Note that this passphrase is not saved anywhere automatically, so you must remember it to use the generated key pair in the future.
By default, the two generated key files are placed in the ~/.ssh/ directory and named id_ed25519 (the private key) and id_ed25519.pub (the public key). You must never share the contents of id_ed25519 with anyone; the contents of id_ed25519.pub are what you copy to any machine (e.g., the Raspberry Pi) that you need to connect to over SSH.
Next, log into the Raspberry Pi console and configure the SSH server parameters. The following instructions assume you have already enabled the SSH server on the Pi.
First, we need to copy the contents of id_ed25519.pub to the /home/pi/.ssh/authorized_keys file on the Raspberry Pi. That file may not exist on the Pi yet, so you might need to create it manually.
Alternatively, you can copy the file with the scp command from the host machine that already has SSH access to the Pi. Replace the Pi's IP address in the following command, and change the source filename if you specified a custom key filename at the ssh-keygen prompt:
scp ~/.ssh/id_ed25519.pub pi@192.168.0.12:/home/pi/.ssh/authorized_keys
Note that scp replaces the destination file, so any keys already listed in authorized_keys on the Pi are lost; append to the file instead if other keys must keep working.
Once the key is copied, you can move on to editing the /etc/ssh/sshd_config file on Raspberry Pi OS. This step requires sudo privileges for each command.
Open the sshd_config file with sudo in any text editor you are comfortable with, uncomment or insert the following lines as shown, and save the changes:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
ChallengeResponseAuthentication no
After modifying the config file, restart the sshd service with the following command for the changes to take effect:
sudo systemctl restart sshd.service
Now you can reconnect to the Pi over SSH, and it should log you in automatically. You will still be prompted for the key's passphrase if you set one when running ssh-keygen.
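The scp step above replaces authorized_keys wholesale, and sshd (with its default StrictModes yes) ignores an authorized_keys file whose permissions are too open, which locks you out once passwords are disabled. The following shell function, added here as an example and not taken from the original article, appends a key idempotently and sets the permissions sshd expects; the function name and the argument layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article. Appends a public key to
# authorized_keys instead of overwriting the file, creates ~/.ssh if needed,
# and applies the 700/600 permissions that sshd's default StrictModes requires.
# Lines in authorized_keys that start with options (e.g. "no-pty ssh-ed25519 ...")
# are not recognised by the duplicate check; plain key lines are.
#
# Usage: install_authorized_key <pubkey-file> <ssh-dir>
#   pubkey-file  e.g. ~/.ssh/id_ed25519.pub produced by ssh-keygen
#   ssh-dir      the target user's .ssh directory, e.g. /home/pi/.ssh
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a single OpenSSH public-key line; reject anything else
    # (an empty file, or a private key pasted by mistake).
    key=$(head -n 1 "$pubkey_file") || return 1
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "refusing: not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: compare key type and key material only, so the same key
    # with a different comment (the ssh-keygen -C string) is not added twice.
    key_id=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_file"; then
        echo "already authorized: $key_id" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_file"
}

# When run directly: install_authorized_key <pubkey-file> <ssh-dir>
if [ "$#" -eq 2 ]; then
    install_authorized_key "$1" "$2"
fi
```

Run it on the Pi as the target user (e.g. `sh install_key.sh /tmp/id_ed25519.pub /home/pi/.ssh`) after transferring only the .pub file; the private key never leaves the host machine.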
Change the Default Port for SSH Server on Raspberry Pi OS
Another useful security measure is to change the default SSH service port, 22. You can modify it in the same /etc/ssh/sshd_config file we edited in the previous steps.
This time, we uncomment and change the following line:
Port 60001
You can choose a port number from the private (dynamic) port range, 49152-65535, which is unlikely to conflict with other services running on the system.
Notice that the lines above are usually already present in the sshd_config file but commented out with a # prefix. You can uncomment any of them by deleting this prefix.
Also, don't forget to save the changes and restart the SSH service with the systemctl restart command shown in the previous steps. Additionally, you will need to pass the port number to your ssh command when accessing the Raspberry Pi from other hosts, as follows:
ssh pi@192.168.0.12 -p 60001
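A pitfall with both edits above: sshd applies only the first occurrence of a keyword, so a hardened line added below an existing "PasswordAuthentication yes" or a second "Port" line changes nothing. The functions below, added here as an example and not part of the original article, read an sshd_config file with the same first-match rule and report which of the settings from this article are not in effect; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article. sshd honours only the FIRST
# occurrence of a keyword, so these functions read a config file the same way:
# comments and blank lines skipped, keywords case-insensitive, "Key value" or
# "Key=value" accepted, first match wins. Match blocks are not handled; the
# directives checked here are global ones anyway.

# Print the effective value of a keyword; return 1 if the file never sets it.
sshd_effective() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }    # comment or blank line
        tolower($1) == "match" { exit }         # nothing below a Match is global
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, kv, /[[:space:]=]+/)    # "Key value" or "Key=value"
            if (tolower(kv[1]) == tolower(want)) { print kv[2]; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Report every directive that differs from the hardened state described in the
# article; the return value is the number of problems (0 = file is hardened).
audit_sshd_config() {
    cfg=$1; problems=0
    for pair in PubkeyAuthentication:yes PasswordAuthentication:no \
                ChallengeResponseAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_effective "$cfg" "$key") || got="(unset: sshd default)"
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected '$want'"
            problems=$((problems + 1))
        fi
    done
    port=$(sshd_effective "$cfg" Port) || port=22   # sshd's default when unset
    case "$port" in *[!0-9]*|'') port=0 ;; esac      # non-numeric: treat as bad
    if [ "$port" -lt 49152 ] || [ "$port" -gt 65535 ]; then
        echo "Port is '$port', expected one in 49152-65535"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# When run directly: audit the file named on the command line.
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1" && echo "$1 matches the hardened settings"
fi
```

On the Pi itself, `sudo sshd -T` prints the effective configuration sshd has actually parsed and is the authoritative check; `sudo sshd -t` validates the file before you restart the service, so a typo cannot leave you without SSH.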
Founder of DelftStack.com. Jinku has worked in the robotics and automotive industries for over 8 years. He sharpened his coding skills when he needed to do the automatic testing, data collection from remote servers and report creation from the endurance test. He is from an electrical/electronics engineering background but has expanded his interest to embedded electronics, embedded programming and front-/back-end programming.