How to Secure Your Raspberry Pi - SSH Protocol Security

This article will introduce several methods to secure your SSH remote connection to Raspberry Pi from common security flaws.

Harden SSH Configuration to Secure Remote Access on Raspberry Pi

The SSH is a common method for accessing remote hosts for system administration or other tasks.

It’s often utilized to access Raspberry Pi devices on the local network remotely. So, it’s essential to secure the SSH authentication method and some of its configuration parameters to ensure that the attacker does not access your device.

If you have just heard of SSH remote access protocol, we suggest you review our introduction article on this topic first and then proceed with the following instructions.

SSH connection uses a username/password authentication scheme by default, which attackers can brute-force. Therefore, it’s recommended that you change to public-key authentication and even make it mandatory for all sessions.

At first, you need to generate a public key pair if you don’t have one for the host machine that will access the Raspberry Pi using SSH. The latter can be done using the ssh-keygen command-line utility, which is included on most Linux/BSD systems as part of the OpenSSH toolkit.

The following command generates ed25519 key pair, and it’s considered as one of the safe algorithms for the time being:

ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')"

The previous command will ask you to specify a key file name, but you can press Enter to use the default name if you’re generating public keys for the first time.

It will prompt you to enter a passphrase, which is highly recommended if you want to make the attacker’s job harder. The specified passphrase will be used to verify your identity on each new remote access session.

Note that this passphrase is not saved in a file automatically. Hence, you must remember it if you need to use the generated public key pair in the future.

By default, two generated key files are located in the ~/.ssh/ directory, named as id_ed25519 and id_ed25519.pub. You must not share the contents of id_ed25519 with anyone but will usually copy id_ed25519.pub contents to any machine (e.g., Raspberry Pi) where you need to establish an SSH connection.

Next, you can log into a Raspberry Pi console and configure the SSH server parameters. Note that the following instructions assume you have previously enabled the SSH server on Pi.

At first, we need to copy the contents of the id_ed25519.pub. to the /home/pi/.ssh/authorized_keys file on Raspberry Pi. The latter file may not exist on the Pi, so you might need to create it manually.

Alternatively, you can copy the file using the scp command on the host machine from where you have SSH access to the Pi.

Notice that you should modify the Pi’s IP address in the following command and change the source filename if you specified a custom key filename on the ssh-keygen command prompt.

scp ~/.ssh/id_ed25519.pub pi@192.168.0.12:/home/pi/.ssh/authorized_keys

Once copied successfully, you can move on to editing the /etc/ssh/sshd_config file on the Raspberry Pi OS. This step will require sudo privileges for each command.

Open sshd_config file using any text editor (with sudo) you’re comfortable with and uncomment/insert the following lines as shown and save the changes:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

PubkeyAuthentication yes
AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2

PasswordAuthentication no
ChallengeResponseAuthentication no

After the config file modification, you can restart the sshd service with the following command for the changes to take effect:

sudo systemctl restart sshd.service

Now you can reconnect to the Pi using SSH, and it should automatically log you into the system. Although, you will still be prompted for a public key passphrase if you specified it during the ssh-keygen command.

Change the Default Port for SSH Server on Raspberry Pi OS

Another useful security measure is to change the default service port 22 for the SSH. You can modify the default port in the /etc/ssh/sshd_config file we edited in the previous steps.

This time, we will uncomment and change the following line:

Port 60001

You can choose the port number from the private service ports in the range - 49152-65535. It’s unlikely to conflict with other services running on the system.

Notice that the previous lines are usually included in the sshd_config file already but are commented out using the # character as a prefix. You can uncomment any of them by deleting this prefix.

Also, don’t forget to save the changes to the file and restart the SSH service with the systemctl restart command as shown in the previous steps. Additionally, you will need to add the port number to your ssh command for accessing the Raspberry Pi from other hosts as follows:

ssh pi@192.168.0.12 -p 600001