This article introduces several methods to secure the SSH remote connection to your Raspberry Pi against common weaknesses.
Harden SSH Configuration to Secure Remote Access on Raspberry Pi
SSH is a common method for accessing remote hosts for system administration and other tasks.
It is often used to reach Raspberry Pi devices on the local network remotely, so it is essential to secure the SSH authentication method and some of its configuration parameters to ensure that an attacker cannot access your device.
If you have just heard of SSH remote access protocol, we suggest you review our introduction article on this topic first and then proceed with the following instructions.
SSH connection uses a username/password authentication scheme by default, which attackers can brute-force. Therefore, it’s recommended that you change to public-key authentication and even make it mandatory for all sessions.
First, you need to generate a key pair if you don't already have one for the host machine that will access the Raspberry Pi over SSH. This can be done with the ssh-keygen command-line utility, which is included on most Linux/BSD systems as part of the OpenSSH toolkit.
The following command generates an ed25519 key pair, which is considered one of the safe algorithms for the time being:
ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')"
The previous command will ask you to specify a key file name, but you can press Enter to use the default name if you’re generating public keys for the first time.
It will also prompt you for a passphrase, which is highly recommended if you want to make an attacker's job harder: the passphrase encrypts the private key on disk, and you will be asked for it to unlock the key whenever you start a new remote session.
Note that this passphrase is not saved in a file automatically, so you must remember it if you want to use the generated key pair in the future.
By default, the two generated key files are located in the ~/.ssh/ directory and are named id_ed25519 (the private key) and id_ed25519.pub (the public key). You must never share the contents of id_ed25519 with anyone, but you will usually copy the contents of id_ed25519.pub to any machine (e.g., a Raspberry Pi) you need to connect to over SSH.
Next, you can log into a Raspberry Pi console and configure the SSH server parameters. Note that the following instructions assume you have previously enabled the SSH server on Pi.
First, we need to copy the contents of id_ed25519.pub into the /home/pi/.ssh/authorized_keys file on the Raspberry Pi. That file (and the .ssh directory) may not exist on the Pi yet, so you might need to create it manually.
Alternatively, you can copy the file with the scp command from the host machine that already has SSH access to the Pi. Note that the command below overwrites any existing authorized_keys file, so append to it instead if other keys are already authorized.
Replace the placeholder with the Pi's IP address in the following command, and change the source filename if you specified a custom key filename at the ssh-keygen prompt.
scp ~/.ssh/id_ed25519.pub pi@<raspberry-pi-ip>:/home/pi/.ssh/authorized_keys
Once copied successfully, you can move on to editing the /etc/ssh/sshd_config file on Raspberry Pi OS. This step requires sudo privileges for each command.
Open the sshd_config file with sudo in any text editor you are comfortable with, uncomment or insert the following lines as shown, and save the changes:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
ChallengeResponseAuthentication no
After modifying the config file, restart the sshd service with the following command for the changes to take effect. Keep your current session open and verify that a new key-based login works before closing it; with PasswordAuthentication disabled, a mistake in the key setup would otherwise lock you out of the Pi.
sudo systemctl restart sshd.service
Now you can reconnect to the Pi using SSH, and it should log you into the system automatically, although you will still be prompted for the key passphrase if you specified one during the
Change the Default Port for SSH Server on Raspberry Pi OS
Another useful security measure is to change the default SSH service port 22. You can modify the port in the /etc/ssh/sshd_config file we edited in the previous steps.
This time, we will uncomment and change the following line:
You can choose the port number from the private (dynamic) port range 49152-65535, where it is unlikely to conflict with other services running on the system.
Notice that the previous lines are usually already included in the sshd_config file but are commented out with the # character as a prefix. You can uncomment any of them by deleting this prefix.
Also, don't forget to save the changes to the file and restart the SSH service with the systemctl restart command shown in the previous steps. Additionally, you will need to pass the port number to your ssh command when accessing the Raspberry Pi from other hosts, as follows (replace the placeholder with the Pi's IP address and use the port you chose):
ssh pi@<raspberry-pi-ip> -p 60001
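As an added example (not code from the original article), the following POSIX shell script audits an sshd_config for the settings set in both sections above: key-only authentication, passwords disabled, and a port in the private range. It mirrors sshd's rule that the first uncommented occurrence of a keyword wins, and it uses constructed sample config files rather than any real system's files.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# hardening settings covered above (key-only login, no passwords, high port).
# sshd applies the FIRST uncommented occurrence of a keyword, so a stray
# earlier line silently overrides anything appended later; this check mirrors
# that rule. Match blocks and "Keyword=value" syntax are not handled here.

# Print the effective value of a keyword (case-insensitive), or nothing if unset.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ { next }                         # comment line
    NF >= 2 && tolower($1) == key { print $2; exit }  # first match wins
  ' "$1"
}

# Return 0 if the file matches the hardened settings, 1 otherwise (reasons printed).
check_sshd_config() {
  f=$1; rc=0
  for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
              ChallengeResponseAuthentication=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_effective "$f" "$key")
    [ "$got" = "$want" ] || { echo "$f: $key is '${got:-unset}', want '$want'"; rc=1; }
  done
  port=$(sshd_effective "$f" Port); port=${port:-22}   # sshd default when unset
  if [ "$port" -lt 49152 ] || [ "$port" -gt 65535 ]; then
    echo "$f: Port $port is outside the private range 49152-65535"; rc=1
  fi
  return $rc
}

# Constructed sample configs (not real files from any system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
weak="$tmp/sshd_config.weak"; hard="$tmp/sshd_config.hard"
printf '%s\n' '#Port 22' 'PasswordAuthentication yes' \
  '# later duplicate is ignored by sshd:' 'PasswordAuthentication no' > "$weak"
printf '%s\n' 'Port 60001' 'PubkeyAuthentication yes' \
  'AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2' \
  'PasswordAuthentication no' 'ChallengeResponseAuthentication no' > "$hard"

check_sshd_config "$weak" || echo "weak config: FAIL (expected)"
check_sshd_config "$hard" && echo "hardened config: OK"
```

Run it against /etc/ssh/sshd_config on the Pi after editing to confirm the effective values before restarting sshd.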