How to toughen up your Pi’s SSH access

I access all of my Raspberry Pis remotely using SSH. While reading about a server operator’s experience of being hacked, I decided to explore ways to make my Pis more secure.

Every Pi starts out with SSH access bound to port 22, which is the standard for SSH communications. The problem is, hackers know this and so it’s the first place they look when they’re attempting to access a machine. I want to change that.

Don’t forget, most attacks are scripted: they run through ranges of IP addresses and port numbers just to see what might be accessible. No, they won’t be targeting you specifically, but yes, you might be targeted among a wider haul.

Accessing a Pi with SSH also centres on using your password for authentication. Even with a long password, that’s not as secure as the use of an encrypted key available only on the two or three machines that are communicating, so I want to switch to that too.

Of course, adding all these options will make the ssh command more complex, so I thought I’d try and simplify this by using SSH’s configuration file to simplify what I enter to establish a connection to the Pi.

Here’s the procedure I researched and used. I use a Mac as a main machine, but the following steps should also work on a Linux box. I haven’t tried any of this on a Windows computer, however.

  1. Fire up your Raspberry Pi and SSH in in the usual way
  2. Make sure you’re in your home directory (enter: cd ~)
  3. Create a ‘.ssh’ directory: mkdir .ssh
  4. Set the new directory’s permissions: chmod 700 .ssh
  5. Switch to the new directory: cd .ssh
  6. You need to generate your RSA access key pair: one private, one public.
    Enter: ssh-keygen -t rsa
    You’ll be asked for a filename — just hit enter to keep the one that’s suggests. You’ll also be asked to enter a passphrase — just hit enter again, and once more when you’re asked to confirm your choice, so that no passphrase is applied.
  7. You now have two keys, id_rsa.pub and id_rsa, which will be used for access authorisation. The first of these will be used on this side of the authorisation transaction. Enter: cat id_rsa.pub >> authorized_keys
  8. The second key file needs to be sent to each client machine from which you’ll be SSH-ing into your Pi.
    If you’ve already used SSH to access a Pi from your main machine, you will have a ‘.ssh’ directory in your home folder already. To check, open a second Terminal window or tab on your main computer and enter ls -la. You’ll see .ssh listed. If not, create one using steps 3-5 above.
    At this point, I turned Remote Login on on my Mac (Apple’s System Preferences front end for SSH). On the Pi I entered:
    scp id_rsa <username>@<hostname>.local:~/.ssh/pi_rsa
    You’ll need to replace <username> and <hostname> with those from your own machine. You’ll be asked for your client password, and then the file will copy over. You can transfer the file using a shared drive or a USB stick, but it’s worth getting to grips with SCP.
  9. You’re now going to set up an entry for your Pi in your main computer’s ‘.ssh’ directory’s config file. Enter: cd ~/.ssh and then: nano config
  10. Enter the following. Note the single-space inset for all lines after the ‘Host…’ line:
    Host <A_NICKNAME>
     Hostname <YOUR_PI_HOSTNAME>.local
     User <YOUR_PI_USERNAME>
     Port 22000
     IdentityFile ~/.ssh/pi_rsa
     StrictHostKeyChecking yes

    So you can see how it works, here’s my entry as an example:

    Host pz
     Hostname pizero.local
     User zarJaz4
     Port 22000
     IdentityFile ~/.ssh/pi_rsa
     StrictHostKeyChecking yes

    Why add this entry? With all this in place, all I need key in to access my pi is ssh pz. Without it I would have to enter ssh -p 22000 -i ~/.ssh/pi_rsa zarJaz4@pizero.local every time.

  11. Back on the Pi, we need to set the new SSH port and, while we’re at it, block root login. So enter sudo nano /etc/ssh/sshd_config Make sure you do this on your Pi, not your main machine!
  12. Look through the open file for the ‘Port 22’ line and change it to ‘Port 22000’
  13. Look through the file file for ‘PermitRootLogin without-password’ and add a # at the start
  14. Save the file with Ctrl-X then Y. Now restart your Pi: sudo shutdown -r now
  15. To test it all works when the Pi is back up after a couple of minutes, on your main machine enter ssh followed by the nickname you chose in your config file.
  16. You’ll connect and be asked for your password, then you’ll be logged in. You don’t want to authenticate by password in future, re-edit /etc/ssh/sshd_config and look for the line ‘#PasswordAuthentication yes’ and change it to ‘PasswordAuthentication no’. Note the removal of the initial #
  17. Finally restart your Pi. Now when you log in, you won’t be asked for your password — you’ll go straight in, your authorisation having been granted by your key.

Only someone else with that key can now connect. You’ve set this up on your main machine, and you’ll need to copy the same id_rsa key to any other computer from which you want to access your Pi.

Of course, this might seem overkill if you’re only accessing your Pi locally on the same network, and you’re behind a router’s firewall, but you may eventually choose to expose your Pi to the Internet so you can, for example, SSH in from work or some other location. This procedure allows you to do so securely by (a) obscuring the port on which you connect (and you can make this more obscure by picking a less obvious port number above 10,000, eg. 18713) and (b) allowing access only to clients with the correct RSA-encrypted certificate.

Review: the PiFace Real-Time Clock

Unhook a Raspberry Pi from the mains and it forgets the time and date. It’ll only get them back again if you re-connect it to the Internet or enter the data manually. As a Pi user who doesn’t keep his kit connected – I usually wire and power it up when I need it – and doesn’t always bother with the Ethernet cable when he does, I’ve been after a decent real-time clock (RTC) add-on for quite a while. An RTC allows your Pi to keep time, even when the Pi’s power is cut.

PiFace RTC

Continue reading

Review: the GrovePi+ Starter Kit

When it comes to hacking hardware there’s an easy way and there’s a hard way.

The hard way involves connecting peripherals direct to one of the standard buses supported by your Raspberry Pi, Arduino, Beaglebone or whatever. Buses like I²C, SPI, UART and 1-Wire. You’ll need to take care with your wiring: have you got the right pull-up or pull-down resistor? Is there too much capacitance in the line?

GrovePi+ Starter Kit

Dexter Industries and Seeed Studios’ GrovePi+ Starter Kit

Continue reading

(Retro) Review: Raspberry Pi B+

Better late than never. An edited version of this review appeared in The Register in August 2014. I intended to reproduce the original here, but never got round to it. At long last – and a tad late now the Pi 2 is out, of course – here for the record…

You might think that were you a purveyor of a nifty compact computer selling by the millions, you’d consider two years after the debut of your first offering that it was high time you tempted back buyers with a go-faster, more capacious and shinier model. Heck, Apple and others don’t even wait that long: they upgrade products year in, year out.

Raspberry Pi B+

The B+

Continue reading

Review: Pimoroni/Cyntech Pibrella

There is no shortage of clip-on boards designed for the Raspberry Pi, almost all designed to make the tiny computer’s GPIO pins more accessible in order to ease the connection of devices to it, particularly ones that operate at voltages that are not Pi friendly.

Pibrella

Electronics kit: Pimoroni/Cyntech Pibtrella

Continue reading

The Sinclair ZX81: a Raspberry Pi retro restyle – Part 2

Previously on ‘ZX81: a Raspberry Pi retro restyle’: I used a headerless Arduino Leonardo to connect a ZX81 microcomputer keyboard to a Raspberry Pi via USB, using code to handle normal, shifted and function-shifted key presses.

After some searching on eBay, I found an old ZX81 going cheap because it lacked cables, though when it arrived, I found the computer itself to be in excellent condition. Possibly it has never been used, though how if that were the case the cables were lost and the box got so tatty is a mystery I will probably never solve.

ZX keyboard controller

A new ZX keyboard connected to the USB controller – an Arduino Leonardo

Continue reading