• Disable SSH by password

    Laz 05/12/2015 at 21:37

    The last step to help secure your RPi is to disable password authentication for SSH altogether. That means anyone without a key will not even be presented with an opportunity to log on. To do that, you'll need to SSH into your pi, which you can now do using the SSH key, and modify the SSH config file on your raspberry pi. The command to edit the file is:

    sudo nano /etc/ssh/sshd_config 

    "sudo" is required because the config file is owned by the root user, and the user pi doesn't have permission to edit it. "nano" is the program you use to edit the file. You can use your editor of choice for this action.

    There is a line in the config file that is commented out:

    #   PasswordAuthentication yes
    
    To uncomment the line, delete the leading hash sign. Then change the value to no. It should look like this:

    PasswordAuthentication no
    

    Finally, the UsePAM setting should be changed to no:

    UsePAM no
    
    With that file edited, you need to save it and close it. In order for the changes to take effect, you need to restart SSH (or just reboot your Pi altogether).
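
    A check for the edit described above, added here as an example and not part of the original log: it reads an sshd_config-style file the way sshd does (keywords are case-insensitive, commented lines are ignored, and the first value found for a keyword wins) and reports whether password logins are actually off. The function names and sample files are constructed for illustration; Match blocks and Include files are not handled.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the two settings above.

# Print the effective global value of keyword $2 in file $1, lowercased.
# sshd keeps the FIRST uncommented occurrence; stop at the first Match block.
effective_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/         { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if both settings from this log are in effect.
password_login_disabled() {
    pa=$(effective_value "$1" PasswordAuthentication)
    pam=$(effective_value "$1" UsePAM)
    # Upstream OpenSSH defaults when a keyword is absent:
    # PasswordAuthentication yes, UsePAM no.
    [ "${pa:-yes}" = "no" ] && [ "${pam:-no}" = "no" ]
}

# Constructed sample files (not copied from a real Pi).
make_samples() {
    dir=$(mktemp -d)
    # Hash sign left in place: the line is ignored and the default applies.
    printf '#   PasswordAuthentication yes\nUsePAM yes\n' > "$dir/untouched"
    # "no" added below an earlier active "yes": the first line wins.
    printf 'PasswordAuthentication yes\nUsePAM no\nPasswordAuthentication no\n' \
        > "$dir/shadowed"
    # The result this log asks for.
    printf 'PasswordAuthentication no\nUsePAM no\n' > "$dir/hardened"
    echo "$dir"
}

samples=$(make_samples)
for f in untouched shadowed hardened; do
    if password_login_disabled "$samples/$f"; then
        echo "$f: password logins disabled"
    else
        echo "$f: password logins still possible"
    fi
done
rm -rf "$samples"
```

    On the Pi itself, `sudo sshd -t` checks the edited file for syntax errors before you restart SSH, and `sudo sshd -T` prints the settings sshd will actually use.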

  • Sending your public key

    Laz 05/12/2015 at 21:19

    So, now that you have a pair of keys on your computer, you need to get the key to your raspberry pi. There are a few ways that you can do this. You can SSH into the machine and append your public key to its authorized_keys file, but that's complicated. You can use the command "ssh-copy-id" to send your public key over ssh to the right location automatically.

    ssh-copy-id pi@<RPI.IPADDRESS>
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    pi@<RPI.IPADDRESS>'s password: 
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'pi@<RPI.IPADDRESS>'"
    and check to make sure that only the key(s) you wanted were added.
    
    It's that easy. It even tells you how to check that it works. When you follow the recommendations, you will not be asked for the user pi's password. Instead, if you set up your SSH keys with a passphrase (and you should), you'll be prompted to enter that. Once you enter your passphrase, you'll be able to log in directly, with no need to remember a password for the raspberry pi (because it really, really shouldn't be "raspberry").

    So now that you can authenticate without using a password, it's time to configure SSH on the raspberry pi to disallow connecting with a password at all.
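
    For comparison, the manual route mentioned above (appending the key to authorized_keys yourself), written out as an added example that is not part of the original log. It is what you would run on the Pi; the function name and the sample key are constructed, and the permissions matter because sshd, with its default StrictModes setting, refuses key files that other users can write to.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys by hand.

# install_pubkey PUBKEY_FILE HOME_DIR
# Returns 0 on success, 1 if the file does not look like one public key.
# The body runs in a subshell so the umask change does not leak out.
install_pubkey() (
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    # A public key is a single line; a private key file has many.
    [ "$(grep -c '' "$pub")" -eq 1 ] || return 1
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) return 1 ;;
    esac

    umask 077                 # anything created below is owner-only
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Append only if this exact line is not already there (safe to re-run).
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
)

# Demo with a constructed, non-functional key in a throwaway directory.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAconstructedNotARealKey your_email@example.com' \
    > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # second run adds nothing
echo "keys installed: $(grep -c '' "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```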

  • Generate SSH Keys

    Laz 05/12/2015 at 21:09

    So one thing that you'll need to do prior to disabling password login on the RPi is to set up SSH keys. You'll want to do this on whatever computer you want to use to connect to the pi. If you want your pi to connect to other computers using SSH keys, you'll need to generate SSH keys for the pi as well. To create a key, use the following command:

    ssh-keygen -t rsa -C "your_email@example.com"
    
    The -t option specifies RSA key generation, which is a technical detail beyond this tutorial. You'll be prompted to save the key file into a location. You can press enter to accept the default, which is recommended until you are more proficient. After giving a path to save the keys, you'll be prompted for a passphrase for the key. It is recommended to use a passphrase, as it will protect your key for a limited time if your private key gets stolen. The complete key generation step will look like this:

    $ ssh-keygen -t rsa -C "your_email@example.com"
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/pi/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /home/pi/.ssh/id_rsa.
    Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
    The key fingerprint is:
    2f:dd:77:64:48:a3:aa:51:f8:01:6b:73:10:00:fb:92 your_email@example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |    .....        |
    |     .   .       |
    |    .   o     o  |
    |     o   =   o o |
    |    E . S + . . o|
    |     . . B +   o |
    |        o = . . .|
    |         +   . . |
    |        .        |
    +-----------------+
    


    The fingerprint and randomart are cryptographic details that aren't necessary to understand to be able to use the keys. By default, the keys will be saved to your ~/.ssh folder. To see the keys, use the following commands:

    pi@sshpi ~ $ cd .ssh
    pi@sshpi ~/.ssh $ ls
    id_rsa  id_rsa.pub
    

    You will see there are two keys: a public key and a private key. The math is beyond this tutorial, but the system works by giving away the public key to any server you want to SSH into, such as your RPi. It is used by the SSH server to encrypt messages. If your private key can decrypt the message, then you are assumed to be the user who matches that public key. You are authorized, and no passwords are required. The next step is to get your public key onto the raspberry pi.

  • Log in the first time

    Laz 05/12/2015 at 20:54

    Your raspberry pi is running headless for the first time. To log in for the first time, you need to find its IP address. Assuming that your raspberry pi is on your local network, you can use your router to identify its IP address. If you're not sure, you can use tools like "nmap" to find its IP address. Once you have the IP address for your pi, you can SSH in for the first time. In a Unix environment, you can use the terminal to connect. If you use Windows, you'll need a program like PuTTY to connect. With your RPi's IP address, you can connect using the following command: SSH in with the username "pi" at the IP address. You'll be prompted for the password.

    ssh pi@<RPI.IPADDRESS>
    pi@<RPI.IPADDRESS>'s password:

    The first time you SSH into the RPi, you'll be prompted to run raspi-config. There are lots of tutorials for that. For headless operation, there are two key settings. First, you'll want to make sure that SSH is enabled. By default, raspi-config will disable SSH. Second, if you're interested, you can change the hostname of the RPi. If your network supports that, you'll be able to SSH into the RPi by name instead of by IP address. All the guides will tell you that you should change the default password, also, but this guide will show you how to disable logging in via password altogether.

  • Load your image

    Laz 05/12/2015 at 20:26

    When you have your raspberry pi 2 hardware all set up, the first thing you need to do is load your image to the SD card. This tutorial will assume that you are using Raspbian and using it in a headless fashion. The first time you load up Raspbian, SSH will be enabled. By default, the user will be "pi" and the password will be "raspberry". Therein lies the danger. If you leave your raspberry pi with the default user and the default password, then with SSH enabled, anyone will be able to log in and make changes. Until raspi-config is run, SSH will be enabled and your raspberry pi will be at risk! This tutorial assumes you will want to have SSH enabled, so just turning off SSH isn't enough.

    So, your image is loaded and your raspberry pi has SSH running. Now you need to log in and make changes!