Communicating securely with a Raspberry Pi via SSH
Being able to execute commands on a Raspberry Pi from another computer lets you use the Raspberry Pi without connecting it to a screen. These are notes I wrote for myself to remember how I set up a Raspberry, and for that reason they might be a bit sparse even though I've fleshed them out a bit to be useful for more people. They also use a quite specific setup, and they won't deal with setting a static IP for the Raspberry via the router, which is preferable but not possible in my case.
The way I set it up necessitates that you can connect the Raspberry Pi to a screen in order to connect it to the Wi-Fi. It also assumes that the computer you're using to communicate with the Raspberry Pi is running Linux. The following steps will be taken:
- Download an OS and add SSH file
- Create new user and add sudo privileges
- Lock Pi user (and eventually delete it)
- Connect to wi-fi and set the IP to static
- Check SSH-connection from other computer
- Create SSH-key
- Turn off the password for SSH-connection
1 - Download an OS for the Raspberry Pi (in my case Raspberry Pi OS Lite). Use Etcher to flash it to a microSD card. In the "boot" directory of the microSD card, create an empty file called "SSH" (without a file extension).
2 - Put the card into the Raspberry, boot it up and log in with the default username "pi" and password "raspberry" (if you’re on Raspberry Pi OS). Since we'll have it open for SSH-connections, we should change the username and password right away. This is done by creating a new user and locking/deleting the default user. Run
sudo adduser <new username> to create the new user, and give it sudo privilege with
sudo usermod <new username> -aG sudo. Run
sudo reboot and make sure you can log into the new user.
3 - Then, you can lock user "pi" with
sudo passwd --lock pi. If you're sure everything's in order with the new user you can run
sudo deluser --remove-home pi to delete the default user.
4 - Run
sudo raspi-config and select the network you want to connect to. Then, run
hostname -I to see the Raspberry's IP. Run
ip r | grep default and the first IP being displayed is your router's gateway address. Run
sudo nano /etc/resolv.conf and here you'll find the DNS IP address next to "nameserver" (which is usually the same as the router’s gateway IP). Run
sudo nano /etc/dhcpcd.conf and add the following to the bottom of it:
interface wlan0
static ip_address=<Raspberry’s IP>
static routers=<router’s gateway IP address>
static domain_name_servers=<DNS IP>
Save, close the file and reboot the Raspberry.
5 - On the other Linux computer that is to communicate with the Raspberry, run the following command to check that you can connect:
ssh <Raspberry Pi username>@<Raspberry Pi's IP>. You'll be asked to enter the password for the user. You should now be logged in, and can exit by running
6 - On the same computer, generate the SSH-key pair which you'll use to communicate more securely with the Raspberry Pi, by running
ssh-keygen and write the path to save it to, including its name (or just press enter to use the default). Enter a passphrase if you want one (if you want to automate things, skip this). This will create two files, one without an extension (private key) and one with the extension .pub (public key).
Now, to transfer the public key to the Raspberry, run
ssh-copy-id -i <path to public key> <Raspberry Pi username>@<Raspberry Pi's IP>,
which might look something like this:
ssh-copy-id -i /home/victor/.ssh/pi_key.pub firstname.lastname@example.org
Now, to log in to the Raspberry using the SSH-key, you need to run
ssh -i <path to the private key> <Raspberry Pi username>@<Raspberry Pi's IP>
To make this more convenient so you don’t have to run this long command every time you want to log in, run
nano ~/.ssh/config and add the following:
Host <shortcut-name>
    HostName <IP of Raspberry Pi>
    User <username on Raspberry pi>
    IdentityFile <path to private key>
For example:
Host screenless_pi
    HostName 220.127.116.111
    User new_pi_user
    IdentityFile /home/victor/.ssh/pi_key
Now you can simply run
ssh screenless_pi, since all the information that was previously supplied in the command (i.e. IP, Pi username and the path to the key) are now stored with
7 - To disable the ability to establish SSH-connection with a password instead of the keypair (since it's less secure), run the following command on the Raspberry Pi:
sudo nano /etc/ssh/sshd_config, and edit the file so it contains
PasswordAuthentication no and
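A check for step 7, as an added example that is not part of the original notes: sshd keeps the first value it reads for a keyword, so a "PasswordAuthentication no" added below an existing uncommented "PasswordAuthentication yes" changes nothing. The function names and the sample files below are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a given sshd_config really disable password logins?
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a commented-out line sets nothing
# (PasswordAuthentication then defaults to "yes").
# Assumptions: Include files are not followed, Match blocks are not evaluated.

# Print the first global value of keyword $2 in file $1 (nothing if unset).
sshd_first_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # comment or blank line
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Succeed only if password authentication is off globally in file $1.
password_auth_disabled() {
    value=$(sshd_first_value "$1" PasswordAuthentication)
    [ "${value:-yes}" = "no" ]
}

# Constructed sample files (not taken from a real Pi).
sample_dir=$(mktemp -d)
cat > "$sample_dir/appended.conf" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
cat > "$sample_dir/edited.conf" <<'EOF'
#PasswordAuthentication yes
passwordauthentication no
EOF
cat > "$sample_dir/matchonly.conf" <<'EOF'
#PasswordAuthentication yes
Match User guest
    PasswordAuthentication no
EOF

for f in appended edited matchonly; do
    if password_auth_disabled "$sample_dir/$f.conf"; then
        echo "$f.conf: password login disabled"
    else
        echo "$f.conf: password login still allowed"
    fi
done
```

On the Pi itself, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd resolves from the full configuration, including any Include files.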