Securing SSH

SSH is probably the best way to interact with the Raspberry Pi, especially if it is a headless machine. As a way in to your machine, it can also present a security hazard and needs to be properly configured.

nano /etc/ssh/sshd_config

And add / change the following

Port RANDOMPORT
PermitRootLogin no
PubKeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
IgnoreRhosts yes
MaxAuthTries 3
AllowUsers USERNAME

If necessary, create the directory and file for your authorized keys and ensure that only you can read it.

mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

You can test your configuration with ssh -t. When ready, restart the SSH daemon with service ssh restart. I suggest allowing password authentication until you are certain that your public key works. I also recommend protecting your key with a password. Sure, a password-less key is still more secure than a simple password, but if anyone else gains access to your key then they can access your machine without issue. A password on your key will help to prevent this and allow you to revoke the lost keys (hopefully) before that password can be cracked. And the failed authentication attempts will be a good indicator that the key may have been compromised.

Generate your keys either in BASH or with PuTTYGen (which is what I used), insert the public key into the authorized_keys file (ensuring to use the proper format), and make sure that it works.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.