Saturday 14 May 2016

Setting up RaspberryPi as an Internet accessible Linux server using SSH

Raspberry Pi Linux server (junopc.ddns.net)

Brief instructions for setting up a Raspberry Pi using DDNS so you can log on remotely from the Internet using an SSH key.

The following instructions assume you have installed Raspbian and are using the default username 'pi' and the default hostname 'raspberrypi'.

Step 1 - enable SSH on raspberry pi

Enable SSH by either
a) Login and run sudo raspi-config and enable SSH; or
b) create a file called 'ssh' (no file extension) in the boot partition. This is a handy approach if performing a headless setup

Step 2 - check SSH (and change default password)

Next check you can log in via SSH using a username and password from a client device on the same local network before setting up an SSH key.
On a windows PC you can use PuTTY to connect via SSH.
The default settings on the raspberrypi are:
  • Host Name: raspberrypi
  • Port: 22
  • Connection type: SSH
If you have not changed the default username and password, log in as
  • login as: pi
  • password: raspberrypi
Note you will likely get the following warning message:
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

Change default password

This is really good advice. Change the default password before making your Raspberry Pi accessible from the Internet. Do this even if you plan on disabling clear text passwords for SSH, as one tiny mistake could leave you at risk of getting hacked.

Step 3 - create SSH key

Create an SSH public and private key for each client machine that you will be connecting from. The private key is used by the client to identify itself and the raspberrypi uses the public key to authenticate the client.

For a windows PC you can use PuTTY and its SSH Key Generator PuTTYgen to generate an SSH key


Set a key passphrase to protect the private key and save both the public and private key on the client machine.

Step 4 - add the SSH public key to raspberrypi authorized_keys

Import the SSH public key into the user's authorized_keys file ~/.ssh/authorized_keys on the raspberry pi.
There are a number of ways to do this, for example:
  • use WinSCP to edit the SSH public key file ~/.ssh/authorized_keys
  • Copy and paste the public key into the file. The text should look something like

ssh-rsa AAAAB3NzaC1yc2E.....

NB if using PuTTY Key Generator copy the 'public key for pasting into the openSSH authorised keys file' not the saved public key

Step 5 - test SSH login

Test you can now remotely log in using the SSH key.

Step 6 - disable SSH login using clear text passwords

Now increase security by disabling the ability to log in using SSH clear text passwords and restricting which accounts can log in via SSH.

Firstly, create a backup copy of the default config file in case you mess up
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original 

Edit the sshd_config file
sudo nano /etc/ssh/sshd_config

Make the following changes

Change
#PasswordAuthentication yes
to
PasswordAuthentication no

Add the line
AllowUsers pi

Restart the SSH server for the changes to take effect
sudo service ssh restart

Finally, check you can connect via SSH using the key and cannot connect using a clear text password (username pi & password).

NB view the SSH log using journalctl -u ssh.service
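
The check below is an added example, not part of the original post: it audits an sshd_config file for the two Step 6 settings and catches the common slips (the '#' left in place, or an earlier line overriding the edit). The function names config_value and audit_sshd_config and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for Step 6.
# For most keywords sshd uses the FIRST uncommented value; AllowUsers lines
# accumulate. Keywords are case-insensitive. Only the global section (before
# any Match block) is read, and Include files are not followed.

# config_value FILE KEYWORD [all] -> first value, or all values joined by spaces
config_value() {
    awk -v want="$2" -v all="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" { exit }         # stop at first Match block
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, "")         # drop keyword, keep arguments
            if (all) printf "%s ", $0; else { print; exit }
        }
    ' "$1"
}

# audit_sshd_config FILE USER -> returns 0 only if password login is off
# and USER appears in AllowUsers
audit_sshd_config() {
    file=$1 user=$2 rc=0
    pw=$(config_value "$file" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset, default yes}'"
        rc=1
    fi
    allow=$(config_value "$file" AllowUsers all)
    case " $allow " in
        *" $user "*) ;;                         # exact name only, no patterns
        *) echo "FAIL: AllowUsers does not list '$user'"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: password login off, AllowUsers includes '$user'"
    return "$rc"
}

# Constructed sample: the '#' was left in place, so the edit has no effect.
sample=$(mktemp)
printf '%s\n' '#PasswordAuthentication no' 'AllowUsers pi' > "$sample"
audit_sshd_config "$sample" pi || echo "(sample fails as intended)"
rm -f "$sample"
```

On the Pi itself, run it as audit_sshd_config /etc/ssh/sshd_config pi before restarting the SSH server; sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the settings sshd will actually use.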

Step 7 - Create DDNS

Sign up to a DDNS service such as no-ip and register a DNS name for the raspberrypi

Step 8 - Enable DDNS on your router

Enable DDNS on your internet router so that if your IP address changes the DNS record will be updated with your new IP address. 
On my BT HomeHub the DDNS setting is under Settings > Advanced > Broadband > DDNS
Enter the DDNS details and confirm the connection to the DDNS service

Step 9 - Enable port forwarding for SSH

On your router, enable port forwarding for SSH (port 22) to the raspberrypi

Step 10 - Test ability to connect from the internet to RaspberryPi

Everything should now work and you should be able to connect to raspberrypi as user 'pi' using your DDNS hostname and your SSH private key and passphrase.