Smart Cities - Setting up Raspberry Pi for Secure Shell Remote Access

From Sensors in Schools
Jump to navigation Jump to search

Setting up a Raspberry Pi for Secure Shell (SSH) Remote Access

  • This tutorial will show you how to set up a home network so that you can access your Raspberry Pi securely from the internet using Secure Shell.
  • Secure Shell (SSH) allows the user to interact with a computer using the Terminal (text commands only).
  • Secure Shell gives full access to the computer without the use of a Graphical User Interface (GUI).
  • This means that you can install the Raspberry operating system Lite version without a desktop environment (no GUI).
  • Running without a GUI Desktop environment means that you can use an older computer to run projects.
  • The tutorial was created by Adam S and Edmond L.

Installation of Raspberry Pi Operating System (OS)

  • Open the Raspberry Pi imaging software on a computer.

  • In the Choose Operation system selection
    • select either the Raspberry Pi OS (32 bit) - Recommend operating system with Desktop interface, or
    • under Raspberry Pi OS (other) select Raspberry Pi OS Lite (64 bit). Note that this OS will not have a GUI interface (no desktop environment), only the Terminal

  • Then choose a the Storage device for the Operating system
  • 16 GB is required when using a GUI interface
  • 8 GB is large enough if using the Lite OS version (no GUI)

  • Click on the cog symbol to do some more configuration.

  • Click on Enable SSH
  • Ensure that Use password authentication is selected

  • Enter a secure password for the pi user.
  • Keep user as pi.

  • You can configure details for your local WiFi network.
  • But in this example we will add these details later.

  • Set Local settings

  • Click on Save

  • Now write all settings and the new OS to the Micro SD card.

  • If a warning message pops up answer Yes to commit changes.

  • It will take several minutes for the OS image to be copied to the SD card.

Home Router configuration for Static IP Address

  • To make it easier to access a Raspberry Pi within a home network or remotely it is necessary to set up a static IP address for the Raspberry Pi.
  • A static IP address will never change. The home router will reserve this IP address for a specific device based on the MAC address.
  • A MAC (Media Access Control) address is setup by the manufacturer of the device and is associated with the WiFI hardware or other communication hardware.
  • One device may have multiple MAC and WiFi addresses.

Access Home Router Configuration Software

  • Each Home router will have a designated address on the home network reserved for Administrative access.
  • For a TP-Link router the Admin page can be accessed using the following URLs.
  • Just do an Internet search to find out the best access or have a look on the router itself.
  • The home page of your router will look similar to the following.
  • You can see that there are 17 Wireless clients on the home network and 0 Wired clients.

  • On the newly imaged Raspberry Pi (after logging in) enter the command ifconfig to find the IP and MAC addresses for the Pi. The information will in the paragraph starting with wlan0 (Wireless LAN 0)
  • The IP address of my Pi is 192.168.1.104
  • The MAC address is b8:27:eb:e4:f5:80 - the MAC address has the word ether in front.
  • On the Home Router it is possible to find a listing of all the Wireless clients.
  • In the screen capture below you can see the Raspberry pi computer associated with IP address 192.168.1.104
  • On the home network a second Raspberry Pi computer is also connected.

  • To set up a Static IP address on a TP-link router click on:
    • Advanced
    • Network
    • LAN Settings
  • Scroll down the page and there is a Table named Address Reservation
  • Click on the Add button to add the IP and MAC address of the newly imaged Raspberry Pi.
  • Currently there are two reserved addresses on this router.

  • Enter all the details relevant to your Raspberry Pi and press OK

  • The new Raspberry Pi with reserved IP address should now be visible in the table.
  • There is no need to restart your home router for these changes to take effect because the assigned IP address has not changed.

Port Forwarding Configuration on the Home Router for SSH remote access

  • Every communications port on a computer on a network has its own unique IP address.
  • If a computer has more than one WiFi modem then it will have a different IP address for each WiFi modem.
  • In addition to the assigned IP address, programs running on computers have an assigned port number.
  • Port numbers can run from 0 to 65353.
  • Port numbers from 0 to 1023 are called well-known ports (common TCP/IP applications). For example:
    • Port 20 and 21: FTP data and FTP control, respectively
    • Port 22: Remote login protocol Secure SHell (SSH) - we will be using SSH soon
    • Port 25: Simple Mail Transfer Protocol (SMTP) used by e-mail servers
    • Port 80: web based servers (HTTP)
  • For security reasons it is sometimes best not to use the assigned port numbers.
  • We can instead choose a port number above 1023.
  • In this example we will choose the Port 2000.
  • To set this up correctly we need to do the following:
    • We need to configure our Raspberry Pi to listen for SSH requests on Port 2000.
    • We also need to tell the Home router to forward any SSH requests on Port 2000 coming from outside the home network to be directed to our newly imaged Pi (IP address 192.168.1.104) to Port 2000. Routers can also be asked to change Port assignments. in this case we will keep the Port assignment the same (Port 2000).
  • On the TP-Link home router navigate to:
    • Advanced
    • NAT Forwarding (Network Address Forwarding)
    • Virtual Servers

  • Enter the following details using the example below as a guide.
  • Replace the IP address with the IP address of your Pi
  • Use Port 2000 for SSH.
  • Add SSH for Service Type or leave blank

  • Click OK to save the changes

Creating Public and Private Keys on the Raspberry Pi for SSH remove access

  • To improve security for remote access computers can use Public and Private keys to ensure that communications are encrypted and limit access by unknown persons.
  • First we need to create Private and Public keys.
  • Then the Private key needs to be copied to the Raspberry Pi. The Private key should never be revealed to anyone.
  • Open the Terminal or Command line on a computer. This example uses a Mac.
  • This will open to the user's home address.
  • You can confirm the path using the command pwd
  • Enter the command ssh-keygen -t ecdsa -b 521
  • You will be prompted to enter the following:
    • Enter the file in which to save the key. The file name entered was remote_test
    • Enter passphrase (empty for no passphrase). A Passphrase is an additional layer of securing in addition to a password. We wont need this so just press the Enter key.
  • The public/private ecdsa (Elliptic Curve Digital Signature Algorithm) keys will now be created.

  • The public and private keys are found in the same folder as the user home directory.
  • Enter the command ls to display them.
  • Two files should be present:
    • remote_test - this is the Private key
    • remote_test.pub - this is the Public key

  • Before we can use these files they need to be copied to the hidden .ssh directory.
  • To see if the .ssh directory already exits enter the command ls -a which lists All files and directories, even hidden ones.
  • Hidden files and directories have one or more dots (full stops) in front of their name.
  • In this example the .ssh directory already exists.

  • To have a look inside the .ssh directory enter the commands cd .ssh to Change Directories and then enter the command ls -a to list all contents. The command ls or ls -l (list in long format) will also work.

  • Return to the user home directory by entering one of the following commands:
    • cd ~ - the tidle symbol takes you directly to the user home directory
    • cd .. - moves back up one directory ('Relative Path)
    • cd /Users/edmond - which is an explicit reference to an Absolute Path

  • To copy both files to the ~.ssh directory (/Users/edmond/.ssh) we use the Linux command mv (move).
  • We can copy the files one at a time, or both together.
  • To copy the files one at a time enter the commands:
    • mv remote_test ~/.ssh
    • mv remote_test.pub ~/.ssh
  • Or we can move both of them using one command if we use the asterisk placeholder:
    • mv remote_test* ~/.ssh



Copying files from user computer to Raspberry Pi using Secure Copy (SCP)

  • The Public key needs to be copied to the Raspberry Pi.
  • Secure Cope (scp) is a Linux command that will copy the file to the Raspberry Pi securely.
  • This operation must be done securely to limit any potential exposure to the Public key.
  • Make sure that you have navigated to the directory with the Public key.
  • Also ensure that the Public key has a recognisable name. You can change the name if required.
  • To copy the Public key enter the command scp -P 2000 remote_test.pub pi@192.168.1.104:/home/pi
    • scp - the command for secure copy
    • -P 2000 - specification of the Port number to use (Port 2000). Note the capital P
    • remote_test.pub - the name of the Public key file
    • pi@192.168.1.104 - username and IP address for the Raspberry Pi
    • /home/pi - pathway on the destination computer (Raspberry Pi) where the file will be coped to
  • You will be prompted to continue with the connection. Answer yes
  • Then enter the password for the newly imaged Raspberry Pi and press Enter. The password entry will be hidden.

  • The Public key file should now have been copied to the Raspberry Pi.
  • Use the List command (ls) on the Raspberry Pi to see if you can see the file.

Copying Public key on Raspberry Pi to .ssh directory

  • On the Raspberry Pi we need to copy the remote_test.pub key to a .ssh directory.
  • On the Raspberry Pi check to see if the directory exists with the command ls -a
  • If the hidden directory is present it will appear.
  • If not, create the directory with the command mkdir .ssh

  • Copy (move) the remote_test.pub file to the .ssh directory with the command mv remote_test.pub ~/.ssh
  • Check that the file has been moved (commands cd .ssh and ls)
  • Create a new file named authorized_keys with the command touch authorized_keys
    • Note the z in authorized.

Configuring Secure Shell (SSH) on the Raspberry Pi

  • Before you can use SSH to remotely access the Raspberry Pi there are some final configuration changes.
  • On the Raspberry Pi enter the command cd /etc/ssh to navigate to the ssh directory
  • Enter ls to list all the contents of the directory.
  • There will be a file named sshd_config

  • Edit this file with the command sudo nano sshd_config
  • Make the following changes:
    • #Port 22 - comment out the default Port 22
    • Port 2000 - add Port 2000 on a new line
    • PermitRootLogin no - add this line
    • PassswordAuthentication no - add this line
    • UsePAM no - change from yes to no
  • Then exit (Ctrl-X) and save changes to the same file name.

  • For the configuration changes to take effect enter the following commands
    • service sshd reload
    • service sshd restart
  • When reloading and restarting services you may be asked for authentication. Enter the Raspberry Pi password.

Using SSH on a Remote computer to access the Raspberry Pi

  • Now that the set up is complete it is easy to login to the Raspberry Pi.
  • Enter the command ssh -p 2000 pi@192.168.1.104 -i /users/edmond/.ssh/remote_test
    • ssh - Linux command
    • -p 2000 Port 2000
    • pi@192.168.1.104 - username and IP address for Pi computer
    • -i /users/edmond/.ssh/remote_test - points to the file with the Private key
  • To exit the SSH session enter exit and press Enter.


Fun things to do using SSH in the Terminal

  • There are lots of useful and fun commands in Linux [1].


  • Do normal updates with sudo apt-get update

  • Print the current date with the command date

  • find / -name edmond_pi_104 - Search the entire Pi computer (/ root directory) for the file named edmond_pi_104 and lists all directories where the file is found.

  • df -H disk usage in human readable form

  • cat /sys/class/thermal/thermal_zone0/temp CPU temperature

  • iwconfig to check the wireless network

Retrieved from "http://www.waterwaysinwhittlesea.org/index.php?title=Smart_Cities_-_Setting_up_Raspberry_Pi_for_Secure_Shell_Remote_Access&oldid=5666"