Chapter 3: Installing an OS and Configuring SSH (Part 2)
At this point, you can pop the SD card into your Pi and power it on. The Pi and your host machine should be on the same network and connected to the same router, whether via Wi-Fi or directly plugged in. In this chapter, we'll finish up configuring our Raspberry Pi to accept secure SSH connections from a host machine. This is the last chapter where steps differ based on the OS of your host machine. After this, all commands will be done exclusively through the SSH session on your Raspberry Pi. In Chapter 2, we created a public and private key pair. If you used Raspberry Pi Imager, the public key was configured as part of the OS installation. If using an already installed OS, the public key was copied over to the Raspberry Pi. In this chapter, we'll configure our SSH client.
The below instructions are essentially the 'default' methods of starting an SSH session for each OS. There are many cross-platform SSH applications (Termius is one I like in particular) that you may prefer. Feel free to skip the instructions dealing with your OS if you have a different method in mind.
Finding the Raspberry Pi's IP Address
Before we can SSH into our Pi, we must know what its IP address is. This can range from easy, if your Pi is connected to a router that you own and control, to difficult, if you are in a classroom full of people all connecting their Pis to a shared network. Regardless of how you get the Pi's IP, all of the steps below assume that the Pi is indeed on the same local network as your host machine. If you installed your OS on a different network, you'll need your Pi to be plugged in directly to the router via an Ethernet cable, with your host machine connected to that router's network.
Option 1: Accessing Router DHCP Settings (All Operating Systems)
- Open a web browser on your computer.
- Enter the router's IP address in the address bar and press Enter. Common router IP addresses include 192.168.0.1, 192.168.1.1, or 192.168.8.1.
- Log in to the router's web interface using the administrator credentials (username and password).
- Navigate to the DHCP settings or DHCP client list section, usually located under LAN settings or Network settings.
- Look for the host name you specified for your Pi or some indication that a device is a Raspberry Pi. Note down its IP address.
Option 2: Using Applications or Commands
If you don't own the router (you're configuring this in your home or other public setting) and you don't have a travel router, you'll have to discover the IP address from your host machine, without the use of administrator tools. Some of these tools and commands don't always work well, depending on how the local Wi-Fi network is configured. If one doesn't work, try another.
Using Command Prompt (Windows/Mac)
- Open Command Prompt on your Windows computer.
- Enter the following command:
arp -a
- Look for an entry with the Raspberry Pi's MAC address. Note down the corresponding IP address.
- To determine which MAC belongs to your Pi, look for a MAC that starts with one of the following:
  - 28:cd:c1
  - 2c:cf:67
  - 3a:35:41
  - b8:27:eb
  - d8:3a:dd
  - dc:a6:32
  - e4:5f:01
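The prefix match above can be scripted. The following is an added example, not part of the original guide: it scans `arp -a` output for the prefixes listed on this page and copes with the Windows form (hyphens, sometimes upper case) and the macOS form (leading zeros dropped). The function names and the sample output are constructed for illustration.

```python
import re

# MAC prefixes this page lists for Raspberry Pi network interfaces.
PI_OUIS = {"28:cd:c1", "2c:cf:67", "3a:35:41", "b8:27:eb",
           "d8:3a:dd", "dc:a6:32", "e4:5f:01"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Lower-case, colon-separated, each octet zero-padded to two digits."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))

def find_pis(arp_output):
    """Return [(ip, mac)] for ARP entries whose MAC starts with a listed prefix."""
    hits = []
    for line in arp_output.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue                      # header or "(incomplete)" entry
        norm = normalize_mac(mac.group(1))
        if norm[:8] in PI_OUIS:
            hits.append((ip.group(1), norm))
    return hits

# Constructed sample mixing Windows-style and macOS-style arp -a lines.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  192.168.1.1           a4-91-b1-00-11-22     dynamic
  192.168.1.42          B8-27-EB-12-34-56     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
? (192.168.1.57) at dc:a6:32:a:b:c on en0 ifscope [ethernet]
? (192.168.1.60) at (incomplete) on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    import sys
    # Pipe real output in (arp -a | python3 this_file.py); otherwise use the sample.
    text = SAMPLE_ARP if sys.stdin.isatty() else sys.stdin.read()
    for ip, mac in find_pis(text):
        print(ip, mac)
```

A match only tells you the address belongs to some Raspberry Pi; on a shared network, confirm the hostname before connecting.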
Using Advanced IP Scanner (Windows)
- Download and install Advanced IP Scanner on your Windows computer.
- Run Advanced IP Scanner and click on the "Scan" button.
- It will scan your network and list all devices connected to it along with their IP addresses.
- Look for a device named "raspberrypi" or the hostname that you set. Note down its IP address.
Using Network Utility (Mac)
- Open Finder and go to Applications > Utilities.
- Open Network Utility.
- Switch to the "Ping" tab.
- Enter the hostname or IP address of the Raspberry Pi in the "Enter the network address to ping" field.
- Click the "Ping" button.
- The IP address of the Raspberry Pi will be displayed in the "Result" column.
Using nmap (Linux)
- Open a terminal on your Linux machine.
- Type the following command and press Enter:
sudo nmap -sn 192.168.0.0/24
- Replace 192.168.0.0/24 with your actual network range.
- Look for an entry with a hostname or MAC address corresponding to the Raspberry Pi. Note down its IP address.
Using netstat (Linux)
- Open Terminal on your Linux machine.
- Type the following command and press Enter:
sudo netstat -rn
- Look for an entry in the routing table that corresponds to the Raspberry Pi's subnet. The IP address of the Raspberry Pi should be listed there.
On the Pi itself (Raspberry Pi OS):
- Open a terminal window on your Raspberry Pi.
- Type the following command and press Enter:
ifconfig
- Look for the network interface associated with your connection (often named eth0 for Ethernet or wlan0 for Wi-Fi).
- The MAC address (also sometimes labeled the Hardware Address or HWaddr) will be listed under the corresponding network interface. It typically looks like XX:XX:XX:XX:XX:XX, where each X represents a hexadecimal digit.
Using GUI (Raspberry Pi OS):
- If you're using Raspberry Pi OS with a desktop environment, you can also find the MAC address through the graphical interface.
- Click on the network icon in the system tray (usually located in the top-right corner of the screen).
- Select "Wi-Fi" or "Ethernet" depending on your connection type.
- Click on "Network Preferences" or "Connection Information".
- The MAC address should be listed somewhere in the network settings or connection information window.
Windows
We're going to use PuTTY to remote into our Raspberry Pi. If you followed the recommendations in this guide and used Raspberry Pi Imager to generate your SSH key pair, you'll have to do one more thing before you can use PuTTY. PuTTY uses its own file format, .ppk. We'll need to convert the private key that we got from Raspberry Pi Imager.
Step 1: Prep Private Key for PuTTY (only needed if you used Raspberry Pi Imager)
- Go to the PuTTY website and download the latest version of PuTTY. Make sure you get the full package version, which includes PuTTYgen.
- Open PuTTYgen.
- Click Load. Change filetype to All Files.
- Navigate to C:\Users\<your username>\.ssh and select id_rsa.
  - NOT id_rsa.pub; that's the public key, which is already on our Pi.
- Set a password. It can be the same as the password you set for your user account.
- Click “Save private key”. This is the file you will use to authenticate your SSH session.
Step 2: Configure PuTTY Session
- Open PuTTY.
- The first screen will prompt you to enter a hostname or IP address and port number. Enter the IP address of your Pi. Unless you've already changed the default SSH port, keep it at 22.
- On the left side navigation pane, click SSH > Auth > Credentials.
- Click Browse and navigate to the folder where you saved id_rsa.ppk (or whatever you named it) in Step 1 and select that file.
- Go back to the first screen by clicking Session at the top of the navigation pane.
- Save the settings as a profile. The next time you open PuTTY, you can just load these settings, or even make them the default when you launch the application. Otherwise, you'll have to load your private key every time you launch PuTTY. Unless you have a specific security scenario in mind where that wouldn't be advised, it'll make establishing a connection much faster.
- Click connect. You will be prompted for your username and SSH key passphrase. These can also be saved into your profile, if you wish, for even easier connections, though at the risk of making it easier to access your Pi if your host machine is ever compromised.
Mac/Linux
All you need to do is open a terminal and enter the command:
ssh <IP address>
Replace <IP address> with that belonging to your Pi. For example, trying to connect to 192.168.1.100 with default port 22 is as simple as:
ssh 192.168.1.100
If you've changed the SSH port, you'd first add a -p flag and then specify the port number before the IP address. If you've set the SSH port to 1234, for example, you would enter:
ssh -p 1234 192.168.1.100
Once entered, you'll be prompted for the username and SSH key passphrase.
Other Devices
If you want to be able to establish an SSH connection through another device, you'll have to first copy the private key. On mobile devices, for example, there are a number of SSH applications that you can download (Termius was already mentioned previously). Follow the instructions above for the OS on the new host machine. On mobile devices, follow the directions for the particular app you've downloaded. Most will work similarly to the PuTTY instructions in Windows, in that you'll create a profile in the app's GUI, specify the hostname and port, and load the private key.
Where Are We in the File System?
From this point on, we are done with the particulars of operating systems. Whether you are on Windows, Mac, Linux, iOS, Android, or anything else, everything will be the same, because the commands will either run on the Raspberry Pi itself or refer to the SSH session on your host machine, whatever it may be.
With our SSH session open, we should be seeing a mostly empty terminal. You should have a prompt for entering commands, showing something like:
<username>@<hostname>: ~ $
The username and hostname should be obvious. The $ symbol is the typical convention for indicating you are logged in as a normal user rather than a super user, i.e., with full administrative rights. We can still run commands with elevated administrative privileges, but will have to prepend sudo, or "super user do", before running them. Per the "principle of least privilege," you want to be at a lower level of privilege whenever possible, particularly when altering the file system or installing applications.
The key symbol though in the command prompt is the tilde, ~. It's possible that your command prompt is instead displaying /home/<username>. If so, that's because ~ is an alias for your username's home directory. This is generally a good place to be when running commands, especially when installing applications. Most installation scripts handle file placement for you and will automatically put files into your home directory, if that's where they belong, but it's good practice to have this as your default location. Without a GUI, it can be easy to accidentally delete the wrong file. So long as you are in your home directory, you won't do too much damage. See Appendix QQQ for more on the Linux file structure and basic commands, but if you ever get lost in the file system and want to make your way back to your home directory, just enter the command cd ~
Configuring SSH Settings
Now that we're oriented in the filesystem, we're going to change the SSH settings to disable password authentication (if not already done through Raspberry Pi Imager) and change the SSH port to something other than 22.
SSH configurations are contained in the sshd_config file (no file extension). Why sshd_config and not ssh_config? Any time you see a trailing “d” in the name of a service on Linux, it is short for “daemon.” A daemon (a term from Greek Mythology, properly pronounced “dee-min”, but often pronounced “day-mon” or “dai-mon”) is a program that runs as a background process, rather than being under the direct control of an interactive user. You made the SSH connection on your host machine, your Raspberry Pi accepted it and maintains it without you having done anything on the Pi itself. Configuring what exactly the Pi will do when it gets an SSH request is thus adjusted in this sshd_config file.
We've already discussed why you're disabling passwords and relying on a key file. We're changing the port number for a couple of reasons as well.
- Reduced Visibility: By using a non-standard port for SSH, you reduce the likelihood of automated bots and scanners detecting your SSH service. Many attackers target port 22 by default, so changing the port makes your Raspberry Pi less visible to these automated scanning tools.
- Mitigation of Brute Force Attacks: Changing the SSH port can help mitigate brute force attacks, where attackers attempt to guess usernames and passwords to gain unauthorized access. While changing the port alone doesn't prevent brute force attacks, it can reduce the volume of automated attacks since attackers would need to specifically target the custom port.
- Protection Against Script Kiddies: Script kiddies, or inexperienced attackers, often target default services like SSH on port 22. Changing the port can deter these attackers who rely on basic scanning tools and techniques.
- Enhanced Security Through Obscurity: While security through obscurity is not a foolproof security measure, it can add an additional layer of defense by making it harder for attackers to identify and exploit vulnerabilities. Changing the SSH port is one aspect of this approach.
A dedicated, competent malicious actor can still find your SSH port by scanning for all open ports on your system. But if we can at least frustrate the script kiddies, why not do so?
Step 1: Change the Port Number
- Run the following command:
sudo nano /etc/ssh/sshd_config
We're using sudo to have super user privileges as we won't be able to save the file without those. nano is our text editor, /etc/ssh/ is the directory and sshd_config is the file itself.
- Look for the line Port 22.
- Modify the Port directive to specify the desired port number. Choose a port number between 1024 and 65535.
Step 2: Disable Password Authentication and Empty Passwords
- Look for a line referring to password authentication.
- If it looks like this:
#PasswordAuthentication yes
then password authentication is enabled. Delete the first # character and change yes to no. It should now look like this:
PasswordAuthentication no
- If you used Raspberry Pi Imager to generate the key file before you even switched your Pi on, then just take note of that line and confirm it is set to no.
- It's redundant, as passwords have been disabled, but just for security hygiene, we're also going to forbid empty passwords, just in case there is a user account that accidentally gets created without a password and somehow password authentication gets turned back on. Change the #PermitEmptyPasswords yes line to PermitEmptyPasswords no.
- Press ctrl+X. It will ask for a file name. Press enter to accept the current name. It will ask if you want to overwrite the current file. Press 'Y'.
- Back on your host machine, if you're using an SSH application that saves profiles, such as PuTTY, update the profile to use the new port number.
Step 3: Restart the SSH Daemon
- Enter the following command:
sudo systemctl restart ssh
systemctl or "System Control" is used to start/stop/restart daemons.
- Restart the Pi just to really make sure everything took effect, and so we have a clean slate to test our new SSH configuration. Enter the following command:
sudo reboot now
- Give your Pi a minute or so to power on. Once on, start an SSH session with the new port number. As a reminder, on Mac/Linux, you'll need the -p flag in the command, like this:
ssh -p 1234 192.168.1.100
- If you have another device on the same network available, one that does not have the private key, try to start an SSH session with it. On PuTTY, you can also just clear the Credentials line that holds the private key. The connection should be refused. Now, no one can get into your Pi unless they have the private key file AND know the passphrase associated with it. We're not done yet. Later, we'll lock it down even more.
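Steps 1 and 2 only take effect if the edited lines are the ones sshd actually reads. The following is an added example, not part of the original guide: it resolves the three directives this chapter changes from the text of an sshd_config file, treating commented lines as absent and using the first occurrence of a keyword, as sshd does. The function names and sample configs are constructed, and Include files are not followed.

```python
# sshd's built-in defaults for the password directives edited in this chapter.
DEFAULTS = {"passwordauthentication": "yes", "permitemptypasswords": "no"}

def effective_settings(config_text):
    """Resolve the global Port / password directives the way sshd reads them."""
    ports, seen = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # a commented-out line changes nothing
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break                          # later lines are conditional overrides
        if not args:
            continue
        if key == "port":
            ports.append(int(args[0]))     # Port may repeat; sshd listens on each
        elif key in DEFAULTS and key not in seen:
            seen[key] = args[0].lower()    # first occurrence of a keyword wins
    return {"port": ports or [22], **DEFAULTS, **seen}

def audit(config_text):
    """Return findings; an empty list means the chapter's three changes are live."""
    cfg, findings = effective_settings(config_text), []
    for port in cfg["port"]:
        if port == 22:
            findings.append("sshd still listens on port 22")
        elif not 1024 <= port <= 65535:
            findings.append(f"port {port} is outside 1024-65535")
    if cfg["passwordauthentication"] != "no":
        findings.append("password authentication is enabled")
    if cfg["permitemptypasswords"] != "no":
        findings.append("empty passwords are permitted")
    return findings

# Constructed samples: an untouched file, and the file after Steps 1 and 2.
STOCK = "#Port 22\n#PasswordAuthentication yes\n#PermitEmptyPasswords no\n"
HARDENED = "Port 1234\nPasswordAuthentication no\nPermitEmptyPasswords no\n"
# Editing the wrong copy of a duplicated line: the first one still applies.
SHADOWED = "Port 1234\nPasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in [("stock", STOCK), ("hardened", HARDENED), ("shadowed", SHADOWED)]:
        print(name, audit(text) or "OK")
```

On the Pi itself, `sudo sshd -t` reports syntax errors before you restart the daemon, and `sudo sshd -T` prints the configuration sshd actually resolves, including any Include files this sketch skips.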
Step 4: Update and Upgrade
- Now that we're finally logged into the Pi, we'll make sure all its software is up to date.
- Run the following commands:
sudo apt update
sudo apt upgrade
apt or "Advanced Package Technology" is the command set used in Debian-based Linux distributions to acquire and keep up to date much of the Linux software. First, we update where the Pi will look to get the latest versions of its applications. Then we upgrade by downloading and installing that software.
