This post is a reference for me and others who want to improve their InfoSec hygiene. As a software engineer who deals with lots of servers, accounts, and IoT devices, one common task that is a daily routine is to SSH into various computers. SSH is commonly based on username and password. For Raspbian, the default is:
raspberrypi login: pi
Password: raspberry
Which is convenient for starting out with a new board, or for new users. But this is not the most secure, especially when enabling SSH to connect into your devices remotely (even if just for engineering and development). I've never been guilty of forgetting to change the default login on the devices I leave connected to my network. 🙄 Having those devices around on your engineering and development network makes a great pivot for attackers (see Mirai).
Let's start with a Raspberry Pi device.
- Connect to your Raspberry Pi device over the serial port, or by using a monitor and keyboard and log in.
- Use the raspi-config to configure Wi-Fi or plug in Ethernet cable.
- Enable SSH
- Upload your SSH public key using ssh-copy-id. This automatically creates the .ssh directory with the correct permissions and puts your public key in the authorized_keys file.
NOTE: Sometimes, if you are using a key manager like Krypt.co, you will not have the typical .pub file to copy, in which case the ssh-copy-id -f option will force it to copy anything close to a public key, and this works for me.
- Disable the password/challenge-response login so that only your SSH key will work. (But first, make a backup in case you make a mistake! If you do make a mistake, you will have to connect directly to the UART or have a local mouse/monitor/keyboard to fix it and the backup file will be super handy)
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo vi /etc/ssh/sshd_config
Uncomment and/or set the following parameters in the sshd_config.
ChallengeResponseAuthentication no
...
PasswordAuthentication no
...
UsePAM no
Then restart the ssh server.
sudo systemctl reload ssh
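Before reloading, it is worth confirming the file actually says what you think it says. The script below is an added example, not part of the original post: a POSIX sh audit of an sshd_config for the three settings above. It honours two sshd rules that are easy to trip over: the first uncommented occurrence of a keyword wins, and anything after a Match line is conditional rather than global. It assumes only awk and the constructed sample files it writes itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config before "systemctl reload ssh".
# sshd applies the FIRST uncommented occurrence of each keyword, so a
# "PasswordAuthentication no" appended at the bottom does not override an earlier "yes",
# and settings after a "Match" line apply only to that match, not globally.

# effective_value FILE KEYWORD: print the first active, global value (empty if unset)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }    # skip comments and blank lines
        tolower($1) == "match"      { exit }    # everything below is conditional
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_hardening FILE: status 0 if all three settings are "no", 1 otherwise
check_sshd_hardening() {
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK   $key no"
        else
            echo "FAIL $key = '${val:-unset, sshd default applies}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (assumed, not real files from a Pi) for a stand-alone run
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'ChallengeResponseAuthentication no' 'PasswordAuthentication no' \
        'UsePAM no' > "$dir/hardened"
    # "no" added at the bottom, but the earlier "yes" is what sshd uses
    printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
        'UsePAM no' '# added later:' 'PasswordAuthentication no' > "$dir/lenient"
    echo "$dir"
}

samples=$(write_samples)
for f in "$samples/hardened" "$samples/lenient"; do
    echo "== $f"
    if check_sshd_hardening "$f"; then echo "-> key-only login enforced"; else echo "-> fix before reload"; fi
done
```

On the Pi itself, `sudo sshd -T` prints the values sshd actually resolved and is the authoritative check; this script is for reviewing the file before you reload.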
Now, once you disable password/challenge-response login, you get the benefit of increased security: no one can access your Pi unless their key is in the authorized_keys file. However, if you ever lose your SSH private key, you can no longer get into your Pi remotely. But with commodity hardware like the Raspberry Pi, you can always pull the SD card and manually edit the authorized_keys file, or just reflash the card and start again, or connect using a local keyboard/monitor/mouse or via the UART console.