This is a compilation of guides and tutorials that are tailored to my specific case and preferences. You may need to take into consideration your own conditions and settings. If you encounter any problems, please feel free to post a comment below [debugging tips]. Have fun! 🙂
How to install OS to run your Raspberry Pi
Follow the installation instructions for your OS (Linux, Mac OS, Windows). On Linux, you’ll need to format your SD card (FAT32) and then restore the Raspbian image with the default Disk Image Writer. [link1, link2, link3]
How to assign a static IP address
As ModMyPi aptly explains:
To log in to your Raspberry Pi remotely, you’ll need the IP of the Raspberry Pi – this is basically like your house address and tells the host computer where to look for it on the network. By default, the Raspberry Pi will be given an IP automatically by the router (called Dynamic IP and denoted by DHCP) when you connect to a network. However, this can change whenever you remove the Pi from the network e.g. turn it off.
Having a static IP isn’t essential, however it will make repeated access to the Raspberry Pi via SSH much simpler, as you’ll always know that the Raspberry Pi has the same address. Imagine how much trouble your postman would have if your house constantly changed location 🙂
If you have access to the router, the easiest way to assign a static IP to your Raspberry Pi is via the router’s admin page. By default, most router manufacturers use 192.168.0.1 or 192.168.1.1 as the default LAN IP address. This is the address you would enter into your browser’s address bar to access the router configuration page. If you’ve changed the default address or this was not the default, you can find the router’s IP address by entering your Network settings, where router’s IP address will be listed as Default Gateway or Default Route. The same result can be achieved via Terminal using commands like [link1, link2, link3]:
$ arp -a $ netstat -nr $ route -n $ ip route $ ip route | grep default default via 192.168.2.1 dev wlo1 proto static metric 600
Based on your output (mine was 192.168.2.1) change the IP below:
$ sudo nmap -sP 192.168.2.0/24
Another method to determine the IP is via
ping command. If you know the computer’s network name you can ping it in the Terminal. And since every Raspberry Pi comes with a default hostname raspberrypi, you can simply write:
$ ping -c 4 raspberrypi
For additional info, check out these sites [link1, link2, link3, link4, link5], YouTube tutorials [video1, video2], and also this site [archive] proved to be useful when clearing up my initial confusion between LAN and WAN IP addresses.
Otherwise, if you’re already connected to your Raspberry Pi directly, you can find out your current IP address with one of the following commands:
$ hostname -I $ ifconfig
How to connect remotely via SSH & first setup
$ ssh firstname.lastname@example.org
The default login & password are (consider changing these afterwards):
raspberrypi login: pi Password: raspberry
$ sudo apt-get update && sudo apt-get upgrade $ sudo apt-get install rpi-update $ sudo rpi-update $ sudo raspi-config
Reboot to make changes:
$ sudo reboot
Follow this guide to configure SHH access on your Pi:
$ sudo apt-get install openssh-server
After installing OpenSSH server, you’ll need to configure it by editing the sshd_config file in the /etc/ssh directory.
First, make a backup of your sshd_config file by making a read-only copy in /etc/ssh:
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults $ sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
Creating a read-only (chmod 444) backup in /etc/ssh means you’ll always be able to find a known-good configuration when you need it.
Once you’ve backed up your sshd_config file, you can make changes with nano:
$ sudo nano /etc/ssh/sshd_config
On the host computer (Raspberry Pi), make sure that the /etc/ssh/sshd_config file contains the following lines, and that they are uncommented;
PubkeyAuthentication yes RSAAuthentication yes
Key-based authentication uses two keys, one “public” key that anyone is allowed to see, and another “private” key that only the owner is allowed to see. To securely communicate using key-based authentication, one needs to create a key pair, securely store the private key on the computer one wants to log in from (your PC), and store the public key on the computer one wants to log in to (Raspberry Pi).
The first step involves creating a set of RSA keys (aka SSH keys) for use in authentication. This should be done on the client (your PC). To create your public and private SSH keys use the following commands (learn more in this guide):
$ mkdir ~/.ssh $ chmod 700 ~/.ssh $ ssh-keygen -t rsa -b 4096
You will be prompted for a location to save the keys, and a passphrase for the keys. This passphrase will protect your private key while it’s stored on the hard drive:
$ Generating public/private rsa key pair. Enter file in which to save the key (/home/username/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/username/.ssh/id_rsa. Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Your public key is now available as .ssh/id_rsa.pub in your home folder.
Recommendation: Make a backup of your keys to a secure flash drive (the following commands will only copy your keys to /Documents directory).
$ mkdir ~/Documents/raspberrypi_keys/ $ chmod 700 ~/Documents/raspberrypi_keys/ $ cp ~/.ssh/id_rsa ~/Documents/raspberrypi_keys/ $ cp ~/.ssh/id_rsa.pub ~/Documents/raspberrypi_keys/
The main problem with public key authentication is that you need a secure way of getting the public key onto a computer before you can log in with it. If you will only ever use an SSH key to log in to your own computer from a few other computers (such as logging in to your PC from your laptop), you should copy your SSH keys over on a memory stick, and disable password authentication altogether. If you would like to log in from other computers from time to time (such as a friend’s PC), make sure you have a strong password. Learn more about hardening security of your Raspberry Pi [link1, link2, link3, link4, link5]
Transfer client key (Public RSA key) to host (raspberrypi). If you can log in to a computer over SSH using a password, you can transfer your RSA key by doing the following from your own computer:
$ ssh-copy-id <username>@<host>
Where <username> and <host> should be replaced by your username and the name of the computer you’re transferring your key to. In my case:
$ ssh-copy-id pi@raspberrypi
$ ssh-copy-id email@example.com
You can make sure this worked by trying the SHH access:
$ ssh firstname.lastname@example.org
You should be prompted for the passphrase for your key:
$ Enter passphrase for key '/home/<username>/.ssh/id_rsa':
Enter your passphrase, and provided host is configured to allow key-based logins, you should then be logged in successfully. Although, after several re-installations of Raspbian, you may face the following issue with SSH connection:
Failed to add the host to the list of known hosts (/home/username/.ssh/known_hosts). sign_and_send_pubkey: signing failed: agent refused operation
$ rm /home/<username>/.ssh/known_hosts $ ssh-add
If your are still experiencing problems, try using SSH with the -v or -vv flag to see verbose error messages.
$ ssh -vv email@example.com
To disable password authentication, look for the following line in your sshd_config file:
replace it with:
To log more information about malicious SSH traffic increase the LogLevel:
and change it to:
Now all the details of ssh login attempts will be saved in your /var/log/auth.log file, which can be easily checked via terminal:
$ cat /var/log/auth.log
$ sudo apt-get install ufw $ sudo ufw status $ sudo ufw allow 22 $ sudo ufw allow from 192.168.0.0/24 $ sudo ufw --force enable $ sudo ufw status
It’s possible to limit the rate at which one IP address can establish new SSH connections by configuring the uncomplicated firewall (ufw). If an IP address is tries to connect more than 10 times in 30 seconds, all the following attempts will fail since the connections will be DROPped. The rule is added to the firewall by running a single command:
$ sudo ufw limit ssh $ sudo reboot now
On a single-user or low-powered system, the number of total simultaneous pending (not yet authorized) login connections to the system can also be limited. This example will allow two pending connections. Between the third and tenth connection the system will start randomly dropping connections from 30% up to 100% at the tenth simultaneous connection. This should be set in sshd_config:
To add a banner that will be displayed before authentication, find this line:
and uncomment it by removing #:
This will display the contents of the /etc/issue.net file, which you should edit to your taste. If you want to display the same banner to SSH users as to users logging in on a local console, replace the line with:
To edit the banner itself edit these files in nano:
$ sudo nano /etc/issue.net $ sudo nano /etc/issue
To apply the changes reboot your Pi:
$ sudo reboot now
Connecting remotely outside your LAN network
(1) There is a great variety of routers, but typically you will need to set the following values in the port forwarding (virtual servers) section of the router’s admin page:
- IP Address: This is the IP of your Raspberry Pi, e.g. 192.168.2.102
- Internal/Local Port: Set this to Pi’s application port, e.g. SSH runs on port 22
- Protocol: Set this to ALL (TCP/UDP) unless specified
- Status: Set this to enabled
(2) Once you got the “green light” and the port is open, proceed to arranging a static public IP address. Your ISP (Internet Service Provider) may assign one to your router, but most probably they’ve provided you with a dynamic IP. In that case, the easiest way how to connect to your Pi is by setting up DDNS (Dynamic DNS) [wiki]. This service will allow you to stay connected even if your external IP changes.
First, create an account on No-IP.com and register a hostname: myhostname.ddns.net. Your public IP address will appear automatically in the registration form.
On the Raspberry Pi, you will need to install an application (DUC) that automatically sends updates about any changes in your IP address. Execute the following commands in terminal:
$ cd /usr/local/src $ sudo wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz $ sudo tar xzf noip-duc-linux.tar.gz $ cd noip-2.1.9-1/ $ sudo make install
During the installation you will be asked to:
- enter the email and password for your NoIP account,
- in the next step, you can leave the default update interval of 30 minutes,
- and finally, you can set something to run whenever the IP changes (if you choose yes, you will be asked to enter the script/program name).
After the installation, edit the rc.local file by adding a new line just before the last line exit 0. This ensures that noip will automatically start on reboot. To do this enter the following commands:
$ sudo nano /etc/rc.local
Enter the following line right above the exit 0 line.
Use ctrl+O (to save) and ctrl+X (to exit)
You can start noip client with the following command:
$ sudo /usr/local/bin/noip2
Check the status with the following command:
$ sudo /usr/local/bin/noip2 -S
One remaining thing to be done, is the DDNS setup on the router/modem, where you’ll provide your noip’s hostname and password. By now, you should be able to connect to your Pi via domain name instead of an IP.
$ dig +short myip.opendns.com @resolver1.opendns.com
Installation of additional packages may be need:
$ sudo apt-get install dnsutils
Connecting with your Android smartphone
If you want to connect your Android phone with Raspberry Pi using RSA keys, you’ll need to generate them on your Linux system:
$ ssh-keygen -t rsa -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/home/username/.ssh/id_rsa): /home/username/.ssh/id_rsa_android Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/username/.ssh/id_rsa_android. Your public key has been saved in /home/username/.ssh/id_rsa_android.pub.
Now copy the public key to your Raspberry Pi:
$ ssh-copy-id firstname.lastname@example.org /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'email@example.com'" and check to make sure that only the key(s) you wanted were added.
Connect your phone with the PC using USB cable or AirDroid app, so that you can upload the private key (id_rsa_android) to a new folder (e.g. RSA). Finally, you will need to install JuiceSSH [Google Play]. Here you will set up a New Identity, filling in Pi’s username, password, and importing the uploaded private key. I would recommend renaming the id_rsa_android file to id_rsa_android.key, since the app didn’t seem to recognize the private key as a valid file. Based on this identity, you will be able to set up a New Connection. Just specify the type (SSH) and port (22), enter your static IP address or DDNS (e.g. myhostname.ddns.net), and select your newly created identity. Now you can send commands to your Raspberry Pi via smartphone!