Future-proofing the Raspbian SSH Server

Lead Image © Martin Malchev, 123RF.com

Enable SSH

Recent versions of Raspbian turn off SSH in the default configuration. You'll need to start it manually if you're planning on remote access.

Manufacturers of routers and other network devices are notorious both for creating devices with security vulnerabilities and for ignoring new ones discovered during their life cycle. This often includes bugs in key modules such as the Linux kernel, which is embedded into a large number of systems.

One typical security flaw is to use the same login password for all devices. Raspberry Pis running Raspbian fall into this category. On your first install, the default user is always pi and the password is raspberry. You can easily change this using the command passwd, but it's not mandatory, so most Raspberry Pi users don't do this.

As such, if you link a Raspberry Pi to a public network, an attacker can easily locate and connect to it, especially because the Pi promptly responds to ARP scans (Listing 1).

Listing 1

Rasp Pi Response to ARP Scan

$ sudo arp-scan --localnet | grep Raspberry  b8:27:eb:76:1e:16  Raspberry Pi Foundation  b8:27:eb:e4:e1:30  Raspberry Pi Foundation

SSH Gateway

Until recently, the SSH server was enabled by default on Raspbian images, allowing you to connect to a Pi headlessly. This greatly simplified setting up a Raspberry Pi server because there's no need for a mouse, keyboard, or monitor. However, in light of the numerous IT security disasters in recent months, the Raspberry Pi Foundation has brought this to an end [1] (see also the "Security Through NAT?" box).

Security through NAT?

Outside the comforting four walls of your home lurks the internet usually via a WLAN router, which links your local network [2] to the world. The router stores the source address of outbound data packets from your devices on your local network and forwards them to the internet. When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine the device on the internal network to which to forward the reply using a NAT table. [3].

If a computer on the Internet sends unsolicited data to your router, there'll be no corresponding entry for the data packets in the NAT table. The router will return the data to the sender saying "Address Unknown". For this reason, a Raspberry Pi behind a WLAN router is secure in theory, even if the default password hasn't been changed.

The only way to get around this is to use port forwarding. This involves manually configuring the router via its network interface or using Universal Plug and Play [4] (UPnP), which is automatic. The router will then forward requests to the specified ports to certain devices on your network. In this way, you can access your Raspberry Pi via SSH over the internet or even run a website from it.

With Raspbian 2017-04-10, the latest Raspbian image released in April, the developers have decided to err on the side of caution. By default, there are no open outgoing ports. You must proactively choose to enable the SSH server from now on, and you will receive a warning if the password is still set to the default. What was previously the work of a few minutes with a monitor and keyboard, now poses users of headless Raspberry Pis with something of a challenge.

Enable SSH

If you've a keyboard, mouse and monitor plugged into your Pi, setting up SSH is fairly trouble-free. Simply go to Raspberry Pi Configuration from the Preferences menu. Go to the Interfaces tab (Figure 1), then select Enabled besides SSH. Close the dialog by selecting OK.

Figure 1: In Raspbian, you must now specifically choose to enable SSH.

Alternatively, use the console-based Raspberry Pi Configuration tool. Open a terminal window and run sudo raspi-config. Go to Interacting Options, then navigate to and select P2 SSH (Figure 2). This method also works with Raspbian Lite, which doesn't come with a graphical desktop environment. After activating this option, you can access the Pi immediately via SSH without restarting.

Figure 2: You can also enable SSH via raspi-config in the terminal.

During the process of enabling SSH you'll also see another new feature. Provided the password for the default user pi is still raspberry, Raspbian will display an annoying alert each time you log on, urging you to change the default password as soon as possible (Figure 3).

Figure 3: Another new feature: Raspbian asks you to change the password for the default user if SSH is enabled.

Continue your login as normal, then use the terminal command passwd to change the default password. Keep in mind that Raspbian won't display any asterisks or other placeholders as you type in your new passphrase. You can also change the password via raspi-config.

Buy this article as PDF

Express-Checkout as PDF

Pages: 4

Price $2.95
(incl. VAT)

Buy Raspberry Pi Geek

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content