If you set up ssh, you will be able to access your server remotely.
On server
Make sure that openssh-server is installed on your computer.
First, the ssh server settings need to be changed to improve security. The 3 configuration steps below are recommended in general.
1. Type sudo pluma /etc/ssh/sshd_config and execute it
2. Under # What ports, IPs and protocols we listen for, change Port 22 to Port 39485 (it can be any number, but you have to remember this)
3. Under # Authentication:, change PermitRootLogin prohibit-password to PermitRootLogin no

You don't need to proceed further if you are OK with username/password authentication. Below are 2 more authentication methods for you to explore: private/public key and Google/Microsoft Authenticator App.
Depending on the authentication method you choose, follow the corresponding instructions.
If you want to use a private/public key to authenticate yourself, follow the instructions below:
1. In /etc/ssh/sshd_config, uncomment #AuthorizedKeysFile    %h/.ssh/authorized_keys
2. Under # Change to no to disable tunnelled clear text passwords, uncomment PasswordAuthentication yes and change it to PasswordAuthentication no
3. Change ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no
On client
1. Open a terminal and execute ssh-keygen. When you see Enter passphrase, enter a strong passphrase so that nobody can use this key without the passphrase.
2. When done, copy id_rsa.pub to the server.
Back to server
1. Append the full contents of id_rsa.pub (the public key copied from the client) to (Home directory, like /home/david)/.ssh/authorized_keys (if this file does not exist, create it)
Hint: You can also follow this article to copy the public key to the server.
Please proceed to Connect to server.
Note: With this method, you can only connect to the account on the server that has your public key. You will not be able to use the passwords of accounts on the server to authenticate yourself, and you will not be able to unlock the key pair if you forget the passphrase that unlocks the private key.
If you want to use the account password on the server together with the temporary code from the Google/Microsoft Authenticator App (similar to two-step authentication), follow the steps below.
On the server
1. In terminal, execute sudo apt install libpam-google-authenticator qrencode to install dependencies.
2. Now, switch to the user that you want to have Google/Microsoft Authenticator configured for (for example, user david on the server), and execute google-authenticator to generate a secret key.
When prompted Do you want authentication tokens to be time-based (y/n), you might need to choose y. If you choose n, you might experience some problems when authenticating yourself in the future.

Please note: The Raspberry Pi has no real-time clock, hence it needs to synchronize its time with a network time server at every startup.

3. Now, open Google/Microsoft Authenticator on your phone and scan the barcode in terminal.
4. Then, add auth required pam_google_authenticator.so to /etc/pam.d/sshd
5. Change ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes in /etc/ssh/sshd_config
6. If you want to turn off Public Key Authentication, change PubkeyAuthentication yes to PubkeyAuthentication no in /etc/ssh/sshd_config
Please proceed to Connect to server.
Note: With this method, you can only connect to an account on the server using that account's password and the temporary code from the Authenticator App.
Connect to server
Restart ssh by restarting the server to make sure that ssh only accepts the authentication method that you want.
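Before restarting, it helps to confirm that the file really contains the settings chosen above, because a line that was edited but left commented out silently keeps the old behaviour. The script below is an added example, not part of the original tutorial; the names first_value, expect, audit_sshd and sample_config are made up here, and it assumes a single config file without Include or Match blocks.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes one config file with
# whitespace-separated "Keyword value" lines and no Include or Match blocks.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config key|totp

# first_value KEYWORD FILE: print the first uncommented value of KEYWORD.
# sshd keeps the first value it reads; keywords are case-insensitive.
first_value() {
    awk -v k="$1" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == k { print tolower($2); exit }' "$2"
}

# expect KEYWORD WANTED FILE: print a finding and return 1 on mismatch.
expect() {
    got=$(first_value "$1" "$3")
    [ "$got" = "$2" ] && return 0
    echo "FAIL $1: want '$2', found '${got:-nothing uncommented}'"
    return 1
}

# audit_sshd FILE MODE: MODE is "key" (public key only) or "totp"
# (password plus authenticator code). Exit status = number of findings.
audit_sshd() {
    f=$1; n=0
    # sshd listens on every Port line, so none of them may be 22.
    ports=$(awk '/^[ \t]*#/ { next } tolower($1) == "port" { print $2 }' "$f")
    case " $(echo $ports) " in   # unquoted on purpose: joins the lines with spaces
        "  ") echo "FAIL Port: no uncommented Port line"; n=$((n + 1)) ;;
        *" 22 "*) echo "FAIL Port: still listening on 22"; n=$((n + 1)) ;;
    esac
    expect PermitRootLogin no "$f" || n=$((n + 1))
    case $2 in
        key)  expect PasswordAuthentication no "$f" || n=$((n + 1))
              expect ChallengeResponseAuthentication no "$f" || n=$((n + 1)) ;;
        totp) expect ChallengeResponseAuthentication yes "$f" || n=$((n + 1)) ;;
        *)    echo "usage: audit_sshd FILE key|totp" >&2; return 64 ;;
    esac
    return "$n"
}

# Constructed sample: an edit left commented out, and a duplicate keyword
# whose second value sshd never uses.
sample_config() {
    printf '%s\n' 'Port 39485' 'PermitRootLogin no' '#PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'challengeresponseauthentication yes'
}

if [ $# -eq 2 ]; then audit_sshd "$1" "$2"; fi
```

On the server itself, sudo sshd -t additionally checks the file for syntax errors before the restart.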
Make sure the client and the Raspberry Pi are connected to the same network. Open a terminal on the client and type ssh -p 39485 -X david@192.168.88.88 (192.168.88.88 is the IP address of the Raspberry Pi; replace david with the user you are logging in as on the Raspberry Pi). If you changed the port earlier, make sure the port numbers are the same. If you do not want X window forwarding, omit -X. If you experience problems with X forwarding (especially on Mac), try replacing -X with -Y.
When typing the password and the verification code (if applicable), you will see nothing as you type. This is normal.
The Google/Microsoft Authenticator method is adapted from Google Authenticator.