Secure public ssh-access to your Raspberry

Provide public SSH access to your Raspberry and secure it by permitting access only to a dedicated user with key-only authentication.
From a security point of view it makes sense to disable login for the default pi user. It is not necessary to delete or disable this user altogether (it makes sense to keep it, as the initial configuration of e.g. Raspbian is done with 'pi').

Create new user on Raspberry

sudo adduser <newuser>

Give user permission to use sudo:

sudo visudo

Add an entry for the created user (NOPASSWD lets this user run sudo without entering a password):

...
# User privilege specification
root    ALL=(ALL:ALL) ALL
<newuser>   ALL=(ALL) NOPASSWD: ALL
...

Create ssh-keys

Switch to a different host (the client you will log in from) to create the login keys and copy the public key to the Raspberry:

ssh-keygen -t rsa -C <newuser>@<host> -f ~/.ssh/<newuser>_id_rsa
ssh-copy-id -i ~/.ssh/<newuser>_id_rsa <newuser>@<host>

Adapt ssh-configuration

Edit /etc/ssh/sshd_config (sudo nano /etc/ssh/sshd_config) to

  1. change the default SSH port,
  2. disable password authentication and
  3. allow only the new user to log in:

...
Port 4321
...

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
...

AllowUsers <newuser>
...
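
One way to check the edited file for the three settings above before restarting the daemon. This is an added example, not part of the original page; the function name audit_sshd_config, the sample file and the user name newuser are assumptions, and only global, whitespace-separated settings in the one file are read (no Include files or Match blocks).

```sh
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# port, password and AllowUsers changes described above.
# Assumption: Include files and Match blocks are not evaluated.

# audit_sshd_config FILE USER
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_sshd_config() {
    awk -v user="$2" '
        /^[ \t]*(#|$)/ { next }          # commented-out lines do not count
        { key = tolower($1) }            # keywords are case-insensitive
        key == "match" { exit }          # global section ends here
        key == "port" { nports++; if ($2 == "22") p22 = 1 }
        # sshd keeps the first value it reads for this keyword
        key == "passwordauthentication" && !pwseen { pwseen = 1; pw = tolower($2) }
        key == "allowusers" {
            nallow++
            for (i = 2; i <= NF; i++) {
                if ($i == user) found = 1
                else extra = extra " " $i    # other names or patterns: review by hand
            }
        }
        END {
            if (!nports || p22) { print "Port: sshd listens on the default port 22"; bad = 1 }
            if (pw != "no") { print "PasswordAuthentication: password login is still enabled"; bad = 1 }
            if (!nallow) { print "AllowUsers: not set, every account may log in"; bad = 1 }
            else if (!found) { print "AllowUsers: " user " is missing and would be locked out"; bad = 1 }
            if (extra != "") { print "AllowUsers: also permits" extra; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the password line was left commented out (so the
# default "yes" applies) and pi is still allowed next to newuser.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 4321
#PasswordAuthentication yes
AllowUsers newuser pi
EOF
audit_sshd_config "$sample" newuser || echo "fix the findings above before restarting sshd"
rm -f "$sample"
```

On the Raspberry itself, run it as audit_sshd_config /etc/ssh/sshd_config <newuser> and keep the current session open until a key-based login on the new port has succeeded.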

Restart the SSH daemon for the changes to take effect: sudo /etc/init.d/ssh restart

Login

From now on, only the new user is allowed to log in, using the created key:

ssh -i ~/.ssh/<newuser>_id_rsa -p 4321 <newuser>@<host>

To switch to the initial pi user to continue with any configuration, use:

sudo su - pi