Provide public SSH access to your Raspberry and secure it by permitting access only to a dedicated user with key-only authentication.
From a security point of view, it makes sense to disable login for the default pi user. It is not necessary to delete or disable this user entirely (it makes sense to keep it, because the initial configuration of e.g. Raspbian is done with 'pi').
Create a new user on the Raspberry:
sudo adduser <newuser>
Give user permission to use
Add config for the created user:
...
# User privilege specification
root ALL=(ALL:ALL) ALL
<newuser> ALL=(ALL) NOPASSWD: ALL
...
Meanwhile, switch to a different host to create the login keys:
ssh-keygen -t rsa -C <newuser>@<host> -f ~/.ssh/<newuser>_id_rsa
ssh-copy-id -i ~/.ssh/<newuser>_id_rsa <newuser>@<host>
Run sudo nano /etc/ssh/sshd_config to
- change the default SSH port,
- disable password authentication, and
- allow only the new user to log in:
...
Port 4321
...
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
...
AllowUsers <newuser>
...
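The three settings can be checked mechanically before the daemon is restarted. The script below is an added example, not part of the original guide; the function names sshd_values and check_sshd_config and the user name alice are hypothetical, and it assumes whitespace-separated keywords with no Include files or Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three changes listed above.
# Assumptions: whitespace-separated "Keyword value" lines; Include files and
# Match blocks are not evaluated.

# Print all values of keyword $2 in file $1 on one line, in file order.
# Keywords are case-insensitive. Every occurrence is collected so that a
# stray extra Port or AllowUsers line is not missed.
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, "")
            out = out (out == "" ? "" : " ") $0
        }
        END { print out }
    ' "$1"
}

# Return 0 if file $1 has the guide's hardening for user $2, else 1.
check_sshd_config() {
    cfg=$1; user=$2; rc=0
    ports=$(sshd_values "$cfg" Port)
    pw=$(sshd_values "$cfg" PasswordAuthentication)
    pw=$(printf '%s' "${pw%% *}" | tr 'A-Z' 'a-z')   # first value read wins
    allow=$(sshd_values "$cfg" AllowUsers)

    # Unset keywords fall back to sshd defaults: port 22, passwords allowed.
    case " ${ports:-22} " in
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; rc=1 ;;
    esac
    if [ "${pw:-yes}" != no ]; then
        echo "FAIL: PasswordAuthentication is not 'no'"; rc=1
    fi
    # Without AllowUsers, every account (including pi) may log in.
    if [ "$allow" != "$user" ]; then
        echo "FAIL: AllowUsers is '${allow:-unset}', expected only '$user'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cfg"
    return "$rc"
}

# Constructed sample: the earlier "yes" overrides the later "no".
sample=$(mktemp)
printf '%s\n' 'Port 4321' 'passwordauthentication yes' \
    'PasswordAuthentication no' 'AllowUsers alice' > "$sample"
check_sshd_config "$sample" alice || echo "sample config needs fixing"
rm -f "$sample"
```

Running sudo sshd -t checks the file's syntax before the restart. Keep the current session open until a login with the new key and port works.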
Restart the SSH daemon for the changes to take effect:
sudo /etc/init.d/ssh restart
From now on, only the new user is allowed to log in, using the created key:
ssh -i ~/.ssh/<newuser>_id_rsa -p 4321 <newuser>@<host>
To switch to the initial pi user and continue with any configuration, use:
sudo su - pi