The Raspberry Pi Basics

This is intended as a quick-start guide to Raspberry Pi and assumes you have a main machine (Windows, Linux, Mac) to work from. I have both an original Raspberry Pi Model B and a Raspberry Pi 3 Model B. So this procedure will work on both and, hopefully, any Raspberry Pi up to the Pi 3.

Of course you'll need a monitor, keyboard and mouse to hook up to your Pi and a compatible SD or microSD memory card to get it off the ground. It's inconvenient to use the peripherals attached to your main machine but the goal here is to get remote access to the Pi working as fast as possible, so if you have to use your main keyboard, mouse and monitor just go ahead. After that it will work "headless" as long as it has power and a network connection.

Groundwork for Windows Users

Yep, most computers run Windows. It might seem hard to believe, but when running Raspberry Pis as Linux machines Windows users are at a slight disadvantage. If you're cool with setting up SSH connections to non-Windows machines just go ahead and skip this section. There are two ways to add to Windows the capabilities we need for the Raspberry Pi.

Option 1: Windows Subsystem for Linux (Beta)

Newly added to Windows 10 is the ability to use a bash shell (Linux terminal screen). I grabbed some instructions from How-To Geek and followed those. If you can hit the Start button and find "bash" when you search for it, you're on your way. The first time you run bash on Windows it asks if you want to install Ubuntu on Windows; you're in the right place. Go ahead.


I installed this on a Windows 10 virtual machine running on Parallels for Mac and it took quite a while. Grr. Anyway, this is what it looked like when I installed it.

 -- Beta feature --  
 This will install Ubuntu on Windows, distributed by Canonical  
 and licensed under its terms available here:  
 https://aka.ms/uowterms  
 Type "y" to continue: y  
 Downloading from the Windows Store... 100%  
 Extracting filesystem, this will take a few minutes...  
 Please create a default UNIX user account. The username does not need to match your Windows username.  
 For more information visit: https://aka.ms/wslusers  
 Enter new UNIX username: prawnhead  
 Enter new UNIX password:  
 Retype new UNIX password:  
 passwd: password updated successfully  
 Installation successful!  
 The environment will start momentarily...  
 Documentation is available at: https://aka.ms/wsldocs  
 48 packages can be updated.  
 29 updates are security updates.  
 prawnhead@MACBOOKPROWIN10:/mnt/c/Windows/System32$  

Option 2: PuTTY

If you'd rather not go through the above to get the bash shell working in Windows (and learning how to use it!) then just install PuTTY. Download PuTTY here. Go ahead and install it from the downloaded MSI file and I'll cover how to use it later.

Installing Raspbian Using NOOBS

You don't need me to show you how to do this. If you don't like the tutorial available from RaspberryPi.org then find a video or tutorial you like. If you're using WiFi and can join the WiFi network during the installation, do that. We'll check network connectivity later either way. Ensure you install the full Raspbian.

Once you get the dialog "All OSes installed successfully" the Pi reboots and the console screen logs itself in with the default user 'pi' and password 'raspberry'.

Keyboard

I had an issue with Raspbian picking up the wrong keyboard configuration. When I tried to edit files I had no quotation marks, etcetera. They were probably mapped to a key combination somewhere but I couldn't find it! It might be good to open a text editor and ensure all your keys work as you expect. I had to go further:
  1. Open a terminal
  2. Type raspi-config and hit <Enter>
  3. Select Localisation Options <Enter>
  4. Select Change Locale (use cursor up/down and <Enter>)
  5. (I selected en_AU, ISO-8859-1) Use the cursor up/down keys and <Space> to select. You will also need to deselect any other locales you don't want, then hit <Enter>
  6. A selection is required to select a system language. I selected en_AU.
  7. Select Localisation Options
  8. Select Change Keyboard Layout
  9. I selected Generic 104-Key PC and hit <Enter>
  10. Keyboard layout English (US)
  11. Key to function as AltGr: No AltGr key
  12. Compose key: No compose key
  13. Use Ctrl-Alt-Backspace to terminate X-Windows server: No
  14. <Finish>

Updating

Raspbian components are updated all the time. To get up to date, at a bash prompt (terminal) run the command sudo apt-get update followed by sudo apt-get upgrade.

Configuring for Remote Control

It's useful to configure two types of remote control, secure shell (SSH) and virtual network computing (VNC). We want to do the minimum work necessary so that we can unplug the Pi from its peripherals and run headless.

Networking

At this stage we're using the Pi's "console", the keyboard, mouse and monitor connected directly to it.
Open a terminal.

Type ifconfig and hit <Enter>. The output will look like this:

 pi@Pi1:~ $ ifconfig  
 eth0   Link encap:Ethernet HWaddr b8:27:eb:ac:d1:c0   
      inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0  
      inet6 addr: fe80::e711:57b4:5d4e:6314/64 Scope:Link  
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1  
      RX packets:166964 errors:0 dropped:894 overruns:0 frame:0  
      TX packets:57155 errors:0 dropped:0 overruns:0 carrier:0  
      collisions:0 txqueuelen:1000   
      RX bytes:57313285 (54.6 MiB) TX bytes:33978400 (32.4 MiB)  
   
 lo    Link encap:Local Loopback   
      inet addr:127.0.0.1 Mask:255.0.0.0  
      inet6 addr: ::1/128 Scope:Host  
      UP LOOPBACK RUNNING MTU:65536 Metric:1  
      RX packets:4875 errors:0 dropped:0 overruns:0 frame:0  
      TX packets:4875 errors:0 dropped:0 overruns:0 carrier:0  
      collisions:0 txqueuelen:1   
      RX bytes:3711570 (3.5 MiB) TX bytes:3711570 (3.5 MiB)  
   
 pi@Pi1:~ $   

If the Pi has a wired connection, it will be called eth0 and a wireless connection will usually be called wlan0. At this stage my wired network adaptor is connected; it's showing an inet addr which is the IP address given to that adaptor. Since the physical USB WiFi adaptor is unplugged, the wlan0 adaptor doesn't show up at all. lo is the loopback adaptor that does not connect to the outside world.

The wired ethernet adaptor will pick up an IP address when it is plugged in. Wireless is a little different. We need to edit a Linux configuration file to give Raspbian the name of the wireless access point to use and the password for it. If you connected to WiFi during the installation of Raspbian this is already done.

At the terminal, type sudo nano /etc/wpa_supplicant/wpa_supplicant.conf and hit <Enter>. You'll then be editing the wpa_supplicant.conf file in nano. Look out! Nano and other bash text editors (vi, vim, emacs) don't have the key bindings you're used to. Copy and paste for instance won't do what you want and you can't Ctrl-S to save. Make the file look like this with "ssidName" and "ssidPassword" replaced with the values for your access point. The "ssidNickname" can be whatever you like. Just use your cursor (up, down, left, right), backspace, delete and enter.

 network={  
   ssid="ssidName"
   psk="ssidPassword"
   id_str="ssidNickname"
 }  

To save and exit hit Ctrl-X. At the bottom of the screen you'll be prompted for a yes or no answer, hit "y". Then hit <Enter> to accept the existing file name. If you have a more complex scenario, read this.

Having updated the configuration we now need to restart the WiFi network adaptor. At the bash prompt:
  • sudo ifdown wlan0
  • sudo ifup wlan0
Wait a few seconds then run ifconfig again. You should now see your wireless network adaptor has an IP address next to the inet addr label. Now you should be able to go back to your workstation and ping an IP address on the Pi and get a result.

Your Pi should now be on your network with either a wired or wireless connection. Don't use both at the same time. If both are configured and working, just unplug the cable from the Ethernet port.

Setting Up SSH

Secure shell is a text-only connection to your Pi. Why would you want that? Well, it's very powerful. If you haven't used a bash shell on a Linux computer much it will seem out of date and strange. Well, that's what I thought. But if you stay with it, you learn it's a mighty powerful tool.
  1. On the Pi, go back to the terminal and start raspi-config again.
  2. From the menu, pick Interfacing Options
  3. Choose SSH
  4. Select Yes
  5. Select OK
  6. Select Finish
That should be it for SSH configuration right now. Back at the workstation we need to test the SSH connection. On Mac and Linux pop open a terminal. On Windows you should either use Windows Subsystem for Linux (bash) or PuTTY as outlined above. The username and password pair for SSH is 'pi' and 'raspberry'. Other than that you only need to know the IP address for the Pi.

Starting SSH at a bash prompt goes like this:

 ~/.ssh: ssh pi@192.168.1.4  
 The authenticity of host '192.168.1.4 (192.168.1.4)' can't be established.  
 ECDSA key fingerprint is SHA256:cD3Esvi0cJojYnyBXlMGbL1qDOi2irDTpUqrcgsdQ8A.  
 Are you sure you want to continue connecting (yes/no)? yes  
 Warning: Permanently added '192.168.1.4' (ECDSA) to the list of known hosts.  
 pi@192.168.1.4's password:   
   
 The programs included with the Debian GNU/Linux system are free software;  
 the exact distribution terms for each program are described in the  
 individual files in /usr/share/doc/*/copyright.  
   
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent  
 permitted by applicable law.  
 Last login: Fri Mar 3 16:24:54 2017  
   
 SSH is enabled and the default password for the 'pi' user has not been changed.  
 This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.  
   
 pi@raspberrypi:~ $   

In PuTTY:

Click "Yes"

Congratulations, you've now opened up your Raspberry Pi to anyone who is on your network! Yes, that's a problem. We should at least heed the warning given about changing the pi user's password:

 pi@raspberrypi:~/.ssh $ passwd   
 Changing password for pi.  
 (current) UNIX password:   
 Enter new UNIX password:   
 Retype new UNIX password:   
 passwd: password updated successfully  
 pi@raspberrypi:~/.ssh $   

That's a start. But it ain't much!

Losing Your Head

Believe it or not SSH is all you need to run the Raspberry Pi headless. Having the desktop is nicer, and we'll set that up now with VNC. But you can stop using the console and do everything from here on remotely with SSH. If you're using the keyboard, mouse and monitor from another computer you can disconnect those from your Pi and just leave the USB power plug attached and the network cable if you're not using WiFi.

A few tips:
  • Find the IP address of your pi from your DHCP server (usually the Internet router) or by logging on to the Pi's console and running ifconfig
  • Use ping on your workstation to know if the Pi is connected to the network
  • Reboot your Pi at any time using sudo reboot
  • Change your Pi's configuration as you did at the console by using raspi-config on an SSH connection.

Locking Down SSH

So far we've handled the convenience of remoting into your Pi. Now we make it very hard for anyone to abuse our remote access services. And if we do that, we can safely allow SSH directly from the Internet.

SSH is a very secure means of communication as long as the authentication method is up to it. Right now an SSH connection to your Pi is allowed using only the username 'pi' and the (possibly weak?) password you set above. That won't do. Change the password to something really hard? Not good enough. Create a new user and disable the 'pi' user? Yes, but we can do better. Authentication using an SSH key pair, which this guide loosely calls certificate authentication, is the gold standard.

We can generate a pair of cryptographic keys to use in SSH connections. This is the same kind of public-key cryptography your web browser uses when you go to a secure site using transport layer security (TLS), which used to be called secure sockets layer (SSL). If it's good enough for your banking web site, it's good enough for us to use for SSH.

Certificate Authentication

Mac/Linux

This is on your main computer, the one you want to use to connect to the Pi.
  1. Create an SSH key pair:
    1. Open a terminal
    2. If your ~/.ssh folder contains the files id_rsa and id_rsa.pub, you already have an SSH key pair. Ignore the rest of the steps in this sub-list.
       prawnhead@ubuntu:~$ ls -a .ssh  
       . .. id_rsa id_rsa.pub  
       prawnhead@ubuntu:~$   
      
    3. Since you don't have an SSH key pair, use the command ssh-keygen -t rsa -b 4096 to create them. The passphrase is used to encrypt your private key. Choose a very strong passphrase and put it in your password vault app.
       prawnhead@ubuntu:~$ ssh-keygen -t rsa -b 4096  
       Generating public/private rsa key pair.  
       Enter file in which to save the key (/home/prawnhead/.ssh/id_rsa):   
       Created directory '/home/prawnhead/.ssh'.  
       Enter passphrase (empty for no passphrase):   
       Enter same passphrase again:   
       Your identification has been saved in /home/prawnhead/.ssh/id_rsa.  
       Your public key has been saved in /home/prawnhead/.ssh/id_rsa.pub.  
       The key fingerprint is:  
       SHA256:ZkXtG9Q0jraWB5uot0f/P72snYG99Ljm+MaYm/OTrZo prawnhead@ubuntu  
       The key's randomart image is:  
       +---[RSA 4096]----+  
       |           .. oo |  
       |          . oo.. |  
       |           .o+ . |  
       |          . oo*  |  
       |         S . *o. |  
       |        o . .o.o |  
       |        . .. * *.|  
       |         . .=+@oB|  
       |          ..E@O@B|  
       +----[SHA256]-----+  
       prawnhead@ubuntu:~$   
  2. So the Pi will recognise you by your SSH key, you need to get your public key onto the Pi and append it to the ~/.ssh/authorized_keys file. There's a command for that too. Remember to change the IP address to what your Pi is using:
     prawnhead@ubuntu:~$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub pi@192.168.1.4  
     /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/prawnhead/.ssh/id_rsa.pub"  
     /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed  
     /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys  
     pi@192.168.1.4's password:   
     Number of key(s) added: 1  
     Now try logging into the machine, with:  "ssh 'pi@192.168.1.4'"  
     and check to make sure that only the key(s) you wanted were added.  
     prawnhead@ubuntu:~$   
    
  3. Now test your SSH connection to the Pi. You should be prompted for the passphrase for your private key. You know, the really strong one you put in your password vault? With that, you should be connected. If you want, you can check the box.
     prawnhead@ubuntu:~$ ssh pi@192.168.1.4  
     The programs included with the Debian GNU/Linux system are free software;  
     the exact distribution terms for each program are described in the  
     individual files in /usr/share/doc/*/copyright.  
     Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent  
     permitted by applicable law.  
     Last login: Fri Apr 14 02:33:09 2017 from 192.168.1.115  
     pi@raspberrypi:~ $   
    Notice that you didn't need the password for the pi user this time.
  4. Now, exit the SSH session and start it again. This time you don't need to unlock your private key and you don't need the pi user's password. Nice huh?
  5. Now we need to ensure you can't use the username/password for the pi user to connect by editing the configuration file for SSH on the Pi. Find the line #PasswordAuthentication yes and add below it, without the leading hash (pound) sign, the line PasswordAuthentication no. Ctrl-X to close, 'Y' to save, <Enter> to accept the existing file name.
     pi@raspberrypi:~ $ sudo nano /etc/ssh/sshd_config   
     pi@raspberrypi:  

  6. If we just restart the SSH service the new configuration will take effect.
     pi@raspberrypi:~ $ sudo /etc/init.d/ssh restart  
     [ ok ] Restarting ssh (via systemctl): ssh.service.  
     pi@raspberrypi:~ $  
    
  7. If you try to connect to your Pi from a machine that has not had its public key added to the Pi's authorized_keys file, you can see the Pi does not fall back to asking for username and password. It's certificates only from now on. If you need to add more SSH clients' public keys to the Pi, just reverse the change to the sshd_config file and restart the SSH service as shown above.
     ~: ssh pi@192.168.1.4  
     Permission denied (publickey).  
     ~:   
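
Step 5 only works if the line you add is the first active PasswordAuthentication setting, because sshd keeps the first value it reads for each keyword. The check below is an added example, not part of the original post: the function names and the three sample files are constructed, and the defaults it falls back to are assumed to be the upstream OpenSSH ones.

```shell
#!/bin/sh
# Added example, not from the original post. Defaults passed below are the
# upstream OpenSSH defaults (an assumption about the sshd build on your Pi).

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, so print the first
# uncommented occurrence in the global section, or DEFAULT if there is none.
effective_value() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)           # keyword/value separator
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # Match blocks are conditional
            if (key == tolower(want)) { print tolower(val); found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# password_login_open FILE
# Exit status 0 when a password-style method is still enabled globally.
password_login_open() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    kbd=$(effective_value "$1" KbdInteractiveAuthentication unset)
    # Older releases spell the same switch ChallengeResponseAuthentication.
    [ "$kbd" != unset ] || kbd=$(effective_value "$1" ChallengeResponseAuthentication yes)
    echo "PasswordAuthentication=$pw keyboard-interactive=$kbd"
    [ "$pw" != no ] || [ "$kbd" != no ]
}

# make_samples DIR: three constructed sshd_config fragments.
make_samples() {
    printf '%s\n' 'PasswordAuthentication yes' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
        > "$1/appended-below-active-yes.conf"
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'UsePAM yes' \
        > "$1/commented-then-no.conf"
    printf '%s\n' 'ChallengeResponseAuthentication no' \
        'Match Address 192.168.1.0/24' '    PasswordAuthentication no' \
        > "$1/only-inside-match.conf"
}

# Demo over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.conf; do
    if password_login_open "$f"; then
        echo "  ${f##*/}: password logins still possible"
    else
        echo "  ${f##*/}: key-only"
    fi
done
rm -rf "$demo_dir"
```

On the Pi itself, sudo sshd -T prints the configuration sshd actually resolves, which is the authoritative version of this check.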
    

Windows

If you've installed the Windows Subsystem for Linux (beta) click the Start menu and search for 'bash'. Then follow the above instructions for Mac/Linux. The only difference I've found is that the password to unlock the SSH private key is required every time you connect. Is it a bug? I don't know.

When using PuTTY on Windows (original procedure from HowToForge.com):
  1. Open PuTTY.
  2. Ensure the connection type is set to SSH. Enter pi@ followed by the Pi's IP address in the Host Name box. Click Open.
  3. You'll need to use the password 'raspberry' if you haven't changed that yet. That being the case, use the command passwd to set a new password on the pi account. Leave this SSH window open, we'll need it in a minute.
  4. Click the START button and search the Start menu for "Putty", click PuTTYgen
  5. Click Generate. You'll need to move your mouse around to generate some randomness.
  6. Once the progress bar hits 100% you will see the generated key nicely formatted ready to paste into the authorized_keys file.

  7. Click Save public key. Find a location to save it to. I suggest creating an SSH folder under the user's Documents folder. I named my file id_rsa.pub.
  8. Click Save private key. Use the same location. I named mine id_rsa.
  9. Select the entire Public key text from PuTTY Key Generator and hit Ctrl-C to copy it to the clipboard.
  10. Now go back to the SSH terminal you left open earlier, run nano ~/.ssh/authorized_keys to open that file in the Nano editor. Go to the bottom of the file and paste in what you have on the clipboard. WARNING! The key combination to paste is probably not what you're used to. For me it was a right-click that pasted from the clipboard. Use Ctrl-X, then 'N' to quit Nano without saving changes if you messed up.
  11. Once you've pasted in the ssh-rsa key check the formatting. Make sure there are no line breaks in the key. It should sit on one line only.
  12. Close the SSH session to the Pi
  13. We need to run Pageant to manage the keys for PuTTY to use in our SSH connection. Hit Start and search for "Pageant". Start it. It will show an icon in the System Tray.
  14. Right click Pageant in the System Tray and click View Keys. Click Add Key then locate the private key file you saved earlier. Click Open. You'll now need to enter the passphrase used when you created the key pair. You should now see your key listed in the Pageant Key List.
  15. Start PuTTY again, enter Host Name: pi@192.168.1.4 (using your appropriate IP address) and hit Open. The connection should open without requesting a password.
  16. Now we need to ensure that some other agent connecting to the Pi can't gain access with a username and password pair. At the Pi's bash prompt enter sudo nano /etc/ssh/sshd_config
  17. Locate the line #PasswordAuthentication yes and alter it to PasswordAuthentication no. Don't forget to remove the leading '#' character! Again, use Ctrl-X, then 'Y', then <Enter> to exit saving changes.
  18. You can now restart SSH on the Pi with the command sudo /etc/init.d/ssh restart
  19. Now all SSH connections must be made using an SSH key pair. For all other machines that need to connect to this Pi ensure you generate an SSH key pair and copy the public key to ~/.ssh/authorized_keys on the Pi. If the other machines run Windows then you'll need to configure and run Pageant before it will work.
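
Steps 10 and 11 are where a pasted key most often goes wrong, and a key that does not parse only shows up later as Permission denied (publickey). The lint below is an added example, not part of the original post or of PuTTY: the function names and sample entries are constructed, the key blobs are filler rather than real keys, and it only recognises the three key types in its table.

```shell
#!/bin/sh
# Added example, not from the original post.

# lint_authorized_keys FILE
# Prints one verdict per entry; exit status 0 only if every entry is well formed.
lint_authorized_keys() {
    awk '
        BEGIN {
            # base64 of the length-prefixed type name that opens every key blob
            pre["ssh-rsa"]             = "AAAAB3NzaC1yc2E"
            pre["ssh-ed25519"]         = "AAAAC3NzaC1lZDI1NTE5"
            pre["ecdsa-sha2-nistp256"] = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY"
        }
        function bad(why) { printf "line %d: BAD  %s\n", NR, why; nbad++ }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        /(BEGIN|END) SSH2 PUBLIC KEY|PRIVATE KEY/ {
            bad("RFC 4716 or PEM wrapper, not the one-line OpenSSH format"); next
        }
        {
            # options such as from="..." may come before the key type
            t = 0
            for (i = 1; i <= NF; i++) if ($i in pre) { t = i; break }
            if (!t) { bad("no known key type (other type, or tail of a split key)"); next }
            blob = $(t + 1)
            if (blob !~ "^[A-Za-z0-9+/]+=?=?$" || length(blob) % 4 != 0) {
                bad($t " blob is truncated or not base64"); next
            }
            if (index(blob, pre[$t]) != 1) { bad("blob is not a " $t " key"); next }
            comment = ""
            for (i = t + 2; i <= NF; i++) comment = comment (comment == "" ? "" : " ") $i
            printf "line %d: ok   %s %s\n", NR, $t, comment
            good++
        }
        END { exit (nbad > 0 || good == 0) }
    ' "$1"
}

# make_sample_keys FILE: constructed entries; the blobs are filler, not real keys.
# Lines 3 and 4 are one RSA key that picked up a line break when pasted;
# line 5 is the header of the file format PuTTYgen writes with "Save public key".
make_sample_keys() {
    printf '%s\n' \
        '# constructed sample' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLE prawnhead@ubuntu' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ' \
        'CONSTRUCTEDFILLERNOTAREALKEY== rsa-key-20170414' \
        '---- BEGIN SSH2 PUBLIC KEY ----' \
        > "$1"
}

# Demo over the constructed sample.
sample=$(mktemp)
make_sample_keys "$sample"
lint_authorized_keys "$sample" || echo "fix the BAD lines before disabling password logins"
rm -f "$sample"
```

Run it on the Pi as lint_authorized_keys ~/.ssh/authorized_keys before step 17, while password login is still available as a way back in.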

    SSH From the Internet

    Unless someone very knowledgeable has taken responsibility for your Internet security you should find that nothing inside your home or small office network is accessible from the Internet. How can you know for sure? Very easily.
    1. Open this web page https://www.grc.com/shieldsup
    2. Click the [Proceed] button.
    3. Click on [All Service Ports] in the middle of the page.
    4. Wait for the report to be generated
    GRC will probe your Internet connection for places where Internet attackers might be able to communicate directly with your computers or networking equipment. Unless you are very sure of what you're doing, this report should show green squares only.

    My port scan results show I have port 22 open. Hey! That's SSH! Sweet. Port 443 is required for my VPN. So my results are as per my expectations. If any other port showed red or blue I would immediately investigate.

    If you want to access your Raspberry Pi directly from the Internet you can if you've correctly configured your Pi to only accept connections with a valid SSH key pair. It's basically impossible for someone to log on to your Pi unless you first give the Pi their public key. We need a few things:
    • A second Internet service just for testing
    • A fixed Internet IP address or a dynamic DNS service to keep track of your dynamically-allocated Internet IP address
    • A firewall rule that "pinholes" port 22 TCP directly to the Pi
    • A client computer connected to the Internet that already has its public key added to the Pi's authorized_keys file
    I won't write procedures for all of these. You can look up tutorials applicable to your ISP and equipment. The tests that show you've done each of the above bullet points correctly are:
    • Use a shared hotspot from a phone, public WiFi or a friend's place.
    • From a device outside your network you can:
      • ping your fixed public IP address,
        OR,
      • ping the alias set up on your dynamic DNS service (eg. myhouse.dyndns.org) and if your dynamic Internet IP address changes the alias reflects the change quickly
    • Your DHCP server (router, usually) is configured to:
      • always give the Pi the same IP address (DHCP reservation),
        AND
      • a port forwarding rule on the Internet router forwards port 22 TCP to the IP address of the Pi
    • You can take a machine that has an SSH key pair where the public key has already been added to the Pi and tested on the same network, to another Internet connection and connect back to the Pi using the fixed public IP address or dynamic DNS alias.

    VNC

    For hard core Linux or Unix (Mac?) people having the command line (bash shell) is all you need. But for the rest of us it's nice to see the graphical user interface. Let's set up remote access to the desktop remotely (assuming you have SSH working).
    1. SSH to your Pi.
    2. At the bash prompt, enter sudo raspi-config
    3. Select 5 Interfacing Options
    4. Select P3 VNC
    5. "Would you like the VNC Server to be enabled?" Hit <Tab> <Space> to press Yes.
    6. "The VNC server is enabled". Hit <Space> to click OK.
    We can verify the VNC server is running by entering the following at a command prompt: ps -ax | grep vnc

     pi@raspberrypi:~ $ ps -ax | grep vnc  
      1791 ?      S    0:00 vncserver-x11-serviced  
      1792 ?      Sl   0:02 /usr/bin/vncserver-x11-core -service  
      1810 ?      S    0:00 /usr/bin/vncagent service 16  
      1812 ?      S    0:01 /usr/bin/vncserverui service 17  
      1827 ?      S    0:00 /usr/bin/vncserverui -statusicon 7  
      1854 pts/2  S+   0:00 grep --color=auto vnc  
    

    Now we need to connect to the Pi over VNC. You'll need a VNC viewer application. On Windows I've used TightVNC and RealVNC; no problems with them. On my Mac I have VNC Viewer 6.0.1 from RealVNC.
    1. Open VNC Viewer (or other VNC viewer app)
    2. Create a new connection for the Raspberry Pi.
      Note: The connection will be different for connection on the local network versus via the Internet
    3. Start the connection. As with an SSH connection, identity is checked and cached if you select Continue
    4. And voila! The desktop. Or, it should be. Mine only half loaded. This is a good time to Update Raspbian and see if it helps. The official procedure calls for installation of RealVNC Server on the Pi.
    5. All fixed.
    WARNING: You may have noticed from the above screen shots that VNC is connecting over port 5900. It might seem tempting to add a port forwarding rule to your router and get directly to your Pi's desktop using VNC. That would work, but it wouldn't be secure. See below.

    VNC over SSH

    SSH has excellent security when configured with the proper authentication method. If you've followed all of this tutorial you have SSH configured with a key pair for authentication. Excellent. Wouldn't it be great if we could have the convenience of a full graphical desktop with the security of an SSH connection? Come with me. I have just the thing.

    SSH can be configured to 'capture' network traffic on a specific port number and tunnel it through an SSH connection, making it reappear at the other end of the tunnel and connect it to the appropriate port number at the destination.

    Mac/Linux

    On the machine that wants to connect to the Pi: ssh -L 5900:localhost:5900 -N -l pi your.internet.alias

    So what? Well, we just told SSH to create a tunnel from this computer to the Pi so that when we try to connect a VNC Viewer to the current machine, SSH will tunnel that network traffic through SSH and make it magically connect to the Pi at the other end. Once that line is executed you can use VNC, to the Pi, with the security of SSH. Boom!

    Windows

    You can configure PuTTY to use SSH tunnelling with a key pair but I have spent way too much time on this post and just need to publish it. Sorry :).

    That is all.
