Raspbian setup notes
I’ve been growing a document of setup notes for a new Raspberry Pi running Raspbian for awhile. Raspberry Pis are a problem for me, because it’s easy to have lots of them doing lots of tasks, so I do, everywhere. I thought I’d publish these notes, glommed together from various sources, in case they’re useful for others.
While many of these may work on other hardware and software, they’re regularly tested on Raspberry Pi 2 Model B with Raspbian Lite Jessie.
I should really script this.
Start with Raspbian Lite. NOOBS has an extra boot step, and Raspbian full version has a GUI and stuff like Wolfram Engine that you probably don’t want.
Use console, or grab the IP from your router’s DHCP client list and:
ssh pi@<ip address> # password "raspberry"
sudo raspi-config --expand-rootfs sudo reboot
Wait for reboot. Reconnect as above.
sudo apt-get -y update sudo apt-get -y dist-upgrade
sudo apt-get -y install rpi-update sudo rpi-update
Enable overclock (optional)
Pis seem to be relatively stable overclocked, even without a heatsink.
sudo raspi-config # Select "8 Overclock" # Select "<Ok>" # Select "High" # Select "<Ok>" # Select "<Finish>" # Select "<No>"
sudo dphys-swapfile uninstall
Create a new user
sudo adduser <username> # Follow prompts sudo usermod --append --groups sudo <username>
SSH in as the new user
# ON YOUR PI # Find your Pi's current IP, you don't know it ifconfig # ON ANOTHER MACHINE # If you don't already have an SSH key pair ssh-keygen -t ed25519 cat ~/.ssh/id_ed25519.pub # Copy your key to your Pi ssh <username>@<ip> mkdir .ssh # Enter password scp ~/.ssh/id_ed25519.pub <username>@<ip>:.ssh/authorized_keys # Enter password # Connect to your Pi; this should NOT ask for a password ssh <username>@<ip>
Lock down sshd
The SSH server has a lot of options turned on by default for compatibility with a wide range of clients. If you’re connecting only from modern machines, and you’ve gotten public key authentication working as described above (and tested it!), then you can turn off lots of the legacy options.
sudo tee /etc/ssh/sshd_config <<END Port 22 Protocol 2 HostKey /etc/ssh/ssh_host_ed25519_key UsePrivilegeSeparation sandbox # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin no StrictModes yes AuthenticationMethods publickey RSAAuthentication no PubkeyAuthentication yes IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no PasswordAuthentication no X11Forwarding no X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes AcceptEnv LANG LC_* UsePAM yes KexAlgorithms email@example.com Ciphers firstname.lastname@example.org MACs email@example.com END # Enter password for sudo
Enable the hardware random number generator
Note that hardware random number generators are controversial.
sudo modprobe bcm2835_rng echo bcm2835_rng | sudo tee --append /etc/modules sudo apt-get -y install rng-tools
Enable the hardware watchdog
This has false negatives (failures to reboot when it should) for me, but never false positives.
sudo apt-get -y install watchdog sudo tee --append /etc/watchdog.conf <<END watchdog-device = /dev/watchdog END
Enable automatic updates
sudo apt-get -y install unattended-upgrades sudo dpkg-reconfigure -plow unattended-upgrades # Choose "<Yes>"
You didn’t need mdns, did you?
sudo systemctl disable avahi-daemon.service
You didn’t need volume buttons, did you?
sudo systemctl disable triggerhappy.service
Disable frequency scaling
If you’re not planning to run on battery; this thing is slow enough anyway.
sudo apt-get -y install cpufrequtils sudo tee --append /etc/default/cpufrequtils <<END GOVERNOR="performance" END
This allows you to observe network topology if you have managed switches.
sudo apt-get -y install lldpd sudo tee --append /etc/default/lldp <<END DAEMON_ARGS="-c" END
Remove the pi user
Well-known username, well-known password, no thank you.
sudo deluser pi
You give up persistent syslogs, but you reduce SD writes. You can still run “logread” to read logs since boot from RAM.
sudo apt-get -y install busybox-syslogd
Test that changes work, and have some (disabling auto-login) take effect.
Note that ssh may scream “REMOTE HOST IDENTIFICATION HAS CHANGED!”; that’s a symptom of the sshd_config changes above. Just remove the line from the known_hosts file and reconnect.