Physical access cannot be completely defended. A sufficiently motivated person will reverse engineer the system to get access, up to disassembling it and reading off the hardware.
Make an attacker's task more difficult by replacing passwords with stronger authentication where possible.
SSH can be configured to remove password auth, both OpenSSH and dropbear implementations allow this.
Review what logins are possible locally, not over the network. Video out with USB in may enable login to a tty. Or, the hardware may provide a serial console.
On a Linux box with PAM libraries, authentication is customizable, via modules that can be combined in various ways.
Allow for login or sudo U2F with hardware authenticators like Yubikey (pam_u2f)
Allow one time password from a device (pam_google_authenticator or pam_oath)
Authenticate based on ssh-agent (pam_ssh_agent_auth)
Remove passwords as sufficient for authentication
Prohibit root login, only allow root to a difficult to physically access serial port (pam_securetty)
If you must have passwords, enforce a long length like 16 characters (pam_pwquality) and encourage use of phrases like with Diceware. Do not use "complexity" requirements, those are not user friendly.
That is an introduction to OS authentication, what about before? During boot is an example where physical access gets you in. Editing the kernel command in grub can get you a shell without credentials. Which while useful to recover from lost credentials, may not be desirable. Consider password protecting the boot loader.
