Did you know that you can log into your Raspberry Pi via Terminal without a password? And make it even more secure?
Yes, no password and more robust security go together, provided that you have a private key installed on your computer.
You have probably heard that this is hard to do, and the first time you do it, that may not be totally wrong.
But if explained well, as I will attempt in this article, it is, in fact, very straightforward.
Note: This article focuses on generating private/public key pairs on macOS/Linux computers and using them to connect to Raspberry Pi devices.
A short introduction
As Bitcoin becomes ever more popular, so does the knowledge about encryption and private keys.
But if I were to guess, I’d still say that only 1% of all computer users have a private key installed on their computer.
All others use a password that they dutifully have to enter each time they connect.
But what if you could guarantee to your Raspberry Pi that your MacBook is a trusted device?
That’s basically how private keys work.
Private keys, together with their public counterpart, are part of asymmetric encryption. This is a lot more secure than passwords that are usually just a few characters long.
And although security might not be paramount for a digital picture frame, using private keys also adds a layer of convenience.
Let’s look at the following use case: You are working on a digital picture frame on your Raspberry Pi and you use your MacBook to connect to your headless Pi and make code changes.
The connection is made through the terminal app by entering
You will be asked for your password and, if correct, your Raspberry Pi lets you in.
But there is another way: You can register your MacBook as a trusted computer on your Raspberry Pi.
Your Pi has your public key and can verify that it matches your private key, but without ever seeing it.
All you need to do is create a pair of keys, a public and a private one, and add the public key to a config file on your Raspberry Pi.
Once you have done that, you will never have to enter a password again.
Creating an ssh key pair
Before you create a new key, take a moment to see if you may already have an existing SSH key on your computer.
To do this, type in the Terminal (on your Mac/Linux device)
If you see something like
id_rsa id_rsa.pub known_hosts
you do not need to generate a new key pair but can use the existing one.
You create a private and a public key pair on the computer you use to access other computers. In my case, my MacBook.
In Linux or macOS, you open the Terminal app and enter
ssh-keygen -t rsa
You will see
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa):
Accept the default directory. When
Enter passphrase (empty for no passphrase):
comes up, you can either add a passphrase (password) for maximum security or just hit return to leave it empty. I leave it empty.
This is what you should get.
Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:NvHyQQHxva+PvXaxm1xjEQ+ai+CdSiZNrtySGlyHEDY pi@Pi4withPF2021
The key's randomart image is:
+---[RSA 2048]----+
| E oo. |
| . o . o |
| . . o . .. |
| . . + + .o|
| o S o + ..|
| . . B * + o ..|
| o ..* = . .o+|
| oo* . ++.=|
| ..o.o oo+*.|
+----[SHA256]-----+
Reading the key pair
To know what your public key looks like, type
$ pbcopy < ~/.ssh/id_rsa.pub
which copies the contents of the id_rsa.pub file to your clipboard.
Your public key will look something like this
ssh-rsa <base64-encoded key data> wm@iMac.fritz.box
Note that the leading “ssh-rsa” and the trailing (in my case) “wm@iMac.fritz.box” are both part of the public key.
Should you have more than one, you can list all the public keys on your device with:
$ ls ~/.ssh/*.pub
If you want to have a look at your private key, type
$ pbcopy < ~/.ssh/id_rsa
and copy your clipboard into an editor.
It will look something like this (only longer):
-----BEGIN OPENSSH PRIVATE KEY-----
<base64-encoded key data>
-----END OPENSSH PRIVATE KEY-----
If you ever need to copy your private key, include everything from the first to the last hyphen.
Adding your computer’s public key
In this part, I will show you how to register your Mac as a trustworthy device on the Raspberry Pi.
Copy the public key of your (Mac/Linux) computer to the clipboard with
$ pbcopy < ~/.ssh/id_rsa.pub
In the Terminal connected to your Raspberry Pi type
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
and paste the public key in there. Save and close.
Finally, the ssh config file on the Raspberry Pi needs to be changed with
sudo nano /etc/ssh/sshd_config
In this file, you will see a lot of lines that have been commented out with a “#”.
Look for this line and change it to “yes”.
Save and close and restart SSH with
sudo /etc/init.d/ssh restart
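The two steps above, as an added example that is not part of the original article: one helper installs a public key into authorized_keys with owner-only permissions and refuses a private key, and another reads an sshd_config to report whether password login is still accepted next to key login. The function names are hypothetical, the keywords checked (PubkeyAuthentication, PasswordAuthentication) and their default of "yes" are assumptions of this example, and Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example; the function names are hypothetical helpers.

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends one public key to HOME_DIR/.ssh/authorized_keys with owner-only
# permissions. Returns 2 if the file does not hold a public key.
install_pubkey() {
    key=$(head -n 1 "$1") || return 2
    case "$key" in
        *"PRIVATE KEY"*) echo "refusing: $1 is a private key" >&2; return 2 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: $1 is not an OpenSSH public key" >&2; return 2 ;;
    esac
    auth="$2/.ssh/authorized_keys"
    mkdir -p "$2/.ssh" && chmod 700 "$2/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x: whole line, -F: literal string; never add the same key twice
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# sshd_setting KEYWORD DEFAULT CONFIG_FILE
# Prints the value from the global section of an sshd_config: lines starting
# with "#" are ignored, the first uncommented occurrence wins, and DEFAULT
# (assumed here to be the OpenSSH default) applies when the keyword is unset.
# Simplification: stops at the first Match block, does not follow Include.
sshd_setting() {
    awk -v k="$1" -v d="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }
    ' "$3"
}

# login_policy CONFIG_FILE
# Summarises whether key login is on and password login is still accepted.
login_policy() {
    pub=$(sshd_setting PubkeyAuthentication yes "$1")
    pw=$(sshd_setting PasswordAuthentication yes "$1")
    case "$pub/$pw" in
        yes/no)  echo "key-only" ;;
        yes/yes) echo "key+password" ;;
        *)       echo "pubkey=$pub password=$pw" ;;
    esac
}
```

On the Pi, `install_pubkey ~/id_rsa.pub "$HOME"` followed by `login_policy /etc/ssh/sshd_config` shows whether a password is still accepted alongside the key; a result of `key+password` means the key adds convenience but the password remains a way in.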
Connecting to the Raspberry Pi
From your Mac/Linux computer, connect to your Raspberry Pi in the terminal as you normally would:
and just like magic, without asking you for a password, you will connect.
If you get a message like “REMOTE HOST IDENTIFICATION HAS CHANGED” read this article.
A few more answers
Q: Can I use the same public key for other computers that I connect to?
A: Yes, in fact, you can use it for any number of devices. You can also use it when you connect to servers via e.g. FileZilla.
Q: I have several computers that I use to connect to my Raspberry Pi. How does this work?
A: All you have to do is create a key pair on every computer as described above. Then you just need to add the public key of each additional computer, on a line of its own, to the authorized_keys file on the Raspberry Pi with
sudo nano ~/.ssh/authorized_keys
Q: Is a private key device-dependent?
A: Yes, each device has its own private and, as a consequence, public key.
Q: What happens if my hard disk crashes/my computer gets stolen etc.? How will I be able to still log in to my Raspberry Pi?
A: Just as you should store passwords in a password manager, you can do the same with your public and private keys.
On your replacement computing device, run the
ssh-keygen -t rsa
sudo nano id_rsa.pub
and paste the public key from the backup in there. Do the same with the private key with
sudo nano id_rsa
I hope this article helps to remove a bit of the mystery surrounding public/private keys and the whole encryption debate.
Just remember that a key pair pertains to a particular hardware device and that you only ever give away your public key, never the private one.