SSH is a great networking protocol. Secure, fast and commonly-used are probably some of the reasons why it’s the default for communicating with your Raspberry Pi. But having to type in a password each time you log in sucks.
Luckily SSH has these things called keys which you can use for password-less logins. Using SSH keys is really simple if you have a basic understanding of networks (like really basic) and the shell. Once you get the idea you could basically use SSH-keys for anything SSH related, from Github to Digital Ocean and Vagrant.
Generating SSH Keys
Setting up SSH keys is always the first thing I do on new Raspberry Pi images, but before doing so I like to install Bonjour on the pi first because then you don’t have to lookup IP’s. Avahi sometimes requires an update first.
sudo apt-get update sudo apt-get upgrade sudo apt-get install avahi-daemon --fix-missing #I had some errors without fix-missing flag
Safest way is to reboot your pi, but
sudo service avahi-daemon restart works just as well for our setting up right now.
Ok so now that is configured, it’s time to build the actual ssh keys.
Everything we do will typically be stored in a hidden directory in the home folder called
.ssh. Generating a new key there is as easy as:
ssh-keygen -t rsa -C "email@example.com"
This creates a new key with the RSA type and creates it from the comment email address you provide. ssh-keygen will ask you for a password (make it secure) to create the new keys.
This will generate two new keys in the
~/.ssh directory, called
id_rsa.pub. It’s important to pause and think about how they act.
The first one is your private key and the .pub one is the public one. Typically, matching keys will require you to provide the public one to a service (Like Github, or the Pi login over SSH) so it can identify you. The first private key matches with the public one to authenticate you.
Never ever ever ever post the contens of id_rsa anywhere, this could lead to a huge security hole in your machine.
Now there are two options to match keys with the pi:
There’s this great application called ssh-copy-id which automatically matches the contents from the public key to a ssh host.
On Linux it’s mostly installed by default, but OS X can install it from brew with:
brew install ssh-copy-id.
Now you can just match the key by running it and providing an ssh host:
Provide the password once more and keys should be matched. Try logging into your pi and you shouldn’t be asked for a password.
Manually copying the contents
Get the contents of the public key with
cat ~/.ssh/id_rsa.pub and copy them somewhere.
Log in to your pi and enter the ssh directory. Create it if you dont have it with
Typically the key authenticator is not present on a new Raspbian install so create it with:
touch ~/.ssh/authorized_keys && nano ~/.ssh/authorized_keys
Paste in the contents of id_rsa.pub you copied before, save and exit. Now log out of the pi and log back in. No password should be provided.
As an extra you could provide some info in ~/.ssh/config on your main machine to make logging in even easier:
host pi hostname raspi.local user pi port 22
Now logging in is as simple as