Using password-based SSH is dangerous, especially if you want to put your Raspberry Pi on a public network such as the internet. That’s why you should disable password-based SSH and switch to key-based authentication. In this article, you will learn how to configure SSH key-based authentication on Raspberry Pi.
The process is not as simple as enabling SSH, which was addressed in the previous article. You need to edit some configuration files. The overall process is as follows:
- Generate private and public keys on the client machine
- Install the public key on the pi
- Disable the SSH password-based authentication
- Configure SSH on the client machine for easy access (optional)
Generate private and public keys on the client machine
First, open the terminal on the client machine and type,
$ ssh-keygen -t rsa
The command asks you for a path. You can either accept the default one (if you don’t have any other key) or give your desired path and name such as
After that, you should set a passphrase. That is optional, but it’s highly recommended to provide a passphrase (a strong one).
RSA is the default algorithm and is considered highly backward compatible and relatively safe. The default key length is 3072 bits. Anything shorter is unsafe.
However, if you prefer to be safer, you can increase the key length to 4096 bits as follows:
$ ssh-keygen -t rsa -b 4096
There is another algorithm, ed25519. It is considered the most secure one. However, it is not compatible with older SSH clients. If you would like to use ed25519, you can generate a key like this:
$ ssh-keygen -t ed25519
Now you have the private and public keys generated. To verify it, just run the following command,
$ ls ~/.ssh
You should see at least two files there. One ends with _rsa.pub and another with _rsa. Such as
Install the public key on the pi
To install or copy over the generated public key on the pi, you can use the ssh-copy-id command as follows,
$ ssh-copy-id -i ~/.ssh/raspberrypi_rsa.pub pi-username@pi-ip-address
SSH to your Raspberry Pi and inspect the ~/.ssh directory. You should see the authorized_keys file. That’s the public key file.
To ensure the key-based SSH is working, head to your client and run,
$ ssh pi-username@pi-ip-address
You should be able to SSH to your Pi without providing the password.
Disable the SSH password-based authentication
The last mandatory step is to disable password-based authentication. Before you do, make sure key-based authentication is already working.
Open the sshd_config file on your Raspberry Pi.
$ sudo vim /etc/ssh/sshd_config
Find the following lines and change them as follows,
If those lines are commented, uncomment them and set the above values. If they don’t exist, add them at the end of the file.
Finally, reload the SSH daemon so changes can take effect.
$ sudo systemctl reload sshd
Ensure password-based authentication is disabled
Head to your client terminal and try to SSH with password-based authentication.
$ ssh pi-username@pi-ip-address -o PubKeyAuthentication=no
You should get the Permission denied (publickey) error.
Root SSH should also be disabled,
$ ssh root@pi-ip-address
You should get the same error message too.
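The manual test above can be backed by a check of the configuration file itself. The script below is an added example, not part of the original article: it reads an sshd_config-style file the way sshd does (keywords are case-insensitive and the first value read for a keyword wins) and reports whether password logins are still possible. The keywords are real OpenSSH ones, but the set checked here and the sample file are assumptions, since the article's own list of changed lines is not shown on the page.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config-style file for leftover password logins.
# Assumption: the keywords checked are real OpenSSH ones chosen for this
# example; the article's own list of changed lines is not shown on the page.

# Print the value sshd would use for a keyword in the global section.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive. $1=file  $2=lowercase keyword regex  $3=OpenSSH default
effective_value() {
  awk -v key="$2" -v def="$3" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    tolower($1) == "match" { exit }          # Match blocks are conditional
    tolower($1) ~ ("^(" key ")$") { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# Return 0 only if password logins are off, key logins on, root login off.
audit_sshd_config() {
  local file="$1" rc=0 v
  v=$(effective_value "$file" passwordauthentication yes)
  [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v"; rc=1; }
  # ChallengeResponseAuthentication is the deprecated alias of this keyword.
  v=$(effective_value "$file" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)
  [ "$v" = no ] || { echo "FAIL KbdInteractiveAuthentication=$v"; rc=1; }
  v=$(effective_value "$file" pubkeyauthentication yes)
  [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication=$v"; rc=1; }
  v=$(effective_value "$file" permitrootlogin prohibit-password)
  [ "$v" = no ] || { echo "FAIL PermitRootLogin=$v"; rc=1; }
  return "$rc"
}

# Constructed sample: the later "no" does not override the earlier "yes",
# and the commented-out line has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "password logins still possible"
rm -f "$sample"
```

This sketch reads one file and stops at the first Match block. On the Pi itself, `sudo sshd -T` prints the configuration sshd actually resolved, including defaults and any Include files, and is the authoritative cross-check.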
Configure SSH on the client for easy access (optional)
You can now connect to your Raspberry Pi like ssh pi-username@pi-ip-address. But that’s too much hassle. You need to remember your Pi IP address and type it each time. An easier way is to define an alias.
For that you need to create a config file under the client ~/.ssh directory and fill it as follows,
Host pi pi-ip-address
Once you’re done, you should be able to connect to your Pi by typing,
$ ssh pi
If you want to check your Raspberry Pi SSH logs for auditing purposes, you can use the command below,
$ cat /var/log/auth.log