Configure SSH key-based authentication on Raspberry Pi

Configure SSH key-based authentication on Raspberry Pi

Using password-based SSH is dangerous, especially if you want to put your Raspberry Pi on a public network such as the internet. That’s why you should disable the password-based SSH and switch to key-based authentication. In this article, you will learn how to configure SSH key-based authentication on Raspberry Pi.

The process is not as simple as enabling SSH that addressed in the previous article. You need to toy with some configuration files. The overall process is as follows:

  • Generate private and public keys on the client machine
  • Install the public key on the pi
  • Disable the SSH password-based authentication
  • Configure SSH on the client machine for easy access (optional)

If you don’t want to read the entire article, you can watch the YouTube video instead 😀

Generate private and public keys on the client machine

First, open the terminal on the client machine and type,

$ ssh-keygen -t rsa

The command asks you for a path. You can either accept the default one (if you don’t have any other key) or give your desired path and name such as ~/.ssh/raspberrypi_rsa.

After that, you should set a passphrase. That is optional, but it’s highly recommended to provide a passphrase (a strong one).

RSA is the default algorithm and is considered highly backward compatible and relatively safe. The default key length is 3072 bits. Anything shorter is unsafe.

However, if you prefer to be safer, you can increase the key length to 4096 bits as follows:

$ ssh-keygen -t rsa -b 4096

There is another algorithm, ed25519. It is considered the most secure one. However, it is not compatible with the old SSH client. In case you like to use ed25519, you can generate a key like this:

$ ssh-key-gen -t ed25519

Now you have the private and public keys generated. To verify it, just run the following command,

$ ls ~/.ssh

You should see at least two files there. One ends with and another with _rsa. Such as and raspberrypi_rsa

Install the public key on the pi

To install or copy over the generated public key on the pi, you can use the ssh-copy-id command as follow,

$ ssh-copy-id -i ~/.ssh/ pi-username@pi-ip-address

SSH to your Raspberry Pi and inspect the ~/.ssh directory. You should see the authorized_keys file. That’s the public key file.

To ensure the key-based SSH is working, head to your client and run,

$ ssh pi-username@pi-ip-address

You should be able to SSH to your Pi without providing the password.

Disable the SSH password based authentication

The last mandatory step is to disable password based authentication. Of course, ensure the key-based authentication is already working.

Open sshd_config file in your Raspberry Pi.

$ sudo vim /etc/ssh/sshd_config

Find the following lines and change them as follows,

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding no

If those lines are commented, uncomment them and set the above values. If they don’t exist, add them at the end of the file.

Finally, reload the SSH daemon so changes can take effect.

$ sudo systemctl reload sshd

Ensure password based authentication is disabled

Head to your client terminal and try to password based SSHing.

$ ssh pi-username@pi-ip-address -o PubKeyAuthentication=no

You should get the Permission denied (publickey) error.

Root SSH should also be disabled,

$ ssh root@pi-ip-address

You should get the same error message too.

Configure SSH on the client for easy access (optional)

You can now connect to your Raspberry Pi like ssh pi-username@pi-ip-address. But that’s too much hassle. You need to remember your Pi IP address and type it each time. An easier way is to define an alias.

For that you need to create a config file under the client ~/.ssh directory and fill it as follows,

Host pi pi-ip-address
    HostName pi-ip-address
    IdentityFile ~/.ssh/raspberrypi_rsa
    User pi-username

Once you’ve done, you should be able to connect to your Pi by typing,

$ ssh pi

SSH logs

In case you want to check your Raspberry PI SSH logs for auditing purposes, you can use the below command,

$ cat /var/log/auth.log

Inline/featured images credits