We have seen how to use SSH to connect a secure terminal to our Raspberry Pi. It is one of the most powerful tools and one we will use most frequently when working with remote systems.
However, using SSH forces us to constantly enter the password. Which, if the password is long (and for security it should be), well, what can I say… it’s a real pain 😄.
We have a widely used and recommended alternative, which is generating a pair of cryptographic keys to use as an SSH authentication system.
This method uses a pair of asymmetric cryptographic keys (a public key and a private key) to authenticate you, eliminating the need to enter a password every time you connect.
Let’s see how to set it up.
Generate the SSH key pair on the client device
First, we need an SSH key pair. This first step must be done on the client device (i.e., the computer from which you will connect to the Raspberry Pi, for example your PC).
Windows 10 and later, and most Linux distributions have SSH installed (OpenSSH or similar)
To do this, open a terminal on your client device (which could be Windows, Linux, or WSL, for example).
Run the following command to generate an SSH key pair:
ssh-keygen -t rsa -b 4096 -C “[email protected]”
Where,
- -t rsa: Specifies the type of encryption algorithm, in this case RSA
- -b 4096: Defines the key size in bits (4096 is a secure length)
- -C
[email protected]: Optional, adds a comment to identify the key (for example an email address)
Next, the system asks us to choose a location to save the key.
Enter file in which to save the key (/home/usuario/.ssh/id_rsa):
We can leave the default name, or give it any name we want. (for example the App, or the client’s name).
Or we can press Enter to accept the default location (the .ssh folder).
Regardless of the filename we choose, it is convenient to keep the .ssh path.
Finally, the system optionally allows us to add a passphrase to protect the private key.
Enter passphrase (empty for no passphrase):
We can leave it blank if we prefer not to have to enter a passphrase every time we use the SSH key (it’s less secure, but one of our goals is not having to type passwords all the time, right?).
This process will generate two files
id_rsa, private key which we must keep on the client (and never give to anyone)id_rsa.pub, public key which we must copy to the Raspberry Pi
Copy the public key to the Raspberry Pi
Now that we have our key pair, we need to copy the public key id_rsa.pub to the Raspberry Pi.
The content of this file must be added to the .ssh folder inside the user’s home directory on the Raspberry Pi, in a file called authorized_keys.
For this we have two options:
From another Linux
If we are working with a Linux client (for example, your computer is Ubuntu or WSL from Windows) we will have access to a utility called ssh-copy-id that does everything for us.
ssh-copy-id usuario@direccion_ip
Simply replace with your Raspberry Pi’s username and IP address (for example, [email protected]).
This command will copy the public key from your client device to the ~/.ssh/authorized_keys file on your Raspberry Pi. During this process, you will be asked for your Raspberry Pi password to complete the operation.
If you changed the certificate name (instead of the default id_rsa), you can specify the filename.
ssh-copy-id -i ~/.ssh/nombre_fichero.pub usuario@direccion_ip
From Windows
If we don’t have the ssh-copy-id tool available, we will have to copy it “manually”. Don’t worry, it’s not too difficult.
We simply need to add the content of the public key id_rsa.pub to the user’s ~/.ssh/authorized_keys file.
For example, you can copy it via scp with this command:
scp id_rsa.pub usuario@direccion_ip:/home/nombre_usuario/id_rsa.pub
And then, connecting via ssh, we add the content of id_rsa.pub to ~/.ssh/authorized_keys (for example, with the nano editor).
ssh usuario@direccion_ip
mkdir -p ~/.ssh nano ~/.ssh/authorized_keys
Or we could also add it like this (I prefer to copy it manually with nano):
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Finally, we make sure the file permissions are correct:
chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
Delete the id_rsa.pub file you copied to the Raspberry Pi once you have finished copying its content to authorized_keys.
PowerShell script to set it up in one step:
$USER_AT_HOST="username@remote-machine-IP"
$PUBKEYPATH="$HOME\.ssh\id_nombre.pub"
$pubKey=(Get-Content "$PUBKEYPATH" | Out-String); ssh "$USER_AT_HOST" "mkdir -p ~/.ssh && chmod 700 ~/.ssh && echo '${pubKey}' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Where, before copying, you must replace:
- username@remote-machine-IP, with your Raspberry Pi username, and the Raspberry Pi’s IP (or its hostname)
- id_nombre.pub with the name you gave to your key file
Connect to the Raspberry Pi without a password
We’ve already done the hard part. Now it’s time to check that everything works correctly. You should be able to connect to your Raspberry Pi without needing to enter a password:
ssh nombre_usuario@direccion_ip
If everything went well, you should log into your Raspberry Pi automatically without needing to enter a password.
