Logging into a Rasberry Pi using Public/Private Keys

In a previous post we covered enabling sshd on the Raspberry Pi. Now that we’ve got SSH setup I’ll cover how to log in using a public/private key-pair rather than using password authentication. This is particularly useful if you’re going to put the Pi on the public internet. It’s also pretty handy if you can’t be bothered to type your password each time you ssh into the device.

The first step is to ensure that you have a public private key-pair installed on your local machine. Most developers will already have this but in linux or mac you can normally generate a new pair using:

ssh-keygen -t rsa -C "your_email@youremail.com"

I won’t cover creating these in any detail as there are plenty of guides available. Github’s guides cover this as a side effect of setting up git here and an issues helper here.

Next up we need to copy our keys over to the Rasberry Pi. I’m going to use the following script:

cat ~/.ssh/id_rsa.pub | ssh pi@ "mkdir .ssh;cat >> .ssh/authorized_keys"

This assumes that your private key is stored in ~/.ssh/id_rsa.pub and that the ip address of the server is You can change these for your own values. If all goes well you should be prompted for the password for the last time.

Now we should be able to log in using:

ssh pi@

This time we shouldn’t be asked for a password it should use the key instead!

Disallowing password login. To disallow password login we need to edit the ssh config found in /etc/ssh/sshd_config. Do do this we can ssh into the Pi. Once at the prompt we can enter the following:

sudo vi /etc/ssh/sshd_config
scroll down to the section that says #PasswordAuthentication yes
With the cursor over the # press x
Then scroll the console to the end and press i
Then press backspace to delete the word yes and replace it to no
Then press the escape key, press : and then w, then press : and then q.

We now need to restart sshd. The easiest way to do this is to type sudo /etc/init.d/ssh restart alternatively you can just reboot using sudo reboot.

Enabling SSH on Debian Raspberry Pi

Debian is the default recommended image for the Raspberry Pi. If you’re using the Raspberry Pi as a server you’ll most likely want to be able to manage it remotely over the network using a local computer and SSH. However, by default SSH isn’t enabled on the Pi. We’ll walk through the basics of getting SSH enabled and logging into the Raspberry Pi over SSH.

The first thing we need to do is log into the Pi normally by plugging in a monitor and keyboard. It also makes sense to plug in the network cable at this point. Once the board boots you get the login screen where the default username is pi and password raspberry.

If you want to change this password you can just type:


Now we’re going to enable SSH at boot. Luckily there’s a script that enables SSH for us provided so we just need to use the following command to move it to the right location:

sudo mv /boot/boot_enable_ssh.rc /boot/boot.rc

Once we’ve done this rebooting the Raspberry Pi will show something like:

Starting OpenBSD Secure Shell server: sshd

You should now be able to log in via SSH and the same username and password. To find the ip address we need to type:

ip addr

Here we want to look for the ip address on eth0 for example if the output is

1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
2: eth0: mtu 1488 qdisc pfifo_fast state UP qlen 1000
    link/ether b8:27:eb:49:32:63 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0

then our ip address is listed after inet as You could even use ip addr | grep -e 'inet .* eth0' to find just this line.

With this ip address you can now log in using the following credentials:

host: (or whatever your IP was)
username: pi
password: raspberry (or whatever you changed it to)

On a unix based system this will most probably be:

ssh pi@

From here you can manage the Pi fully over SSH. It’s also possible to remove the password altogether and use a public/private keypair to log in. This is especially recommended if the Pi is going to be publicly available on the internet. In the next post we’ll cover removing the password and just using the keypair.