Generating SSH Keys

What are SSH Keys?

SSH keys are a common alternative to using passwords when logging into remote servers from your local machine. The important thing to remember about these keys is that there is a cryptographically generated private key and public key. The private key stays under your control and is never shared with anyone, while the public key is uploaded to any machine you would like to be able to log in to without using a password in the future. The Wikipedia article linked at the beginning of this paragraph has a good overview.

It’s a very simple process to set up a private/public SSH keypair: all you need to do is follow the instructions below, and then you will be able to upload your public key to any remote machine you like. Also, now that you’ve created keys of your own, you will be able to add SSH keys from your local machines (like your laptop) and upload them to your Raspberry Pi, meaning you will be able to log in to your Pi from your laptop without a password whenever you like.

All of these commands can also be run on your local Linux or Unix-like computer, which includes the likes of Debian and macOS (and OS X before it). I’m going to cover how to copy the keys you generate onto a remote machine in another post coming up soon.

Log in to Your Raspberry Pi with a Password for the Last Time

First, find the IP address of your Raspberry Pi. There are a million different ways to do this, one of them being the excellent WakeOnLan for OS X application, which when run will output a list of every device on your local network. All you have to do is look for a device that has a MAC address beginning with b8:27:eb, because the MAC address of every Raspberry Pi in the world begins with those six characters.

Another method is to open up your Terminal[1] and use the following command:

arp -a | grep b8:27:eb | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' 

This command will output the IP address of any device on your network whose MAC address begins with the six characters b8:27:eb, and if - like me - you have more than one Raspberry Pi on your network then picking out the right Pi is an exercise left to the reader.

In this instance the IP address is 192.168.0.81 so the login command becomes:

ssh pi@192.168.0.81


If you haven’t changed the default password, enter the word raspberry and press Enter. Note that the cursor will not move whilst you are typing, but it is accepting input. You really should change your password, by the way!


After inputting your password and pressing enter, this is what successfully logging into your Raspberry Pi via ssh looks like:

[Screenshot: successful login]

We now get down to the serious business of generating secure ssh keys. We are going to generate a larger than usual key to make it that much more difficult for any potential attacker to crack the cryptography that makes up our keypair and get access to our machine. The command we will use is:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa


There seems to be mixed advice about whether to use a passphrase with your SSH key. Strictly speaking it would be more secure, since a key without a passphrase can be used by anyone who gets a copy of the private key file, but we are trying to set up passwordless login to our Raspberry Pi, so we are just going to hit Enter at this point. Obviously, if your threat model contains the potential for somebody specifically trying to hack you, then using a passphrase on your keys would be the sensible thing to do.


When asked to enter the passphrase again, just press Enter.


After a little while you should see this screen, which means you have successfully generated a private/public SSH keypair. Congratulations, you!

[Screenshot: successful key generation]

Now we just need to quickly set some permissions and we will be done. This first command makes it so only the current user can write to the home folder:

chmod go-w ~/


We need to set the permissions for the folder containing our keys to 700 with:

chmod 700 ~/.ssh/


We need to create a file which will contain the public SSH keys of other machines that are allowed to log into this machine remotely[2]:

touch ~/.ssh/authorized_keys


Let’s protect the file we created in the previous step by setting its permissions to 600 with:

chmod 600 ~/.ssh/authorized_keys

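A quick way to confirm that the permission steps above took effect, as an added example that is not part of the original post. The function names audit_ssh_perms and mode_of and the output format are made up for illustration, and the check on the private key ~/.ssh/id_rsa goes one step beyond the commands shown.

```shell
#!/bin/sh
# Added example, not from the original post: audit the permissions set above.

# Print a path's permission bits in octal (GNU stat first, BSD/macOS fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_ssh_perms HOME_DIR (hypothetical helper name)
# Prints one line per finding; returns the number of problems (0 = all good).
audit_ssh_perms() {
    home=$1
    problems=0

    # chmod go-w ~/ : group and others must not be able to write to home
    if [ $(( 0$(mode_of "$home") & 022 )) -ne 0 ]; then
        echo "FAIL $home is writable by group or others"
        problems=$((problems + 1))
    fi

    # chmod 700 ~/.ssh/ : only the owner may enter the key folder
    if [ ! -d "$home/.ssh" ]; then
        echo "FAIL $home/.ssh does not exist"
        return $((problems + 1))
    elif [ "$(mode_of "$home/.ssh")" != 700 ]; then
        echo "FAIL $home/.ssh is $(mode_of "$home/.ssh"), expected 700"
        problems=$((problems + 1))
    fi

    # chmod 600 ~/.ssh/authorized_keys : only the owner may read or edit it
    f=$home/.ssh/authorized_keys
    if [ -e "$f" ] && [ "$(mode_of "$f")" != 600 ]; then
        echo "FAIL $f is $(mode_of "$f"), expected 600"
        problems=$((problems + 1))
    fi

    # The private key made by ssh-keygen must be closed to group and others
    k=$home/.ssh/id_rsa
    if [ -e "$k" ] && [ $(( 0$(mode_of "$k") & 077 )) -ne 0 ]; then
        echo "FAIL $k is accessible to group or others"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK permissions under $home look right"
    return "$problems"
}

# Usage: audit_ssh_perms "$HOME"
```
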

That’s it, job done! You can now log out with the exit command, go back to your local machine, copy the public SSH key from your local machine to your Raspberry Pi and then add it to the authorized_keys file. From that point forward you will no longer need a password to log in to your Raspberry Pi.


All logged out. :-)



  1. The Terminal application on OS X is found in /Applications/Utilities.

  2. Uploading public keys to remote machines is outside the scope of this post, but I will cover it in another post.