With this How To SSH Login Without Passwort (Mac to Raspi) you learn how you login securely without password. The How To is leveraging on ED25519 keys for secure SSH login.
Index of SSH Login Without Passwort (Mac to Raspi)
Background
SSH is great for secure login and it provides different options for authentication. The typical one is login by username and password. This is secure, but cybersecurity specialists recommend to replace the username/password login by the login leveraging on username/keys. In this how to we will be leveraging on the most modern and secure ED25519 keys.
As a matter of fact, login via keys can be even more convenient.
The environment leveraged for writing this How To consists of a Mac mini computer and a Raspberry Pi. The Mac mini computer is foreseen to login into the Raspberry, but not the other way around (even that would be possible too).
How To SSH Login Without Passwort (Mac to Raspi)
First of all, you need to activate SSH on your Raspberry pi. This you do by the following command:
sudo raspi-config
Next you select in the menu “Interface Options” and below this SSH. The many will ask you, whether you like to enable the SSH server. You will respond with yes.
In the next step we find out the IP address of the Raspberry Pi. This we do by running
ifconfig -a
Search for an IP address linked to eth0 or wlan0. In my case the IP address is 192.168.2.160. Knowing this, we move to the Mac and login the first time leveraging on SSH.
Start a terminal window on the Mac. Run the following:
ssh pi@192.168.2.160
Note: You need to replace the IP address that is in the above case 192.168.2.160 by the IP address you have identified in the previous step. Secondly, if your Raspberry does not consist of the default user called “pi”, than you need to replace the “pi” by whatever your user is called.
Once you logged in successfully, you open another, second terminal window on your Mac whilst keeping the SSH connection to your Raspberry open. Within the second terminal window on your Mac you type:
cat .ssh/id_ed25519.pub
This will turn into a result that looks like this, but obviously with different letters. It’s your public key that needs to be put on the Raspberry. You therefore copy this public key.
ssh-ed25519 AAAAXXxxxxxxxxI1NTE5xxxxIGM2GxcBxYjxL5hfuJaxCCvx1111111vxaXXXXXXXXXX
Back on the other Terminal window that consists of the SSH connection to your Raspberry. You type the following:
mkdir .ssh touch .ssh/authorized_keys vi .ssh/authorized_keys
This opens the vi editor for the file known_hosts. You now copy the public key that looks like this:
ssh-ed25519 AAAAXXxxxxxxxxI1NTE5xxxxIGM2GxcBxYjxL5hfuJaxCCvx1111111vxaXXXXXXXXXX
Let’s now doublecheck whether this works. Open a third terminal on you Mac and type
ssh -v pi@192.168.2.160
The login should now happen via the key. If you have not set a password for your private key, then the login will even happen without tying a password. If this is satisfying to you and you would like to have the overall installation even more secure, then you should disable login by password and only allow login by ED25519 keys. This will avoid that somebody could start to guess passwords for remote login. To do so, run
sudo vi /etc/ssh/sshd_config
and search for the line “#HostKey /etc/ssh/ssh_host_ed25519_key”. Take of the # so it looks like this:
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key
This will allow only login by ed25519 key. Secondly you search for “#PubkeyAuthentication yes”. If there is a # in front, take it off. This will enforce authentication by key. It should look like this:
PubkeyAuthentication yes
Secondly, you disable password authentication. Search for “PasswordAuthentication”. If there is a # in front of it you take it off and put the value that most likely is “yes” to “no”. Once done it should look like this:
PasswordAuthentication no
Restart now the SSH service by running:
sudo systemctl restart ssh.service
Once done, open a fourth terminal window on your Mac, or type exit in your 3rd terminal window on your Mac, whilst keeping the other open for the case your configuration does not work. If it does not work, then you can redo what you have done in the above. Now, on the fourth terminal window you type:
ssh -v pi@192.168.2.160
If again the login does work without any issue, then you are fine. Enjoy the more secure but easier life configuration!
Additional Information
I have written a hardening guide for openhabian. This is close to a Debian Linux as the openhabian Linux is based on Debian Linux. You maybe like to check out this guide too, as it gives you plenty of security options for your Raspberry.
More about OpenSSH can be found on this website.
Help and Comments
I am really looking forward for you to contact me if for example you found a better option or other idea then in this how to. Also, please touch base if you found an error or anything not working or if you have something that you would love to be added to this how to. Simply click this link to touch base with me.
Linking and Recommending the HowTo or the myhowto.blog
I would love to see you are recommending this how to or link it to your website. Also, I would love if you link or recommend the whole myhowto.blog. Please feel free to do so! In case you like to touch base regarding this topic with me, then simply click this link. I look forward!