Raspberry Pi SSH: Complete Setup, Key Auth, and Hardening Guide

Raspberry Pi SSH

Raspberry Pi SSH is the standard way to connect to and manage a Pi without a keyboard, mouse, or monitor. SSH is enabled in Raspberry Pi Imager’s advanced settings before flashing, which means a headless Pi is accessible over the network on the first boot with no additional configuration. This guide covers enabling SSH via Imager, the first connection from Windows, macOS, and Linux, setting up key-based authentication with ed25519 keys, disabling password login, and hardening the SSH daemon configuration. For a static IP before running SSH, see Raspberry Pi Static IP: Router Reservation, nmcli, and nmtui Guide.

Last tested: Raspberry Pi OS Bookworm Lite 64-bit | May 2026 | Raspberry Pi 4 Model B (4GB) and Raspberry Pi 5 (8GB) | OpenSSH 9.2

Key Takeaways

  • Do not use the empty ssh file method to enable SSH on current Raspberry Pi OS. That method is deprecated. The correct method is to enable SSH in Raspberry Pi Imager’s advanced settings (the gear icon or Ctrl+Shift+X) before flashing. This also sets the username, password, hostname, and optionally the public key in one step.
  • Disable password authentication only after confirming that key-based login works in a separate terminal session. Running sudo systemctl restart ssh while still logged in via password does not lock you out immediately, but if key login fails and you close the session, recovering requires physical access to the Pi or reflashing. Test key login in a second terminal before disabling passwords.
  • The ssh file drop in /boot/ and the wpa_supplicant.conf drop method are both deprecated on Bookworm and do not work reliably. Raspberry Pi Imager handles both headless WiFi and SSH setup in its advanced settings panel and is the only supported path for new builds.

Enabling Raspberry Pi SSH with Raspberry Pi Imager

Download and install Raspberry Pi Imager from raspberrypi.com/software. Insert a microSD card, select the OS and storage device, then open the advanced options before clicking Write. On Windows and macOS the button is labelled “Next” which opens a “Use OS customisation?” dialog. Click “Edit Settings.”

In the General tab, set the hostname, username, and password. In the Services tab, enable SSH and choose either password authentication or public key authentication. For public key authentication, paste the contents of your existing public key (typically ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub on the client machine) into the field. If you do not have a key pair yet, generate one first (covered in the next section) then return to Imager.

Flash the card, insert it into the Pi, and power on. The Pi is accessible over SSH within 30-60 seconds of boot. Connect using the hostname set in Imager:

ssh youruser@yourpi.local

If .local resolution does not work (common on some Windows configurations without Bonjour), use the IP address instead. Find the Pi’s IP from the router’s DHCP client list or by scanning: nmap -sn 192.168.1.0/24.

Expected result: The first connection shows a host key fingerprint prompt. Type yes to accept and add the Pi to ~/.ssh/known_hosts. The prompt changes to youruser@yourpi:~$. If the connection is refused, SSH may still be starting. Wait 30 seconds and retry. If it times out, confirm the Pi is on the network with a ping: ping yourpi.local.

[Figure: Raspberry Pi SSH setup and hardening flow: enable in Imager, first connection, key authentication, sshd hardening, and maintenance]

SSH Key Authentication on Raspberry Pi

Key-based authentication is more secure than passwords and more convenient once configured. The private key stays on the client machine; the public key is placed on the Pi. Authentication happens without typing a password.

Generate an ed25519 key pair on the client machine (not on the Pi). ed25519 is the current recommended algorithm: smaller, faster, and more secure than RSA 2048:

ssh-keygen -t ed25519 -C "yourpi-$(date +%Y)"

Accept the default path (~/.ssh/id_ed25519) or specify a custom path. Set a passphrase to protect the private key. The passphrase encrypts the local key file. It is not transmitted over the network.

Copy the public key to the Pi with ssh-copy-id:

ssh-copy-id -i ~/.ssh/id_ed25519.pub youruser@yourpi.local

On Windows without ssh-copy-id, copy the key manually:

type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh youruser@yourpi.local "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Test key login in a new terminal session before changing any sshd configuration:

ssh -i ~/.ssh/id_ed25519 youruser@yourpi.local

Expected result: The connection succeeds without prompting for a password (only the local key passphrase if set). The prompt shows the Pi’s shell. If it still asks for a password, check permissions on the Pi: ~/.ssh must be 700 and ~/.ssh/authorized_keys must be 600:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

SSH Config and Hardening on Raspberry Pi

Once key login is confirmed, disable password authentication in the SSH daemon config. Open the sshd config on the Pi:

sudo nano /etc/ssh/sshd_config

Set or confirm these lines (uncomment and change as needed):

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 20

On Bookworm, some settings may be overridden by drop-in files in /etc/ssh/sshd_config.d/. Check for conflicting settings:

grep -r "PasswordAuthentication" /etc/ssh/

Restart the SSH daemon to apply changes:

sudo systemctl restart ssh

Expected result: In a separate terminal, attempt to connect with a password: ssh -o PubkeyAuthentication=no youruser@yourpi.local. The connection should be refused with “Permission denied (publickey).” If key login still works from the first terminal, the hardening is complete.
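One way to confirm which values sshd will actually use before restarting it, as an added example that is not part of the original guide. On Debian-based systems the Include of /etc/ssh/sshd_config.d/*.conf sits at the top of sshd_config and sshd keeps the first value it reads for each keyword, so a drop-in wins over the main file and grep alone does not show the result. The function name audit_sshd and both sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): compare the effective sshd
# settings, as printed by `sshd -T`, with the values this guide sets.

# Expected values from the guide's sshd_config list; `sshd -T` prints
# keywords in lowercase, one "keyword value" pair per line.
EXPECTED='passwordauthentication no
permitrootlogin no
pubkeyauthentication yes
authorizedkeysfile .ssh/authorized_keys
x11forwarding no
maxauthtries 3
logingracetime 20'

# Constructed sample: what `sshd -T` reports when a drop-in in
# /etc/ssh/sshd_config.d/ still sets "PasswordAuthentication yes".
SAMPLE_OVERRIDDEN='port 22
passwordauthentication yes
permitrootlogin no
pubkeyauthentication yes
authorizedkeysfile .ssh/authorized_keys
x11forwarding no
maxauthtries 3
logingracetime 20'

# Constructed sample: the same dump after the drop-in is corrected.
SAMPLE_HARDENED=$(printf '%s\n' "$SAMPLE_OVERRIDDEN" |
    sed 's/^passwordauthentication yes$/passwordauthentication no/')

# audit_sshd: read `sshd -T` output on stdin, print one line per setting that
# differs from EXPECTED, return 0 if all match and 1 otherwise.
audit_sshd() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | sed -n "s/^$key //p" | head -n 1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=${got:-unset} expected=$want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# On the Pi: sudo sshd -T | audit_sshd && sudo systemctl restart ssh
```

Because sshd -T reads the configuration files rather than the running daemon, the check works before the restart and the restart only happens when every setting matches.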

Client-side SSH config. A ~/.ssh/config file on the client avoids typing the full connection string each time. Create or edit ~/.ssh/config:

Host mypi
    HostName yourpi.local
    User youruser
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60

Host labpi
    HostName 192.168.1.100
    User chuck
    IdentityFile ~/.ssh/id_ed25519
    Port 22

With this file, connecting is as simple as ssh mypi. The config supports multiple Pis with different usernames, keys, and ports, and ProxyJump chains for reaching Pis behind a jump host.

Fail2ban for SSH. Fail2ban monitors auth logs and bans IPs after repeated failed attempts. Install on the Pi:

sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban

The default configuration protects SSH with a 10-minute ban after 5 failed attempts. For a Pi accessible from the internet (not recommended without Tailscale or a VPN), tighten the ban time in /etc/fail2ban/jail.local.

Troubleshooting Raspberry Pi SSH Connection Problems

Connection refused. SSH is not running or not enabled. On the Pi (with physical access or serial console): sudo systemctl status ssh. If inactive, start it: sudo systemctl enable --now ssh. Confirm the port is not blocked by UFW: sudo ufw status. If UFW is active, allow SSH: sudo ufw allow ssh.

Connection timeout. The Pi is unreachable. Confirm it is on the network with ping yourpi.local or ping [ip]. If no response, check that the Pi booted successfully (activity LED pattern) and that the network cable is seated or WiFi credentials are correct. For WiFi, confirm the SSID and password were set correctly in Imager before flashing.

Host key verification failed. The Pi’s host key changed (common after reflashing). Remove the old key from the client:

ssh-keygen -R yourpi.local
# Or by IP:
ssh-keygen -R 192.168.1.100

Permission denied (publickey). Key login failing is almost always a permissions issue on the Pi. Check:

# On the Pi:
ls -la ~/.ssh/
# ~/.ssh should be drwx------ (700)
# authorized_keys should be -rw------- (600)

# Check the authorized_keys file contains the correct public key:
cat ~/.ssh/authorized_keys

Also confirm there are no conflicting PasswordAuthentication directives in /etc/ssh/sshd_config.d/ that override the main config.
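The permission checks from this section and from the key authentication section, as an added example that is not part of the original guide. sshd's StrictModes option (on by default) also checks the user's home directory, so a group-writable home directory blocks key login even when ~/.ssh is 700 and authorized_keys is 600. The function name check_ssh_perms is hypothetical, and the sketch checks write bits only, not ownership.

```sh
#!/bin/sh
# Added example (not from the original guide): report the paths that make
# sshd's StrictModes check reject a key.

# check_ssh_perms HOME_DIR: print each of HOME_DIR, HOME_DIR/.ssh and
# HOME_DIR/.ssh/authorized_keys that is missing or writable by group/others.
# Returns 0 when nothing is reported, 1 otherwise. Ownership is not checked.
check_ssh_perms() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            bad=1
        # -prune stops find from descending; -perm -020 / -002 match the
        # group-write and other-write bits respectively.
        elif [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $p"
            bad=1
        fi
    done
    return "$bad"
}

# On the Pi: check_ssh_perms "$HOME" || echo "fix the paths listed above"
```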

SSH too slow to connect. DNS resolution on the server is causing delays. Add UseDNS no to /etc/ssh/sshd_config and restart SSH. Also add GSSAPIAuthentication no to the client ~/.ssh/config for the affected host.

FAQ

How do I enable SSH on Raspberry Pi?

In Raspberry Pi Imager, open the advanced settings (gear icon or Ctrl+Shift+X), go to the Services tab, and enable SSH before clicking Write. Set a username and password in the General tab at the same time. This is the only supported method on current Raspberry Pi OS Bookworm. The old method of dropping an empty ssh file into the boot partition is deprecated and unreliable on Bookworm.

What is the default Raspberry Pi SSH username and password?

There is no default. Current Raspberry Pi OS Bookworm requires credentials to be set in Raspberry Pi Imager before flashing. The old default username pi and password raspberry no longer exist. If an image flashed without setting credentials prompts for a password, the first-boot setup wizard will require creating a user before SSH becomes accessible.

How do I find my Raspberry Pi’s IP address for SSH?

The hostname set in Imager resolves via mDNS as hostname.local on macOS and Linux without any additional configuration. On Windows, mDNS resolution requires Bonjour (installed with iTunes or Apple devices) or enabling the mDNS responder. If .local does not resolve, find the IP from the router’s DHCP client list, or scan the network with nmap -sn 192.168.1.0/24 and look for the Pi’s hostname or MAC address (Raspberry Pi Foundation OUI prefix: B8:27:EB, DC:A6:32, E4:5F:01, or D8:3A:DD for Pi 5).

How do I SSH into Raspberry Pi from Windows?

Windows 10 (1809+) and Windows 11 include OpenSSH client built in. Open PowerShell or Command Prompt and run ssh youruser@yourpi.local. No third-party client (PuTTY, MobaXterm) is required, though those remain options. For key generation on Windows, run ssh-keygen -t ed25519 in PowerShell. Keys are stored in C:\Users\yourname\.ssh\. The ~/.ssh/config shortcut works in Windows PowerShell using the same syntax as Linux.

Is it safe to expose Raspberry Pi SSH to the internet?

Not recommended without additional protection. A Pi with SSH port-forwarded to the internet receives automated brute-force attempts within minutes. If remote access is required, use Tailscale instead of port forwarding. It creates a private encrypted network between the Pi and your devices with no port exposure. If SSH must be exposed directly, disable password authentication, change the port from 22, and run Fail2ban. For the complete Tailscale setup, see Tailscale Raspberry Pi: Complete Secure Remote Access Guide.



About the Author

Chuck Wilson has been programming and building with computers since the Tandy 1000 era. His professional background includes CAD drafting, manufacturing line programming, and custom computer design. He runs PidiyLab in retirement, documenting Raspberry Pi and homelab projects that he actually deploys and maintains on real hardware. Every article on this site reflects hands-on testing on specific hardware and OS versions, not theoretical walkthroughs.
