This post was prompted by an exchange I saw on a RasPi Facebook group a couple of weeks ago. It started when someone asked how many Raspberry Pis members had. Scores of people responded, and it became clear that many of us have lots. One guy claimed to have 300!
My own collection - that accumulated slowly over the years - amounts to about 13, each dedicated to its own little job.
To access my Pis, I maintain a spreadsheet with hostnames, static IP addresses, and different passwords for all 13. Before I ssh in, I need to open my spreadsheet and scroll down to the relevant listing to get the password. It's a bit laborious, but until recently, that's all I knew.
So the Facebook post got me wondering. How do other people do it? I followed up on the Original Poster's question with a query of my own. "How many Pis do you have and how do you communicate with them?"
I was amazed by the feedback - and equally amazed by the different methods used. For those interested, I've noted at the foot of this post some of them, but today I'm going to explain the simplest.
RaspberryPi dot Org
As usual, the best description can be found at the RasPi Foundation on this page. It explains how to log in to the Raspberry Pi without a password.
But, as I discovered, this is only half the story. I'd known for some time that this was possible, but I'd never put two and two together to understand what it actually meant. I just assumed it was to save typing a password into an individual pi. I had no idea what it was really for.
Private and Public Key Cryptography
The use of Private and Public keys for safe transmission of data is tried and tested. In RaspbianOS you create your keys with the command:
ssh-keygen
This produces "id_rsa" and "id _rsa.pub" files in your /.ssh directory.
You can freely share your Public Key with anyone - but it's not much use without the Private Key - that you guard with your life. Only when you have both keys, can data be deciphered. In simple terms, there's a link between them that can only be untangled when both are present. One without the other is just a very long string of gibberish.
So how does this help log in to lots of Pis?
Ok, so we have a secure way of transmitting data, but how does this help me communicate easily with a field of Raspberries?
While the page I linked to above explains how to generate keys, what is fails to reveal is that you can share the same Public Key with all your RasPis, so that you can easily log into them with a simple ssh pi@... command.
So, all I needed to do was copy my Public Key to all 13 Pis and I could forget about my password list forever. The command to do this is:
ssh-copy-id <USERNAME>@<IP-ADDRESS>
Once you've done that, you'll be able to log into all your Pis without entering a single password.
That's fine for lots of Pis, but what if I want to ssh in from more than one computer?
This had me stumped for a while.
I have a desktop and a laptop, and I wanted to be able to access the Pis without passwords from both.
The first question I asked myself was, do I share the Private Key between the laptop and the desktop? That way I could use the same Private and Public keys no matter which computer I am using.
I Googled the question and the general consensus what that sharing a Private Key is not recommended.
Then I hit a problem. If I used the same ssh-keygen
command on my second computer, it would generate a Public Key with the same name as the first one. If I copied over a Public Key with the same name, surely it would cause a conflict inside the Pi that would screw everything up?
I spent an hour Googling things like "naming convention for Public and Private keys," "how to avoid conflicting names of Public Keys" - but I kept going around in circles.
I went back and re-read the RasPi.org instruction page - particularly the troubleshooting stuff at the bottom. Nothing seemed to refer to the problem.
In the end, and against all my instincts, I simply used ssh-keygen
on my second computer, then copied it with ssh-copy-id <USERNAME>@<IP-ADDRESS>
to the Pi - fully expecting a full seizure and to be locked out the Pis forever.
But to my amazement, that's not what happened. The second Public Key automatically appended to the "authorised_keys" file - which you can view using the command: cat ~/.ssh/authorised_keys
.
So now I'm ssh_ing into all of my Pis from both of my computers without using a single password between them.
It's saving a lot of time and effort.