Everything I do when setting up a new Raspberry Pi
I’m a big fan of Raspberry Pi. I have a few in my house doing various things, so from time to time I have to set up a new Pi, which involves a lot of steps.
There are heaps of how-to guides out there for setting up your Raspberry Pi, so this is mostly for my own reference!
1. Image the card with your OS
I use Raspberry Pi’s first-party Imager tool and install stock Raspbian, but there are lots of convenience images for different use cases (e.g. Homebridge).
2. Enable SSH and set up your network
- Create an empty file at the root of the newly-imaged boot volume :
touch /Volumes/ssh. This will start thesshddaemon when the system boots. - If you’re connecting to WiFi, create a file at the root of the boot volume called
wpa_supplicant.conf. At the top of the file, add:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=<Insert 2 letter ISO 3166-1 country code here>
Then, add each of the WiFi networks that you want configured:
network={
ssid="<network_name>"
psk="<network_password"
}
3. Set up user accounts
Eject your SD card, stick it in the Pi, and boot it up! It’ll connect to your network, and within a few moments you can connect over SSH using the default credentials: ssh pi@raspberrypi.local. The default password is raspberry.
- Change the password for the default
piaccount. Runpasswd, then enter a new account password.
Raspbian will most likely show you a warning message when you log in for the first time telling you that it’s a security risk to leave SSH enabled with the Pi user password unchanged.
2. Create your user account: sudo useradd -m -G sudo <username>. I always add my user account to the sudo group; if you don’t want to, remove -G sudo. 3. Set a password for your new user account: run sudo passwd <username> and enter a new account password. 4. In a new Terminal window, try connecting with your new username and password: ssh <username>@raspberrypi.local. If everything works, great! You can close the other connection and continue working in your new user account.
4. Set up key-based SSH access
Key-based access is both convenient and far more secure than passwords. Once you set up key-based authentication, you’ll no longer be prompted for your user password when logging in to your Pi because you’ll supply a special private key file that proves your identity.
- Enable key-based authentication. Log in to your Pi using your password and edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config.
Find the line that reads #PubkeyAuthentication yes. Remove the # to uncomment it and enable key-based authentication. Save and close the file, then restart the SSH daemon: sudo systemctl restart sshd.
- Generate a new key pair. On your computer (not your Pi), run
ssh-keygen -t rsa -b 4096 -f <key_name>.pem.
The key generator will ask if you want to set a passphrase. Doing so keeps your key safe even if someone else gets ahold of your private key, but is less convenient since you’ll once again be prompted for the passphrase to log in. I leave the passphrase blank so none is set.
The key generator creates two files: <key_name>.pem and <key_name>.pem.pub. The former is your private key, the latter is the public key. You keep the private key safe, and store private key on your Pi. Together, they work like a lock and key, verifying your identity and allowing you to log in. The usual place to keep the private key is in ~/.ssh.
3. Copy the public key to the Pi. Still on your computer, run ssh-copy-id -i ~/.ssh/<key_name>.pem.pub <username>@raspberrypi.local. You’ll be prompted for your Pi user password, and the key copy tool will move the public key into place on your Pi. Go ahead and try logging in using your private key: ssh -i ~/.ssh/<key_name>.pem. If everything worked right, you should be logged in!
4. Disable password-based authentication. Now that you’ve upgraded to key-based authentication, disabling passwords makes logging in more secure.
Once again, edit the SSH configuration file: sudo nano /etc/ssh/sshd_config. Find the line that reads #PasswordAuthentication yes. Uncomment the line, and change yes to no.
While we’re editing the SSH configuration file, I like to increase the client keep-alive timeout so that SSH sessions don’t constantly disconnect. Find and update these lines:` ClientAliveInterval 60 ClientAliveCountMax 720
Restart the SSH daemon again (`sudo systemctl restart sshd`), then logout of your Pi and try signing in with your private key again to make sure everything’s set up properly. At this point, you should be able to sign in with your private key, and not your password.
5. (Optional) Change your Pi’s hostname to something more descriptive. On the Pi that runs Homebridge in my house, the hostname is `homebridge`, so I can address it at `homebridge.local`.
Log in to your Pi and edit the file at `/etc/hostname`. This file contains only the plaintext hostname of the Pi. Change `raspberrypi` to whatever you want, in my example `homebridge`.
Save and close `/etc/hostname`, then edit `/etc/hosts`. The very last line lists the localhost entry; replace `raspberrypi` with your new hostname, then save and close the file.
6. (Optional) Add an SSH config entry for easier access. On your computer, edit `~/.ssh/config`. Add a entry like this:
Host raspberrypi HostName raspberrypi.local User