
Raspberry Pi Remote Access

This document provides instructions for remotely accessing a Raspberry Pi without being directly connected to a monitor. It describes several methods for finding the Raspberry Pi's IP address, including checking the router's connected devices list, using hostname resolution with mDNS, scanning the network with Nmap, pinging devices from another system, and using a smartphone app. It also provides steps for setting up SSH access to the Raspberry Pi's command line from another computer once the IP address is found.

Uploaded by

Steve Attwood

Remote access

Introduction to Remote Access

Sometimes you need to access a Raspberry Pi without connecting it to a monitor. Perhaps the Raspberry Pi is embedded in something like a robot, or you may want to view some information from it from elsewhere. Or perhaps you simply don’t have a spare monitor!

You can connect to your Raspberry Pi from another machine. But in order to do so you’ll need to know its IP address.

Any device connected to a Local Area Network is assigned an IP address. In order to connect to your Raspberry Pi from another machine using SSH or VNC, you need to know the Raspberry Pi’s IP address. This is easy if you have a display connected, and there are a number of methods for finding it remotely from another machine on the network.

How to Find your IP Address

It is possible to find the IP address of your Raspberry Pi without connecting to a screen using one of the following methods:

NOTE

If you are using a display with your Raspberry Pi and you boot to the command line instead of the desktop, your IP address should be shown in the last few messages before the login prompt. Otherwise open a Terminal window and type hostname -I which will reveal your Raspberry Pi’s IP address.

Router devices list

In a web browser navigate to your router’s IP address e.g. http://192.168.1.1, which is usually printed on a label on your router; this will take you to a control panel. Then log in using your credentials, which are usually also printed on the router or sent to you in the accompanying paperwork. Browse to the list of connected devices or similar (all routers are different), and you should see some devices you recognise. Some devices are detected as PCs, tablets, phones, printers, etc. so you should recognise some and rule them out to figure out which is your Raspberry Pi. Also note the connection type; if your Raspberry Pi is connected with a wire there should be fewer devices to choose from.

Resolving raspberrypi.local with mDNS

On Raspberry Pi OS, multicast DNS is supported out-of-the-box by the Avahi service.

If your device supports mDNS, you can reach your Raspberry Pi by using its hostname and the .local suffix. The default hostname on a fresh Raspberry Pi OS install is raspberrypi, so by default any Raspberry Pi running Raspberry Pi OS responds to:

ping raspberrypi.local

If the Raspberry Pi is reachable, ping will show its IP address:

PING raspberrypi.local (192.168.1.131): 56 data by
64 bytes from 192.168.1.131: icmp_seq=0 ttl=255 ti

If you change the system hostname of the Raspberry Pi (e.g., by editing /etc/hostname), Avahi will also change the .local mDNS address.

If you don’t remember the hostname of the Raspberry Pi, but have a system with Avahi installed, you can browse all the hosts and services on the LAN with the avahi-browse command.

nmap command

The nmap command (Network Mapper) is a free and open-source tool for network discovery, available for Linux, macOS, and Windows.

To install on Linux, install the nmap package e.g. apt install nmap.

To install on macOS or Windows, see the nmap.org download page.

To use nmap to scan the devices on your network, you need to know the subnet you are connected to. First find your own IP address, in other words the one of the computer you’re using to find your Raspberry Pi’s IP address:

On Linux, type hostname -I into a terminal window

On macOS, go to System Preferences then Network and select your active network connection to view the IP address

On Windows, go to the Control Panel, then under Network and Sharing Center, click View network connections, select your active network connection and click View status of this connection to view the IP address

Now you have the IP address of your computer, you will scan the whole subnet for other devices. For example, if your IP address is 192.168.1.5, other devices will be at addresses like 192.168.1.2, 192.168.1.3, 192.168.1.4, etc. The notation of this subnet range is 192.168.1.0/24 (this covers 192.168.1.0 to 192.168.1.255).

Now use the nmap command with the -sn flag (ping scan) on the whole subnet range. This may take a few seconds:

nmap -sn 192.168.1.0/24

Ping scan just pings all the IP addresses to see if they respond. For each device that responds to the ping, the output shows the hostname and IP address like so:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-
Nmap scan report for hpprinter (192.168.1.2)
Host is up (0.00044s latency).
Nmap scan report for Gordons-MBP (192.168.1.4)
Host is up (0.0010s latency).
Nmap scan report for ubuntu (192.168.1.5)
Host is up (0.0010s latency).
Nmap scan report for raspberrypi (192.168.1.8)
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned i

Here you can see a device with hostname raspberrypi has IP address 192.168.1.8. Note, to see the hostnames, you must run nmap as root by prepending sudo to the command.
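The procedure above can be scripted as follows. This is an added example, not part of the original documentation; the function names and the sample scan output (modelled on the listing above) are constructed, and a /24 netmask is assumed as in the text.

```shell
#!/bin/sh
# Added example: helper names and SAMPLE_SCAN are constructed for illustration.

# Derive the /24 range from an IPv4 address: 192.168.1.5 -> 192.168.1.0/24.
# Assumes a 255.255.255.0 netmask as in the text; other masks need another range.
subnet24() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # reject anything but dotted digits
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                                  # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.0/24\n' "$1" "$2" "$3"
}

# Turn "nmap -sn" output on stdin into "IP HOSTNAME" lines.
# HOSTNAME is "-" when nmap could not resolve a name for the address.
parse_ping_scan() {
    awk '/^Nmap scan report for / {
        if (NF >= 6) {                # "... for NAME (IP)"
            ip = $6; gsub(/[()]/, "", ip); name = $5
        } else {                      # "... for IP"
            ip = $5; name = "-"
        }
        print ip, name
    }'
}

# Print the IPs whose reported hostname starts with the given prefix.
ips_for_hostname() {
    parse_ping_scan |
        awk -v want="$1" 'index(tolower($2), tolower(want)) == 1 { print $1 }'
}

# Constructed sample output, in the format shown above.
SAMPLE_SCAN='Nmap scan report for hpprinter (192.168.1.2)
Host is up (0.00044s latency).
Nmap scan report for 192.168.1.4
Host is up (0.0010s latency).
Nmap scan report for raspberrypi (192.168.1.8)
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.41 seconds'

# Live use, taking the first address that hostname -I prints:
#   sudo nmap -sn "$(subnet24 "$(hostname -I | awk '{print $1}')")" | ips_for_hostname raspberrypi
```

A matching hostname only narrows down the candidates, because any device on the network can announce the name raspberrypi; the SSH host key fingerprint shown on first connection is what identifies the device.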

Getting IPv6 addresses by pinging from a second device

First find your own IP address(es), in other words the one of the computer you’re using to find your Raspberry Pi’s IP address, by running hostname -I

fd00::ba27:ebff:feb6:f293
2001:db8:494:9d01:ba27:ebff:feb6:f293

The example shows two IP addresses. The first one is a so-called unique local unicast address (fc00::/7). The second one is the global unicast address (2000::/3). It is also possible to see only one of them, depending on your network (router) configuration. Both addresses are valid for reaching the Raspberry Pi within your LAN. The address out of 2000::/3 is accessible worldwide, provided your router’s firewall is opened.

Now use one of the IPs from the first step to ping all local nodes:

ping -c 2 -I 2001:db8:494:9d01:ba27:ebff:feb6:f293
ping -c 2 -I 2001:db8:494:9d01:ba27:ebff:feb6:f293

-c 2 stands for sending two echo requests

-I with the IP address sets the interface and the source address of the echo request. It is necessary to choose the interface’s IP address; eth0 isn’t sufficient, because the answer would be the link-local address (fe80::/10), and we need the global or local unicast address

ff02::1 is a well-known multicast address for all nodes on the link, so it behaves like a local broadcast. It is usually defined in /etc/hosts, so you can also use the name (ip6-allnodes or ipv6-allnodes) instead of the literal address

Some newer systems expect the interface ID behind the multicast address.

ping -c 2 -I 2001:db8:494:9d01:ba27:ebff:feb6:f293
PING ip6-allnodes(ip6-allnodes (ff02::1)) from 200
64 bytes from 2001:db8:494:9d01:ba27:ebff:feb6:f29
64 bytes from witz.fritz.box (2001:db8:494:9d01:72
64 bytes from raspberrypi4.fritz.box (2001:db8:494
64 bytes from 2001:db8:494:9d01:da37:beff:fefd:f09
64 bytes from fusion.fritz.box (2001:db8:494:9d01:
64 bytes from fritz.box (2001:db8:494:9d01:464e:6d
64 bytes from raspberrypi.fritz.box (2001:db8:494:

--- ip6-allnodes ping statistics ---
2 packets transmitted, 2 received, +5 duplicates,
rtt min/avg/max/mdev = 0.480/1.283/2.623/0.735 ms

This should result in replies from all the nodes on your (W)LAN link, with associated DNS names.

Exclude your own IP (here 2001:db8:494:9d01:ba27:ebff:feb6:f293), then check the others by trying to connect to them via SSH.

ssh pi@2001:db8:494:9d01:dea6:32ff:fe23:6be1
The authenticity of host '2001:db8:494:9d01:dea6:3
ECDSA key fingerprint is SHA256:DAW68oen42TdWDyrOy
Are you sure you want to continue connecting (yes/
Warning: Permanently added '2001:db8:494:9d01:dea6
pi@2001:db8:494:9d01:dea6:32ff:fe23:6be1's passwor
Linux raspberrypi4 4.19.75-v7l+ #1270 SMP Tue Sep

...

pi@raspberrypi4:~ $

Getting the IP address of a Raspberry Pi using your smartphone

The Fing app is a free network scanner for smartphones. It is available for Android and iOS.

Your phone and your Raspberry Pi have to be on the same network, so connect your phone to the correct wireless network.

When you open the Fing app, touch the refresh button in the upper right-hand corner of the screen. After a few seconds you will get a list with all the devices connected to your network. Scroll down to the entry with the manufacturer "Raspberry Pi". You will see the IP address in the bottom left-hand corner, and the MAC address in the bottom right-hand corner of the entry.

Setting up an SSH Server

You can access the command line of a Raspberry Pi remotely from another computer or device on the same network using the Secure Shell (SSH) protocol.

You will only have access to the command line, not the full desktop environment. For a full remote desktop, see VNC.

Set up your Local Network

Make sure your Raspberry Pi is properly set up and connected. If you are using wireless networking, this can be enabled via the desktop user interface, or from the command line. If you are not using wireless connectivity, plug your Raspberry Pi directly into the router.

NOTE

You will need to note down the IP address of your Raspberry Pi in order to connect to it later. Using the ifconfig command will display information about the current network status, including the IP address, or you can use hostname -I to display the IP addresses associated with the device.

Enabling the Server

Raspberry Pi OS has the SSH server disabled by default. It can be enabled manually from the desktop:

1. Launch Raspberry Pi Configuration from the Preferences menu

2. Navigate to the Interfaces tab

3. Select Enabled next to SSH

4. Click OK

Alternatively you can enable it from the terminal using the raspi-config application:

1. Enter sudo raspi-config in a terminal window

2. Select Interfacing Options

3. Navigate to and select SSH

4. Choose Yes

5. Select Ok

6. Choose Finish

NOTE

For headless setup, SSH can be enabled by placing a file named ssh, without any extension, onto the boot partition of the SD Card. When the Raspberry Pi boots, it looks for the ssh file. If it is found, SSH is enabled and the file is deleted. The content of the file does not matter; it could contain text, or nothing at all.

NOTE

For headless setup, in addition to the ssh file you need a userconf.txt file, which contains a string username:encryptedpassword. Please refer to the section on configuring a user in the discussions around headless setup of a Raspberry Pi.

WARNING

When enabling SSH on a Raspberry Pi that may be connected to the internet, you should ensure that your password is not easily brute forced.
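For the headless case described in the notes above, the two files can be prepared like this. This is an added example, not part of the original documentation; write_headless_files is a hypothetical helper, and it assumes that the encrypted password is a SHA-512 crypt hash as produced by openssl passwd -6 and that userconf.txt goes on the boot partition next to the ssh file.

```shell
#!/bin/sh
# Added example: write_headless_files is a hypothetical helper, not a Raspberry Pi tool.

# write_headless_files BOOT_DIR USERNAME
# BOOT_DIR is the mounted boot partition of the SD card.
# The new password is read from stdin, so it is never passed as a command argument.
write_headless_files() {
    boot=$1
    user=$2
    [ -d "$boot" ] || { echo "no such directory: $boot" >&2; return 1; }

    # Conservative username check: a lowercase letter first, then a-z, 0-9, _ or -.
    case "$user" in
        ''|[!a-z]*|*[!a-z0-9_-]*)
            echo "invalid username: $user" >&2
            return 1 ;;
    esac

    # SHA-512 crypt hash with a random salt; only the hash is written to the card.
    hash=$(openssl passwd -6 -stdin) || return 1
    case "$hash" in
        '$6$'*) ;;
        *) echo "unexpected hash format (empty password input?)" >&2; return 1 ;;
    esac

    : > "$boot/ssh"                                   # the content does not matter
    printf '%s:%s\n' "$user" "$hash" > "$boot/userconf.txt"
}

# Example call (/media/boot is a placeholder for wherever the card is mounted):
#   printf '%s\n' "$NEW_PASSWORD" | write_headless_files /media/boot alice
```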

Secure Shell from Linux or Mac OS

You can use SSH to connect to your Raspberry Pi from a Linux desktop, another Raspberry Pi, or from an Apple Mac without installing additional software.

Open a terminal window on your computer and enter the following command, replacing <IP> with the IP address of the Raspberry Pi you’re trying to connect to:

ssh pi@<IP>

When the connection works you will see a security/authenticity warning. Type yes to continue. You will only see this warning the first time you connect.

NOTE

If you receive a connection timed out error it is likely that you have entered the wrong IP address for the Raspberry Pi.

WARNING

In the event your Raspberry Pi has taken the IP address of a device to which your computer has connected before (even if this was on another network), you may be given a warning and asked to clear the record from your list of known devices. Following this instruction and trying the ssh command again should be successful.

Next you will be prompted for the password for the pi login: the default password on Raspberry Pi OS is raspberry.

For security reasons it is highly recommended to change the default password on the Raspberry Pi (also, you cannot log in through ssh if the password is blank). You should now be able to see the Raspberry Pi prompt, which will be identical to the one found on the Raspberry Pi itself.

If you have set up another user on the Raspberry Pi, you can connect to it in the same way, replacing the username with your own, e.g. [email protected]

pi@raspberrypi ~ $

You are now connected to the Raspberry Pi remotely, and can execute commands.

Forwarding X11
You can also forward your X session over SSH, to allow the use of graphical applications, by using the -Y flag:

ssh -Y [email protected]

NOTE

X11 is no longer installed by default on macOS, so you will have to download and install it.

Now you are on the command line as before, but you have the ability to open up graphical windows. For example, typing:

geany &

will open up the Geany editor in a window on your local desktop.

Secure Shell from Windows 10

You can use SSH to connect to your Raspberry Pi from a Windows 10 computer that is using October 2018 Update or later without having to use third-party clients.

Open a terminal window on your computer and enter the following command, replacing <IP> with the IP address of the Raspberry Pi you’re trying to connect to:

ssh pi@<IP>

When the connection works you will see a security/authenticity warning. Type yes to continue. You will only see this warning the first time you connect.

NOTE

If you receive a connection timed out error it is likely that you have entered the wrong IP address for the Raspberry Pi.

WARNING

In the event your Raspberry Pi has taken the IP address of a device to which your computer has connected before (even if this was on another network), you may be given a warning and asked to clear the record from your list of known devices. Following this instruction and trying the ssh command again should be successful.

Next you will be prompted for the password for the pi login: the default password on Raspberry Pi OS is raspberry.

For security reasons it is highly recommended to change the default password on the Raspberry Pi (also, you cannot log in through ssh if the password is blank). You should now be able to see the Raspberry Pi prompt, which will be identical to the one found on the Raspberry Pi itself.

If you have set up another user on the Raspberry Pi, you can connect to it in the same way, replacing the username with your own, e.g. [email protected]

pi@raspberrypi ~ $

You are now connected to the Raspberry Pi remotely, and can execute commands.

Passwordless SSH Access

It is possible to configure your Raspberry Pi to allow access from another computer without needing to provide a password each time you connect. To do this, you need to use an SSH key instead of a password. To generate an SSH key:

Checking for Existing SSH Keys

First, check whether there are already keys on the computer you are using to connect to the Raspberry Pi:

ls ~/.ssh

If you see files named id_rsa.pub or id_dsa.pub then you have keys set up already, so you can skip the 'Generate new SSH keys' step below.

Generate new SSH Keys

To generate new SSH keys enter the following command:

ssh-keygen

Upon entering this command, you will be asked where to save the key. We suggest saving it in the default location (~/.ssh/id_rsa) by pressing Enter.

You will also be asked to enter a passphrase, which is optional. The passphrase is used to encrypt the private SSH key, so that if someone else copied the key, they could not impersonate you to gain access. If you choose to use a passphrase, type it here and press Enter, then type it again when prompted. Leave the field empty for no passphrase.

Now look inside your .ssh directory:

ls ~/.ssh

and you should see the files id_rsa and id_rsa.pub:

authorized_keys id_rsa id_rsa.pub known_hosts

The id_rsa file is your private key. Keep this on your computer.

The id_rsa.pub file is your public key. This is what you share with machines that you connect to: in this case your Raspberry Pi. When the machine you try to connect to matches up your public and private key, it will allow you to connect.

Take a look at your public key to see what it looks like:

cat ~/.ssh/id_rsa.pub

It should be in the form:

ssh-rsa <REALLY LONG STRING OF RANDOM CHARACTERS>

Copy your Key to your Raspberry Pi

Using the computer which you will be connecting from, append the public key to your authorized_keys file on the Raspberry Pi by sending it over SSH:

ssh-copy-id <USERNAME>@<IP-ADDRESS>

NOTE

During this step you will need to authenticate with your password.

Alternatively, if ssh-copy-id is not available on your system, you can copy the file manually over SSH:

cat ~/.ssh/id_rsa.pub | ssh <USERNAME>@<IP-ADDRESS

If you see the message ssh: connect to host <IP-ADDRESS> port 22: Connection refused and you know the IP-ADDRESS is correct, then you may not have enabled SSH on your Raspberry Pi. Run sudo raspi-config in the Raspberry Pi’s terminal window, enable SSH, then try to copy the files again.

Now try ssh <USER>@<IP-ADDRESS> and you should connect without a password prompt.

If you see a message "Agent admitted failure to sign using the key" then add your RSA or DSA identities to the authentication agent ssh-agent by executing the following command:

ssh-add

NOTE

You can also send files over SSH using the scp (secure copy) command.

Adjust Directory Permissions


If you can’t establish a connection after following the
steps above there might be a problem with your directory
permissions. First, you want to check the logs for any
errors:

tail -f /var/log/secure
# might return:
Nov 23 12:31:26 raspberrypi sshd[9146]: Authentica

If the log says Authentication refused: bad ownership or modes for directory /home/pi there is a permission problem regarding your home directory. SSH needs your home and ~/.ssh directory to not have group write access. You can adjust the permissions using chmod:

chmod g-w $HOME
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys

Now only the user itself has access to .ssh and .ssh/authorized_keys in which the public keys of your remote machines are stored.
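The conditions behind that log message can be checked on the Raspberry Pi before trying to connect again. The following script is an added example, not part of the original documentation: it reports a home directory, ~/.ssh or authorized_keys that is writable by group or others or owned by another user, and can then apply the chmod fix from the text. The function names and report labels are constructed; checking write access for others and file ownership goes slightly beyond the group-write case described above.

```shell
#!/bin/sh
# Added example: function names and report labels are constructed for illustration.

# True if the path is writable by group or others: characters 6 and 9 of a
# mode string such as "drwxrwxr-x". -L follows a symlinked directory.
group_or_other_writable() {
    perms=$(ls -ldL "$1" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_ssh_perms HOME_DIR [UID]
# Prints one line per problem and returns non-zero if any was found.
check_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    bad=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        # Numeric owner (third field of ls -n); the account itself or root is fine.
        owner=$(ls -ldLn "$path" | awk '{print $3}')
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "BAD-OWNER $path"; bad=1
        fi
        if group_or_other_writable "$path"; then
            echo "BAD-MODE $path"; bad=1
        fi
    done
    return "$bad"
}

# The chmod commands from the text, with write access for others removed too.
fix_ssh_perms() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Typical use on the Raspberry Pi:
#   check_ssh_perms "$HOME" || fix_ssh_perms "$HOME"
```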

Storing the passphrase in the macOS keychain

If you are using macOS, and after verifying that your new key allows you to connect, you have the option of storing the passphrase for your key in the macOS keychain. This allows you to connect to your Raspberry Pi without entering the passphrase.

Run the following command to store it in your keychain:

ssh-add -K ~/.ssh/id_rsa

NOTE

From macOS Monterey onwards the -K flag has been deprecated and been replaced by the --apple-use-keychain flag.

Using Secure Copy
