Raspberry Pi Headless SSH Guide

Find your Pi's IP address and SSH in from Mac — no monitor required

Generated: April 20, 2026 · Covers Raspberry Pi OS Bullseye + Bookworm

Quick Start — Do These First

Try pinging the Pi by name. If you never changed the hostname, this is the fastest way.

ping raspberrypi.local

If it responds, SSH in directly. If not, scan the network.

ssh pi@raspberrypi.local

If name resolution fails, run the network scan below to find the IP.

sudo nmap -sn 192.168.1.0/24

Tip: Your Pi has both WiFi and ethernet — it may have two IP addresses. Either works for SSH.

Part 1 — Finding the Pi's IP Address

Fastest Method 1: mDNS / Bonjour (ping by name)

Raspberry Pi OS broadcasts itself via mDNS/Bonjour. No scanning needed.

ping raspberrypi.local

If it replies, use raspberrypi.local as the hostname in SSH commands. That's it.

If the default name doesn't work (you may have changed it), try variants:

ping raspberrypi4.local ping raspberrypi3.local ping raspberrypi2.local ping raspberrypi.local

Or browse all SSH services on your network:

dns-sd -B _ssh._tcp local. dns-sd -G v4 raspberrypi.local

Why this works: The Pi runs Avahi (Linux mDNS) which advertises raspberrypi.local on your LAN. Your Mac has Bonjour built in, so no extra software needed.

Fast Method 2: Check Mac's ARP Cache

The Pi may already be in your Mac's ARP table. Check for Pi MAC address prefixes.

arp -a

Look for lines matching these Raspberry Pi MAC prefixes:

OUI Prefix	Model
`b8:27:eb`	Pi 1, 2, 3 (original Foundation OUI)
`dc:a6:32`	Pi 4, Pi 400, CM4
`e4:5f:01`	Pi 4 (alternate)
`28:cd:c1`	Pi 5
`d8:3a:dd`	Pi 5 (alternate)
`2c:cf:67`	Pi Zero W, Zero 2W
`e4:5f:01`	Pi 400

Quick filter:

arp -a | grep -i "b8:27:eb\|dc:a6:32\|e4:5f:01\|28:cd:c1\|d8:3a:dd\|2c:cf:67"

Tip: The IP is the first item in the line, e.g. ? (192.168.1.47) at dc:a6:32:xx:xx:xx

Recommended Method 3: Router Admin Panel (Most Reliable)

Log into your router — it has a complete list of every device with an IP address. This never fails.

First, find your router's IP:

netstat -nr | grep default

Or:

route get default | grep gateway

Then open these URLs in your browser (try each one):

URL	Common On
`http://192.168.1.1`	Most Netgear, Linksys, TP-Link
`http://192.168.0.1`	TP-Link, D-Link, older Linksys
`http://10.0.0.1`	Apple routers, Xfinity
`http://192.168.2.1`	Belkin, some Xfinity
`http://192.168.100.1`	Arris/Motorola cable modems
`http://router.local`	Modern routers (mDNS)

Once logged in, look for sections named:

"Connected Devices" or "Device List"
"DHCP Client List" or "LAN Settings"
"Attached Devices"

Look for a device named raspberrypi or matching a Pi MAC OUI from the table above.

Note: Router default credentials vary by manufacturer. Common defaults are printed on the router itself. If you changed them, check your notes.

Very Reliable Method 4: nmap Network Scan

Install nmap, then scan your local network. This finds every live device.

brew install nmap

Find your Mac's IP first:

ifconfig en0 | grep "inet "

Then scan your subnet. Replace the IP range with yours:

sudo nmap -sn 192.168.1.0/24

Look for entries labeled "Raspberry Pi Trading" or "Raspberry Pi Foundation" in the MAC Address field. Those are your Pi.

What the flags do: -sn = ping scan (no port scan, fast). sudo = uses raw packets so it sees MAC vendor info. You need sudo for MAC addresses.

Also useful — scan specifically for SSH port:

nmap -p 22 --open 192.168.1.0/24

Very Reliable Method 5: arp-scan (Better Than nmap for This)

arp-scan queries every IP directly with ARP packets. It's faster and shows vendor names clearly.

brew install arp-scan

Find your network interface:

ifconfig | grep "^en"

Run the scan:

sudo arp-scan --interface=en0 --localnet

Or scan all interfaces:

sudo arp-scan --localnet

Look for lines with Raspberry Pi in the Company field.

arp-scan vs nmap: arp-scan sends raw ARP requests to every IP in the subnet and waits for replies. nmap uses a mix of ping + SYN scans. arp-scan is more reliable on local networks because ARP is always answered, even by firewalls that block ICMP.

Quick Method 6: mDNS Service Discovery

Browse for all SSH services advertised on your network via Bonjour:

dns-sd -B _ssh._tcp local.

Leave it running for 30 seconds. It will list any device advertising SSH.

Or resolve a known hostname:

dns-sd -L raspberrypi _ssh._tcp local.

Part 2 — SSH Into the Pi

Recommended Step 1: SSH Command

Once you have the IP, SSH in:

ssh pi@192.168.1.47

Or by hostname (if mDNS resolved earlier):

ssh pi@raspberrypi.local

Verbose mode (if something goes wrong):

ssh -v pi@192.168.1.47

Non-standard port (if you changed SSH port on the Pi):

ssh -p 2222 pi@192.168.1.47

Recommended Step 2: Credentials

OS Version	Default User	Default Password	SSH Enabled
Pi OS Bullseye (April 2022+)	`pi`	`raspberry`	Off by default
Pi OS Bookworm (Oct 2023+)	Set during imaging	Set during imaging	Off by default
Older images (pre-2022)	`pi`	`raspberry`	On by default

Important: Modern Pi OS (Bookworm, 2023+) has NO default pi user. You must set the username and password when imaging the SD card, or the account won't exist. Use Raspberry Pi Imager's advanced options (gear icon) to set this before flashing.

SSH on modern Pi OS: SSH is disabled by default. You need to put an empty file named ssh on the boot partition of the SD card before first boot. See Part 3 below.

Recommended Step 3: Set Up SSH Key Auth (Skip Password Forever)

Generate a key on your Mac (if you don't have one):

ls ~/.ssh/id_ed25519.pub

If that returns "No such file or directory," generate one:

ssh-keygen -t ed25519 -C "mac-to-pi"

Copy the key to the Pi (run this on your Mac, enter password when asked):

ssh-copy-id pi@192.168.1.47

Or if ssh-copy-id isn't available:

cat ~/.ssh/id_ed25519.pub | ssh pi@192.168.1.47 \ "mkdir -p ~/.ssh && chmod 700 ~/.ssh && \ cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Now SSH in without a password:

ssh pi@192.168.1.47

Create a shortcut in ~/.ssh/config so you never type the IP again:

Host pi
    HostName 192.168.1.47
    User pi
    IdentityFile ~/.ssh/id_ed25519
    Port 22

Save that to ~/.ssh/config, then just type ssh pi from then on.

Recommended Step 4: First Login Checklist

Once logged in via SSH, run these on the Pi:

passwd

Change the default password immediately.

sudo apt update && sudo apt full-upgrade -y

Update everything to the latest version.

hostname -I

Show all IP addresses (WiFi + ethernet).

uname -a

Check which Pi model and OS version you're running.

Part 3 — Headless Setup Before First Boot

Recommended Use Raspberry Pi Imager (Easiest Path)

The Raspberry Pi Imager handles SSH enable + WiFi config + user creation all at once. No manual file editing.

brew install --cask raspberry-pi-imager

Or download from raspberrypi.com/software

In the Imager:

Select your Pi model and OS
Click the gear icon (Advanced options) before clicking Write
Set hostname, enable SSH, create username/password
Enter your WiFi SSID and password
Configure wireless LAN country (e.g., US)
Click Write — Imager handles the rest

Why Imager is better for Bookworm (2023+): The modern OS moved WiFi config from wpa_supplicant.conf on boot to NetworkManager. Imager bridges this gap automatically.

Manual Manual: Enable SSH via SD Card

After flashing the OS image to the SD card, mount the boot partition on your Mac. It usually auto-mounts as /Volumes/bootfs (Bookworm) or /Volumes/boot (older).

ls /Volumes/

Enable SSH by creating an empty file:

touch /Volumes/bootfs/ssh

That's it. The presence of this file tells Pi OS to enable SSH on first boot.

Manual Manual: Configure WiFi via SD Card

Create a WiFi config file on the boot partition:

cat > /Volumes/bootfs/wpa_supplicant.conf << 'EOF' country=US ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev update_config=1 network={ ssid="YourWiFiNetworkName" psk="YourWiFiPassword" key_mgmt=WPA-PSK priority=1 } EOF

For hidden networks or 5GHz, add scan_ssid=1 inside the network={} block.

Add a fallback network (e.g., your phone hotspot):

cat > /Volumes/bootfs/wpa_supplicant.conf << 'EOF' country=US ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev update_config=1 network={ ssid="PrimaryWiFi" psk="PrimaryPassword" key_mgmt=WPA-PSK priority=1 } network={ ssid="FallbackHotspot" psk="HotspotPassword" key_mgmt=WPA-PSK priority=2 } EOF

Bookworm note: wpa_supplicant.conf in the boot partition still works for initial connect but Pi OS Bookworm prefers NetworkManager. Imager is the safest bet for Bookworm.

Manual Manual: Create User on Modern Pi OS (Required Since 2022)

Modern Pi OS has no default pi user. Create one via the SD card:

# Generate a password hash on your Mac python3 -c "import crypt; print(crypt.crypt('YourPassword', crypt.mksalt(crypt.METHOD_SHA512)))"

Create the user config file on boot partition:

# Replace the hash with your actual output echo "pi:\$6\$rounds=656000\$YourHashHere" > /Volumes/bootfs/userconf.txt # Verify it looks right cat /Volumes/bootfs/userconf.txt

Format is username:password_hash — one line, no spaces.

Or: Use the Imager's built-in user creation. It's much easier than the hash approach.

Manual Manual: Pre-Load SSH Keys (Skip Password Setup Entirely)

Mount the rootfs partition and copy your public key so passwordless login works on first boot:

# Install ext4 support (needed to read Linux filesystem from Mac) brew install --cask macfuse brew install ext4fuse # Find the rootfs partition diskutil list

Then mount and copy the key:

# Mount rootfs (replace disk2s2 with your actual partition) sudo mkdir -p /Volumes/rootfs_pi sudo ext4fuse /dev/disk2s2 /Volumes/rootfs_pi -o allow_other # Copy your public key sudo mkdir -p /Volumes/rootfs_pi/home/pi/.ssh cat ~/.ssh/id_ed25519.pub | sudo tee /Volumes/rootfs_pi/home/pi/.ssh/authorized_keys sudo chmod 700 /Volumes/rootfs_pi/home/pi/.ssh sudo chmod 600 /Volumes/rootfs_pi/home/pi/.ssh/authorized_keys sudo chown -R 1000:1000 /Volumes/rootfs_pi/home/pi/.ssh

Eject safely:

diskutil eject /Volumes/rootfs_pi diskutil eject /Volumes/bootfs

Part 4 — Troubleshooting

Fix "Connection refused" — SSH Not Enabled

The Pi's SSH server isn't running. Re-enable it via SD card:

touch /Volumes/bootfs/ssh

Then remount/eject and power cycle the Pi.

Fix "Host key verification failed" — Stale Key After Reflash

You reflashed the Pi and the old host key doesn't match anymore:

ssh-keygen -R 192.168.1.47 ssh-keygen -R raspberrypi.local ssh pi@192.168.1.47

Answer yes to accept the new host key.

Fix "No route to host" — Pi on Different Network

The Pi and your Mac are on different subnets. Check both are connected to the same router/LAN. If your Mac is on WiFi and the Pi is on ethernet, they should still be on the same subnet (same router).

# Check your Mac's IP ifconfig en0 | grep "inet " # Check Pi's IP (from the router admin panel) # Or re-run the nmap scan

Fix "raspberrypi.local" Doesn't Resolve — mDNS Broken

Some routers block multicast traffic that mDNS needs. Use the IP directly instead:

# Check if mDNS browsing works dns-sd -B _services._dns-sd._udp local. # If it returns nothing, mDNS is blocked on your network # Just use the IP address from nmap/arp-scan instead ssh pi@192.168.1.47

Fix Forgotten Password — Reset via SD Card

Can't log in because you forgot the password. Reset it via the SD card:

# Create userconf.txt on boot partition with a known password hash python3 -c "import crypt; print(crypt.crypt('newpassword', crypt.mksalt(crypt.METHOD_SHA512)))"

Then create /Volumes/bootfs/userconf.txt with:

pi:$6$rounds=656000$

Boot the Pi with this SD card — the password is now newpassword.

Fix DHCP Keeps Changing the Pi's IP

Set a static IP reservation on your router (router admin panel, DHCP settings) — tie the Pi's MAC address to a fixed IP. Or set a static IP on the Pi itself:

# On the Pi, edit the DHCP config sudo nano /etc/dhcpcd.conf

Add at the bottom:

interface eth0
    static ip_address=192.168.1.100/24
    static routers=192.168.1.1
    static domain_name_servers=8.8.8.8

interface wlan0
    static ip_address=192.168.1.101/24
    static routers=192.168.1.1
    static domain_name_servers=8.8.8.8

Pick an IP outside your router's DHCP range. Then update your ~/.ssh/config with the new IP.

Complete Workflow — Your Step by Step

Try mDNS first: ping raspberrypi.local — if this works, skip to step 3.

Find your subnet: ifconfig en0 | grep "inet " — gives e.g. 192.168.1.105. Then scan: sudo nmap -sn 192.168.1.0/24. Look for Raspberry Pi in the output.

SSH in: ssh pi@192.168.1.47 (or ssh pi@raspberrypi.local). Enter your password.

Change password: passwd

Set up key auth (recommended): On your Mac: ssh-copy-id pi@192.168.1.47

Update: sudo apt update && sudo apt full-upgrade -y

Check IPs: hostname -I — shows both WiFi and ethernet IPs

Quick Reference — All Commands

Find the Pi

ping raspberrypi.local

arp -a | grep -i "dc:a6:32\|b8:27:eb\|e4:5f:01\|28:cd:c1"

sudo nmap -sn 192.168.1.0/24

sudo arp-scan --interface=en0 --localnet

netstat -nr | grep default

SSH In

ssh pi@raspberrypi.local

ssh pi@192.168.1.47

ssh -v pi@192.168.1.47

Key Setup

ssh-keygen -t ed25519 -C "mac-to-pi" ssh-copy-id pi@192.168.1.47

Fix Stale Host Key

ssh-keygen -R 192.168.1.47

SD Card Prep (Headless)

touch /Volumes/bootfs/ssh # then create wpa_supplicant.conf

On the Pi (First Login)

passwd sudo apt update && sudo apt full-upgrade -y hostname -I uname -a

Modern Pi OS Catch (Bookworm, 2023+): No more default pi/raspberry. SSH is disabled. WiFi config via boot partition is deprecated. Use Raspberry Pi Imager with the gear icon (Advanced options) to set username, password, SSH, and WiFi all at once before flashing. This is the path of least resistance and the only fully supported method for Bookworm.