What is SSH and what is it for?
SSH (Secure Shell), is an encrypted protocol used to communicate and manage servers. This is especially important with Debian servers due to the fact that you’ll likely be spending most of your time in the terminal anyway.
This guide will show you how to set up your own SSH keys for Debian 10. SSH keys provide a simple and secure way of logging in to your server and are highly recommended!
Create the RSA Key Pair
First of all you have to create a key pair on the client machine (the computer you will be logging in from, usually your computer). You can do this by entering the following command into the terminal:
By default this will create a 2048bit RSA key pair which for most use cases is more than secure enough. However, you may optionally add the flag
-b 4096 to create a more secure, larger 4096bit key.
CAUTION - Do not overwrite another key on disk unless you know what you are doing. If you overwrite a key on disk you will NOT be able to authenticate using the previous key anymore.
You will also be prompted to (optionally) enter a secure passphrase, which is of course highly recommended as it adds an “additional layer” of security to prevent unauthorized users from logging in.
Copy the Public Key to Debian Server
There are many methods of copying your public key to the Debian host. I will list the three most useful below.
ssh-copy-idis included by default in almost all linux distros, so you are likely to have it available on your local system. However, for this method to work you must already have password-based SSH access to the Debian host.
To use the utility, you simply need to specify the remote host that you would like to connect to followed by the user account that you have password SSH access to. This is the account to which your public SSH key will be copied also. The terminal command looks like the example below:
$ ssh-copy-id username@host
- Copying Public Key Using SSH
If you’re unable to use
ssh-copy-id, but you have password-based SSH access to an account on your Debian 10 server, you can upload your keys using a more conventional SSH method.
This is done by using the
cat command to read the contents of the public SSH key file on our client computer and piping that through an SSH connection to the remote Debian host. We can then output the content we piped over into a file called
authorized_keys within this directory. We can use the
>> symbol to append the content rather than the default option which is overwriting it. This allows us to add keys without removing previously added keys. The full command looks like the following:
$ cat ~/.ssh/id_rsa.pub | ssh username@remote_host “mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys”
- Copying Public Key Manually
If you do not yet have password-based SSH access to your Debian host server, you will have to perform this manually. We will be manually appending the content of the newly generated
id_rsa.pub (unless you changed the filename) file to the
~/.ssh/authorized_keys file on the Debian host. To display the content of your key file use the following command on your client computer
$ cat ~/.ssh/id_rsa.pub
Once you have copied the contents of this file, you should access your remote Debian host using the method you have available. Once you have accessed the Debian host you should make sure that the
~/.ssh directory exists. You can do this by using this command, which will create the directory if it doesn’t exist, but if it already exists it will do nothing:
$ mkdir -p ~/.ssh
Now all you have to do is create/modify the
authorized_keys file inside of this directory. Add the contents of your
id_rsa.pub file to the end of the
authorized_keys file, creating it if necessary using this command:
$ echo PUBLIC_KEY_STRING_HERE >> ~/.ssh/authorized_keys
IMPORTANT NOTE - If you’re using the root account to set up keys for a user account, you have to make sure that the ~/.ssh directory belongs to the corresponding user and not to root, you can do this using the command:
$ chown -R user:pass ~/.ssh
Authenticate to Debian Host Using SSH Keys
After finally completing one of the procedures above, you should be able to log into the remote host without a password. The basic process is the same in that you connect using the command
$ ssh usernamme@host. If you did not supply a passphrase for your private key, you will be logged in immediately. However, if you did submit a passphrase for the private key when you created it, you will be prompted to enter it now.
OPTIONAL - Disable Password Authentication on Debian Server
After successfully logging into your account and using SSH without a password, your password based authentication is still active, meaning that your server is still exposed to brute-force attacks. Once you have confirmed that your remote account has administrative privileges, log into your server wish SSH keys. Then open up the SSH daemon’s config file using the command:
$ sudo nano /etc/ssh/sshd_config
Search for an option called
PasswordAuthentication inside the file (this may be commented out) and set the value to
no. This will fully disable the ability to login via SSH using account passwords.
Save and close the file when you are done editing it by pressing
Ctrl + X then
Y to confirm saving the file, then press Enter to exit nano. For these changes to be implemented the
sshd service needs to be restarted, this can be done with the following command:
$ sudo systemctl restart ssh
You should now have SSH-Key authentication successfully configured on your Debian 10 server, allowing you to authenticate without providing an account password and protecting you against brute-force attacks.