SSH Keys

Last Edit: 2023.10.06

Debian / Ubuntu

Overview

Set up SSH keys and disable password authentication for increased security.

Assumptions

Update

Before getting started, update the package index. Consider upgrading installed packages as well to pick up the latest patches.

# Debian
sudo apt update
sudo apt upgrade

Verify OpenSSH

Secure Shell (SSH) needs server and client software installed. Verify the required openssh-server package is installed on your target server, and that openssh-client is installed on any system you want to use to access the server.

sudo apt install openssh-server
sudo apt install openssh-client

Generate SSH Keys

Start by creating a new SSH key pair on your client computer using ssh-keygen. Generate an RSA 4096 or Ed25519 pair.

RSA-4096

ssh-keygen -t rsa -b 4096 -C "[email protected]"

Ed25519

ssh-keygen -t ed25519 -C "[email protected]"

When prompted, accept or specify a filename and enter a strong passphrase to encrypt the private key with. The key pair is generated and two files are created with your chosen filename (id_rsa by default for RSA, id_ed25519 for Ed25519).

  • id_rsa - Private key used for authentication. Store in a secure location and do not share it.
  • id_rsa.pub - Public key. Placed on the server to verify the private key when opening a connection.

Copy Public Key

Once the SSH key pair has been created, the public key must be added to the authorized_keys list for the login user on the target server.

Using ssh-copy-id

OpenSSH has a built-in tool, ssh-copy-id, for copying SSH keys from your local system to a server. This method requires SSH access to the server.

Run the ssh-copy-id command, passing the public key with -i and replacing the user and server values.

ssh-copy-id -i ~/.ssh/id_rsa.pub user@serverIP

If successful, the command will output the number of keys added.

Using ctrl + c/v

If you cannot, or won’t, use ssh-copy-id, copy the public key to the server manually.

Log in to the server and make sure the .ssh directory exists in the chosen user’s home directory (-p creates it only if it is missing).

mkdir -p ~/.ssh

Copy the contents of the public key file, named id_rsa.pub by default. Paste the public key as a single line into the authorized_keys file in the .ssh directory.

nano ~/.ssh/authorized_keys

Set the ownership and permissions of the .ssh directory so that only the system user can access it.

chown -R $USER:$USER ~/.ssh && chmod -R go= ~/.ssh
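The manual steps above (create .ssh, append the key, lock down permissions) written as a small POSIX shell script. This is an added example, not part of the original guide: install_pubkey appends a key only if that exact line is not already present, so running it twice does not leave duplicates, and check_ssh_perms reports whether the directory and file modes are what sshd's StrictModes check expects. The HOME_DIR argument and the GNU stat -c '%a' call are assumptions for testing on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent version of the
# manual "paste into authorized_keys" step plus the chown/chmod hardening.

# install_pubkey PUBKEY_LINE [HOME_DIR]
# Appends one public-key line to HOME_DIR/.ssh/authorized_keys unless an
# identical line is already there, then restricts access to the owner.
# HOME_DIR defaults to $HOME (assumption: the target user's home).
install_pubkey() {
    pubkey="$1"
    home_dir="${2:-$HOME}"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # -p: no error if the directory already exists
    mkdir -p "$ssh_dir"
    touch "$auth_file"

    # -q quiet, -x whole line, -F fixed string: the '+' and '/' characters
    # in base64 key material must not be interpreted as regex operators.
    if ! grep -qxF "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi

    # Same effect as the guide's chown/chmod: owner only, 700 dir, 600 file.
    chown -R "$(id -un):$(id -gn)" "$ssh_dir"
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
}

# check_ssh_perms [HOME_DIR]
# Returns 0 when .ssh is mode 700 and authorized_keys is mode 600; prints the
# offending mode and returns 1 otherwise (sshd refuses keys from a
# group/world-writable .ssh when StrictModes is on, the default).
check_ssh_perms() {
    home_dir="${1:-$HOME}"
    dir_mode=$(stat -c '%a' "$home_dir/.ssh") || return 1
    file_mode=$(stat -c '%a' "$home_dir/.ssh/authorized_keys") || return 1
    [ "$dir_mode" = "700" ] || { echo ".ssh is mode $dir_mode, expected 700"; return 1; }
    [ "$file_mode" = "600" ] || { echo "authorized_keys is mode $file_mode, expected 600"; return 1; }
    return 0
}

# count_key HOME_DIR PUBKEY_LINE
# Prints how many times the exact key line appears (should be 1).
count_key() {
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}
```

Usage on the server: source the file and run install_pubkey "$(cat id_rsa.pub)" with no second argument to use the current user's home, then check_ssh_perms. The whole-line match is why the key should be pasted exactly as ssh-keygen wrote it, comment included.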

SSH Key Login

Once the public key has been copied to the server, an SSH connection can be opened using the private key.

SSH Command

When logging in using an SSH key, specify the SSH private key path when executing the SSH command.

ssh -i ~/.ssh/id_rsa user@serverIP

SSH Config

To make your life easy, add the server to your client SSH config file.

nano ~/.ssh/config

Below is an example of an SSH host definition. Add and replace the information to match your server details.

Host example-host
  HostName 1.2.3.4
  Port 22
  User targetUser
  IdentityFile /home/localUser/.ssh/id_rsa

You can now open an SSH connection using the chosen Host name; there is no need to specify the user, address, or SSH key path.

ssh example-host

Disable Passwords

To gain the full security benefit of using SSH keys, you should disable password authentication on your server. Verify you can access the system via SSH key before disabling passwords.

Open the /etc/ssh/sshd_config file.

sudo nano /etc/ssh/sshd_config

Set PubkeyAuthentication to yes and PasswordAuthentication to no. If either line is commented out (prefixed with #), remove the # so the setting actually takes effect.

PubkeyAuthentication yes
PasswordAuthentication no

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd
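A shell helper for the sshd_config edit above, added here as an example rather than taken from the original guide. The stock /etc/ssh/sshd_config ships directives commented out (for example "#PasswordAuthentication yes"), so set_sshd_option handles the three cases a line can be in: already set, present but commented, or absent. The CONFIG argument is an assumption so the functions can be exercised on a copy of the file; it assumes the directive lives at the top level of the file and not inside a Match block, and that the value contains no "|" character.

```shell
#!/bin/sh
# Added example (not from the original guide): set or read a top-level
# sshd_config directive. Defaults to /etc/ssh/sshd_config; pass another path
# to work on a copy. Requires GNU sed (-i and the I flag), as on Debian/Ubuntu.

# set_sshd_option NAME VALUE [CONFIG]
set_sshd_option() {
    name="$1"; value="$2"; cfg="${3:-/etc/ssh/sshd_config}"
    # Match the keyword at line start, optionally preceded by '#' and
    # whitespace, case-insensitively (sshd keywords are case-insensitive).
    # "([[:space:]]|$)" stops "PasswordAuthentication" matching a longer keyword.
    if grep -qiE "^[[:space:]]*#?[[:space:]]*$name([[:space:]]|$)" "$cfg"; then
        # Rewrite every matching line, commented or not, to the desired value
        # so no stale commented copy is left behind to mislead a later reader.
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$name([[:space:]]+.*)?$|$name $value|I" "$cfg"
    else
        printf '%s %s\n' "$name" "$value" >> "$cfg"
    fi
}

# get_sshd_option NAME [CONFIG]
# Prints the value of the first uncommented occurrence, because sshd itself
# keeps the first value it reads and ignores later duplicates.
get_sshd_option() {
    name="$1"; cfg="${2:-/etc/ssh/sshd_config}"
    grep -iE "^[[:space:]]*$name[[:space:]]+" "$cfg" | head -n 1 | awk '{print $2}'
}
```

After editing, run sudo sshd -t to check the file for syntax errors before restarting, and sudo sshd -T | grep -i passwordauthentication to confirm the effective value: on Ubuntu the Include /etc/ssh/sshd_config.d/*.conf line near the top of sshd_config is read first, and a file there such as 50-cloud-init.conf can set PasswordAuthentication yes and win over the edit in the main file. Systems using PAM should also set KbdInteractiveAuthentication no, otherwise a password prompt can still be offered through keyboard-interactive authentication.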