How to set up SSH keys on Debian 10

Secure Shell (SSH) is a cryptographic networking protocol used for secure communication between client and server and supports various authentication mechanisms. An encrypted connection can be used to execute commands on the server, X11 tunneling, port forwarding, and more.

Password and public key are the two most common authentication mechanisms.

Public key authentication relies on digital signatures and is more secure and convenient than traditional password authentication.

This article describes how to generate SSH keys on Debian 10 systems. We will also show you how to set up SSH key based authentication and connect to remote Linux servers without entering a password.

Generating SSH Keys in Debian

Most likely, you already have an SSH key pair on your Debian client machine. If you generate a new key pair, the old one will be overwritten.

Run the following ls command to check if the key files exist:

ls -l ~/.ssh/id_*.pub

If the output of the command above contains something like No such file or directory or no matches found, that means you don’t have SSH keys and you can go to the next step and generate a new SSH key pair.

Otherwise, if you already have an SSH key pair, you can keep using it, or back up the old keys and generate new ones.

Generate a new 4096 bit SSH key pair with your email address as a comment by entering the following command:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

The output will look something like this:

Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):

Press Enter to accept the default file location and file name.

Next, you will be prompted for a secure passphrase. Whether you want to use a passphrase is up to you. The passphrase adds an extra layer of security.

Enter passphrase (empty for no passphrase):

If you don’t want to use a passphrase, just press Enter.

To verify that the SSH key pair has been generated, run the following command:

ls ~/.ssh/id_*

The command will list the key files:

/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub

Copy the public key to the server

Now that you have your SSH key pair, the next step is to copy the public key to the server you want to manage.

The easiest and recommended way to copy a public key to a remote server is to use the ssh-copy-id tool.

Run the following command on your local machine:

ssh-copy-id remote_username@server_ip_address

You will be prompted for the remote_username password:

remote_username@server_ip_address's password:

After the user is authenticated, the contents of the public key file (~/.ssh/id_rsa.pub) will be appended to the ~/.ssh/authorized_keys file of the remote user and the connection will be closed.

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'remote_username@server_ip_address'"
and check to make sure that only the key(s) you wanted were added.

If the ssh-copy-id utility is not available on your local machine, use the following command to copy the public key:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Login to the server using SSH keys

At this point, you should be able to log into the remote server without being asked for a password.

To test this, try connecting to the server via SSH:

ssh remote_username@server_ip_address

If you have not set a passphrase for the private key, you will be logged in immediately. Otherwise, you will be prompted for the passphrase.

Disable SSH Password Authentication

To add an extra layer of security to your server, you can disable SSH password authentication.

Before disabling password authentication, make sure you can log into your server without a password and the user you are logging in with has sudo privileges.

Login to your remote server:

ssh remote_username@server_ip_address

Open the SSH server configuration file /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Find the following directives and change them as follows:

/etc/ssh/sshd_config

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

After that, save the file and restart the SSH service:

sudo systemctl restart ssh

At this point, password-based authentication is disabled.
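
Added example (not part of the original article): a shell check that reads an sshd_config-style file the way sshd does, where the first value read for a keyword wins and a later Match block can override it, to confirm that the edit above actually took effect. The function names and the sample file are constructed for illustration, and the fallback value of yes for both keywords is an assumption based on the OpenSSH defaults in Debian 10.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for password logins.
# sshd uses the FIRST value it reads for a keyword; keywords are
# case-insensitive; a "Match" line ends the global section.

# effective_value FILE KEYWORD DEFAULT -> value in force in the global section
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); val = dflt }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)       # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit            # global section ends here
            if (key == want && n >= 2) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# password_logins_disabled FILE -> status 0 only if both password-style
# mechanisms are off globally and no Match block sets PasswordAuthentication yes
# (Match-block lines are assumed to use whitespace, not "=", as separator)
password_logins_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] || return 1
    [ "$(effective_value "$1" ChallengeResponseAuthentication yes)" = no ] || return 1
    ! awk '
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) == "passwordauthentication" &&
            tolower($2) == "yes" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample: the new directive was appended at the bottom,
# but an earlier line still wins, so password logins remain enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server configuration
passwordauthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
EOF
if password_logins_disabled "$sample"; then
    echo "password logins disabled"
else
    echo "password logins STILL ENABLED (first value wins)"
fi
rm -f "$sample"
```

On the server, call password_logins_disabled /etc/ssh/sshd_config after editing; sudo sshd -t checks the file for syntax errors before the restart, and sudo sshd -T prints the configuration sshd will actually apply.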

Conclusion

We showed you how to generate a new SSH key pair and set up SSH key based authentication. You can use the same key to manage multiple remote servers. You also learned how to disable SSH password authentication and add an extra layer of security to your server.

By default, SSH listens on port 22. Changing the default SSH port reduces the risk of automated attacks. To simplify your workflow, use an SSH config file to define all of your SSH connections.

If you have any questions or feedback, do not hesitate to leave comments.
