How To Set Up SSH Keys on Debian 10

SSH or Secure Shell is an encrypted protocol for administering and communicating with servers. As you learn to use SSH on a Debian 10 s...

SSH or Secure Shell is an encrypted protocol for administering and communicating with servers. As you learn to use SSH on a Debian 10 server, you will find yourself spending all of your time in a terminal session connected to your server using SSH.

Let's go through the steps of this article to see how simple and secure it is to Set Up SSH Keys on Debian 10. And use SSH keys to log into your server. Apart from these characteristics, it is suitable for all users.

1. How To Create the RSA Key Pair

First, let’s create a key pair on the client machine.

ssh-keygen

Output:

Generating public/private RSA key pair.  Enter file in which to save the key (/your_home/.ssh/id_rsa):

1. The default behavior of ssh-keygen is to generate a 2048-bit RSA key pair. You can ensure your security by doing so. Also, keep in mind that the -b 4096 options can be used to generate a bigger 4096-bit key.
2. Remember to replace your intended name or email address in the prompted lines of commands.

You must now save the key pair in your home directories.ssh/ subdirectory or select a different path. To do so, use the enter key.

You may have already generated an SSH key pair. If you answer yes, you will see the following prompt:

Output:

/home/your_home/.ssh/id_rsa already exists.  Overwrite (y/n)?

Please be advised that if you choose yes, you will not be able to change your mind. So, whenever you are certain, choose to overwrite the key on the disc. Because you will no longer be able to authenticate with the previous key.

The result will then look like this.

Output:

Enter passphrase (empty for no passphrase):

You may now enter a safe password (optionally). As you can see, pass adds an extra degree of security to prevent unauthorized people from signing in.

Then you'll see the following output:

Output:

Your identification has been saved in /your_home/.ssh/id_rsa.  Your public key has been saved in /your_home/.ssh/id_rsa.pub.  The key fingerprint is:  a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 username@remote_host  The key's randomart image is:  +--[ RSA 2048]----+  |     ..o         |  |   E o= .        |  |    o. o         |  |        ..       |  |      ..S        |  |     o o.        |  |   =o.+.         |  |. =++..          |  |o=++.            |  +-----------------+

As a result, you have a public and private key that you may use to authenticate yourself. Now, try to install the public key on your server so that you can log in using SSH-key-based authentication.

2. How To Copy the Public Key to Debian Server

Let's check what the quickest method is for copying your public key to the Debian host. You can use the ssh-copy-id program. Here is a straightforward strategy that is highly recommended. If you do not have access to an ssh-copy-id on your client machine. In this part, you will find two alternative techniques.

How To Copy Public Key Using ssh-copy-id

Because it is included by default in many operating systems, you may have the ssh-copy-idtool on your local system. To make this approach function, the password-based SSH must be available.

The ideal approach to utilise the application is to indicate the remote host to which you want to connect as well as the user account to whom you have password SSH access. This is the account to which your public SSH key will be cloned, as you might expect.

Here is the considered command:

ssh-copy-id username@remote_host

Output:

The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.  ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.  Are you sure you want to continue connecting (yes/no)? yes

The output above indicates that your local computer does not identify the distant host. Because this is your first time connecting to a new host. As usual, input "yes" and press ENTER to proceed.

The tool will then search your local account for the id rsa.pub key that you produced previously. When the key is found, you will be prompted for the remote user's account password.

Output:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed  /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys  username@203.0.113.1's password:

Now, type in the password and press ENTER. So using the password you provided, the utility will connect to the account on the remote host. After that, it will then copy the contents of your ~/.ssh/id_rsa.pub key into a file in the remote account’s home ~/.ssh directory called authorized_keys.

Now, you see an output like the below:

Output

Several keys (s) added: 1    Now try logging into the machine, with "ssh 'username@203.0.113.1'"  and check to make sure that only the key(s) you wanted were added.

Now, you can make sure that your id_rsa.pub key has been uploaded to the remote account.

How to Copy Public Key Using SSH

You can upload your keys via a traditional SSH approach if you don't have ssh-copy-id but have password-based SSH access to an account on your server.

You may do this by letting the cut command read the contents of the public SSH key on your local computer and pipe that across an SSH connection to the remote server.

You can also ensure that the /.ssh directory exists and that the account you are using has the proper permissions.

As a result, within this directory, you can export the material we piped over into a file called authorized keys. Instead of overwriting the text, you can attach it by using the >> redirect sign. You can use this to add keys without removing previously added keys.

The complete command is as follows:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

Output:

The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.  ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.  Are you sure you want to continue connecting (yes/no)? yes

By receiving this output you can see that your local computer does not recognize the remote host. As always type “yes” and press ENTER to continue.

In the following, you will be prompted to enter the remote user account password:

Output:

username@203.0.113.1's password:

When you input your password, the content of your id rsa.pub key is copied to the end of the remote user's authorized keys file.

How To Copy Public Key Manually

If you do not have password-based SSH access to your server, try to perform the following process manually.

The content of your id rsa.pub file will be manually appended to the /.ssh/authorized keys file on your remote system.

To view the contents of your id rsa.pub key, run the following command on your local computer.

cat ~/.ssh/id_rsa.pub

Output:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== demo@test

Try to connect to your remote host and then verify that the /.ssh directory exists. If the directory does not already exist, the next command will create it if necessary.

mkdir -p ~/.ssh

It is time to modify the authorized_keys file within this directory. Also, you can add the contents of your id_rsa.pub file to the end of the authorized_keys file.

echo public_key_string >> ~/.ssh/authorized_keys

In the above command, substitute the public_key_string with the output from the cat ~/.ssh/id_rsa.pub command that you executed on your local system. It should start with ssh-RSA AAAA….

Finally, type the below command to make sure that the ~/.ssh directory and authorized_keys file have the appropriate permissions set:

chmod -R go= ~/.ssh

Using this command causes removing all “group” and “other” permissions for the ~/.ssh/ directory.

Please consider that in case you are using the root account to set up keys for a user account, it’s also important that the ~/.ssh directory belongs to the user and not to root:

chown -R noodi:noodi ~/.ssh

Our user in this instruction is named noodi, as you might expect, but you should substitute the relevant username into the above command.

You can now try passwordless authentication with your Debian server.

3. How to Authenticate to Debian Server Using SSH Keys

If all of the previous steps were successful, you should be able to get into the remote host without the remote account's password.

ssh username@remote_host

Output:

The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.  ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.  Are you sure you want to continue connecting (yes/no)? yes

When you connect to this host for the first time, you will see the output shown above.

Furthermore, it indicates that your local computer does not identify the distant host. To proceed, type "yes" and then hit ENTER.

As a result, if you did not provide a passphrase for your private key, you will be logged in immediately. If you provided a password for the private key when you created it, you will be required to input it now. After all, when the authentication process is complete, a new shell session with the configured account should open for you on the Debian server.

If key-based authentication was successful, you can proceed to discover how to further safeguard your system by removing password authentication.

4. How To Disable Password Authentication on your Server

If you have successfully configured SSH-key-based authentication for your account, you can log in using SSH without a password in this step. Please keep in mind that, even if your password-based authentication system is still operational, your server is still vulnerable to brute-force attacks.

Check to see if you have SSH-key-based authentication configured for the root account on this server, or preferable, for a non-root account with sudo rights on this server.

You will see how it will shut down password-based logins from now on, so ensuring that you will still have administrative access is critical.

When you've checked that your remote account has administrative access, log in with SSH keys. And it is possible to do to root or with a sudo-enabled account. Then, open the configuration file for the SSH daemon:

sudo nano /etc/ssh/sshd_config

Inside the file, search for a directive called PasswordAuthentication. This may be commented out. Uncomment the line and set the value to “no”. This will disable your ability to log in via SSH using account passwords:

/etc/ssh/sshd_config

...  PasswordAuthentication no  ...

When you're finished, you can save and close the file. This is accomplished by pressing CTRL + X, then Y to confirm saving the file, and lastly ENTER to quit nano.

To restart the sshd service and apply these changes, do the following:

sudo systemctl restart ssh

To add further security, create a new terminal window and verify that the SSH service is operational before exiting the current session:

ssh username@remote_host

After you have confirmed your SSH service, you can close all ongoing server sessions. Also, keep in mind that your Debian server's SSH daemon now only responds to SSH keys. Password authentication has been successfully disabled.

Conclusion

You have completed all four parts of this guide and now know how to Set Up SSH Keys on Debian 10. You might also be interested in learning more about SSH on other servers.