Secure remote access to Linux servers using SSH keys

Last edited on 2024-10-22 Tagged under  #ssh   #server   #encrypt   #network   #debian   #lmde   #linux 

Disable password logins and switch to SSH key-based authentication to secure access to remote servers.

SERVER is running Debian and is configured for SSH logins from a (Debian) Linux CLIENT.

1. Install

On the SERVER:

$ sudo apt install openssh-server

On the CLIENT:

$ sudo apt install openssh-client

2. Create ~/.ssh

On both the SERVER and the CLIENT create an SSH directory in the user's $HOME:

$ mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys

3. Generate keys

Generate an SSH key pair on the CLIENT:

$ ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)"
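A wrong mode on ~/.ssh or on the files inside it is the most common reason key logins fail with an unexplained "Permission denied": sshd (with its default StrictModes) ignores an authorized_keys file that is group- or world-writable, and ssh refuses a private key that others can read. The following audit script is an added example, not part of the post; it checks the directory created in step 2 and the key files created in step 3 (and, on the SERVER, the authorized_keys that step 5 fills), assumes GNU stat as shipped on Debian, and the function name audit_ssh_dir is my own:

```shell
#!/bin/sh
# Audit ownership and permissions of an SSH directory (added example, not
# from the post). Prints one line per finding and returns 0 only if clean.
# Assumes GNU stat (Debian).
#
# Usage:  sh audit_ssh_dir.sh ~/.ssh

# audit_ssh_dir DIR
audit_ssh_dir() {
    dir="$1"
    rc=0
    me=$(id -u)
    mode=$(stat -c '%a' "$dir") || return 2
    if [ "$(stat -c '%u' "$dir")" != "$me" ]; then
        echo "FAIL $dir is not owned by uid $me"; rc=1
    fi
    if [ "$mode" != "700" ]; then
        echo "FAIL $dir is mode $mode, want 700"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        mode=$(stat -c '%a' "$f")
        case "$name" in
            *.pub|known_hosts|config)
                # Public data: must merely not be writable by group or others.
                # 0$mode makes the shell read the stat output as octal.
                if [ $(( 0$mode & 022 )) -ne 0 ]; then
                    echo "FAIL $name is mode $mode, must not be group/world-writable"; rc=1
                else
                    echo "ok   $name $mode"
                fi ;;
            authorized_keys|id_*)
                # Private keys and the server-side trust list: owner-only.
                if [ "$mode" != "600" ]; then
                    echo "FAIL $name is mode $mode, want 600"; rc=1
                else
                    echo "ok   $name $mode"
                fi ;;
            *)
                echo "skip $name (unknown file)" ;;
        esac
        if [ "$(stat -c '%u' "$f")" != "$me" ]; then
            echo "FAIL $name is not owned by uid $me"; rc=1
        fi
    done
    return "$rc"
}

# Run directly: audit the directory given on the command line.
if [ "$#" -eq 1 ]; then
    audit_ssh_dir "$1"
fi
```

Run it on both CLIENT and SERVER after step 5; a non-zero exit status means at least one FAIL line was printed, and the fix is the chmod from step 2.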

4. Add key to current console

Load the key into the SSH agent by running ssh-add:

$ ssh-add
Enter passphrase for /home/<username>/.ssh/id_ed25519:
Identity added: /home/<username>/.ssh/id_ed25519 (/home/<username>/.ssh/id_ed25519)

Every ssh login started during this session will use the decrypted key that the agent now holds in memory.

5. Upload key

Upload the public key to the SERVER (replacing my_server_ip_address with your own) and append it to the server's authorized_keys file:

$ ssh-copy-id -i ~/.ssh/id_ed25519.pub my_server_ip_address

Verify login to SERVER using key-based authentication:

$ ssh -o PasswordAuthentication=no my_server_ip_address

6. Disable password logins

On the SERVER, open sshd_config for editing:

$ sudo vim /etc/ssh/sshd_config

Make the following changes:

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

Save changes, and restart SSH:

$ sudo systemctl restart ssh

While remaining logged into the server, open another terminal and verify the changes by attempting a new login using password authentication from CLIENT (which should fail):

$ ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no my_server_ip_address
my_username@my_server_ip_address: Permission denied (publickey).

Verify key-based authentication continues to work as before:

$ ssh my_server_ip_address

SERVER is now secured to accept only SSH key authentication for logins.

7. Alias

On the CLIENT, create/edit the ~/.ssh/config file:

$ sudo vim ~/.ssh/config

Add an alias with the SSH login options for the server. Example:

Host ssh-vps
  HostName 178.123.1.234

Now, a login to SERVER is simply:

$ ssh ssh-vps

8. (Extra) Change SSH port

By default, SSH listens on port 22 for connections. Changing this to a dynamic or private port between 49152 and 65535 will frustrate automated attacks that only probe the default port.

On the SERVER, re-open sshd_config for editing:

$ sudo vim /etc/ssh/sshd_config

Change:

#Port 22

Uncomment the setting, and set port (for example) to 52222:

Port 52222

Save changes, and restart SSH:

$ sudo systemctl restart ssh
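On Debian, /etc/ssh/sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and a drop-in there takes precedence over the lines edited in step 6, so reading sshd_config alone does not prove that password logins are off. `sudo sshd -T` prints the effective configuration after all includes are merged. The script below is an added example, not from the post: it reads a saved `sshd -T` dump and checks the four directives from step 6, plus any extra key=value expectations such as the port from step 8. The function name check_sshd_dump and the two constructed sample dumps are mine, not captured from a real host:

```shell
#!/bin/sh
# Check sshd hardening against the server's effective configuration
# (added example, not from the post). Input is the output of `sudo sshd -T`,
# one lowercase "keyword value" per line.
#
# Usage on the SERVER:
#   sudo sshd -T > /tmp/sshd-effective.txt
#   sh check_sshd.sh /tmp/sshd-effective.txt             # step 6 only
#   sh check_sshd.sh /tmp/sshd-effective.txt port=52222  # step 6 plus step 8

# check_sshd_dump FILE [key=value ...]
# Prints one line per directive; returns 0 only if every expectation is met.
check_sshd_dump() {
    file="$1"; shift
    rc=0
    for want in \
        permitrootlogin=no \
        pubkeyauthentication=yes \
        passwordauthentication=no \
        kbdinteractiveauthentication=no \
        "$@"
    do
        key=$(printf '%s' "${want%%=*}" | tr 'A-Z' 'a-z')
        value=$(printf '%s' "${want#*=}" | tr 'A-Z' 'a-z')
        # sshd -T prints lowercase keywords; take the last line if one repeats.
        actual=$(awk -v k="$key" 'tolower($1) == k { print tolower($2) }' "$file" | tail -n 1)
        if [ "$actual" = "$value" ]; then
            echo "ok   $key $actual"
        else
            echo "FAIL $key ${actual:-<unset>} (want $value)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample dumps so the check can be exercised offline.
# A real `sshd -T` dump has many more lines.

# What a server hardened by steps 6 and 8 should report.
sample_hardened_dump() {
    cat <<'EOF'
port 52222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
EOF
}

# Debian's stock defaults before step 6 (passwords still accepted).
sample_default_dump() {
    cat <<'EOF'
port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
EOF
}

# Run directly: check the dump file given on the command line.
if [ "$#" -ge 1 ]; then
    check_sshd_dump "$@"
fi
```

Any FAIL line for passwordauthentication or kbdinteractiveauthentication means a drop-in file or a Match block is still overriding step 6; look in /etc/ssh/sshd_config.d/ before the test in step 6 is trusted.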

On the CLIENT, re-open config for editing:

$ sudo vim ~/.ssh/config

Add the Port setting to the existing alias:

Host ssh-vps
  HostName 178.123.1.234
  Port 52222

Save changes, and verify everything is in order:

$ ssh ssh-vps

Done!
