

Configure SSH Keys on Debian 9 System - How to do it ?

SSH (Secure Shell) is an encrypted protocol that allows a client system to communicate securely with a server. You can connect to your system remotely, perform administrative tasks and access files. Communicating with a server using SSH keys is more secure and more convenient than password authentication.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with SSH-related queries.

In this context, we shall look into how to create SSH keys on a Debian 9 system and the different ways to copy the public key to a server.


How to create SSH keys on Debian ?

Before performing this procedure, ensure that you are using a user with sudo privileges.

i. To begin, create a key pair on the client system using the command below:

$ ssh-keygen

ii. By default, ssh-keygen generates a 2048-bit RSA key pair. To create a larger 4096-bit key, pass the -b 4096 flag as below:

$ ssh-keygen -t rsa -b 4096

It should show output like below:

Output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):

iii. Hit the Enter key to save the key pair in the ~/.ssh directory, or specify a location of your choice.

After that, you will be prompted to enter a secure passphrase, as shown below. A passphrase adds an additional security layer to your keys. It is optional; if you don't want to set one, you can skip it by just hitting the Enter key.

Output
Enter passphrase (empty for no passphrase):

Next, you will see output like the following:

Your identification has been saved in /home/yourusername/.ssh/id_rsa.
Your public key has been saved in /home/yourusername/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+cxkUbcUyFc7jXMHnQNlm/2O8rj+yDyP5Rnt29ov8Bc yourusername@yourdomain.com
The key's randomart image is:
+---[RSA 2048]----+
|           ..oB*o|
|           .ooo*B|
|          .  .+=*|
|         . .   o+|
|        S o     .|
|         *  .  E |
|          + .o+ +|
|           o.Oo=o|
|           .O=B=B|
+----[SHA256]-----+

Now you have public and private keys which you can use to authenticate with your Debian server.

iv. You can also verify that the files were generated by typing:

$ ls ~/.ssh/id_*

It will show output like this:

/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub


How to Copy the Public Key to Debian Server ?

The next step is to place the public key on your Debian server. A simple and fast way to copy the public key is to use the ssh-copy-id utility.

Run the below command:

$ ssh-copy-id username@server_ip_address

You will be prompted to enter the password for your username:

Output
username@server_ip_address's password:

Once the user is authenticated successfully, the public key is appended to the remote user's ~/.ssh/authorized_keys file and the connection is closed.

Output
Number of key(s) added: 1

Now you can try logging in to your machine with the command ssh username@server_ip_address, and check that only the key(s) you wanted were added.

If your local system doesn't have the ssh-copy-id utility installed, you can use the following command to copy the public key:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

This method only works if you have password-based SSH access to your server.


How to Login to the Server using SSH Keys ?

Now, you should be able to log in to the remote machine without the remote user's password.

You can try to connect using the SSH command:

$ ssh username@server_ip_address

If this is your first time logging in, you may be prompted as follows.

Type yes and hit the Enter key to continue:

Output
The authenticity of host '192.168.27.18 (192.168.27.18)' can't be established.
ECDSA key fingerprint is ed:ed:f4:g9:66:ge:53:48:e1:55:00:fd:6d:d7:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

Now, if you haven't set a passphrase for your keys, you will be logged in immediately without being asked for one. Otherwise, you will be asked to enter the passphrase. After successful authentication, a new shell session will open with your user account on the Debian server.


How to Disable SSH Password Authentication ?

You can add one more security layer by disabling password authentication for SSH. Before starting, make sure that you are able to authenticate to your server without entering a password and that you have a sudo-enabled user account.

i. Log in to your server using ssh:

$ ssh username@server_ip_address

ii. Now edit the SSH configuration file located at /etc/ssh/sshd_config:

$ sudo nano /etc/ssh/sshd_config

iii. Find the PasswordAuthentication directive. If the line is commented out, uncomment it, and set the value to "no" as given below:

PasswordAuthentication no

iv. Save and close the file. You must then restart the SSH service using the command below:

$ sudo systemctl restart ssh

Now, password-based authentication is disabled on your Debian server.




Conclusion

This article covers how to create a new SSH key pair and set up SSH key-based authentication. You can set up the same key on multiple remote hosts. It also covers how to disable SSH password authentication. SSH stands for Secure Shell and works as a method to establish remote connections between computers. SSH is usually used to log in to and manage a remote server.

SSH key pairs can be used to authenticate a client to a server. The client creates a key pair and then uploads the public key to any remote server it wishes to access. This is placed in a file called authorized_keys within the ~/.ssh directory in the user account's home directory on the remote server.


To Disable Password Authentication:

Disabling password authentication is a security precaution. It prevents brute-force attacks that attempt to log in to the server.

1. Start by logging into the remote server:

$ ssh user@hostname

2. Next, edit the sshd_config file in a text editor of your choice (we are using nano):

$ sudo nano /etc/ssh/sshd_config

3. Find and modify the following lines to look as follows:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

4. Write the changes, then exit the editor. Restart the SSH service by entering the following:

$ sudo systemctl restart ssh
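
The check below is an added example, not part of the original article: a shell sketch that audits an sshd_config file after the edits made in the two password-disabling procedures above. It relies on sshd using the first value it reads for each keyword; the function names and the sample files are constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: sshd keeps the FIRST value it reads for a keyword; keywords
# are case-insensitive, and commented-out lines do not count.

# Print the first global value (before any Match block) of keyword $2 in
# file $1, or the fallback $3 when the keyword is never set.
sshd_effective() {
    awk -v want="$2" -v fallback="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }  # trim the line
        /^#/ || /^$/ { next }                         # comment or blank
        {
            key = tolower($0); sub(/[ \t=].*$/, "", key)
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            if (key == "match") exit                  # Match blocks not evaluated
            if (key == tolower(want)) { print val; found = 1; exit }
        }
        END { if (!found) print fallback }
    ' "$1"
}

# Succeed only if both password and keyboard-interactive logins are off.
# The "yes" fallbacks are the OpenSSH built-in defaults for both keywords.
password_login_disabled() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = no ]
}

# Constructed sample: "no" was appended at the end of the file, but an
# earlier uncommented "yes" wins, so password logins are still enabled.
write_sample_bad() {
    printf '%s\n' '#PasswordAuthentication no' 'passwordauthentication yes' \
        'ChallengeResponseAuthentication no' 'PasswordAuthentication no' > "$1"
}
# Constructed sample: the three lines from the article, each set once.
write_sample_good() {
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'UsePAM no' > "$1"
}

tmp=$(mktemp)
for sample in bad good; do
    "write_sample_$sample" "$tmp"
    if password_login_disabled "$tmp"; then
        echo "$sample: password logins disabled"
    else
        echo "$sample: password logins STILL ENABLED"
    fi
done
rm -f "$tmp"
```

On the server itself, sudo sshd -t validates the file before the restart, and sudo sshd -T prints the effective settings that sshd will actually use.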