Skip to Content

Secure remote access using SSH keys

Posted on

🐧 Home Server :: Create cryptographic keys and disable password logins to make remote machines more secure.

Let’s go!

Server is a netbook running Debian configured for SSH logins from a Linux client.

0. Install

On the server

Install openssh-server and create an SSH configuration in the home directory of users who requires access to the system …

sudo apt install openssh-server                                           
mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys

Collect key fingerprints …

ssh-keygen -lf /etc/ssh/ >> ~/.ssh/keys.txt               
ssh-keygen -lf /etc/ssh/ >> ~/.ssh/keys.txt             
ssh-keygen -lf /etc/ssh/ >> ~/.ssh/keys.txt               

… and give keys.txt to users to compare signature when connecting for the first time.

On the client

Install openssh-client and create the SSH folder in $HOME

sudo apt install openssh-client                                             
mkdir ~/.ssh && chmod 700 ~/.ssh                                                

Create ~/.ssh/config to hold aliases with the login options for a server. Example …

Host netbook.lan
Port 22                                                                      
User foo

Test SSH password login to the server …

ssh netbook.lan
    foo@'s password: 
    Last login: Thu Feb 19 18:07:48 2015 from chromebook.lan

Optional: Use Dynamic DNS (DDNS) to configure access to a home server from outside the local area network (LAN).

1. Keys

On the client

Generate SSH keys …

ssh-keygen -t rsa -C "$(whoami)@$(hostname)-$(date -I)" 

Upload the public key to the server and append to ~/.ssh/authorized_keys

cat ~/.ssh/ | ssh netbook.lan "cat >> ~/.ssh/authorized_keys"        

Graphical display managers like gdm will automatically check a user account for SSH keys upon login. A pop-up box will prompt for the passphrase and the key will be added to the desktop session.

If logging into a console, tell SSH that you have keys by running ssh-add

    Enter passphrase for /home/foo/.ssh/id_rsa:
    Identity added: /home/foo/.ssh/id_rsa (/home/foo/.ssh/id_rsa)

All SSH sessions launched from this console will access this user key stored in memory. Make sure to test the connection before disabling password logins …

ssh netbook.lan
    Last login: Thu Feb 19 18:22:42 2015 from chromebook.lan

No request for passphrase indicates SSH key authentication is properly configured.

2. Disable password logins

On the server

Make the following modifications in /etc/ssh/sshd_config

PermitRootLogin no
PubkeyAuthentication yes                                                    
ChallengeResponseAuthentication no                                          
PasswordAuthentication no                                                   
UsePAM no                                                                   

Restart SSH …

sudo systemctl restart ssh

3. Key management

Keychain is an OpenSSH key manager. From the package description …

When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/$HOSTNAME-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.

On the client

Install …

sudo apt install keychain                                             

Configure ~/.bashrc

# setup keychain - ssh-agent management                                     
keychain ~/.ssh/id_rsa                                                      
. ~/.keychain/$HOSTNAME-sh                                                  

Flush all cached keys from memory …

keychain --clear                  

Optional: If using tmux enable persistent SSH key management across sessions by editing ~/.tmux.conf


Happy hacking!