Secure remote access using SSH keys

Last edited on 2021-03-08. Tagged under #ssh #network #debian #lmde #linux #homeServer

Disable password logins and switch to SSH key-based authentication to secure access to remote machines.

Let's go!

The server is running Debian and is set up to accept SSH logins from a Linux client.

1. On the server: Install

Install openssh-server ...

$ sudo apt install openssh-server

Create an SSH configuration directory in the home directory of each user who requires access to the system ...

$ mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys

2. On the client: Install

Install openssh-client and create the SSH folder in $HOME ...

$ sudo apt install openssh-client
$ mkdir ~/.ssh && chmod 700 ~/.ssh

Create ~/.ssh/config to hold aliases with the login options for a server.

Example ...

Host laptop-server.lan
HostName 192.168.1.88
Port 22
User foo

Test the SSH password login to the server ...

$ ssh laptop-server.lan
foo@192.168.1.88's password: 

3. On the client: Generate keys

$ ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)"

4. On the client: Upload key to server

Upload the public key to the server and append it to ~/.ssh/authorized_keys ...

$ ssh-copy-id -i ~/.ssh/id_ed25519.pub laptop-server.lan

Load the private key into the running ssh-agent with ssh-add ...

$ ssh-add
Enter passphrase for /home/foo/.ssh/id_ed25519:
Identity added: /home/foo/.ssh/id_ed25519 (/home/foo/.ssh/id_ed25519)

All SSH sessions launched from this console will use the key now held in the agent's memory.

Make sure to test the connection before disabling password logins ...

$ ssh laptop-server.lan

If neither a server password nor a key passphrase is requested, SSH key authentication is properly configured.

5. On the server: Disable password logins

Make the following modifications in /etc/ssh/sshd_config ...

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no

Restart SSH ...

$ sudo systemctl restart ssh
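As an added check for step 5 (example script, not part of the original post): sshd applies the first value it finds for each keyword, so a hardened line placed below an earlier "PasswordAuthentication yes" is silently ignored; this script reports any of the settings above whose effective value in a given sshd_config differs from what is intended. The config path argument and the REQUIRED list are this example's own assumptions.

```shell
#!/bin/sh
# Added check for step 5 (not from the original post): verify that an
# sshd_config really yields the intended settings before restarting sshd.
# sshd keeps the FIRST value it sees for a keyword; keywords are
# case-insensitive; "Key value" and "Key=value" are both valid; lines after
# a Match block are conditional, not global, so they are skipped here.

# Keyword=value pairs expected by the post's step 5 (lowercase for comparison).
REQUIRED="permitrootlogin=no pubkeyauthentication=yes passwordauthentication=no kbdinteractiveauthentication=no usepam=no"

# Print the effective global value of keyword $2 in config file $1 ("" if unset).
sshd_effective_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/#.*/, "", line)            # drop comments
            sub(/^[ \t]+/, "", line)        # drop leading whitespace
            if (line == "") next
            split(line, f, /[ \t=]+/)       # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") in_match = 1  # everything below is conditional
            if (in_match) next
            if (k == key) { print tolower(f[2]); exit }   # first value wins
        }' "$1"
}

# Report each required keyword whose effective value differs; return 0 only if all pass.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: %s is %s, expected %s\n' "$cfg" "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
# This static check does not follow Include lines; "sudo sshd -T" prints the
# configuration sshd actually loads and is the authoritative cross-check.
if [ "$#" -gt 0 ]; then
    check_sshd_hardening "$1" || exit 1
fi
```

Run it before the restart, and keep the current session open until a fresh key-based login from a second terminal succeeds.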

6. On the client: Key management

Keychain is an OpenSSH key manager. From the package description ...

When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/$HOSTNAME-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.

Install ...

$ sudo apt install keychain

Configure ~/.bashrc ...

# Use `keychain` for ssh-agent management
if [[ -x /usr/bin/keychain ]]; then
	keychain ~/.ssh/id_ed25519
	. "${HOME}/.keychain/${HOSTNAME}-sh"
fi

Flush all cached keys from memory ...

$ keychain --clear

If using tmux, enable persistent SSH key management across sessions by editing ~/.tmux.conf ...

set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY"