
Securing SSH with Key Authentication | Debian/Linux Guide


Published: Jan 17, 2024
Last Edit: Jan 17, 2024

Introduction

In this guide, we will walk you through the process of setting up SSH key authentication in Debian/Linux. SSH key authentication provides an extra layer of security compared to password authentication.

Creating an SSH Keypair

To set up SSH key authentication, you first need to generate an SSH keypair. We’ll cover two methods.

PuTTYGen

Download PuTTYGen from here and open it. Select the RSA key type and set the key size to 2048 bits. Move your mouse randomly over the blank area to generate a random key. Once the key is generated, save the public and private keys in a secure location.

ssh-keygen CLI

A ton of operating systems come with a built-in program called ssh-keygen. You can use it to generate keys very quickly. Open a terminal and run the following command:

ssh-keygen -t rsa -b 2048

This command generates an RSA keypair with a key size of 2048 bits. You can adjust the key size according to your preference. When prompted, choose the directory where you want to save the keys. It is recommended to back up your keys in a secure location, as losing them will deny you access to your server.

Saving the Public Key on the Server

Now that you have generated your SSH keypair, you need to save the public key on the server. This allows you to authenticate using your private key.

First, create a directory to hold the SSH key, and create the necessary file if it doesn’t exist already.

# Run these as the user who will log in, without sudo: sshd reads
# authorized_keys as that user, so root-owned files here break key login.
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys

Double-check the permissions by running the following commands:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

These commands set the permissions for the SSH directory to 700 and the authorized_keys file to 600, so that only the owner can access them: read, write and enter the directory, and read and write the file.

Adding the Public Key to the authorized_keys File

Open the authorized_keys file for editing by running the following command:

nano ~/.ssh/authorized_keys

If you prefer to edit the file at a later time or encounter any errors, you can use the touch command to create the file and then edit it.

Paste your public key into the file and save the changes by pressing Ctrl + S and then Ctrl + X.

Connecting to the Server with SSH Key Authentication

Now that you have set up SSH key authentication on the server, you can connect to it using your private key. We’ll cover two methods: using PuTTY and using Visual Studio Code with the Remote SSH extension.

Using PuTTY

If you are using PuTTY, open the PuTTY application and load your saved session. Enter the hostname and port number (default is 22) of your server. Navigate to the SSH section and select the private key file you generated earlier. Save the session and click “Open” to connect to the server. You will be prompted to enter your username and passphrase (if you set one). Once authenticated, you will have access to your server.

Using Visual Studio Code with Remote SSH

If you prefer to use Visual Studio Code with the Remote SSH extension, open Visual Studio Code and press F1 to open the command palette. Search for Remote SSH: Configure SSH Hosts and select it. In the configuration file, add a new server entry with the hostname, username, and path to your private key file. Save the file and press F1 again, this time search for “Remote SSH: Connect to Host” and select your server. Enter your passphrase when prompted, and you will be connected to your server.

Disabling Root User and Password Logins

To further enhance the security of your SSH connection, it is recommended to disable root user and password logins. This ensures that you can only connect to the server using SSH key authentication.

Open the SSHD config file for editing by running the following command:

sudo nano /etc/ssh/sshd_config

To disable root user login: search for the line that says PermitRootLogin and change the value from yes to no. This disables root user login via SSH.

To disable password (normal) authentication, and require a key: search for the line that says PasswordAuthentication and change the value from yes to no. This disables password authentication, allowing only SSH key authentication.

To prevent brute force attacks, it is recommended to lower the maximum number of authentication retries. Search for the line that says MaxAuthTries and set the value to a lower number, such as 4.

Finally, save the changes to the SSHD config file by pressing Ctrl + S and then Ctrl + X. Restart the SSH service by running the following command:

sudo service ssh restart
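
Changing a line in /etc/ssh/sshd_config does not guarantee that sshd uses it: Debian's stock file includes /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword. The script below is an added example, not part of the original guide, that checks the effective settings printed by sudo sshd -T against the values set above. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit effective sshd settings against this guide's values.
# Real use:  sudo sshd -T | audit_sshd 4     (-T prints the effective config)

# Constructed sample of `sshd -T` output where passwords are still enabled.
SAMPLE_BAD='permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6'

# expect NAME ACTUAL WANTED: print a verdict line; return 1 on mismatch.
expect() {
    if [ "$2" = "$3" ]; then
        echo "ok   $1 $2"
    else
        echo "FAIL $1 $2 (want $3)"
        return 1
    fi
}

# audit_sshd [MAX_TRIES]: read "keyword value" lines (lowercase keywords, as
# sshd -T prints them) on stdin; the return status is the number of failures.
audit_sshd() {
    max_tries=${1:-4}
    pw=unset; root=unset; pubkey=unset; tries=unset
    while read -r key value rest; do
        case $key in
            passwordauthentication) pw=$value ;;
            permitrootlogin)        root=$value ;;
            pubkeyauthentication)   pubkey=$value ;;
            maxauthtries)           tries=$value ;;
        esac
    done
    fails=0
    expect passwordauthentication "$pw" no    || fails=$((fails + 1))
    expect permitrootlogin "$root" no         || fails=$((fails + 1))
    expect pubkeyauthentication "$pubkey" yes || fails=$((fails + 1))
    case $tries in
        ''|*[!0-9]*) within=no ;;   # missing or not a number
        *) if [ "$tries" -le "$max_tries" ]; then within=yes; else within=no; fi ;;
    esac
    expect "maxauthtries($tries)<=$max_tries" "$within" yes || fails=$((fails + 1))
    return "$fails"
}

# Demo on the constructed sample: reports two failed checks.
printf '%s\n' "$SAMPLE_BAD" | audit_sshd 4 || echo "checks failed: $?"
```

Running sudo sshd -t before the restart also catches syntax errors in the file, and keeping your current session open until a new key-based login succeeds avoids locking yourself out.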

Verifying SSH Key Authentication

To verify that SSH key authentication is working correctly, try connecting to your server using a username and password. You should see a “Permission denied (publickey)” message, indicating that password authentication is disabled.

Assuming you receive an error when trying to connect using a normal password, but are able to connect using the key pair, then congratulations. Everything is set up the way that it needs to be.

TroubleChute © Wesley Pyburn (TroubleChute)