How to Generate & Set Up SSH Keys on Debian 10

September 14, 2020

Introduction

SSH stands for Secure Shell and works as a method to establish remote connections between computers. SSH is usually used to log in and manage a remote server.

This guide will help you generate an SSH key pair on Debian 10 Linux.

How to Set Up and Generate SSH Keys on Debian.

Prerequisites

  • A system running Debian 10 Linux
  • SSH configured on both the client and the remote system. (Learn how to enable SSH on Debian.)
  • Access to a terminal window / command line (Activities > Search > Terminal)
  • A user account with sudo or root privileges for the local system
  • A user account and hostname for the remote server

About SSH Keys: SSH uses a pair of keys to encrypt and decrypt data – a public key and a private key. If a private key is used to encrypt the data, only the corresponding public key can decrypt it.

Step 1: Check for Existing Keys

If the system has already connected to the remote server via SSH, it may already have SSH keys. Check for any pre-existing keys by entering the following command into a terminal window:

ls -l ~/.ssh/id*

If the system responds that there is no such file or directory, the system has no SSH keys.

Check yo see if you have existing SSH keys.

If the system lists a file, it has an SSH key pair. To continue using this key pair, skip ahead to Step 3. Alternately, back up this key pair, then proceed to generate a new SSH key pair.

Step 2: Create an SSH Key Pair

This step creates a public and private SSH key.

1. In the terminal, enter the following command:

ssh-keygen

2. By default, this creates a 2048-bit RSA key pair. For added security, a 4096-bit RSA key pair can be added using the -b 4096 option as follows:

ssh-keygen -b 4096

The system processes the request and then prompts for the location to save the key pair. By default, it uses ~/.ssh/id_rsa. That is the /.ssh directory in the home directory.

3. Press Enter to accept this location unless there’s a need to use a different location.

4. If a key already exists on this system, it will now prompt to overwrite the old key. Press y to continue.

Create a 4096-bit RSA key pair on Debian.

Note: Overwriting the old key destroys it. The system will no longer be able to authenticate using the old key.

5. Next, the system prompts you to enter and confirm a passphrase. This is an added layer of ssh security, forcing users to enter the passphrase when connecting via SSH. Set and confirm a passphrase, or leave it blank to skip this step.

6. Finally, the system displays the identification and public key location, the key fingerprint, and the key’s randomart image.

Location of the public key fingerprint.and SSH

Step 3: Copy the Public Key to the Remote Server

Copy the public key to the remote server to pair the SSH keys correctly:

1. The easiest method is to enter the following command:

ssh-copy-id user@hostname

Replace user with the actual username for the remote system. Also, replace hostname with the actual hostname of the remote computer. The IP address of the remote system may be used instead of the hostname.

2. The system now attempts to connect to the remote system using the username you provided. On the first connection, the system may respond that the host’s authenticity cannot be established. Type yes and press Enter.

3. The system scans the local system for the id_rsa.pub key that was generated in Step 2. Then it will prompt for the password for the user account on the remote system. Enter the password and press Enter.

Note: The password will not be displayed. Use the password for the user account specified in the previous step.

4. The system should display the number of keys added: 1. Then it displays instructions for logging in to the remote system. You may enter the command as displayed on your screen.

Note: By default, Debian 10 includes the ssh-copy-id command. If it’s not included, it can be installed as part of the openssh-server package by entering: sudo apt-get install openssh-server.

Step 3.1: Manually Copying the SSH Public Key to the Remote Server

If it’s not possible to copy the SSH key automatically, the key can be copied manually.

1. First, display the SSH key with the following command:

cat ~/.ssh/id_rsa.pub

The system should display the SSH public key that was just created. It should start with:

ssh-rsa AAAA

2. Make a note of this string of characters.

Display the SSH key on Debian manually

3. Next, access the remote server. Open a terminal and create a new ssh directory by entering the following:

sudo mkdir -p ~/.ssh

Note: If the ~/.ssh directory already exists, the command will exit without making changes.

5. Next, add the public key to the authorized_keys file by entering the following:

sudo echo ssh_public_key >> ~/.ssh/authorized_keys

Replace ssh_public_key with the actual public key displayed by the cat command.

6. Set the correct permissions for the new directory:

sudo chmod -R go= ~/.ssh

7. If you’re using the root Debian user account on the server, the directory owner must be set to the user account that will be logging in remotely to the server:

sudo chown -R user:user ~/.ssh

Step 4: Log in Remotely Using SSH

1. From the client system, open a terminal window and enter the following:

ssh user@hostname

2. The system may display that the authenticity of the host can’t be established. Type yes and press Enter.

3. If you set a passphrase during Step 2, enter it when prompted.

You should now have an SSH connection to the remote server.

Step 5: Disable Password Authentication (Optional)

Disabling password authentication is a security precaution. It prevents brute-force attacks against attempting to log in to the server.

Before continuing, double-check to make sure:

  • You can log into the server without a password (such as using an SSH connection with a key pair, detailed in this article).
  • You are logging into the server with a sudo user account.

1. Start by logging into the remote server:

ssh user@hostname

This username should have sudo privileges.

2. Next, edit the sshd_config file in a text editor of your choice (we are using nano):

sudo nano /etc/ssh/sshd_config

3. Find and modify the following lines to look as follows:

PasswordAuthentication no

ChallengeResponseAuthentication no

UsePAM no

4. Write the changes, then exit the editor. Restart the SSH service by entering the following:

sudo systemctl restart ssh

The system now no longer allows password authentication for logins.

Conclusion

Now you can to configure and connect to a remote system using SSH key pairs. Learn more SSH commands in this tutorial.

Was this article helpful?
YesNo
Sofija Simic
Sofija Simic is an experienced Technical Writer. Alongside her educational background in teaching and writing, she has had a lifelong passion for information technology. She is committed to unscrambling confusing IT concepts and streamlining intricate software installations.
Next you should read
How to Use SSH Port Forwarding
May 18, 2020

This article demonstrates 3 distinct methods used to port forward SSH connections. It examines the syntax of...
Read more
How to Set Up Passwordless SSH Login
April 15, 2020

Speed up connecting to remote servers by enabling passwordless SSH login via public key authentication. In...
Read more
How to Fix "ssh_exchange_identification: read: Connection reset by peer" Error
January 19, 2024

This article deals with the most common causes of the "ssh_exchange_identification: read: Connection reset by...
Read more
How to Transfer Files with Rsync over SSH
January 31, 2020

Rsync is a Linux tool that allows you to transfer data over SSH to a remote server securely. Use the options...
Read more