Introduction
SSH stands for Secure Shell and works as a method to establish remote connections between computers. SSH is usually used to log in and manage a remote server.
This guide will help you generate an SSH key pair on Debian 10 Linux.
Prerequisites
- A system running Debian 10 Linux
- SSH configured on both the client and the remote system. (Learn how to enable SSH on Debian.)
- Access to a terminal window / command line (Activities > Search > Terminal)
- A user account with sudo or root privileges for the local system
- A user account and hostname for the remote server
About SSH Keys: SSH uses a pair of keys to encrypt and decrypt data – a public key and a private key. If a private key is used to encrypt the data, only the corresponding public key can decrypt it.
Step 1: Check for Existing Keys
If the system has already connected to the remote server via SSH, it may already have SSH keys. Check for any pre-existing keys by entering the following command into a terminal window:
ls -l ~/.ssh/id*
If the system responds that there is no such file or directory, the system has no SSH keys.
If the system lists a file, it has an SSH key pair. To continue using this key pair, skip ahead to Step 3. Alternately, back up this key pair, then proceed to generate a new SSH key pair.
Step 2: Create an SSH Key Pair
This step creates a public and private SSH key.
1. In the terminal, enter the following command:
ssh-keygen
2. By default, this creates a 2048-bit RSA key pair. For added security, a 4096-bit RSA key pair can be generated using the -b 4096 option as follows:
ssh-keygen -b 4096
The system processes the request and then prompts for the location to save the key pair. By default, it uses ~/.ssh/id_rsa, that is, the .ssh directory in the home directory.
3. Press Enter to accept this location unless there’s a need to use a different location.
4. If a key already exists on this system, it will now prompt to overwrite the old key. Press y to continue.
Note: Overwriting the old key destroys it. The system will no longer be able to authenticate using the old key.
5. Next, the system prompts you to enter and confirm a passphrase. This is an added layer of SSH security, forcing users to enter the passphrase when connecting via SSH. Set and confirm a passphrase, or leave it blank to skip this step.
6. Finally, the system displays the identification and public key location, the key fingerprint, and the key’s randomart image.
Step 3: Copy the Public Key to the Remote Server
Copy the public key to the remote server to pair the SSH keys correctly:
1. The easiest method is to enter the following command:
ssh-copy-id user@hostname
Replace user with the actual username for the remote system. Also, replace hostname with the actual hostname of the remote computer. The IP address of the remote system may be used instead of the hostname.
2. The system now attempts to connect to the remote system using the username you provided. On the first connection, the system may respond that the host’s authenticity cannot be established. Type yes and press Enter.
3. The system scans the local system for the id_rsa.pub key that was generated in Step 2. Then it will prompt for the password for the user account on the remote system. Enter the password and press Enter.
Note: The password will not be displayed. Use the password for the user account specified in the previous step.
4. The system should display the number of keys added: 1. Then it displays instructions for logging in to the remote system. You may enter the command as displayed on your screen.
Note: By default, Debian 10 includes the ssh-copy-id command. If it’s not included, it can be installed as part of the openssh-server package by entering: sudo apt-get install openssh-server
Step 3.1: Manually Copying the SSH Public Key to the Remote Server
If it’s not possible to copy the SSH key automatically, the key can be copied manually.
1. First, display the SSH key with the following command:
cat ~/.ssh/id_rsa.pub
The system should display the SSH public key that was just created. It should start with:
ssh-rsa AAAA
2. Make a note of this string of characters.
3. Next, access the remote server. Open a terminal and create a new .ssh directory by entering the following:
mkdir -p ~/.ssh
Note: If the ~/.ssh directory already exists, the command will exit without making changes.
4. Next, add the public key to the authorized_keys file by entering the following:
echo "ssh_public_key" >> ~/.ssh/authorized_keys
Replace ssh_public_key with the actual public key displayed by the cat command.
5. Set the correct permissions for the new directory:
chmod -R go= ~/.ssh
6. If you’re using the root Debian user account on the server, the directory owner must be set to the user account that will be logging in remotely to the server:
sudo chown -R user:user ~/.ssh
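An added example, not part of the original guide: a shell function that performs the manual copy from Step 3.1 for the logged-in account. It rejects input that is not a single public key line, skips a key that is already present, and creates ~/.ssh as 700 and authorized_keys as 600. The function name install_pubkey and the demo key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent version of Step 3.1.
# Usage: install_pubkey 'KEY LINE' [SSH_DIR]    (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    key_line=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # A pasted key must be exactly one line: "type base64-blob [comment]".
    case $key_line in
        *"$nl"*) echo "refusing multi-line input" >&2; return 2 ;;
    esac
    key_type=${key_line%% *}
    rest=${key_line#* }
    blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) echo "unrecognised key type: $key_type" >&2; return 2 ;;
    esac
    case $blob in
        AAAA*) ;;
        *) echo "key blob does not start with AAAA" >&2; return 2 ;;
    esac

    # Create the directory and file private to the owner from the start.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Compare type and blob only, so a different comment is not a new key.
    if awk -v t="$key_type" -v b="$blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
         END { exit !found }' "$auth_file"; then
        return 0
    fi

    # Do not glue the new key onto an unterminated last line.
    if [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Demo in a throwaway directory with a constructed, non-functional key.
demo_dir=$(mktemp -d)
install_pubkey 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed user@client' "$demo_dir/.ssh"
ls -ld "$demo_dir/.ssh" "$demo_dir/.ssh/authorized_keys"
```

Run it as the account that will log in, not through sudo, so the files end up owned by that account.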
Step 4: Log in Remotely Using SSH
1. From the client system, open a terminal window and enter the following:
ssh user@hostname
2. The system may display that the authenticity of the host can’t be established. Type yes and press Enter.
3. If you set a passphrase during Step 2, enter it when prompted.
You should now have an SSH connection to the remote server.
Step 5: Disable Password Authentication (Optional)
Disabling password authentication is a security precaution. It prevents brute-force attacks that attempt to log in to the server.
Before continuing, double-check to make sure:
- You can log into the server without a password (such as using an SSH connection with a key pair, detailed in this article).
- You are logging into the server with a sudo user account.
1. Start by logging into the remote server:
ssh user@hostname
This username should have sudo privileges.
2. Next, edit the sshd_config file in a text editor of your choice (we are using nano):
sudo nano /etc/ssh/sshd_config
3. Find and modify the following lines to look as follows:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
4. Write the changes, then exit the editor. Restart the SSH service by entering the following:
sudo systemctl restart ssh
The system now no longer allows password authentication for logins.
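An added example, not part of the original guide: a check that the three settings from step 3 are really in effect in a given sshd_config. sshd uses the first value it reads for each keyword, so a line left commented out, or an earlier line with a different value, silently defeats the edit. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide).
# effective_sshd_option FILE KEYWORD
# Print the global value sshd would use for KEYWORD: the first uncommented
# occurrence before any Match block (keywords are case-insensitive),
# or "unset" if there is none.
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }             # strip leading whitespace
        /^#/ || /^$/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }    # lines below apply conditionally
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_password_login_disabled FILE
# Succeeds only if all three Step 5 settings are explicitly "no",
# rather than relying on compiled-in defaults.
check_password_login_disabled() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        val=$(effective_sshd_option "$1" "$kw")
        if [ "$val" != "no" ]; then
            echo "$kw is '$val', expected 'no'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the edit was appended, but an earlier line still wins,
# one setting is still commented out, and one sits only inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
# ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
Match User backup
    ChallengeResponseAuthentication no
EOF
check_password_login_disabled "$sample" || echo "password logins are still possible"
```

On the server, point the check at /etc/ssh/sshd_config and run sudo sshd -t to catch syntax errors before restarting the service. Keep the current SSH session open until a new key-based login succeeds.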
Conclusion
Now you can configure and connect to a remote system using SSH key pairs. Learn more SSH commands in this tutorial.