Introduction
SSH, or Secure Shell, is an encrypted protocol used to manage and communicate with servers. When working with Debian servers, you will most likely spend most of your time in terminal sessions connected to the server via SSH.
In this guide, I will focus on setting up SSH keys for a standard Debian 11 installation. SSH keys provide an easy and secure way to log into a server and are recommended for all users.
Step 1 - Create the RSA Key Pair
An RSA key pair consists of a private key, which stays on the client and must never be shared, and a public key, which you place on every server you want to log into. The first step is to create the pair on the client (your computer):
ssh-keygen
By default ssh-keygen creates a 3072-bit RSA key pair, which is secure enough for most use cases (you can optionally pass -b 4096 to create a 4096-bit key). OpenSSH on Debian 11 also supports ssh-keygen -t ed25519, which gives a smaller, faster key with no key size to choose; the remaining steps are the same except that the file names become id_ed25519 and id_ed25519.pub.
After running the command, you will see the following output:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fahmi/.ssh/id_rsa):
Press ENTER to save the key pair to the .ssh directory in your home directory, or specify an alternative path yourself.
If you have previously created an SSH key pair, you may see the following message:
Output
/home/fahmi/.ssh/id_rsa already exists.
Overwrite (y/n)?
If you choose to overwrite the key, you will no longer be able to authenticate to any server that trusts the previous key. Be careful with this option: it is destructive and cannot be undone, so if in doubt answer n and rerun ssh-keygen with -f to choose a different file name.
Then you will see the following prompt:
Output
Enter passphrase (empty for no passphrase):
Here you can enter a strong passphrase, which is highly recommended. The passphrase encrypts the private key on disk, so anyone who copies the file (from a stolen laptop or an old backup, for example) still cannot use it to log into your servers without it. The passphrase is never sent to the server and is unrelated to your account password there.
You will then see the following output:
Output
Your identification has been saved in /home/fahmi/.ssh/id_rsa.
Your public key has been saved in /home/fahmi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:5E2BtTN9FHPBNoRXAB/EdjtHNYOHzTBzG5qUv7S3hyM fahmi@fabrikam
The key's randomart image is:
+---[RSA 3072]----+
| oo .O^XB|
| . +.BO%B|
| . = .+B+o|
| o o o . =.|
| S . . =|
| o.|
| .o|
| E o..|
| . ..|
+----[SHA256]-----+
Now that you have a public and private key that you can use to authenticate, the next step is to place the public key on your server so that you can use SSH key-based authentication to log in.
Step 2 - Copy the Public Key to Debian Server
The quickest way to copy your public key to the server is to use a utility called ssh-copy-id. Due to its simplicity, this method is highly recommended. If you don’t have ssh-copy-id on your client computer, you can use one of the two alternative methods included in this section (the password-based SSH copy method or manual copying).
Copying Public Key Using ssh-copy-id
ssh-copy-id is included by default on many operating systems. For this method to work, you must already have password-based access to your server.
To use this utility, you need to specify the remote host (in this case, the server) you want to connect to and a user account that has SSH access with a password. The syntax is:
ssh-copy-id username@remote_host
You may see the following message:
Output
The authenticity of host 'XXX.X.XXX.X (XXX.X.XXX.X)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This message means your computer does not yet know the remote host's key; it appears the first time you connect to a new host. Before typing yes, compare the fingerprint shown with one obtained through a channel you trust, such as your provider's console or the output of ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub run on the server itself. Accepting an unverified fingerprint lets anyone who can intercept the connection impersonate the server and capture the password you are about to type. (The colon-separated hex form shown here is the older MD5 style; current OpenSSH clients print SHA256: fingerprints, and ssh-keygen -E md5 -lf prints the hex style if you need to compare against it.) Once you type yes and press ENTER, the host key is saved in ~/.ssh/known_hosts and you will not be asked again unless it changes.
Next, the utility will scan your local id_rsa.pub for the key we created earlier. When it finds the key, it will prompt you for the remote host user’s password:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s),
to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed
-- if you are prompted now it is to install the new keys
username@XXX.X.XXX.X's password:
Enter the password (your typing will not be displayed for security reasons) and press ENTER. The utility will connect to the account on the remote host using the password you provided and append the contents of your local ~/.ssh/id_rsa.pub to a file called authorized_keys in that account's ~/.ssh directory, creating the directory and file with the right permissions if they do not exist.
You will see the following output message:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@XXX.X.XXX.X'"
and check to make sure that only the key(s) you wanted were added.
At this point, your id_rsa.pub key has been copied to the remote host user account. You can proceed to Step 3.
Copying Public Key Using SSH
If you don’t have ssh-copy-id, but you still have password-based SSH access to the account on your server, you can copy the key using conventional SSH tooling.
We can do this by using the cat command to read the public key on our local computer and piping it over an SSH connection to the server.
First, we need to make sure that the ~/.ssh directory exists on the server and has the correct permissions for the account we are using. The command below does all of this in one step.
Run this command to copy the id_rsa.pub key on your local computer to the remote host (replace username and remote_host with your username and server address):
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
Unlike ssh-copy-id, this appends unconditionally, so running it twice leaves a duplicate line in authorized_keys (harmless, but untidy).
You will see the output of the command:
Output
The authenticity of host 'XXX.X.XXX.X (XXX.X.XXX.X)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This message indicates that your computer does not yet recognize the remote host, as described for ssh-copy-id above; verify the fingerprint the same way, then type “yes” and press ENTER to continue.
You will be prompted to enter the password for the remote host or server user account:
Output
username@XXX.0.XXX.X's password:
After entering the password, the contents of your id_rsa.pub key will be appended to the authorized_keys file of the user account on the server. You can proceed to Step 3 if successful.
Copying Public Key Manually
If you don’t have password-based SSH access to your server, you’ll need to perform the above process manually.
We will manually add the contents of your id_rsa.pub key to the ~/.ssh/authorized_keys file on the server.
To display the contents of the id_rsa.pub key, type this on your local computer:
cat ~/.ssh/id_rsa.pub
You will see the key content, which should look something like this:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgkLJ8d2gG ... A5GyNM= demo@local
Access your server using any method available (a provider console, for example). Once you have access to your account on the server, make sure the ~/.ssh directory exists:
mkdir -p ~/.ssh
Now you can create or modify the authorized_keys file in the server’s ~/.ssh directory by appending the contents of id_rsa.pub to it:
echo public_key_string >> ~/.ssh/authorized_keys
Replace public_key_string with the output of cat ~/.ssh/id_rsa.pub. The output should start with ssh-rsa AAAA... and must stay on a single line, so paste it inside double quotes. Check the file afterwards with cat ~/.ssh/authorized_keys: each key occupies exactly one line, and a key broken across lines by a wrapped paste is silently ignored by the server.
Finally, make sure the ~/.ssh directory and the authorized_keys file have their permissions set:
chmod -R go= ~/.ssh
This recursively removes all group and other permissions from the ~/.ssh directory and everything in it. The server also requires that ~/.ssh and authorized_keys are owned by the user logging in (sshd refuses keys from files that another user could write to), so if you created them while logged in as a different user, fix the ownership, replacing fahmi with the account name:
chown -R fahmi:fahmi ~/.ssh
Now you can try passwordless authentication with your Debian 11 server.
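All three copying methods above end in the same state on the server: one public-key line appended to ~/.ssh/authorized_keys, with the directory and file readable only by their owner. The following shell function, added here as a worked example (it is not part of the original guide or of OpenSSH), performs that server-side step the way ssh-copy-id does but idempotently: it checks that the input looks like an OpenSSH public key, skips keys that are already installed, and sets the permissions sshd requires. The function names, the optional home-directory parameter, and the key strings used in the usage section are this example's own; the key material is constructed and is not a real key.

```bash
#!/bin/sh
# install_authorized_key: append an OpenSSH public key to <home>/.ssh/authorized_keys
# idempotently and with the permissions sshd requires. Added example; not part
# of the original guide. Plain POSIX sh, no bash extensions.
#
# Usage: install_authorized_key "<public key line>" [home_dir]
#   home_dir defaults to $HOME (so a test can point it at a temporary directory).
#   Returns 0 on success, 1 if the input is not a public key line.

install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only "<type> <base64> [comment]". sshd silently ignores malformed
    # lines, so it is better to fail loudly here than to wonder later why a
    # login is refused.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) ;;
        *) echo "install_authorized_key: not an OpenSSH public key: $key" >&2; return 1 ;;
    esac
    ktype=$(printf '%s\n' "$key" | awk '{print $1}')
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    case "$blob" in
        ""|*[!A-Za-z0-9+/=]*) echo "install_authorized_key: key material is not base64" >&2; return 1 ;;
    esac

    # Create the directory and file if missing.
    mkdir -p "$sshdir"
    [ -e "$authfile" ] || : > "$authfile"

    # Compare type and key material only: the trailing comment often differs
    # between machines and must not cause duplicates.
    if awk -v t="$ktype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$authfile"; then
        echo "install_authorized_key: key already present, not adding again"
    else
        printf '%s\n' "$key" >> "$authfile"
        echo "install_authorized_key: key added"
    fi

    # Owner-only permissions: 700 on ~/.ssh, 600 on authorized_keys. With the
    # default StrictModes yes, sshd refuses keys from anything group/world-writable.
    chmod 700 "$sshdir"
    chmod 600 "$authfile"
}

# count_authorized_keys [home_dir]: number of active key lines, for verification.
count_authorized_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "${1:-$HOME}/.ssh/authorized_keys"
}

# Typical use on the server, as the account that will log in:
#   install_authorized_key "$(cat /path/to/id_rsa.pub)"
```

Running the function twice with the same key, or with the same key carrying a different comment, leaves a single line in authorized_keys, which is the property the plain cat | ssh method above lacks.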
Step 3 - Authenticate Using SSH Keys
If you successfully completed one of the methods above, you should now be able to log into the server without typing your account password:
ssh fahmi@remote_host
If this is the first time you have connected to this host using an SSH key, you may see a message like this:
Output
The authenticity of host 'XXX.X.XXX.X (XXX.X.XXX.X)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
If your private key has no passphrase, you will be logged in immediately. If you protected it with a passphrase when creating the key, you will be prompted for it (again, nothing is echoed to the terminal). The passphrase unlocks the key locally and is never sent to the server; if you want to type it only once per session, load the key into ssh-agent with ssh-add. After authenticating, a new shell session will be opened with the account configured on the Debian server.
If SSH key-based authentication is successful, continue on to learn how to further secure your system by disabling password authentication.
Step 4 - Disable Password Authentication
If you can now log into your account using SSH keys without a password, then you have successfully configured SSH key-based authentication to your server account. However, password-based authentication is still enabled, which means the server is still exposed to online password-guessing (brute-force) attacks.
Before completing the steps in this section, make sure you have working key-based login for a non-root account that has sudo privileges, not only for root. This step denies password-based logins, so double-check that you can still gain administrative privileges over SSH; a mistake here can lock you out of the server.
Once you have confirmed this, log in to the server with your SSH key, either as the root user or with an account that has sudo privileges, and open the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
In this file, find the line containing the PasswordAuthentication setting. It may be commented out with a leading #. Uncomment it and set its value to no; this disables SSH logins with a password:
/etc/ssh/sshd_config
...
PasswordAuthentication no
...
Two things to check before going on. First, sshd uses the first value it finds for a setting, so if the file begins with an Include /etc/ssh/sshd_config.d/*.conf line, a PasswordAuthentication yes in one of those drop-in files would override your edit; search them too. Second, with UsePAM yes, keyboard-interactive authentication can still ask for a password through PAM; Debian's default configuration ships with ChallengeResponseAuthentication no, so confirm that line is present and not set to yes.
Save and close the file when finished by pressing CTRL + X, then Y to confirm the save, and ENTER to accept the file name. Before restarting, have sshd check the file for errors; restarting with a broken configuration stops the service and cuts off new logins:
sudo sshd -t
No output means the configuration is valid. Then restart the SSH service to apply the change:
sudo systemctl restart ssh
As a precaution, keep your current session open and, in a new terminal, confirm that key-based login still works:
ssh username@remote_host
Also confirm that a password is now refused. Forcing the client to offer only password authentication should fail with Permission denied (publickey):
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password username@remote_host
On the server, sudo sshd -T | grep -i passwordauthentication prints the value sshd is actually using, which also catches an override from an included file. Once both checks pass, you can safely close all current server sessions.
SSH on your Debian server now only responds to SSH keys. Password-based authentication has been successfully disabled.
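The edit in this step is easy to get subtly wrong by hand: leaving the # in place keeps the compiled-in default (password logins allowed), a second active line further down or in a drop-in file wins under sshd's first-value rule, and a typo makes the restart fail. The script below is an added example for this guide (not part of the original page or of OpenSSH) that makes the edit idempotently and pairs it with the verification commands used above. The function names set_sshd_option, get_sshd_option, disable_password_auth and check_password_login_refused are this example's own; the sample configuration in the usage comment is constructed.

```bash
#!/bin/sh
# Idempotent sshd_config editing plus the checks that belong with it.
# Added example for this guide; not part of the original page or of OpenSSH.

# set_sshd_option <file> <Directive> <value>
# Rewrites the first matching line (commented-out or active), drops any later
# duplicates so sshd's first-value-wins rule cannot keep the old value alive,
# and appends the directive if the file never mentioned it. Names are matched
# case-insensitively, as sshd does. Writes through a temp file and mv so an
# interrupted run cannot leave a truncated sshd_config behind.
set_sshd_option() {
    file="$1"; name="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v name="$name" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indentation and a leading #
            n = split(line, f, /[ \t]+/)
            if (n > 0 && tolower(f[1]) == tolower(name)) {
                if (!done) { print name " " value; done = 1 }
                next                            # later duplicates are dropped
            }
            print
        }
        END { if (!done) print name " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option <file> <Directive>
# Prints the value sshd would take from this one file: the first active
# (non-comment) occurrence wins and later ones are ignored.
get_sshd_option() {
    awk -v name="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(name) { print $2; exit }
    ' "$1"
}

# disable_password_auth
# Server side, run as root. Edits the main file, rewrites an active setting in
# any drop-in file that an Include line would pull in (those are read first and
# would win), validates with sshd -t, and only then restarts. Not exercised by
# the offline test because it touches the real daemon.
disable_password_auth() {
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
    # Debian's default already has this; keep it so PAM cannot ask for a password.
    set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication no
    for f in /etc/ssh/sshd_config.d/*.conf; do
        [ -f "$f" ] && [ -n "$(get_sshd_option "$f" PasswordAuthentication)" ] \
            && set_sshd_option "$f" PasswordAuthentication no
    done
    sshd -t || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    systemctl restart ssh
    sshd -T | grep -i '^passwordauthentication'   # expect: passwordauthentication no
}

# check_password_login_refused <user@host>
# Client side: offer password authentication only, never a key. Exit 0 when the
# server answers "Permission denied (publickey)", i.e. it no longer accepts
# passwords; a server that still does answers "(publickey,password)" instead.
check_password_login_refused() {
    ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password \
        -o BatchMode=yes "$1" true 2>&1 | grep -q 'Permission denied (publickey)'
}

# Usage, server side as root:   disable_password_auth
# Usage, from the client:       check_password_login_refused fahmi@remote_host && echo OK
```

The awk rewrite is deliberately strict about duplicates: after it runs, the file contains exactly one line for the directive, so what get_sshd_option reports for the file is also what sudo sshd -T will report, unless a drop-in file overrides it, which disable_password_auth handles by rewriting drop-ins that mention the directive.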
Conclusion
You have now configured SSH key-based authentication on your server, which allows you to log in without providing your account password.