How to install and configure SSH with public and private keys

May 30, 2021 MrAnyx 3 min read

Prerequisites

In this article, we will assume that you already have a Debian-based machine running Debian or Ubuntu.

Installation

First, let's start by updating the current packages.

sudo apt-get update

Then, we will be able to download the necessary package.

Installing the SSH service is extremely simple on Linux. Only one command is required: install the openssh-server package.

sudo apt-get install openssh-server

That's it. In order to check that the service is installed and working, let's have a look at the service status.

sudo systemctl status ssh

Alternatively, if the systemctl command is not available, you can always use the service ssh status command.

You should get something like this.

If the service is not started, you can start it with sudo systemctl start ssh or sudo service ssh start. If you want the service to start automatically when the machine boots, run sudo systemctl enable ssh.

Usage

Now that the SSH service is installed, you will be able to access this machine using the following command:

ssh username@ip_address

username is the name of the user you wish to log in as, and ip_address is the IP address of the machine on which you installed the SSH service. To retrieve this IP address, you can run the command:

ip addr

It should appear after the keyword inet.

Now that the ssh service is working, let's configure the ssh keys.

SSH key configuration

Now that we have installed the SSH service, all that remains is to configure and secure it. One method is to use a key set (public/private) so that only the holder of the private key can connect.

Key set generation

Let's start by generating the RSA key set on your local machine with the following command:

ssh-keygen -t rsa -b 4096 -C "key_comment"

Here, we will generate 4096-bit RSA keys. The -C option attaches a comment to the key so that it can be identified later.

The previous command will ask you where to save the key. Keep the default path.

Enter file in which to save the key (/home/user/.ssh/id_rsa) :

Next, you will need to specify a passphrase. For development purposes, you can leave this field empty, but in production or on a remote server, I highly recommend choosing a strong and secure passphrase.

Sending the public key to the server

Now we need to send the public key to the server (or virtual machine) from our local machine. The private key stays on the local machine.

ssh-copy-id username@ip_address

You will then be asked to enter the password of the desired user.

You should see the following text appear:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@server_ip_address'"
and check to make sure that only the key(s) you wanted were added.

In case the ssh-copy-id command does not work, use the following command:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Editing the configuration file

All that remains is to finalise the configuration of the SSH service. To do this, you will need to modify the /etc/ssh/sshd_config file. You will need to apply the following changes:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

In this way, connections using a password will be disabled. Thus you will only be able to access the remote server using the set of keys that was created earlier.
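A pitfall when applying these changes: sshd keeps the first value it reads for each keyword, so a line appended below an existing active line has no effect. The script below is an added example, not part of the original article; the function names and both sample files are constructed for illustration.

```shell
# Added example (not from the original article). sshd keeps the FIRST value
# it reads for each keyword, and keyword names are case-insensitive, so a
# "PasswordAuthentication no" appended below an active "yes" changes nothing.

# effective_value FILE KEYWORD: print the first global value, or "(unset)".
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }          # Match blocks are conditional: stop at global scope
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "(unset)" }
    ' "$1"
}

# audit_sshd_config FILE: return 0 only if the three settings are effectively "no".
audit_sshd_config() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        val=$(effective_value "$1" "$kw")
        [ "$val" = "no" ] && mark="ok   " || { mark="CHECK"; rc=1; }
        echo "$mark $kw $val"
    done
    return "$rc"
}

# Constructed sample 1: the new lines were appended below older active lines.
shadowed=$(mktemp)
cat > "$shadowed" <<'EOF'
#PasswordAuthentication yes
passwordauthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
UsePAM no
EOF

# Constructed sample 2: the existing lines were edited in place.
fixed=$(mktemp)
cat > "$fixed" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF

audit_sshd_config "$shadowed" || echo "=> shadowed sample: password logins still possible"
audit_sshd_config "$fixed" && echo "=> fixed sample: key-only login is effective"
```

On a real server, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective configuration, including files pulled in by Include, which this example does not follow. The new settings apply once the service is restarted (sudo systemctl restart ssh); keep your current session open until a key-based login from a second terminal succeeds.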

From this point on, you will need to enter the passphrase you specified at the beginning of the operation. This way, only users who have the ssh keys and the passphrase will be able to connect.

Unfortunately, if you are using several computers to access the remote server, this can quickly become tedious.



This work is made available under the terms of the Creative Commons license.