Secure remote access using SSH keys
Create cryptographic keys and disable password logins to make remote machines more secure.
Let's go!
The server runs Debian and is set up for SSH logins from a Linux client.
1. Install on the server
Install openssh-server
and create the SSH directory in the home directory of each user who needs access. ssh-copy-id in step 3 creates these files itself with the right permissions, so this is only required if you intend to add keys by hand ...
$ sudo apt install openssh-server
$ mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
2. Install on the client
Install openssh-client
and create the SSH folder in $HOME
...
$ sudo apt install openssh-client
$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
Create ~/.ssh/config
to hold aliases with the login options for a server. Example ...
Host laptop-server.lan
HostName 192.168.1.88
Port 22
User foo
Test the SSH password login to the server ...
$ ssh laptop-server.lan
foo@192.168.1.88's password:
3. Generate SSH keys on the client
Choose a passphrase when prompted: it encrypts the private key on disk, and the agent (ssh-add below, keychain in step 5) caches the decrypted key so the passphrase is typed once per login rather than once per connection ...
$ ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)"
Copy the public key to the server with ssh-copy-id, which logs in with the password and appends it to the remote ~/.ssh/authorized_keys (creating the directory and file if they do not exist). Only the .pub file leaves the client; the private key stays in ~/.ssh/id_ed25519
...
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub laptop-server.lan
Load the private key into ssh-agent with ssh-add. It asks for the passphrase once; if no agent is running, the command fails with "Could not open a connection to your authentication agent" (step 5 covers starting one automatically)
...
$ ssh-add
Enter passphrase for /home/foo/.ssh/id_ed25519:
Identity added: /home/foo/.ssh/id_ed25519 (/home/foo/.ssh/id_ed25519)
Every ssh process that inherits this shell's SSH_AUTH_SOCK variable uses the key held in the agent's memory; the private key file itself is never sent to the server. Make sure to test the connection before disabling password logins ...
$ ssh laptop-server.lan
If you are logged in without being asked for foo's password (the key's passphrase was already given to ssh-add), public-key authentication is working. To be certain the login used the key rather than silently falling back to a password, repeat the command with the -v flag and look for "Authentication succeeded (publickey)" in the debug output.
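Once the key exists, it is worth pinning it in the client alias from step 2. The following is an added example extending that ~/.ssh/config entry; it is not from the original post, and the alias, address, user and key path are the ones used above.

```sshconfig
Host laptop-server.lan
    HostName 192.168.1.88
    Port 22
    User foo
    # Offer only this key. Without IdentitiesOnly, ssh also tries every key
    # the agent holds, and the server counts each rejected key against
    # MaxAuthTries (default 6), so a client with many loaded keys can be
    # cut off with "Too many authentication failures" before the right
    # key is ever offered.
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
```

With IdentitiesOnly set, ssh still takes the key from the agent when it is loaded there (so the passphrase is not asked again); it just stops offering unrelated agent keys to this host.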
4. Disable password logins on the server
Make the following modifications in /etc/ssh/sshd_config. sshd uses the first occurrence of each keyword and ignores later duplicates, so edit the existing (often commented-out) lines rather than appending new ones at the end, and on Debian 11 and later check /etc/ssh/sshd_config.d/ first: that directory is included at the top of the file, so a drop-in there overrides anything below it
...
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication switches off PAM's keyboard-interactive password prompt; on OpenSSH 8.7 and later it is a deprecated alias of KbdInteractiveAuthentication, and both spellings are accepted, so set whichever your sshd version documents (or both). UsePAM no goes further than needed: it also disables PAM account and session processing (account expiry, login.access, limits.conf). Debian's default of UsePAM yes is safe to keep once PasswordAuthentication and ChallengeResponseAuthentication are both no, because PAM is then never asked for a password.
Validate the file with sshd's test mode (sshd -t, as root) and keep your current session open while restarting: an established connection survives the restart, so you can test the new configuration from a second terminal without locking yourself out ...
$ sudo systemctl restart ssh
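Because of the first-match rule, it pays to check what sshd will actually use before restarting it. The POSIX shell script below is an added example written for this page, not part of the original post or of OpenSSH. It resolves the effective global value of a keyword the way sshd resolves duplicates (first occurrence wins, case-insensitive keyword, comments skipped, stop at the first Match) and audits the four authentication directives from step 4, accepting either spelling of the keyboard-interactive keyword. It runs against two constructed sample files so it works offline; point sshd_audit at /etc/ssh/sshd_config to check a real server. Assumed limitations: it does not expand Include and does not look inside Match blocks, so `sudo sshd -T` remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example for this page (not from the original post or OpenSSH):
# audit an sshd_config for the step-4 directives using sshd's first-match rule.

# sshd_effective FILE KEYWORD
# Prints the effective value (lower-cased) of KEYWORD in the global section
# of FILE, or "unset" if it never appears. Assumption: the "Keyword=value"
# spelling and Include directives are not handled.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                       # strip indent; re-splits fields
        /^#/ || /^$/ { next }                        # comments and blank lines
        tolower($1) == "match" { exit }              # global section ends at first Match
        tolower($1) == key { print tolower($2); found = 1; exit }   # first hit wins
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_audit FILE
# Prints ok/FAIL for each hardening directive; returns 1 if any directive fails.
sshd_audit() {
    _file=$1 _rc=0
    for _pair in PermitRootLogin=no PubkeyAuthentication=yes \
                 KbdInteractiveAuthentication=no PasswordAuthentication=no; do
        _key=${_pair%%=*} _want=${_pair#*=}
        _got=$(sshd_effective "$_file" "$_key")
        # sshd's compiled-in default for PubkeyAuthentication is yes, so unset
        # is acceptable there. The others default to values we do not want
        # (PasswordAuthentication yes, PermitRootLogin prohibit-password).
        if [ "$_key" = PubkeyAuthentication ] && [ "$_got" = unset ]; then
            _got=yes
        fi
        # Older configs use the pre-8.7 spelling of the same option.
        if [ "$_key" = KbdInteractiveAuthentication ] && [ "$_got" = unset ]; then
            _got=$(sshd_effective "$_file" ChallengeResponseAuthentication)
        fi
        if [ "$_got" = "$_want" ]; then
            printf 'ok   %-30s %s\n' "$_key" "$_got"
        else
            printf 'FAIL %-30s effective=%s wanted=%s\n' "$_key" "$_got" "$_want"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample configs for the demonstration (temporary files).
WEAK=$(mktemp) HARDENED=$(mktemp)
cat >"$WEAK" <<'EOF'
# Constructed: Debian-style defaults left in place ...
PermitRootLogin prohibit-password
PasswordAuthentication yes
# ... with the step-4 lines appended underneath; they lose to the lines above.
PermitRootLogin no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no
EOF
cat >"$HARDENED" <<'EOF'
# Constructed: the same directives edited in place, older keyword spelling.
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

echo "== weak: hardening lines appended below the defaults"
sshd_audit "$WEAK" || echo "-> FAIL: fix the earlier occurrences, not just the end of the file"
echo "== hardened"
sshd_audit "$HARDENED" && echo "-> ok"
rm -f "$WEAK" "$HARDENED"
```

Run it as `sh audit.sh`, or source it and call `sshd_audit /etc/ssh/sshd_config` (root is needed to read the file on most systems). The weak sample reports FAIL for PermitRootLogin and PasswordAuthentication even though the "right" lines are present, which is exactly the mistake a quick grep for the appended lines would miss.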
5. Key management on the client
Keychain is an OpenSSH key manager. From the package description ...
When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/$HOSTNAME-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.
Install ...
$ sudo apt install keychain
Configure ~/.bashrc
...
# Use `keychain` for ssh-agent management
if [[ -x /usr/bin/keychain ]]; then
keychain ~/.ssh/id_ed25519
. "${HOME}/.keychain/${HOSTNAME}-sh"
fi
Flush all cached keys from memory ...
$ keychain --clear
If using tmux, enable persistent SSH key management across sessions by editing ~/.tmux.conf. This makes tmux refresh SSH_AUTH_SOCK and the other listed variables in the session environment whenever a new client attaches, so new windows pick up the current agent; panes that are already open keep their old values, which is why sourcing the keychain file from ~/.bashrc above still matters
...
set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY"