Secure remote access using SSH keys
Create cryptographic keys and disable password logins to make remote machines more secure.
Let’s go!
Server is a netbook running Debian configured for SSH logins from a Linux client.
0. Install
On the server
Install openssh-server and create an SSH configuration in the home directory of users who requires access to the system …
$ sudo apt install openssh-server
$ mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keysCollect key fingerprints …
$ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub >> ~/.ssh/keys.txt
$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub >> ~/.ssh/keys.txt
$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub >> ~/.ssh/keys.txt … and give keys.txt to users to compare signature when connecting for the first time.
On the client
Install openssh-client and create the SSH folder in $HOME …
$ sudo apt install openssh-client
$ mkdir ~/.ssh && chmod 700 ~/.ssh Create ~/.ssh/config to hold aliases with the login options for a server. Example …
Host netbook.lan
HostName 192.168.1.88
Port 22
User fooTest SSH password login to the server …
$ ssh netbook.lan
foo@192.168.1.88's password:
Last login: Thu Feb 19 18:07:48 2015 from chromebook.lanOptional: Use Dynamic DNS (DDNS) to configure access to a home server from outside the local area network (LAN).
1. Keys
On the client
Generate SSH keys …
$ ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date -I)" Upload the public key to the server and append to ~/.ssh/authorized_keys …
$ cat ~/.ssh/id_ed25519.pub | ssh netbook.lan "cat >> ~/.ssh/authorized_keys" Graphical display managers like gdm will automatically check a user account for SSH keys upon login. A pop-up box will prompt for the passphrase and the key will be added to the desktop session.
If logging into a console, tell SSH that you have keys by running ssh-add …
$ ssh-add
Enter passphrase for /home/foo/.ssh/id_ed25519:
Identity added: /home/foo/.ssh/id_ed25519 (/home/foo/.ssh/id_ed25519)All SSH sessions launched from this console will access this user key stored in memory. Make sure to test the connection before disabling password logins …
$ ssh netbook.lan
Last login: Thu Feb 19 18:22:42 2015 from chromebook.lanNo request for passphrase indicates SSH key authentication is properly configured.
2. Disable password logins
On the server
Make the following modifications in /etc/ssh/sshd_config …
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no Restart SSH …
$ sudo systemctl restart ssh3. Key management
Keychain is an OpenSSH key manager. From the package description …
When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to
~/.keychain/$HOSTNAME-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.
On the client
Install …
$ sudo apt install keychain Configure ~/.bashrc …
# setup keychain - ssh-agent management
keychain ~/.ssh/id_ed25519
. ~/.keychain/$HOSTNAME-sh Flush all cached keys from memory …
$ keychain --clear Optional: If using tmux enable persistent SSH key management across sessions by editing ~/.tmux.conf …
set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY"🐧 Part of the Linux Home Server project.
Happy hacking!