How to Set Up SSH Keys on Debian 10
4 min read
Secure Shell (SSH) is a cryptographic network protocol used for a secure connection between a client and a server and supports various authentication mechanisms. The encrypted connection can be used to execute commands on the server, X11 tunneling, port forwarding, and more.
Password and public-key based are the two most common mechanisms for authentications.
Authentication using a public key is based on the use of digital signatures, and it is more secure and convenient than traditional password authentication.
This article describes how to generate SSH keys on Debian 10 systems. We will also show you how to set up an SSH key-based authentication and connect to remote Linux servers without entering a password.
Creating SSH keys on Debian
The chances are that you already have an SSH key pair on your Debian client machine. If you are generating a new key pair, the old one will be overwritten.
Run the following
command to check whether the key files exist:
ls -l ~/.ssh/id_*.pub
If the output of the command above contains something like
No such file or directory or
no matches found, it means that you don’t have SSH keys, and you can continue with the next step and generate a new SSH key pair.
Otherwise, if you have an SSH key pair, you can either use those or backup up the old keys and generate new ones.
Generate a new 4096 bits SSH key pair with your email address as a comment by entering the following command:
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
The output will look something like this:
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):
Enter to accept the default file location and file name.
Next, you’ll be prompted to type a secure passphrase. Whether you want to use a passphrase, it’s up to you. The passphrase adds an extra layer of security.
Enter passphrase (empty for no passphrase):
If you don’t want to use a passphrase, just press
The whole interaction looks like this:
To confirm the SSH key pair was generated, run the following command:
The command will list the key files:
Copy the Public Key to the Server
Now that you have your SSH key pair, the next step is to copy the public key to the server you want to manage.
The easiest and the recommended way to copy the public key to the remote server is to use the
Run the following command on your local machine:
You will be prompted to enter the
Once the user is authenticated, the content of the public key file (
~/.ssh/id_rsa.pub) will be appended to the remote user
~/.ssh/authorized_keys file, and connection will be closed.
Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'username@server_ip_address'" and check to make sure that only the key(s) you wanted were added.
ssh-copy-id utility is not available on your local machine, use the following command to copy the public key:
cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Login to the Server using SSH Keys
At this point, you should be able to log in to the remote server without being prompted for a password.
To test it, try to connect to the server via SSH:
If you haven’t set a passphrase, you will be logged in immediately. Otherwise, you will be prompted to enter the passphrase.
Disabling SSH Password Authentication
To add an extra layer of security to your server, you can disable the SSH password authentication.
Before disabling the password authentication, make sure you can log in to your server without a password, and the user you are logging in with has sudo privileges .
Log into your remote server:
Open the SSH server configuration file
sudo nano /etc/ssh/sshd_config
Search for the following directives and modify as it follows:
PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no
Once done, save the file and restart the SSH service:
sudo systemctl restart ssh
At this point, the password-based authentication is disabled.
We’ve shown you how to generate a new SSH key pair and set up an SSH key-based authentication. You can use the same key to manage multiple remote servers. You have also learned how to disable SSH password authentication and add an extra layer of security to your server.
By default, SSH listens on port 22. Changing the default SSH port reduces the risk of automated attacks. To simplify your workflow, use the SSH config file to define all your SSH connections.
If you have any questions or feedback, feel free to leave a comment.