How to Configure Advanced SSH Settings for Automation in Debian 12 Bookworm System

Secure Shell (SSH) is a cornerstone of Linux administration, enabling secure remote login, file transfers, and automated system management. When it comes to automation on Debian 12 (Bookworm), configuring advanced SSH settings correctly is critical for performance, security, and reliability. Whether you’re running scripts across multiple servers, using Ansible or Jenkins for deployment, or setting up unattended backups, SSH configuration plays a central role.

In this guide, we’ll walk you through how to configure advanced SSH settings specifically for automation on a Debian 12 system.


Why Configure SSH for Automation?

Before diving into configurations, let’s understand why SSH settings matter in automation:

  • Passwordless Authentication: To avoid human interaction during script execution.
  • Connection Multiplexing: Speeds up repeated SSH connections.
  • Timeout and KeepAlive Settings: Prevents scripts from failing due to dropped connections.
  • Security Hardening: Ensures automated systems are not exposed to unnecessary risks.
  • Logging and Debugging: Helps identify issues during automated tasks.

Prerequisites

Ensure the following before proceeding:

  • You are running Debian 12 (Bookworm).

  • You have sudo privileges on the system.

  • OpenSSH Server is installed and running:

    sudo apt update
    sudo apt install openssh-server
    

Step 1: Set Up SSH Key-Based Authentication

Passwordless login using SSH keys is the cornerstone of any automation setup.

1.1 Generate SSH Keys

On the client machine (from which automation is triggered), run:

ssh-keygen -t rsa -b 4096 -C "automation@yourdomain.com"

Choose a descriptive name for the key file (e.g., ~/.ssh/id_rsa_automation) and avoid a passphrase for fully automated workflows.

1.2 Copy Public Key to Debian 12 Host

Use ssh-copy-id or manually copy the key:

ssh-copy-id -i ~/.ssh/id_rsa_automation.pub user@debian12-server

Or manually:

cat ~/.ssh/id_rsa_automation.pub | ssh user@debian12-server 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

Step 2: Harden the SSH Server Configuration

Edit the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Recommended options for automation:

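# Allow only key-based login
PasswordAuthentication no
# KbdInteractiveAuthentication is the current keyword;
# ChallengeResponseAuthentication is its deprecated alias
KbdInteractiveAuthentication no

# SSH protocol 2 is the only protocol current OpenSSH supports; the Protocol
# keyword is deprecated, so no line is needed
# Protocol 2

# Keepalive probes: a client that misses ClientAliveCountMax probes sent
# every ClientAliveInterval seconds is disconnected (here after about 240 s)
ClientAliveInterval 120
ClientAliveCountMax 2

# Allow only specific users
AllowUsers automationuser

# MaxSessions: sessions per network connection (this caps the multiplexed
# sessions from Step 3)
MaxSessions 10
# MaxStartups: concurrent unauthenticated connections (start:rate:full)
MaxStartups 10:30:100

# Enable logging for debugging
LogLevel VERBOSE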

After editing:

sudo systemctl restart ssh

⚠️ Warning: Disabling password authentication means you’ll need a backup method (e.g., console access) if key-based login fails.


Step 3: Enable SSH Connection Multiplexing

Connection multiplexing speeds up repeated SSH connections by reusing a single TCP connection.

3.1 Configure ~/.ssh/config on the client

Create or edit the SSH configuration file:

nano ~/.ssh/config

Add:

Host debian-automation
  HostName your.debian12.ip.or.hostname
  User automationuser
  IdentityFile ~/.ssh/id_rsa_automation
  ControlMaster auto
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlPersist 10m
  ServerAliveInterval 60
  ServerAliveCountMax 2

Test the connection:

ssh debian-automation

The initial connection might be slightly slower, but subsequent SSH commands will be almost instant.


Step 4: Use SSH Agent for Key Management

If you’re not using a passphrase, you can skip this. But if your keys are passphrase-protected and you want to automate without retyping it:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa_automation

You can then use tools like keychain or gpg-agent to persist SSH keys across sessions.


Step 5: Configure SSH for Automation Tools (Optional)

5.1 Ansible

If using Ansible, create an inventory file:

[debian_hosts]
debian-automation ansible_host=your.debian12.ip ansible_user=automationuser ansible_ssh_private_key_file=~/.ssh/id_rsa_automation

In ansible.cfg:

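[defaults]
# False turns off SSH host key verification, so a spoofed or replaced host is
# accepted without warning; prefer True with known_hosts populated in advance
host_key_checking = False
timeout = 30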

Now you can run:

ansible -i inventory.ini debian_hosts -m ping

5.2 Rsync over SSH

Automated backups or deployments via rsync:

rsync -avz -e "ssh -i ~/.ssh/id_rsa_automation" ./source/ automationuser@debian12-server:/backup/

5.3 Cron Jobs Using SSH

To run scheduled tasks over SSH:

crontab -e

Add:

0 2 * * * /usr/bin/ssh -i ~/.ssh/id_rsa_automation automationuser@debian12-server '/usr/local/bin/backup.sh'

Make sure your script and permissions are correct on the remote server.
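
Because the key from Step 1 has no passphrase, anyone who copies the file can log in as automationuser unless the server limits what that key may do. This added example (not part of the original guide) rewrites authorized_keys so the key can only run the backup script from 5.3 from one source address; the function name, the placeholder key material and the address 192.0.2.10 are assumptions.

```shell
# install_restricted_key AUTH_FILE PUBKEY_FILE COMMAND FROM
# Rewrites AUTH_FILE so the key in PUBKEY_FILE appears exactly once, limited to
# running COMMAND from the source address pattern FROM. Runs in a subshell so
# the umask change does not leak into the caller.
install_restricted_key() (
    auth=$1 pub=$2 cmd=$3 from=$4
    # A public key line is "type base64-blob [comment]".
    read -r ktype blob comment < "$pub" || true
    case $ktype in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; exit 1 ;;
    esac
    [ -n "$blob" ] || { echo "key blob missing in $pub" >&2; exit 1; }
    # A double quote would terminate the quoted option value early.
    case $cmd$from in
        *\"*) echo "double quotes are not supported in COMMAND or FROM" >&2; exit 1 ;;
    esac
    umask 077
    touch "$auth"
    tmp=$(mktemp "$auth.XXXXXX") || exit 1
    # Drop every existing line for this key, including an unrestricted one
    # left behind by ssh-copy-id.
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$auth" > "$tmp"
    printf 'restrict,from="%s",command="%s" %s %s%s\n' \
        "$from" "$cmd" "$ktype" "$blob" "${comment:+ $comment}" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$auth"
)

# Constructed demo: a placeholder key (not a real key) already installed
# unrestricted, next to an unrelated admin key.
demo_dir=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED automation@yourdomain.com' \
    > "$demo_dir/id_rsa_automation.pub"
cat "$demo_dir/id_rsa_automation.pub" > "$demo_dir/authorized_keys"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED admin@example' \
    >> "$demo_dir/authorized_keys"
install_restricted_key "$demo_dir/authorized_keys" \
    "$demo_dir/id_rsa_automation.pub" /usr/local/bin/backup.sh 192.0.2.10
cat "$demo_dir/authorized_keys"
```

With a forced command the server runs backup.sh whatever command the client sends, so a key restricted this way cannot also serve the rsync job in 5.2; give that job its own key.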


Step 6: Advanced Logging and Debugging

For automation, knowing what went wrong is half the battle.

6.1 Enable Verbose Client Logs

You can add -vvv to your SSH command for detailed logs:

ssh -vvv debian-automation

6.2 View SSH Logs on Debian Server

Logs can be found at:

sudo journalctl -u ssh

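Or, if rsyslog is installed (a fresh Debian 12 install without rsyslog logs only to the systemd journal and has no /var/log/auth.log):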

sudo tail -f /var/log/auth.log
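
sshd records the source address and key fingerprint on every "Accepted publickey" line, which makes it possible to spot the automation key being used from somewhere other than the automation host. This added example (not part of the original guide) filters such lines for the automation account; the function name, the log lines, addresses and fingerprints are constructed.

```shell
# unexpected_automation_logins USER ALLOWED_IP EXPECTED_FP   (log on stdin)
# Prints "method source fingerprint" for every accepted login of USER that
# is not a public-key login from ALLOWED_IP with EXPECTED_FP.
unexpected_automation_logins() {
    awk -v user="$1" -v ip="$2" -v fp="$3" '
        {
            # Locate "Accepted" directly after the "sshd[pid]:" tag.
            for (i = 2; i <= NF; i++)
                if ($i == "Accepted" && $(i - 1) ~ /^sshd\[[0-9]+\]:$/) break
            if (i > NF || $(i + 3) != user) next
            # Accepted METHOD for USER from IP port N ssh2: KEYTYPE FINGERPRINT
            method = $(i + 1); src = $(i + 5)
            key = (method == "publickey") ? $(i + 10) : "-"
            if (method != "publickey" || src != ip || key != fp)
                print method, src, key
        }'
}

# Constructed log sample in the format printed by `journalctl -u ssh`.
SAMPLE_LOG='Mar 10 02:00:01 debian12-server sshd[2101]: Accepted publickey for automationuser from 192.0.2.10 port 51234 ssh2: RSA SHA256:CONSTRUCTED-FINGERPRINT-OF-AUTOMATION-KEY
Mar 10 02:00:01 debian12-server sshd[2101]: pam_unix(sshd:session): session opened for user automationuser(uid=1001) by (uid=0)
Mar 10 03:17:44 debian12-server sshd[2188]: Accepted publickey for automationuser from 198.51.100.7 port 40022 ssh2: RSA SHA256:CONSTRUCTED-FINGERPRINT-OF-AUTOMATION-KEY
Mar 10 04:02:09 debian12-server sshd[2240]: Accepted publickey for automationuser from 192.0.2.10 port 51301 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT-OF-OTHER-KEY
Mar 10 04:30:00 debian12-server sshd[2301]: Accepted publickey for admin from 203.0.113.5 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT-OF-ADMIN-KEY
Mar 10 05:00:00 debian12-server sshd[2350]: Failed password for invalid user test from 203.0.113.9 port 40100 ssh2'

# Flags the login from 198.51.100.7 and the login with the other key.
printf '%s\n' "$SAMPLE_LOG" | unexpected_automation_logins automationuser \
    192.0.2.10 SHA256:CONSTRUCTED-FINGERPRINT-OF-AUTOMATION-KEY
```

On a real server, feed it `sudo journalctl -u ssh` and take the expected fingerprint from the second field of `ssh-keygen -lf ~/.ssh/id_rsa_automation.pub`.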

Step 7: SSH Daemon Performance Tuning (Optional)

For environments with many automated connections:

7.1 Increase File Descriptors

Edit:

sudo nano /etc/security/limits.conf

Add:

* soft nofile 65535
* hard nofile 65535

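limits.conf is applied by PAM to login sessions and does not change the limits of the sshd service itself, so set the limit in the systemd unit as well: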

sudo systemctl edit ssh

Add:

[Service]
LimitNOFILE=65535

Reload and restart:

sudo systemctl daemon-reload
sudo systemctl restart ssh

Step 8: Secure Automation with Fail2Ban and Firewall

Even automated systems must be protected.

8.1 Install and Configure UFW

sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable

8.2 Install Fail2Ban

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure:

sudo nano /etc/fail2ban/jail.local

Example settings:

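[sshd]
enabled = true
port = ssh
filter = sshd
# Debian 12 sends sshd logs to the systemd journal; /var/log/auth.log
# exists only when rsyslog is installed, so read the journal instead
backend = systemd
maxretry = 3
bantime = 1h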

Conclusion

Automating tasks on Debian 12 using SSH can dramatically streamline system administration, but it requires a well-tuned SSH setup. By implementing secure, efficient, and reliable SSH configurations—including key-based authentication, multiplexing, timeout settings, and logging—you can ensure your automation workflows are resilient and secure.

Whether you’re managing backups, deployments, or configuration management with Ansible, a properly configured SSH environment is the backbone of success.