How to Set Up SSH Keys for User Authentication in Debian 12 Bookworm

Learn how to set up SSH keys for user authentication in Debian 12 Bookworm.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  4 minute read  

Introduction

Secure Shell (SSH) is a widely used protocol for securely connecting to remote systems. SSH key-based authentication offers a more secure alternative to password authentication, making it a preferred choice for system administrators. In this guide, we will walk you through the process of setting up SSH keys for user authentication on a Debian 12 Bookworm system.

By using SSH keys, you can enhance security by eliminating password-based logins, reducing the risk of brute-force attacks, and automating secure connections for administrative tasks.

Prerequisites

Before proceeding, ensure you have the following:

  • A Debian 12 (Bookworm) system with SSH installed.
  • A non-root user with sudo privileges.
  • Access to a remote or local Debian server where SSH is enabled.

Step 1: Check for Existing SSH Keys

First, check if you already have an SSH key pair on your client system. Open a terminal and run:

ls -l ~/.ssh/id_rsa*

If the command returns a file listing such as id_rsa and id_rsa.pub, you already have an SSH key pair. If not, you need to generate a new one.

Step 2: Generate a New SSH Key Pair

If no SSH keys exist or if you prefer to generate a new pair, use the following command:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
  • -t rsa: Specifies the RSA key type.
  • -b 4096: Generates a 4096-bit key for stronger security.
  • -C "your_email@example.com": Adds an optional comment for identification.

After running the command, you will be prompted to specify a location to save the key:

Enter file in which to save the key (/home/youruser/.ssh/id_rsa):

Press Enter to accept the default location or specify a custom path.

Next, you will be asked to create a passphrase:

Enter passphrase (empty for no passphrase):

Adding a passphrase enhances security but is optional. If you choose to use a passphrase, you will need to enter it each time you use the key.

Step 3: Copy the Public Key to the Remote Server

To enable key-based authentication, you need to copy the public key (id_rsa.pub) to the remote Debian 12 server. Use the following command:

ssh-copy-id username@remote_host

Replace username with your remote system’s username and remote_host with the IP address or hostname.

If ssh-copy-id is unavailable, manually append the key using:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

This command ensures the proper directory and file permissions are set.

Step 4: Verify SSH Key Authentication

Now, test the SSH login using key-based authentication:

ssh username@remote_host

If everything is set up correctly, you should be able to log in without entering a password (unless you set a passphrase for the key).

To enhance security, you can disable password authentication, forcing users to authenticate with SSH keys.

Edit the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Find and update the following lines:

PasswordAuthentication no
PubkeyAuthentication yes

Save the file and restart the SSH service:

sudo systemctl restart ssh

Step 6: Additional Security Enhancements

For extra security, consider these best practices:

  1. Use SSH Agent for Key Management: If you have a passphrase-protected key, you can use ssh-agent to manage your authentication session:

    eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa

  2. Change the Default SSH Port: Modify /etc/ssh/sshd_config to use a non-standard port:

    Port 2222

    Restart SSH:

    sudo systemctl restart ssh

  3. Limit SSH Access to Specific Users: Add allowed users in /etc/ssh/sshd_config:

    AllowUsers youruser

  4. Use Fail2Ban to Prevent Brute-Force Attacks: Install Fail2Ban:

    sudo apt install fail2ban

    Enable and start the service:

    sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Conclusion

Setting up SSH key-based authentication on Debian 12 Bookworm enhances security and convenience by eliminating password-based logins. By following the steps above, you can ensure a more secure remote access environment. Additionally, implementing extra security measures such as disabling password authentication and using Fail2Ban further protects your system from unauthorized access.

With SSH keys in place, you can now efficiently and securely manage your Debian servers without relying on passwords.


< How to Switch Users on the Debian 12 Bookworm SystemHow to Restrict Sudo Access to Specific Commands in Debian 12 Bookworm >