SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.
The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.
In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.
On the remote machine
Step 1
Install the secure shell server with the following command:
$ sudo apt install --yes openssh-server
Step 2
If you are using ufw as a host-based firewall
Configure ufw to allow connections to the secure shell server.
$ sudo ufw limit ssh
If you are using firewalld as a host-based firewall
Configure firewalld to allow connections to the secure shell server.
$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'
Step 3
Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.
$ sudo addgroup --system ssh-users
Add the user sid to the group ssh-users.
$ sudo adduser sid ssh-users
On the local machine
Step 4
Install the secure shell client with the following command.
$ sudo apt install openssh-client
Step 5
Generate a new key pair for the local user bookworm:
$ ssh-keygen -t ed25519 -o -a 100
Save the key pair to the directory /home/bookworm/.ssh/. Choose a name that facilitates easy identification.
Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): ~/.ssh/id_ed25519-debian-server
The use of an appropriate passphrase to secure the private key is mandatory.
Step 6
Create the file ~/.ssh/config to configure the secure shell client.
$ nano ~/.ssh/config
Add the follwing minimal entry for the host debian-server.
Host debian-server Hostname 192.168.1.10 IdentitiesOnly yes
Step 7
Deploy the public key with the following command.
$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server
Step 8
Log into the remote machine.
$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server
When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].
The authenticity of host 'debian-server (192.168.1.10)' can't be established. ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])?
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Step 9
On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.
$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'
Activate the modifications on the remote machine.
$ sudo systemctl restart ssh.service
Step 9
On the local machine, open a new terminal window and run the following command.
$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.
$ sudo sshd -T
All done!
For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.
The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.