SSH from Linux to Linux in 10 seconds

Adam Jurkiewicz Pythonista
Aug 6, 2023

This article explains how to manage ssh keys to connect from one Linux machine to another. My PC is Debian 12 and I use ssh for administration tasks on servers.

My PC has a Debian 12 operating system — I do not use Microsoft Windows.

I have a small bash script to automate my connection. The server's IP is stored in a shell variable, and the script runs two commands:

  • ping to test that the server is reachable
  • ssh to make the connection, with three options:
      • -C — compression of all data
      • -X — enables X11 forwarding (*for hackers — to run apps like Firefox or GParted remotely)
      • -Y — enables trusted X11 forwarding (*for hackers — to run apps like Firefox or GParted remotely)
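#!/bin/bash
# Server address used by both commands below
S="188.68.237.191"
# Check that the server answers before connecting (3 probes, 3 s deadline)
ping -c3 -w3 "${S}"
# Connect as root with compression (-C) and X11 forwarding (-X, -Y)
ssh "root@${S}" -C -X -Y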

adasiek @ devel in ~ |12:49:06 $ ls -la .ssh/id_rsa*
-rw------- 1 adasiek adasiek 1766 2020-03-30 .ssh/id_rsa
-rw-r--r-- 1 adasiek adasiek 411 2020-03-30 .ssh/id_rsa.pub

adasiek @ devel in ~ |12:49:22 $ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKL8eEn7NK5NtbmWiy+nWIgA1s81jxFHmrBIzDQjZCmvYNEzNO1OarpPsjuQr6L9BT6DxekeaMuxKjnNAlEnTIY+oN7z2txzqCK+yzgMRdl86glalh5dNCXwStnBHtUfvl46WK0K+nrbA9iZDCc9YGfO6++To8DlGiO1a1rAqiM6rnqm1fkvzjnZSI0SW4ewfiUWc6CtJb6Dg2Qo+06VAS5wFG+TG7VPqxTC4UPTBjAfQ8dWO7AgoQNz0NJMI4lxZ8OewdrF//yU7jvbhQkQCjL8K1YIGckDraoc+grpaeF3rsjtdcKxc8oVBSzMMGiTBvg3nK2P7ZN0opl+7WlfVd adasiek@adasiek-ThinkPad-X200

How to create SSH keys — generation process

I use ssh-rsa private and public keys for authentication. The command for generating a pair of keys (private and public) is:

ssh-keygen -t rsa

When this command is run for the first time, it generates the keys and writes them to the directory /home/user/.ssh

  • /home/user/.ssh/id_rsa — private key (keep it SECRET)
  • /home/user/.ssh/id_rsa.pub — public key (to save to another computer, this is PUBLIC part)
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/python/.ssh/id_rsa):
Created directory '/home/python/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/python/.ssh/id_rsa
Your public key has been saved in /home/python/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:GeFnitVuMeDFVg6+Jp19jw9RUzIpUpwZQcfRSQPMM8E python@devel
The key's randomart image is:
+---[RSA 3072]----+
| o.o=XOO*o|
| o *+o=Eo++|
| =.B...o..|
| o O * ..|
| . S B . o |
| + . + |
| o .|
| o |
| .|
+----[SHA256]-----+
$

The public key should be stored on the server in the /root/.ssh/authorized_keys file. We must remember to set restrictive permissions on this file: -rw------- (read and write for the owner only)

root@linux-admin:~# ls -la .ssh/
total 20
drwx------ 2 root root 4096 Aug 5 12:13 .
drwx------ 8 root root 4096 Aug 6 13:56 ..
-rw------- 1 root root 411 Aug 4 08:48 authorized_keys

In 2023, there is a newer and better type of public-key signature algorithm: Ed25519.

Ed25519 was proposed by Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang in their paper High-speed high-security signatures (doi.org/10.1007/s13389-012-0027-1) in 2011. More precisely, Ed25519 is an instance of the Edwards-curve Digital Signature Algorithm (EdDSA), where a twisted Edwards curve birationally equivalent to the curve called Curve25519 is used. Curve25519 is a very fast elliptic-curve Diffie-Hellman function that was proposed by Daniel J. Bernstein in his paper Curve25519: new Diffie-Hellman speed records in 2006.

You can read more about it on this blog: https://blog.peterruppel.de/ed25519-for-ssh/

The command to create such a key is similar to the one for rsa:

ssh-keygen -t ed25519 -C "adam.jurkiewicz.pythonista"

Option -C means comment.

Below you can see the generation process. The rest of the commands are the same: we should use the ssh-copy-id command to copy our key to the server.

python@devel:~$  ssh-keygen -t ed25519 -C "adam.jurkiewicz.pythonista"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/python/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/python/.ssh/id_ed25519
Your public key has been saved in /home/python/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:vI6hH35y5UVcjmuKvtjPDBRUMx/FH3itKcZfQzSxuZM adam.jurkiewicz.pythonista
The key's randomart image is:
+--[ED25519 256]--+
| ..+ .o++o|
| . + oo+=|
| . o.+o*.|
| . . B +.=|
| S o + E.|
| . .. + . .|
| o o+ + |
| o.B++o |
| ..===o+ |
+----[SHA256]-----+


python@devel:~$ ls -la .ssh/
razem 32
drwx------ 2 python python 4096 08-08 07:57 .
drwxr-xr-x 3 python python 4096 08-06 22:21 ..
-rw------- 1 python python 419 08-08 07:57 id_ed25519
-rw-r--r-- 1 python python 108 08-08 07:57 id_ed25519.pub

An easy way to copy the public key to the server

A simple way to copy the public key is to use the command ssh-copy-id

First, let’s check that the ssh server configuration is correct. The options are in the /etc/ssh/sshd_config file and the defaults should be ok, but we need to remember the appropriate value of the parameter PermitRootLogin: it should be set to yes

PermitRootLogin Specifies whether root can log in using ssh(1).

The argument must be "yes", "without-password", "forced-commands-only", or "no". The default is "yes".

If this option is set to "without-password", password authentication is disabled for root.

If this option is set to "forced-commands-only", root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to "no", root is not allowed to log in.

In our case, the command is of the form:

ssh-copy-id root@188.68.237.191

When our keys are in the proper location, we can connect using a simple script:

That is all. We can now do our administration tasks, for example checking processes or testing the IP using https://www.ipify.org/

We can see our authentication and some "hackers" in the log file /var/log/auth.log

Aug  6 14:22:14 linux-admin sshd[31610]: Accepted publickey for root from 31.178.171.170 port 60062 ssh2: RSA SHA256:GHDUfp2pukKe5L4Fi03i0iwGN/Sp0csr8k4pWGGazfg
Aug 6 14:22:14 linux-admin sshd[31610]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Aug 6 14:22:14 linux-admin systemd-logind[557]: New session 198 of user root.
Aug 6 14:22:14 linux-admin systemd: pam_unix(systemd-user:session): session opened for user root(uid=0) by (uid=0)
Aug 6 14:23:02 linux-admin sshd[31696]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=151.0.165.235 user=root
Aug 6 14:23:04 linux-admin sshd[31696]: Failed password for root from 151.0.165.235 port 57966 ssh2
Aug 6 14:23:04 linux-admin sshd[31696]: Received disconnect from 151.0.165.235 port 57966:11: Bye Bye [preauth]
Aug 6 14:23:04 linux-admin sshd[31696]: Disconnected from authenticating user root 151.0.165.235 port 57966 [preauth]
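
One way to separate your own key logins from password guessing in such a log, as an added example that is not part of the original article. The names summarise_sshd_auth and sample_log are hypothetical, and the two sample lines from 203.0.113.7 are constructed; the other lines are copied from the excerpt above.

```shell
#!/bin/sh
# Added example: count sshd login results per method, user and source address.

summarise_sshd_auth() {
    # stdin: auth.log lines; stdout: "<count> <result> <method> <user> <ip>"
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
            # The user name is chosen by the client, so trust only the LAST
            # "from <ip> port" triple on the line as the real source.
            src = 0
            for (i = 8; i + 2 <= NF; i++)
                if ($i == "from" && $(i + 2) == "port") src = i
            if (src == 0) next
            n[$6 " " $7 " " $(src - 1) " " $(src + 1)]++
        }
        END { for (k in n) print n[k], k }
    ' | sort
}

sample_log() {
    # Excerpt lines from the article plus two constructed "invalid user" lines.
    cat <<'EOF'
Aug  6 14:22:14 linux-admin sshd[31610]: Accepted publickey for root from 31.178.171.170 port 60062 ssh2: RSA SHA256:GHDUfp2pukKe5L4Fi03i0iwGN/Sp0csr8k4pWGGazfg
Aug  6 14:22:14 linux-admin sshd[31610]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Aug  6 14:23:04 linux-admin sshd[31696]: Failed password for root from 151.0.165.235 port 57966 ssh2
Aug  6 14:23:04 linux-admin sshd[31696]: Received disconnect from 151.0.165.235 port 57966:11: Bye Bye [preauth]
Aug  6 14:23:09 linux-admin sshd[31701]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Aug  6 14:23:11 linux-admin sshd[31701]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
EOF
}

sample_log | summarise_sshd_auth
```

On the server, feed it the real file instead of the sample: summarise_sshd_auth < /var/log/auth.log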

Finally, we can change the configuration of the server to accept logins only with the ssh key: we change the PermitRootLogin parameter in the /etc/ssh/sshd_config file to the without-password value.

sed 's/PermitRootLogin yes/PermitRootLogin without-password/g' -i /etc/ssh/sshd_config

Then we restart the ssh server using the command:

systemctl restart ssh
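
The sed command above only rewrites a line that reads exactly PermitRootLogin yes, so it is worth confirming which value is active afterwards. The following is an added example, not part of the original article. The names root_login_policy and policy_after_sed are hypothetical, the config text is constructed, and Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Added example: report which PermitRootLogin value is active after the edit.
# Current OpenSSH names the value prohibit-password and keeps
# without-password as a deprecated alias.

root_login_policy() {
    # Print the first active PermitRootLogin value in file $1, or "unset".
    # sshd uses the first value it reads; keywords are case-insensitive.
    awk '
        /^[ \t]*#/ { next }                        # comment line
        tolower($1) == "match" { exit }            # stop at first Match block
        tolower($1) == "permitrootlogin" { v = $2; exit }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

policy_after_sed() {
    # Apply the substitution from the article to constructed config text ($1)
    # in a temporary file, then report the resulting policy.
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" |
        sed 's/PermitRootLogin yes/PermitRootLogin without-password/g' > "$tmp"
    root_login_policy "$tmp"
    rm -f "$tmp"
}

policy_after_sed 'PermitRootLogin yes'     # without-password
policy_after_sed '#PermitRootLogin yes'    # unset: the line is still a comment
policy_after_sed 'permitrootlogin yes'     # yes: sed is case-sensitive, sshd is not
```

On the server itself, sshd -t checks the file for errors before the restart, and sshd -T prints the effective settings.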

Linux (Debian/Ubuntu) admin 😆, Python (OOP, fastAPI) programmer 🖥️ | Teacher, trainer 📚 ⚓