[Linux] Securing a Debian server by Enabling passwordless Login

I. Abstract

All of us know there are lots of bad guys out there just trying to brute-force our SSH ports. The following article provides information about the first steps to be performed when setting up a new web server running Debian Etch. For security reasons we recommend applying these how-tos before proceeding:
  • Mandatory: How to secure your Debian server by updating the buggy OpenSSH Debian package (read tutorial here)
  • Optional: How to secure your Debian server by changing the SSH port number (read tutorial here)
The following how-to will show you how to enable SSH login without a server-based password (passwordless login) and how to disable password login in general on your server.

II. Generate SSH public/private key pair
  • Generate a key pair on your Linux client machine (works on Cygwin and Mac OS X as well!):
      client$ mkdir ~/.ssh
      client$ chmod 700 ~/.ssh
      client$ cd .ssh
      client$ ssh-keygen -q -f id_rsa -t rsa
  • You will be asked to provide a passphrase to encrypt your private key. Although you might leave this empty, we strongly recommend providing one, for your own safety.
  • In the folder called .ssh you will then find these two files:
      id_rsa     > contains the private key (encrypted with your passphrase)
      id_rsa.pub > contains the public key (to be put on your Etch web server)
III. Upload public-key to server
  • In detail: the content of id_rsa.pub (which in fact is a text file) is pushed via SSH to your root's home folder and saved there as id_rsa.remote (the quotes around > keep your local shell from treating it as a redirection, so the remote cat receives it):
      client$ cat id_rsa.pub | ssh root@yourdomain.net cat ">" id_rsa.remote
IV. Activate public/private key authentication
  • Log in to your server (provide your password):
      client$ ssh root@yourdomain.net
  • You may install nano (if you like vim, stay with vim; imho nano is faster for simpler tasks, but vim is much more powerful, so having both is no loss ;-)):
      server$ apt-get install nano
  • Edit the SSH configuration to allow public-key login:
      server$ nano /etc/ssh/sshd_config
  • Allow AuthorizedKeysFile only (still in sshd_config):
      AuthorizedKeysFile %h/.ssh/authorized_keys
  • Disallow password-driven login (still in sshd_config):
      # Change to no to disable tunnelled clear text passwords
      PasswordAuthentication no
  • Save and exit (in nano: Ctrl + X)
  • Restart the SSH daemon:
      server$ /etc/init.d/ssh restart
  • Go back to your root's home folder:
      server$ cd
  • Make the directory .ssh:
      server$ mkdir .ssh
  • Copy the uploaded id_rsa.remote into the .ssh folder as authorized_keys:
      server$ cp id_rsa.remote .ssh/authorized_keys
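The steps above restart sshd before the key is copied into place. That works because the root session you opened in the first step stays alive, but a typo in sshd_config, an uploaded id_rsa instead of id_rsa.pub, or a .ssh directory with loose permissions (sshd's default StrictModes refuses group- or world-writable .ssh directories and authorized_keys files) would still lock you out at the next login. The helper below is an added example, not code from the original article: it performs the server-side part of sections III and IV with those checks, and it takes all paths as parameters so you can try it in a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the original article. Installs an uploaded public
# key into authorized_keys with safe permissions and checks sshd_config for
# the two settings the article sets, so nothing is restarted until both
# look right. Paths are parameters so the functions run offline in a temp dir.

# Accept only a line that looks like an OpenSSH public key (key type, base64
# blob, optional comment) and refuse anything containing a private-key header,
# which catches uploading id_rsa instead of id_rsa.pub.
looks_like_pubkey() {
    grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1" &&
        ! grep -q 'PRIVATE KEY' "$1"
}

# install_authorized_key KEYFILE SSHDIR
# Creates SSHDIR (mode 700) and SSHDIR/authorized_keys (mode 600) as sshd's
# default StrictModes requires, then appends the key once.
# Returns 0 on install, 1 if KEYFILE is not a public key, 2 if already present.
install_authorized_key() {
    keyfile=$1
    authfile=$2/authorized_keys
    looks_like_pubkey "$keyfile" || return 1
    mkdir -p "$2" && chmod 700 "$2" || return 1
    touch "$authfile" && chmod 600 "$authfile" || return 1
    if grep -qxF "$(cat "$keyfile")" "$authfile"; then
        return 2
    fi
    cat "$keyfile" >> "$authfile"
}

# sshd_effective CONFIG KEYWORD
# sshd uses the first non-comment occurrence of a keyword; print its value
# (keywords are case-insensitive), or nothing if it is not set.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# check_sshd_config CONFIG
# Returns 0 when password login is off and AuthorizedKeysFile points at an
# authorized_keys file; otherwise prints each problem and returns 1.
check_sshd_config() {
    rc=0
    pa=$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$pa" = no ] || { echo "PasswordAuthentication is '${pa:-unset}', want no"; rc=1; }
    akf=$(sshd_effective "$1" AuthorizedKeysFile)
    case "$akf" in
        *authorized_keys*) ;;
        *) echo "AuthorizedKeysFile is '${akf:-unset}', want %h/.ssh/authorized_keys"; rc=1 ;;
    esac
    return "$rc"
}

# Typical use on the server, after the client has uploaded id_rsa.remote
# (sshd -t only parses the config and reports errors without restarting):
#   install_authorized_key ~/id_rsa.remote ~/.ssh &&
#   check_sshd_config /etc/ssh/sshd_config &&
#   sshd -t && /etc/init.d/ssh restart
```

Because the daemon is only restarted when all three checks pass, the open root session is never your sole safety net; and since check_sshd_config reads the first non-comment occurrence of each keyword, it catches the common mistake of editing a later duplicate line while an earlier "PasswordAuthentication yes" still wins.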
V. Test your configuration
  • Don't log out of your server; instead open a second terminal on your client machine to test your new configuration (provide the passphrase for your private key):
      client2$ ssh root@yourdomain.net
  • If everything works well: congratulations, you're done. Consider clicking our sponsor (non-offensive Google AdSense) to help maintain this project free for all of you...
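The test above only proves that key login works from your client; it does not prove that password login is really off. The server's auth log answers that: after the change your own logins appear as "Accepted publickey", no "Accepted password" line should appear at all, and the brute-force attempts mentioned in the abstract keep showing up as "Failed password" lines that now cannot succeed. The script below is an added example and not part of the original article; the log lines it writes are constructed samples in Debian's sshd log format (the addresses are documentation ranges), and on a real server you would point summarize_auth at /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example, not from the original article. Summarises an sshd auth log so
# you can confirm from the server side that logins arrive via public key and
# that no password login succeeds any more. Run it on the real log with:
#   summarize_auth /var/log/auth.log

# Count accepted publickey logins, accepted password logins and failed
# password attempts, plus the number of distinct source IPs of the failures.
# Prints one line: "pubkey_ok=N password_ok=N password_failed=N attackers=N"
summarize_auth() {
    awk '
        /sshd\[[0-9]+\]: Accepted publickey/ { pk++ }
        /sshd\[[0-9]+\]: Accepted password/  { pw++ }
        /sshd\[[0-9]+\]: Failed password/ {
            fail++
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i + 1)] = 1
        }
        END {
            n = 0
            for (ip in ips) n++
            printf "pubkey_ok=%d password_ok=%d password_failed=%d attackers=%d\n", pk, pw, fail, n
        }
    ' "$1"
}

# password_login_disabled LOGFILE
# Returns 0 when no password login succeeded anywhere in the log, which is
# what you expect after "PasswordAuthentication no"; returns 1 otherwise.
password_login_disabled() {
    case "$(summarize_auth "$1")" in
        *" password_ok=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample_log FILE
# Constructed sample log (not real traffic) so the example runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
May 20 10:01:02 etch sshd[2101]: Failed password for root from 192.0.2.77 port 40122 ssh2
May 20 10:01:05 etch sshd[2101]: Failed password for root from 192.0.2.77 port 40122 ssh2
May 20 10:01:09 etch sshd[2104]: Failed password for invalid user admin from 198.51.100.9 port 3301 ssh2
May 20 10:02:30 etch sshd[2110]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2
May 20 10:03:11 etch sshd[2115]: Failed password for invalid user test from 192.0.2.77 port 40201 ssh2
EOF
}
```

On the constructed sample the summary reads pubkey_ok=1 password_ok=0 password_failed=4 attackers=2; a non-zero password_ok on a live server means the sshd_config edit did not take effect (wrong file, a duplicate keyword earlier in the file, or the daemon was not restarted).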
VII. Further steps

If you didn't already do it: to further improve your server's security you probably want to change the SSH port from 22 to something else. Read here how to do that...

One Response to “[Linux] Securing a Debian server by Enabling passwordless Login”

  1. […] First of all: log into your server via SSH as root. Make sure OpenSSH has been updated; a serious security flaw was discovered some days ago concerning Debian-based Linux distros. Also make sure you have secured your SSH access. We really recommend public/private-key crypto for SSH login. […]
