This quick guide shows my standard routine for setting up secure SSH on fresh installs of Raspbian or Ubuntu VMs.
First, if you are still logging in as a system default user such as "pi", "root" or "admin", stop doing so and create your own user. Default account names are the first thing password-guessing bots try.
Let's start, in this example, with a new user named "funkymonkey":
sudo adduser funkymonkey
Give the new user sudo (root) privileges:
sudo usermod -aG sudo funkymonkey
Generate a public/private key pair. The public key is installed on the server; the private key is what each client device uses to prove it is you, and it must stay secret. Run the following as funkymonkey (log in as that user or switch to it first), so the files land in funkymonkey's home directory and not in root's or pi's:
ssh-keygen
When asked where to put the file, accept the default. You can also enter a passphrase; with one, someone who steals the key file still cannot log in without it. It is an additional layer of security and worth having on any key that leaves a trusted machine. (Strictly speaking the private key never needs to exist on the server at all: generating the pair on your client and copying only the public key over is the safer order. This routine generates it on the server and moves it to the client later, so take care with that step.)
Once the keys have been created you will find them in ~/.ssh: id_rsa (private key) and id_rsa.pub (public key), or id_ed25519 and id_ed25519.pub if you chose that key type. Now append the public key to the user's authorized keys:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
This appends the public key to ~/.ssh/authorized_keys (creating the file if it does not exist yet). Two things sshd checks before it trusts that file: ~/.ssh must be owned by funkymonkey and not writable by anyone else (mode 700 is the safe choice), and authorized_keys likewise (mode 600). With the default StrictModes setting a group- or world-writable directory or file is silently ignored, and you are left wondering why the key is rejected. You can now use the private key to authenticate to this server as funkymonkey.
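As an added example (a script written for this page, not part of the original guide): the authorized_keys step done the way ssh-copy-id does it, but idempotently and with the ownership and modes that sshd's StrictModes check requires. It takes the public key line as a parameter, so the private key never has to be on the server; the home directory, user and group are parameters too, so it can be tried on a scratch directory before running it as root for the real account. The script name, the placeholder key and the refusal logic are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: install a public key into a
# user's authorized_keys the way ssh-copy-id does, but idempotently and with
# the ownership and modes that sshd's StrictModes check (on by default)
# requires. Only the public key line is needed, so the private key never has
# to exist on the server. Paths, user and group are parameters so the script
# can be tried on a scratch directory first.

# looks_like_pubkey LINE: accept exactly one line of the form
# "<type> <base64> [comment]" with a known OpenSSH key type. A PEM block, a
# private key pasted by mistake or an empty clipboard is refused, not appended.
looks_like_pubkey() {
    printf '%s\n' "$1" | awk '
        NR == 1 && NF >= 2 &&
        $1 ~ "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh[.]com|sk-ecdsa-sha2-nistp256@openssh[.]com)$" &&
        $2 ~ "^[A-Za-z0-9+/]+=*$" { ok = 1 }
        END { exit !(ok && NR == 1) }'
}

# install_authorized_key HOME_DIR USER GROUP LINE
# Appends LINE to HOME_DIR/.ssh/authorized_keys unless it is already there,
# then sets the modes (700 on the directory, 600 on the file) and the owner
# that sshd expects before it trusts the file. Returns 1 for a bad LINE.
install_authorized_key() {
    home=$1 user=$2 group=$3 line=$4
    looks_like_pubkey "$line" || {
        echo "refusing to install: not an OpenSSH public key line" >&2
        return 1
    }
    dir=$home/.ssh
    ak=$dir/authorized_keys
    mkdir -p "$dir" || return 1
    touch "$ak" || return 1
    # -F literal, -x whole line: a second run with the same key adds nothing
    grep -qxF "$line" "$ak" || printf '%s\n' "$line" >> "$ak"
    chmod 700 "$dir" && chmod 600 "$ak" && chown "$user:$group" "$dir" "$ak"
}

# authorized_key_count HOME_DIR: number of non-blank lines, for verification
authorized_key_count() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Usage (as root, for the user created above, with the public key line
# copied from the client that generated it):
#   sudo sh install_key.sh /home/funkymonkey funkymonkey funkymonkey "$(cat id_ed25519.pub)"
if [ $# -eq 4 ]; then
    install_authorized_key "$1" "$2" "$3" "$4"
fi
```

Refusing anything that is not a single public key line matters more than it looks: the classic mistake is pasting id_rsa instead of id_rsa.pub, which leaves the private key sitting in a file sshd reads but never matches, and the check above turns that into an error instead of a silent failure.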
sshd config
Now we set up the SSH daemon to accept only key-based logins, on our custom port. Open the config:
sudo nano /etc/ssh/sshd_config
First change the port: find the line "#Port 22", uncomment it and change it to
Port 44
We choose port 44 here, but you can use whatever port you like. Stay below 1024: only root can bind those ports, so if sshd ever dies, an unprivileged local process cannot grab its port and impersonate the server to connecting clients; anything from 1024 up can be bound by any user. Be clear about what the change buys you: a non-standard port keeps you out of the logs of scanners that only try 22, it is not a substitute for the key-only settings below. Avoid collisions with standard port assignments by checking the IANA service name and port number registry (your system's /etc/services is a local excerpt; 44 itself is registered there for the MPM FLAGS protocol, harmless unless you happen to run it). One Ubuntu-specific caveat: from 22.10 on sshd is started on demand by systemd's ssh.socket and the listening port comes from that socket unit, which depending on the release may or may not be derived from sshd_config, so verify that the daemon is really listening on the new port before you close your session.
Continue editing the file: scroll down and find the "PermitRootLogin" option. Uncomment it and change it to:
PermitRootLogin no
This disables direct root login; use your own user and sudo instead. Next scroll further down and find "PasswordAuthentication", uncomment it too and change it to:
PasswordAuthentication no
This disables password-based authentication. (Public key authentication is already enabled by default; you can verify this by ensuring that PubkeyAuthentication is set to 'yes' in the SSH config file.) Two things can undo this setting without any error message. First, Raspbian and Ubuntu run sshd with PAM, and the keyboard-interactive method can still prompt for the account password unless KbdInteractiveAuthentication (ChallengeResponseAuthentication on older OpenSSH releases) is also set to no; the stock configs ship it off, so make sure it stays that way. Second, sshd uses the first value it reads for a keyword, and Ubuntu's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf; cloud-init based images drop a 50-cloud-init.conf in there containing PasswordAuthentication yes, which then wins over the line you just edited. Either fix that file or add your own drop-in with a name that sorts before it. Before restarting, have sshd print its effective configuration (sudo sshd -T) and confirm all three settings, and run its syntax check (sudo sshd -t) so a typo cannot lock you out.
Press CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit.
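The precedence rule is easy to get wrong, so here is an added example (a script written for this page, not part of the original guide) that reproduces how sshd picks a value, first match wins with Include files read at the point they appear, and writes a hardening drop-in whose name sorts ahead of Ubuntu's 50-cloud-init.conf. It assumes a Debian/Ubuntu style layout (sshd_config plus an sshd_config.d directory) passed as a parameter, so it can be tried on a copy of /etc/ssh; sudo sshd -T remains the authoritative answer on the real host. The port and the settings in the drop-in are this guide's; the script name and the 00-hardening.conf file name are this example's own. One simplification: scanning stops at the first Match block, since values below it are conditional.

```shell
#!/bin/sh
# Added example, not part of the original guide: reproduce sshd's "first value
# wins" rule across Include drop-ins, and write a drop-in that wins.
# Why: Ubuntu's /etc/ssh/sshd_config starts with
#   Include /etc/ssh/sshd_config.d/*.conf
# and cloud-init images ship 50-cloud-init.conf with "PasswordAuthentication yes",
# which silently beats the "no" edited into the main file further down.
# `sudo sshd -T` is the real authority; this shows the rule on a scratch tree.

# _scan_config FILE KEYWORD_LOWERCASE BASE_DIR
# Prints the first value found for the keyword, descending into Include files
# at the point they appear (relative paths resolve against BASE_DIR, as sshd
# resolves them against /etc/ssh). Stops at a Match block, whose values are
# conditional. Returns 1 if the keyword is not set (sshd's default applies).
_scan_config() {
    [ -r "$1" ] || return 1
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=${raw%%#*}                                   # drop comments
        kw=$(printf '%s\n' "$line" | awk '{print tolower($1)}')
        val=$(printf '%s\n' "$line" | awk '{print $2}')
        [ -n "$kw" ] || continue
        case "$kw" in
            match) return 1 ;;
            include)
                case "$val" in /*) ;; *) val=$3/$val ;; esac
                for inc in $val; do                       # unquoted: glob, sorted
                    _scan_config "$inc" "$2" "$3" && return 0
                done ;;
            "$2") printf '%s\n' "$val"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# effective_value MAIN_CONFIG KEYWORD: keyword lookup is case-insensitive
effective_value() {
    _scan_config "$1" "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" "$(dirname "$1")"
}

# write_hardening_dropin ETC_SSH
# The name 00-hardening.conf sorts before 50-cloud-init.conf, so sshd reads
# these values first and they win.
write_hardening_dropin() {
    mkdir -p "$1/sshd_config.d"
    cat > "$1/sshd_config.d/00-hardening.conf" <<'EOF'
# key-only logins, no root, custom port (the settings from the guide above)
Port 44
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive via PAM can still prompt for a password unless this is
# off; both spellings are set so the file is valid on old and new OpenSSH
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Usage: sudo sh sshd_effective.sh /etc/ssh
if [ $# -eq 1 ]; then
    for k in Port PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
        printf '%-32s %s\n' "$k" "$(effective_value "$1/sshd_config" "$k" || echo '(not set, default applies)')"
    done
fi
```

Run it against /etc/ssh after editing and it prints what sshd will really use; if PasswordAuthentication still comes back yes, a drop-in is overriding you, and the 00-hardening.conf written above is one clean fix. On Ubuntu 22.10 and later remember the socket-activation caveat from the port section, and on any system run sudo sshd -t before restarting.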
Download the private key to your client device or tool (like Termius)
Display the private key created earlier and copy and paste it:
cat ~/.ssh/id_rsa
Select the entire contents of the file, including the BEGIN and END lines, and copy the text to your clipboard. Paste and save the whole block either into a text file in a safe location or into your favourite SSH tool such as Termius. Keep in mind that clipboard managers and cross-device clipboard sync keep history; if you use one, clear the entry afterwards, or transfer the file with scp over your still-open session instead of the clipboard.
On macOS, for example, save the text file as:
/Users/YOURUSERNAME/.ssh/myserver_rsa
and restrict it to yourself (mode 600): ssh refuses to use a private key that other accounts on the machine can read, with a "permissions are too open" warning.
Once saved, delete the private key from the server, where it has no reason to remain. First, though, keep this session open and test the new login from a second terminal: once the key is gone and password login is off, the copy on your client is the only way in.
rm ~/.ssh/id_rsa
(No sudo is needed, the file belongs to you.)
Your edits to sshd_config are already permanent; they take effect when sshd is restarted, which a reboot does:
sudo reboot
(Restarting only the ssh service has the same effect without taking the machine down and, unlike a reboot, leaves existing sessions connected, so you keep your current session as a safety net until the new login works.)
Connect with new user and key
To connect in the future with your new user, custom port and your own key, you pass all three on the command line, like this:
ssh -i /Users/YOURUSERNAME/.ssh/myserver_rsa -p 44 funkymonkey@10.10.10.10
"-i /Users/YOURUSERNAME/.ssh/myserver_rsa" is the path to your key file.
"-p 44" is your chosen port.
"funkymonkey" is your chosen username.
"@10.10.10.10" is the server's IP address or hostname.
Adapt these parameters to your chosen settings.
If you use several servers with different users, ports and keys, a Host entry per server in your client's ~/.ssh/config saves typing all of this every time, and SSH tools like Termius or PuTTY also come in handy.
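As an added example (a script written for this page, not part of the original guide): the client side of this setup. It assumes an OpenSSH client and that the key has already been pasted into some temporary file; the ~/.ssh directory and the names myserver_rsa, myserver, funkymonkey, 10.10.10.10 and port 44 are placeholders taken from this guide. It sets the modes ssh insists on, checks them the same way ssh does, and writes a ~/.ssh/config stanza so the long command above becomes a plain "ssh myserver".

```shell
#!/bin/sh
# Added example, not part of the original guide: the client side of this setup.
# Assumes an OpenSSH client and a private key pasted into a temporary file.
# Paths are parameters so it can be tried against a scratch directory first.

# key_perms_ok FILE: true only if FILE is readable by its owner alone. This is
# the condition ssh enforces before it loads a private key; otherwise it prints
# "Permissions 0644 for '...' are too open" and ignores the key.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c2-10)     # e.g. rw-------
    [ "${mode#???}" = "------" ]
}

# install_client_key SSH_DIR SRC NAME: copy the pasted key into SSH_DIR as NAME.
# The copy is created under umask 077, so it starts out private instead of
# being world-readable until a later chmod; the pasted original is removed.
install_client_key() {
    ssh_dir=$1 src=$2 name=$3
    saved_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" &&
        cp "$src" "$ssh_dir/$name" && chmod 600 "$ssh_dir/$name"
    rc=$?
    umask "$saved_umask"
    [ "$rc" -eq 0 ] && rm -f "$src" && key_perms_ok "$ssh_dir/$name"
}

# add_host_alias SSH_DIR ALIAS HOST PORT USER KEYNAME: append a Host stanza so
# the whole "-i ... -p ... user@host" line becomes "ssh ALIAS".
# IdentitiesOnly keeps ssh from offering every key in the agent before this
# one; with a handful of keys that trips the server's MaxAuthTries (default 6).
add_host_alias() {
    ssh_dir=$1 hostalias=$2 host=$3 port=$4 user=$5 key=$6
    cat >> "$ssh_dir/config" <<EOF

Host $hostalias
    HostName $host
    Port $port
    User $user
    IdentityFile $ssh_dir/$key
    IdentitiesOnly yes
EOF
    chmod 600 "$ssh_dir/config"
}

# host_alias_field SSH_DIR ALIAS KEYWORD: read one value back from the stanza,
# to verify what was written (on a real client "ssh -G ALIAS" prints the
# effective values, including ones inherited from other Host blocks).
host_alias_field() {
    awk -v a="$2" -v k="$3" '
        $1 == "Host" { in_block = ($2 == a); next }
        in_block && $1 == k { print $2; exit }
    ' "$1/config"
}

# Usage, with this guide's names:
#   sh client_setup.sh ~/.ssh ~/Downloads/pasted_key.txt myserver_rsa myserver 10.10.10.10 44 funkymonkey
if [ $# -eq 7 ]; then
    install_client_key "$1" "$2" "$3" &&
        add_host_alias "$1" "$4" "$5" "$6" "$7" "$3" &&
        echo "now connect with: ssh $4"
fi
```

After running it, ssh -G myserver shows the port, user and identity file ssh will actually use for that alias, which is the quickest way to spot a typo before the first connection attempt.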