Setup secure SSH to key only access with custom user/port on Raspbian/Ubuntu

This quick guide shows my standard routine for setting up secure SSH on new fresh installs of Raspbian or Ubuntu VMs.

First if you are still using any system default user like "pi" or "root" or "admin", change this and create your own, custom user.

Lets start in this example with our new user name "funkymonkey":

sudo adduser funkymonkey

Give root (sudo) privileges to the new user:

sudo usermod -aG sudo funkymonkeyx

Generate your public and private key pair. The public key lives on the server, and the private key will be used to unlock access from any device that needs it. Run:

ssh-keygen

When asked where to put the file, take the default. You can choose whether or not to enter in a passphrase – having a passphrase means that you need both the private key and passphrase to gain access. It provides an additional layer of security.

Once your keys have been created, you will find them in ~/.ssh – there should be id_rsa (private key) and id_rsa.pub (public key) files in that directory. Now copy that key to the users authorized keys:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

This command will copy the public key to the user’s ~/.ssh/ directory as an authorized_keys file. You can now use the private key to authenticate with this server as user funkymonkey.

sshd config

Now we setup the ssh service to only accept key signed connections on our custom port. Open the config:

sudo nano /etc/ssh/sshd_config

First we change the port, find the line "#Port 22", uncomment and change to

Port 44

We choose port 44, but you can use whatever port you want, just remember to stick to Ports below 1023, as any port >= 1024 is a non-privileged port and a security risk. And avoid collision with standard port assignments, check this list.

Continue editing the file by scrolling down and find the "PermitRootLogin" option. Uncomment and change it to:

PermitRootLogin no

This disables root user login. Next scroll down further and find "PasswordAuthentication"...also uncomment and change it to:

PasswordAuthentication no

This disables password based authentication. (Private key authentication should already be enabled by default – you can verify this by ensuring that PubkeyAuthentication is set to ‘yes’ in the SSH config file).

Press CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit.

Download private key to your client device or tool (like Terminus)

Display our earlier created private key and copy&paste:

cat ~/.ssh/id_rsa

Select the entire contents of the file and copy the text to your clipboard. Paste and save the entire block either into a text file in a safe location or into your favorite ssh tool like Termius.

On a MAC OS for example save the text file at:

Macintosh HD/Users/YOURUSERNAME/.ssh/myserver_rsa

Once saved, you can delete the id_rsa file from the server (though, you should probably test connectivity first if this is your first time making these changes):

sudo rm ~/.ssh/id_rsa

Now to make all changes active and permanent reboot:

sudo reboot

Connect with new user and key

To connect in the future with your new user, custom port and own key, you need to define these variables at connect like:

ssh -i /Users/YOURUSERNAME/.ssh/myserver_rsa -p 44 [email protected]

"-i /Users/YOURUSERNAME/.ssh/myserver_rsa" defines the path to your keyfile.
"-p 44" defines your selected port.
"funkeymonkey" needs to be your selected username.
"@10.10.10.10" must be your IP or TLD.
Adapt these parameters to your chosen settings.

If you are using multiple servers with different users and keys, ssh tools like Termius or putty are definitely coming handy

Published by Florian Müller in Development, Technology

Tags: key, linux, raspberrypi, raspbian, security, server, ssh, terminal, ubuntu