SSH Key Notes
I’ve needed to set up multiple servers for some of my projects and SSH in to do various configuration, and I thought I’d jot down some notes I found helpful.
I use SSH Keys
I prefer to use SSH keys over passwords for a few reasons- mostly because I think they’re safer (nice discussion here) and once configured, they’re also very easy to use and flexible.
1. SSH User on Server
Ideally you’ll disable SSH root access and avoid using root. Instead, you’ll want to create a new user, give user the permissions you’d like (e.g. allow su to root maybe but not perform sudo operations), and disable root SSH access. This stack exchange question is useful regarding this.
2. Using SSH on a different port
Not long after I had my servers up, I happened to be doing some troubleshooting and noticed constant port scans and login attempts. This was somewhat concerning, but it’s apparently fairly typical. However, I like to set up my SSH port to be something other than 22 for this reason.
You can do this pretty easily by changing /etc/ssh/sshd_config file. Change the line with #Port 22 to not be commented out and chose another port. E.g. port 1034.
A minor nitpick is to choose a port between 1 and 1023. This is a root priviledged port range meaning only root can reserve these ports. You can read more here. Arguably this guidance is outdated, but I still follow it.
3. Setting up client key
On your machine, or machine that will act as client[0], you want to create the SSH key:
ssh-keygen -t rsa -b 4096
I personally do not use a passphrase to make things easier for me :)
Next, upload the key to the server:
ssh-copy-id -p 1034 -i ~/.ssh/my_ssh_key deploy_user@192.168.1.15
Finally ,let’s test the configuration works:
ssh -p 1034 -i ~/.ssh/my_ssh_key deploy_user@192.168.1.15
4. Configure firewall
We’ll need to update our firewall so we can actually SSH in.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 1034/tcp
# If this is a web server, you'd also likely want ports 80 & 443 open
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw reload
Check results:
sudo ufw status
If you’re using a VPS at a major provider like Vultr or Hostinger, check to see if you have any firewalls configured for you VPS as well.
5. Configure future usage
Okay, so you have an SSH key but it’s a PITA to use! You can update your (not the server’s) SSH config file to make it much easier to use.
Add/update entries as an alias to ~/.ssh/config like so:
Host personal-server
HostName 192.168.1.15
User root
IdentityFile ~/.ssh/my_ssh_key
Port 1034
Host production-server
HostName 192.168.1.30
User deploy_user
IdentityFile ~/.ssh/my_production_ssh_key
Port 1034
Now you can ssh easily:
ssh personal-server
Will also work with tools like scp
Always learning
If there are other recommendations on how to keep things secure or better configure SSH keys, I’m always open to suggestions.
[0] This could actually be the server in cases where the server does a git pull request for example- maybe in some deploy scenario that requires the server to git checkout a repo. In this case, you’ll also want to add the key to GitHub as a “Deploy key”
Enjoy Reading This Article?
Here are some more articles you might like to read next: