Installation & Basic Setup
Installing OpenSSH Server
Install the OpenSSH server package to enable SSH access to your Debian 12 system:
Starting and Enabling SSH Service
Start the SSH service and enable it to start automatically at boot:
sudo systemctl enable ssh
Checking SSH Status
Verify that the SSH service is running properly:
Basic SSH Connections
Connect to Remote Server
Connect to a remote server using username and hostname/IP:
Connect with Specific Port
Connect to a server using a non-default port:
Execute Remote Command
Run a single command on a remote server without opening an interactive session:
SSH with Verbose Output
Get detailed connection information for troubleshooting:
ssh -v username@hostname # Level 1 verbosity
ssh -vv username@hostname # Level 2 verbosity
ssh -vvv username@hostname # Level 3 verbosity (most detailed)
SSH Key Management
Generate SSH Key Pair
Create a new SSH key pair (RSA 4096-bit recommended):
For Ed25519 (modern, recommended):
Copy Public Key to Remote Server
Securely copy your public key to a remote server for passwordless authentication:
Alternative method using cat:
Disable Password Authentication
After setting up key-based authentication, disable password logins for enhanced security:
# In /etc/ssh/sshd_config, set: PasswordAuthentication no
sudo systemctl reload ssh
Advanced SSH Usage
SSH Agent for Key Management
Use SSH agent to manage private keys and avoid entering passphrases repeatedly:
eval "$(ssh-agent -s)" # Start an agent for the current shell
ssh-add ~/.ssh/id_rsa
ssh-add -l # List loaded keys
SSH Config File
Create a configuration file for simplified connections:
Example configuration:
Host myserver
    HostName 192.168.1.100
    User admin
    Port 2222
    IdentityFile ~/.ssh/myserver_key

Host *.example.com
    User developer
    IdentityFile ~/.ssh/work_key
Now connect with: ssh myserver
SSH Tunneling
Create secure tunnels for forwarding ports:
# Local port forwarding
ssh -L local_port:destination_host:destination_port username@gateway
# Remote port forwarding
ssh -R remote_port:destination_host:destination_port username@gateway
# Dynamic port forwarding (SOCKS proxy)
ssh -D local_port username@gateway
SCP and SFTP
Securely copy files between systems:
# Copy file to remote server
scp /local/file.txt username@hostname:/remote/directory/
# Copy file from remote server
scp username@hostname:/remote/file.txt /local/directory/
# Start SFTP session
sftp username@hostname
Security Hardening
Change Default SSH Port
Edit the SSH configuration to use a non-standard port:
# In /etc/ssh/sshd_config, change: Port 2222
sudo ufw allow 2222/tcp
sudo systemctl restart ssh
Disable Root Login
Prevent direct root logins for better security:
# In /etc/ssh/sshd_config, set: PermitRootLogin no
sudo systemctl reload ssh
Allow Specific Users
Restrict SSH access to specific users only:
# In /etc/ssh/sshd_config, add: AllowUsers user1 user2
sudo systemctl reload ssh
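To confirm that the hardening steps above (and the earlier password-authentication change) actually took effect, the following added example, which is not part of the original page, audits the output of `sshd -T`, the server's dump of its effective configuration. The function name `audit_sshd` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit effective sshd settings.
# Reads `sshd -T` output ("keyword value" lines, keywords lowercased) on stdin.
# Real use: sudo sshd -T | audit_sshd

# Constructed sample inputs, trimmed to the keywords this page changes.
SAMPLE_WEAK='port 22
permitrootlogin without-password
passwordauthentication yes'

SAMPLE_HARDENED='port 2222
permitrootlogin no
passwordauthentication no
allowusers user1
allowusers user2'

# Prints one PASS/FAIL line per check; returns 1 if any check fails.
audit_sshd() {
    awk '
        # Report a single check and return 1 when it fails.
        function check(name, value, ok) {
            if (ok) { print "PASS " name "=" value; return 0 }
            print "FAIL " name "=" (value == "" ? "unset" : value); return 1
        }
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "port"                   { ports = ports " " $2 }
        $1 == "allowusers"             { users = users " " $2 }  # one line per user
        END {
            fails  = check("passwordauthentication", pw, pw == "no")
            fails += check("permitrootlogin", root, root == "no")
            fails += check("allowusers", substr(users, 2), users != "")
            # Informational only: the port change is not counted as a failure.
            if (ports ~ / 22( |$)/) print "NOTE port 22 is still in use"
            exit (fails > 0)
        }'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || echo "weak sample: hardening incomplete"
```

On Debian 12 the stock sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own settings, and sshd keeps the first value it reads for a keyword, so a drop-in file can silently override an edit made in the main file. Auditing `sshd -T` rather than grepping one file catches that case.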
Fail2Ban for Brute Force Protection
Install and configure Fail2Ban to block brute force attacks:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Enable SSH protection in the [sshd] section:
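[sshd]
enabled = true
port = ssh
filter = sshd
# A default Debian 12 install has no rsyslog, so /var/log/auth.log may not exist;
# in that case replace the logpath line with: backend = systemd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600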
Troubleshooting
Common Issues and Solutions
| Issue | Solution |
|---|---|
| Permission denied (publickey) | Verify correct permissions: `~/.ssh` (700), `~/.ssh/authorized_keys` (600) |
| Connection refused | Check if SSH service is running: `sudo systemctl status ssh` |
| Host key verification failed | If the host key change is expected (for example, the server was reinstalled), remove the old key: `ssh-keygen -R hostname` |
| Too many authentication failures | Offer only the specified identity file: `ssh -o IdentitiesOnly=yes -i ~/.ssh/key username@host` |
Check SSH Logs
View SSH authentication logs for debugging:
Test SSH Configuration
Validate SSH server configuration before reloading: