How to Install SSH & Setup Passwordless Login in Debian 11 Bullseye

This tutorial shows how to install and setup SSH server in Debian 11, so users can connect remotely without password by authentication keys.

SSH, stands for Secure Shell, is a network protocol for remote login and data transfer. OpenSSH (aka OpenBSD Secure Shell) is a fork of SSH that’s available in Linux, macOS, and Windows own repositories.

Requirement:

In this tutorial, I’m going to access Debian 11 remotely from another Linux machine. So I’ll call Debian as host machine, and local computer used to access the host via SSH as client machine.

  • Host machine: Debian 11 Bullseye.
  • Client machine: Any other Linux system.

Install & Enable SSH Server:

Firstly, open terminal or connect to Debian command console. Then run command to install the OpenSSH server in the host machine:

sudo apt install openssh-server

Next, enable the ssh service so it starts automatically on startup via command:

sudo systemctl enable ssh

And, start the ssh service now in the Debian host via command:

sudo systemctl start ssh

To check its status, use command below. You can do more actions by replacing status with reload, restart, or stop.

sudo systemctl status ssh

The SSH server configuration files include /etc/ssh/sshd_config and files under “/etc/ssh/sshd_config.d” directory. Edit it via command sudo nano /etc/ssh/sshd_config and reload the service will apply change.

And finally, you may try to connect to Debian 11 via SSH using command (replace IP and user in command with your Debian server’s):

ssh [email protected]

Enable Passwordless Login via SSH Keys

OpenSSH supports key authentication to increase the security for connection. There are three different type of keys: ECDSA, ED25519, and RSA. RSA is most widely used and best supported, ECDSA is lighter and for machine with very low processing power. While, ED25519 offers better security than ECDSA and DSA and good performance. And, here I’m going to use ED25519 in this tutorial.

In the following commands, you need to replace KEY_NAME. And the USER is the username in Debian host that you want to access.

Generate SSH Keys

The key is generated in the client machine. In the computer you trying to remotely access Debian server, run command to create and go to .ssh as working directory:

mkdir -p ~/.ssh && cd ~/.ssh

Next, run command below to generate an ‘ed25519’ SSH key pair. Replace the KEY_NAME and COMMENT.

ssh-keygen -t ed25519 -f KEY_NAME  -C "COMMENT"

Set a password for the key or leave blank as it prompts and hit Enter. It will finally generated both private and public keys in .ssh folder.

Generate SSH Key Pair in Client Machine

For security reason, you may set the key pair permission so only current user has read & write permissions to them:

chmod 600 ~/.ssh/KEY_NAME*

Upload the Public Key to the Host:

The file ~/.ssh/authorized_keys in the Debian host machine is the place to store the public SSH keys.

In the local client computer, run command to get the public key content:

cat ~/.ssh/KEY_NAME.pub

And in the Debian host machine, create (if not exist) and edit the authorized_keys file via command:

nano ~/.ssh/authorized_keys

All you need is to copy the content (usually a single line) from client to the host and save it (Ctrl+X, type y, and hit Enter):

If you have figured out SSH login via normal password authentication, run this command in client PC will upload the public key to the host (replace [email protected]_IP):

cat ~/.ssh/KEY_NAME.pub | ssh [email protected]_IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

To be simple, the command ssh-copy-id -i KEY_NAME [email protected]_IP also do the trick!

And finally in the host, change the file permission to 644. See more about Linux file permission.

chmod 644 ~/.ssh/authorized_keys

Enable Passwordless Login:

If you have set password when creating the SSH key, it will asks for it everything time you login. For those don’t want to type them again and again, ‘ssh-agent’ is present to make life easier.

Firstly run command to start it:

eval 'ssh-agent'

Then run ssh-add command to add your key:

ssh-add ~/.ssh/KEY_NAME

That’s it!

Write SSH connection into config:

To make things simple, you may also write the SSH connection into a config file. Run command in the client machine to generate and edit the config file:

nano ~/.ssh/config

When the file opens in terminal, write following lines:

Host my_debian11
  HostName 172.67.154.173
  User merilyn
  IdentityFile ~/.ssh/debian_ed25519
  IdentitiesOnly yes

Here you need to change “my_debian11“, “merilyn“, and the “~/.ssh/debian_ed25519” to yours!

After saving the file, you may simply run “ssh my_debian11” to make the SSH connection.

Disable normal password login:

If everything is done successfully, you may disable normal password login so SSH Key is only choice to access the host.

To do so, edit the SSH configuration file in the host:

sudo nano /etc/ssh/sshd_config

When it opens, set PasswordAuthentication to no by removing # at the beginning if any and changing value to no.

Finally, reload the SSH service via sudo systemctl reload ssh. Enjoy!

Merilyn Ne
Hi, I'm Merilyn Ne, a computer geek working on Ubuntu Linux for many years and would like to write useful tips for beginners. Forgive me for language mistakes. I'm not a native speaker of English.