======Access your server using SSH======

>[[https://en.wikipedia.org/wiki/SSH_(Secure_Shell)|SSH]] or Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.

Using SSH, you can access your server (or a friend's desktop) without needing physical access. In this manual, we are going to set up OpenSSH on the client and the server. You will authenticate with your public key, which is more secure than plain password authentication.

=====Prerequisites=====

  * A running Debian (or [[wp>Category:Debian-based_distributions|Debian-based]]) **server**.
  * A Debian(-based) desktop or laptop (which we call the **client**).

=====Generate a keypair on your client=====

Install openssh-client on the client:

  sudo apt install openssh-client

Generate a keypair:

  ssh-keygen -t ed25519 -C ""

You will be asked to enter a self-chosen //private key passphrase//.

Display your generated public key:

  cat ~/.ssh/id_ed25519.pub

and copy the output (select it, right-click, copy).

=====Initialize the public key authentication=====

====(a) if you have physical access to your server====

On the **server**, install OpenSSH server:

  sudo apt install openssh-server

Continue with the instructions at (b) to secure SSH using public key authentication.

====(b) if you have SSH access to your server====

On the **client**, access your server using password authentication:

  ssh @example.com

You are now on the **server**. Create the ''authorized_keys'' file:

  cd ~
  mkdir .ssh
  chmod 700 .ssh
  cd .ssh
  nano authorized_keys

Paste your public key into this file (''~/.ssh/authorized_keys''). Save the file and exit GNU Nano.

Change the permissions of this file:

  chmod 600 authorized_keys

Open the SSH configuration file:

  sudo nano /etc/ssh/sshd_config

In that configuration file, turn off root login and password authentication:

  PermitRootLogin no
  
  # Change to no to disable tunnelled clear text passwords
  PasswordAuthentication no

Restart the SSH daemon (process):

  sudo systemctl restart ssh.service

Leave your current SSH session:

  exit

Log in to your server again using SSH (on your **client**):

  ssh @example.com

SSH will not ask for your password anymore. Instead it will (probably) ask for your //private key passphrase//.

Leave your current SSH session:

  exit

Congratulations, you can now safely log in to your server using SSH public key authentication!

=====More information=====

For more advanced use cases, see [[https://wiki.quietlife.nl/doku.php?id=manuals:networking:ssh-tunnels|Connecting to a server's web interface with SSH]] on the Quietlife wiki.
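
To check the result of the steps in section (b), the following script verifies the ''.ssh'' and ''authorized_keys'' permissions and the two ''sshd_config'' settings. It is an added example, not part of the original manual; the function names are hypothetical and the paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original manual. Function names are
# hypothetical; paths are parameters so the checks can be tried on copies.

# Print the first uncommented global value of KEYWORD in an sshd_config-style
# file. sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line apply only conditionally.
# Assumes "Keyword value" pairs separated by whitespace, as in the manual.
sshd_setting() {  # usage: sshd_setting FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Succeed only if PATH shows exactly the permission string EXPECTED in the
# first ten characters of `ls -ld` (for example drwx------ for mode 700).
has_mode() {  # usage: has_mode PATH EXPECTED
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "$2" ]
}

# Run every check, print one line per finding, return non-zero on any failure.
audit_ssh_setup() {  # usage: audit_ssh_setup HOME_DIR SSHD_CONFIG
    rc=0
    has_mode "$1/.ssh" "drwx------" ||
        { echo "FAIL: $1/.ssh is not mode 700"; rc=1; }
    has_mode "$1/.ssh/authorized_keys" "-rw-------" ||
        { echo "FAIL: $1/.ssh/authorized_keys is not mode 600"; rc=1; }
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_setting "$2" "$kw")
        [ "$val" = "no" ] ||
            { echo "FAIL: $kw is '${val:-unset}', expected 'no'"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: permissions and sshd_config match the manual"
    return "$rc"
}

# On the server: audit_ssh_setup "$HOME" /etc/ssh/sshd_config
```

The script reads only the file it is given and does not follow ''Include'' lines; on a live server, ''sudo sshd -T'' prints the configuration that sshd actually uses.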