Similar to what I wrote in New OpenSuSE Tumbleweed cannot ssh in but this time with Debian. This has to be done from a physical console login on the machine (or if it was a VM, from the hosting company’s console login desktop service). I’m logged in as root.
apt-get install vim
Debian is pretty bare-metal, man. This is probably good from a security and stability point-of-view.
cd /etc/ssh/cd /etc/ssh/Find PermitRootLogin and uncomment it, and change it to yes
Find #PubkeyAuthentication yes and uncomment it.
Find #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 and uncomment it and remove the second file authorized_keys2
Find PasswordAuthentication no and uncomment it and change it to yes – note that this is temporary!
Save and exit the sshd_config file. I’m not sure which service(s) would need to be restarted here, so I issue the reboot now command and watch the machine reboot. Today’s hardware is amazingly fast, compared to what we lived with a decade ago.
Now, from my remote machine, I ssh in as root. I get asked about accepting the private key, and get prompted for the password. Once I get in, I know I’m good to proceed to the next step.
ssh-copy-id root@host.domain
I get asked to put in my password again, and now public key logins are enabled, instead of password-based logins.
I log in as root again, but this time without a password. At this point, I do some customizations per How to make Ubuntu have a nice bash shell like OpenSuSE (although this is Debian). One nice thing is that ~/.bashrc already had aliases ready for ll being an alias for ls -l
Something I don’t understand is why I cannot copy / paste from the Debian ssh session. My guess is that is has something to do with LS_OPTIONS in the bashrc file. Anyway….
I still needed to add alias ..='cd ..' though.
I log out.
I log in as a non-root user, with a password.
ssh-copy-id user@host.domain
I log in as the non-root user, without a password. Same thing: I add the customizations I like, where I can edit with vim, from doing a less on a file, the .. alias for changing directory up one, and using PageUp to search history. I log out.
I log in as root again. Now, I need to give my non-root user sudo rights.
adduser whatever-the-non-root-user-is sudo
Back to editing /etc/ssh/sshd_config
Find PermitRootLogin and uncomment it, and change it to no
Find PasswordAuthentication yes and uncomment it and change it to no
And then I save and exit the file and reboot the box.
Now I can ssh as the non-root user, and I cannot log in via ssh as root. Also, no-one can attempt to log in with just a password. This is good.