Start by installing SSH.
apt install ssh
systemctl enable ssh
As a best practice, disable root login and create a new user with sudo access.
Add the user to the sudo group.
usermod -aG sudo myuser
Whenever needed, use sudo to execute binaries with root privileges. To pipe text into a file as root, use sudo in combination with tee.
If you know what you are doing, you can switch to root with “sudo su”.
Private Key Authentication
Instead of password authentication, we will stick to private key authentication, which uses asymmetric cryptography.
If you use Linux, copy your existing public key to the server and continue with the configuration.
If you use Windows, generate a new RSA key pair on the server and copy the private key to your PC.
You can use PuTTYgen to convert it into an SSH-2 key to use with PuTTY, FileZilla, WinSCP, etc.
ssh-keygen -b 4096 -t rsa -m PEM -f /tmp/key_rsa
cat /tmp/key_rsa # copy the key
Activate the public key on the server and remove the private key.
ssh-copy-id -i /tmp/key_rsa.pub myuser@localhost
rm /tmp/key*
Try to authenticate with your private key using SSH.
We disable all third-party PAM authentication modules, use SSH version 2, set a login grace timeout of 30 seconds, add an inactivity timeout of 900 seconds, disable root login and force private key authentication.
cat << 'EOF' >> /etc/ssh/sshd_config
UsePAM no
Protocol 2
LoginGraceTime 30
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue.net
DebianBanner no
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers myuser
EOF
Adjust the last line, “AllowUsers”, to your user list, separated by spaces.
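sshd uses the first value it reads for each keyword, so lines appended to sshd_config can be silently overridden by settings earlier in the file or in included files. The script below is an added example, not part of the original page: it compares the output of `sshd -T` (the effective configuration) with the values appended above. The function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Expected effective values from the appended block; `sshd -T` prints keywords
# in lowercase. clientalivecountmax is left out on purpose: on OpenSSH 8.2 and
# later a value of 0 disables connection termination, so test the idle
# timeout separately.
EXPECTED='usepam no
logingracetime 30
clientaliveinterval 900
permitrootlogin no
passwordauthentication no
permitemptypasswords no
allowusers myuser'

# Reads `sshd -T` output on stdin, prints one MISMATCH line per setting whose
# effective value differs from EXPECTED, and returns 1 if any were found.
check_sshd_effective() {
    effective=$(cat)
    rc=0
    while read -r key want; do
        # sshd -T prints one "allowusers" line per user, so join repeated keys.
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '
            tolower($1) == k { sub(/^[^ ]+ /, ""); printf "%s%s", sep, $0; sep = " " }')
        [ -n "$got" ] || got="(not set)"
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want "%s", effective "%s"\n' "$key" "$want" "$got"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample: an earlier "UsePAM yes" line still wins over the append.
check_sshd_effective <<'EOF' || true
usepam yes
logingracetime 30
clientaliveinterval 900
permitrootlogin no
passwordauthentication no
permitemptypasswords no
allowusers myuser
EOF

# On the server (as root, before restarting): sshd -T | check_sshd_effective
```

No output and exit status 0 mean every listed setting is in effect; fix any MISMATCH line in sshd_config before restarting the service.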
Make sure to keep a root SSH terminal open in case something goes wrong.
Restarting the SSH service will not drop any open connections.
Restart SSH and try to authenticate with myuser using your private key.
systemctl restart ssh