SSH Notes


Root Login

While it is not generally recommended, there are times when you may wish to enable root login remotely (at least temporarily while you are setting up a remote system). Debian stretch no longer permits root login with a password by default: the shipped /etc/ssh/sshd_config carries the commented-out default #PermitRootLogin prohibit-password, which still lets root in with a key but not with a password. To allow a password as well, edit sshd_config, uncomment the PermitRootLogin line and change its value to yes:

PermitRootLogin yes

Then restart the sshd daemon (on Debian the service is called ssh; sshd is an alias for it, so either name works):

service sshd restart

Remember to set PermitRootLogin back to prohibit-password once the setup work is done; a root account reachable with a password is a standing target for password guessing.
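The procedure above as a script, added here as an example rather than taken from the original notes: it changes the option in place (coping with the commented-out default line Debian ships), checks the result with sshd -t before restarting, and can read the value back. The script name permit-root.sh in the usage comment is made up.

```bash
#!/bin/bash
# Added example (not from the original notes): change a single sshd_config
# option safely. It copes with the commented-out default Debian ships
# ("#PermitRootLogin prohibit-password"), with an existing active line, and
# with the option being absent, and it validates the file with `sshd -t`
# before restarting. Assumes the option is not set inside a Match block.
set -euo pipefail

# Print the effective value of OPTION in FILE, or "unset" when every
# occurrence is commented out. sshd uses the first active line it finds and
# matches keywords case-insensitively, so do the same.
sshd_get() {
    local file="$1" key="$2"
    awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file" \
        | grep . || echo "unset"
}

# Set OPTION to VALUE in FILE: rewrite the first occurrence (active or
# commented), drop any later duplicates, append if there was none.
sshd_set() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v k="$key" -v v="$value" '
        tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k)) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# Refuse to restart on a config sshd will not parse; a typo here would
# otherwise leave you locked out of the box. Debian's unit is ssh.service
# (sshd is an alias for it), so "service ssh restart" works everywhere.
apply_and_restart() {
    local file="${1:-/etc/ssh/sshd_config}"
    sshd -t -f "$file"
    service ssh restart
}

# Usage (needs root):        sudo ./permit-root.sh yes
# and when the work is done: sudo ./permit-root.sh prohibit-password
if [ -n "${1:-}" ]; then
    sshd_set /etc/ssh/sshd_config PermitRootLogin "$1"
    apply_and_restart
fi
```

sshd_get mirrors what sshd does (first active line wins, keywords are case-insensitive), so it tells you the value the daemon will actually use rather than the last thing written to the file.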

Login without having to type password

Using a key rather than a password is generally considered more secure (as long as you keep the private key safe, ideally protected with a passphrase), so it is a good idea to do this; it also makes logging on to your servers easier.

ssh-keygen -t rsa -b 4096 -C myServerName_rsa -f myServerName_rsa

This generates a key pair: myServerName_rsa (the private key, which stays on your machine) and myServerName_rsa.pub (the public key). You then need to add the private key to your agent using ssh-add:

ssh-add myServerName_rsa

And now copy the public half to the server:

ssh-copy-id -i myServerName_rsa.pub myUserName@myServer

The -i switch is short for identity (if you really care).

ssh-copy-id asks for your password on the server once, installs the key in ~/.ssh/authorized_keys there, and then tells you to try logging in. That will probably still not work unless the key is loaded in your agent or you name the key file explicitly (with -i), so if you have not run ssh-add yet, do it now:

ssh-add myServerName_rsa

Now create or edit the client config file:

vi ~/.ssh/config

In all cases you should put the following at the top of the file (ssh uses the first value it finds for each option, so a Host * block at the top applies to every host and a later per-host entry cannot loosen it):

Host *
IdentitiesOnly yes

Without this, ssh offers every key loaded in the agent before the one named in IdentityFile. The server only allows a handful of attempts per connection (MaxAuthTries, 6 by default), so once you have several keys loaded you get disconnected with “Too many authentication failures”.

For each host you connect to, add an entry similar to the following.

Host MyHostAlias
HostName myhost.fqdn
User myusername
UseKeychain yes
IdentityFile ~/.ssh/myServerName_rsa

While not strictly necessary, it is good practice to create a separate key pair for each connection, so that a key that leaks gives access to only one host.

Host: This is the shortcut name of your connection

HostName: The IP or FQDN of the server

User: This is the username that you wish to log on as

UseKeychain: macOS only. Stores the key's passphrase in the Keychain so you are not asked for it again. Linux ssh rejects it as an unknown option; leave it out there, or add IgnoreUnknown UseKeychain to the Host * block so the same file works on both.

IdentityFile: The XXXX_rsa file that you generated with ssh-keygen (not the XXXX_rsa.pub)

You should now be able to log in to the server using its alias without a password.

ssh MyHostAlias
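The whole key setup as a script, added here as an example (it is not part of the original notes). The config-file functions take the config path as an argument so they can be tried on a scratch file; setup_host runs the real ssh-keygen, ssh-add and ssh-copy-id steps and then confirms with ssh -G what ssh will actually offer for the alias. The script name, host names, users and key file names in the usage line are made up.

```bash
#!/bin/bash
# Added example (not from the original notes): maintain ~/.ssh/config the way
# the notes describe. Functions take the config path as an argument so they
# can be exercised on a scratch file; names in the usage line are made up.
set -euo pipefail

# Put the Host * defaults at the top of FILE, once. ssh keeps the first
# value it reads for each option, so a Host * block at the top pins
# IdentitiesOnly for every host; IgnoreUnknown lets the macOS-only
# UseKeychain option pass harmlessly on Linux.
ensure_identities_only() {
    local file="$1" tmp
    [ -f "$file" ] || : > "$file"
    grep -qi '^[[:space:]]*IdentitiesOnly' "$file" && return 0
    tmp="$(mktemp)"
    { printf 'Host *\n    IdentitiesOnly yes\n    IgnoreUnknown UseKeychain\n\n'; cat "$file"; } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Append a per-host entry; refuse to add an alias that already exists.
add_host() {
    local file="$1" alias="$2" host="$3" user="$4" key="$5"
    if grep -Eqi "^[[:space:]]*Host[[:space:]]+${alias}([[:space:]]|$)" "$file"; then
        echo "add_host: $alias is already in $file" >&2
        return 1
    fi
    cat >> "$file" <<EOF

Host $alias
    HostName $host
    User $user
    IdentityFile $key
    UseKeychain yes
EOF
}

# Print the value of OPTION inside the Host ALIAS block (empty if absent).
host_option() {
    local file="$1" alias="$2" opt="$3"
    awk -v a="$alias" -v o="$opt" '
        tolower($1) == "host"  { inblock = ($2 == a); next }
        tolower($1) == "match" { inblock = 0; next }
        inblock && tolower($1) == tolower(o) { print $2; exit }
    ' "$file"
}

# The whole procedure from the notes for one host. Needs ssh-keygen,
# ssh-agent and ssh-copy-id, and prompts for the remote password once.
# ed25519 is used here; the notes' "-t rsa -b 4096" works just as well.
setup_host() {
    local alias="$1" host="$2" user="$3"
    local key="$HOME/.ssh/${alias}_ed25519"
    ssh-keygen -t ed25519 -C "${alias}_ed25519" -f "$key"
    ssh-add "$key"
    ssh-copy-id -i "${key}.pub" "${user}@${host}"
    ensure_identities_only "$HOME/.ssh/config"
    add_host "$HOME/.ssh/config" "$alias" "$host" "$user" "$key"
    chmod 600 "$HOME/.ssh/config"
    # Confirm what ssh will actually offer for this alias.
    ssh -G "$alias" | grep -iE '^(identityfile|identitiesonly|user|hostname) '
}

# Usage: ./ssh-setup.sh setup MyHostAlias myhost.fqdn myusername
if [ "${1:-}" = "setup" ]; then
    shift
    setup_host "$@"
fi
```

The ssh -G check at the end is the quickest way to find out why a login is not using the key you expect: it prints the effective configuration for the alias after all Host blocks have been applied, so a wrong IdentityFile or a missing IdentitiesOnly shows up there before you touch the server.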

Troubleshooting

If you are having issues logging in automatically, start with the client: adding -v (up to -vvv) to the ssh command shows which keys it offers and why the server refused them. If that is not enough, run sshd in debug mode in the foreground on the server:

/path/to/sshd -ddd

The maximum debug level is 3; sshd refuses to start with more than three -d options. In this mode sshd stays in the foreground, logs to stderr and serves a single connection before exiting. The path is usually /usr/sbin/sshd; if you are using Centrify and have installed its own version of ssh then the path may be something like /usr/share/centrifydc/sbin/sshd

To find the path easily you can look it up along with the running process id.

ps -ef | grep sshd

should return the path along with the pid. The debug instance needs port 22, so you will need to stop the running listener first, e.g.

kill 982538

(a plain TERM is enough; existing sessions survive because each one runs in its own child process). Alternatively, keep the production daemon running and give the debug instance an unused port with -p, then connect to that port from the client.

Permissions:

If you are getting a permissions warning (sshd logs “Authentication refused: bad ownership or modes for directory ...”, and the client refuses a key with “Permissions 0644 for '...' are too open”) then you need to set the permissions as follows. The directory sshd complains about is often your home directory rather than ~/.ssh: it must not be writable by group or others either, and everything must be owned by you.

chmod go-w ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config
chmod 600 ~/.ssh/yourkey_rsa
chmod 644 ~/.ssh/yourkey_rsa.pub

authorized_keys and config are also accepted at 644; what sshd and ssh reject is group or world write. The private key, however, must be 600: the client will not use it if group or others can read it.
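A checker for these modes, added here as an example and not part of the original notes. It reports what sshd (StrictModes) and the ssh client would reject, then applies the chmod list above, and takes the .ssh directory as an argument so it can be exercised on a scratch tree first. It assumes GNU stat (Linux); the script name in the usage comment is made up.

```bash
#!/bin/bash
# Added example (not from the original notes): check, and then repair, the
# file modes that sshd's StrictModes and the ssh client insist on. Takes the
# .ssh directory as an argument so it can be tried on a scratch tree first.
# mode_of assumes GNU stat (Linux).
set -euo pipefail

mode_of() { stat -c '%a' "$1"; }   # on macOS use: stat -f '%Lp' "$1"

# True when any bit of MASK (octal, e.g. 022 or 077) is set on PATH.
too_open() {
    local m
    m=$(mode_of "$1")
    [ $(( 0$m & $2 )) -ne 0 ]
}

# List every path whose mode sshd or ssh will reject; return 1 if any.
check_ssh_perms() {
    local dir="$1" home bad=0 f
    home="$(dirname "$dir")"
    # sshd walks from authorized_keys up to the home directory and refuses
    # any directory on the way that group or others can write to.
    too_open "$home" 022 && { echo "$home: group/world writable"; bad=1; }
    too_open "$dir" 077 && { echo "$dir: should be 700"; bad=1; }
    for f in "$dir"/authorized_keys "$dir"/config "$dir"/known_hosts; do
        [ -f "$f" ] && too_open "$f" 022 && { echo "$f: group/world writable"; bad=1; }
    done
    # Private keys: whatever has a .pub sibling. The client refuses to use
    # one that group or others can read ("permissions ... are too open").
    for f in "$dir"/*.pub; do
        [ -f "${f%.pub}" ] || continue
        too_open "${f%.pub}" 077 && { echo "${f%.pub}: must be 600"; bad=1; }
    done
    return "$bad"
}

# The chmod list from the notes, plus the home directory, applied only to
# files that exist. authorized_keys gets 600 (what ssh-copy-id creates);
# 644 is also accepted, since only write bits for group/others are fatal.
fix_ssh_perms() {
    local dir="$1" f
    chmod go-w "$(dirname "$dir")"
    chmod 700 "$dir"
    for f in "$dir"/authorized_keys "$dir"/config; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    [ -f "$dir"/known_hosts ] && chmod 644 "$dir"/known_hosts
    for f in "$dir"/*.pub; do
        [ -f "$f" ] || continue
        chmod 644 "$f"
        [ -f "${f%.pub}" ] && chmod 600 "${f%.pub}"
    done
    return 0
}

# Usage: ./ssh-perms.sh ~/.ssh   (reports problems, then fixes them)
if [ -n "${1:-}" ]; then
    check_ssh_perms "$1" || fix_ssh_perms "$1"
fi
```

Ownership is deliberately not touched by fix_ssh_perms: a wrongly owned ~/.ssh usually means the files were created by root or copied from another account, and that wants a chown by hand rather than a blind fix.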