- Debian installed with openssh-server (or equivalent) running
- Print the server's IP address and ECDSA fingerprint.
  ```sh
  # on server
  ip addr show
  for f in /etc/ssh/*.pub; do ssh-keygen -lv -E sha256 -f "$f"; done
  ```
- Connect from the client, verifying that the ASCII-art fingerprint matches.

  ```sh
  # on client (USER@SERVER_IP is a placeholder for your login and the server's address)
  ssh -o visualhostkey=yes -o FingerprintHash=sha256 USER@SERVER_IP
  ```
Source: adapted from superuser answer
Allowing only public key authentication makes the SSH server more secure.
- If not already generated, make a key pair for your client.
  ```sh
  # on client
  ssh-keygen -t rsa
  # enter secure local passphrase
  ```
- Copy the key to the remote server
  ```sh
  # on client
  ssh-copy-id USER@SERVER_IP
  # enter password
  ```
- Test the login
  ```sh
  # on client
  # requires only local passphrase, not password
  ssh USER@SERVER_IP
  ```
Repeat this process for each user, from all clients.
NOTE: Wait until you have physical access to the server before trying this step. There's a risk of locking yourself out when configuring this remotely. You may need to manually re-enable password authentication from the physical server console.
- Edit SSH config to deny password authentication.
  ```sh
  sudo nano /etc/ssh/sshd_config
  # change "PasswordAuthentication" from "yes" to "no"
  sudo service sshd reload
  ```
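A check to run before closing your existing session, added here as an example and not part of the original guide: sshd uses the first value it reads for each keyword, so a file read ahead of your edit can leave passwords enabled. The function names and sample file names are assumptions; Include expansion and Match evaluation are left to `sshd -T`.

```sh
#!/bin/sh
# Added example (not from the original page). File names below are constructed.
# Pass the config files in the order sshd reads them. This helper does not
# expand Include or evaluate Match blocks. On the server itself, confirm with:
#   sudo sshd -t && sudo sshd -T | grep -i '^passwordauthentication'

effective_password_auth() {
    awk '
        FNR == 1 { inmatch = 0 }                      # new file: reset (simplification)
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }  # trim whitespace
        /^#/ || /^$/ { next }                         # comments, blank lines
        { split($0, kv, /[ \t=]+/); key = tolower(kv[1]) }
        key == "match" { inmatch = 1; next }          # conditional settings: skip
        !inmatch && key == "passwordauthentication" {
            print tolower(kv[2]); found = 1; exit     # first value wins
        }
        END { if (!found) print "yes" }               # OpenSSH default when unset
    ' "$@"
}

password_login_disabled() {
    [ "$(effective_password_auth "$@")" = "no" ]
}

# Constructed sample files standing in for /etc/ssh/sshd_config and a drop-in.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# provisioning default' 'PasswordAuthentication yes' > "$demo/50-dropin.conf"
printf '%s\n' '#PasswordAuthentication yes' 'PermitRootLogin no' \
    'passwordauthentication   no' 'Match User backup' \
    '    PasswordAuthentication yes' > "$demo/sshd_config"

# Main file alone: the edit took effect.
echo "sshd_config only:   $(effective_password_auth "$demo/sshd_config")"
# Drop-in read before the edited line: passwords are still allowed.
echo "drop-in, then main: $(effective_password_auth "$demo/50-dropin.conf" "$demo/sshd_config")"
password_login_disabled "$demo/50-dropin.conf" "$demo/sshd_config" \
    || echo "WARNING: password authentication is still enabled; keep your session open"
```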
- Set up ZFS storage