If you installed Debian 12(Bookworm), 11(Bullseye) / 10(Buster) from a CD or DVD ISO, chances are OpenSSH server is not configured or running on the system. OpenSSH (OpenBSD Secure Shell) is a set of computer applications created to provide encrypted communication sessions over a computer network using the Secure Shell (SSH) protocol. The OpenSSH project is developed as part of the OpenBSD project, led by Theo de Raadt.
In this post we will perform the installation and basic configuration of OpenSSH Server on Debian Desktop or Server edition. If you’re working on a Cloud instance created from Debian image the installation step is not a requirement. Before you can begin installation ensure official Debian APT repositories are configured in your Debian 12/11(Bullseye) and Debian 10(Buster) system.
1: Install OpenSSH Server package on Debian
Update OS package list:
$ sudo apt update
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Hit:4 http://deb.debian.org/debian bullseye-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.Install openssh server by running the command shown as user with sudo privileges:
$ sudo apt install openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
openssh-sftp-server runit-helper
Suggested packages:
molly-guard monkeysphere ssh-askpass ufw
The following NEW packages will be installed:
openssh-server openssh-sftp-server runit-helper
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 446 kB of archives.
After this operation, 1,765 kB of additional disk space will be used.
Do you want to continue? [Y/n] yStart the ssh service using systemctl command:
sudo systemctl start sshAlso enable the service to start at system boot:
$ sudo systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable sshcheck service status to confirm it is running:
$ systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
Active: active (running) since Tue 2025-02-11 12:15:01 EAT; 12min ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 589 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 601 (sshd)
Tasks: 1 (limit: 7034)
Memory: 8.8M
CPU: 159ms
CGroup: /system.slice/ssh.service
└─601 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"The OpenSSH server reads configuration data from /etc/ssh/sshd_config, by default. The file contains keyword-argument pairs, one per line. All the lines starting with # and empty lines are interpreted as comments.
2: Copying SSH keys from Workstation
Check your Debian server IP address using ip command:
$ ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:22:22:b9 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.188/24 brd 192.168.1.255 scope global dynamic noprefixroute enp1s0
valid_lft 6324sec preferred_lft 6324sec
inet6 fe80::5054:ff:fe22:22b9/64 scope link noprefixroute
valid_lft forever preferred_lft foreverGenerate SSH keys if you don’t have them already (on your Workstation machine):
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cloudspinx/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cloudspinx/.ssh/id_rsa
Your public key has been saved in /home/cloudspinx/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:OYXlyX/3nXMdSz581TDOnl78PPXAv31h03GI39bu9x8 cloudspinx@debian
The key's randomart image is:
+---[RSA 3072]----+
| . |
| = . |
| . = .o. |
| o ..o.+o|
| S .o++O|
| . oBB#|
| +E&|
| . +#|
| .o#|
+----[SHA256]-----+Ping Debian operating system default interface IP address to confirm network connectivity from your workstation:
$ ping -c 2 192.168.1.188
PING 192.168.1.188 (192.168.1.188): 56 data bytes
64 bytes from 192.168.1.188: icmp_seq=0 ttl=64 time=0.259 ms
64 bytes from 192.168.1.188: icmp_seq=1 ttl=64 time=0.441 ms
--- 192.168.1.188 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.259/0.350/0.441/0.091 msCopy SSH key to the machine from your workstation:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.1.188' (ECDSA) to the list of known hosts.
[email protected]'s password: <INPUT-LOGIN-USER-PASSWORD>
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.Test if you’re able to SSH into Debian system without being prompted for user login password:
$ ssh [email protected]
Warning: Permanently added '192.168.1.188' (ECDSA) to the list of known hosts.
Linux debian-bullseye 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cloudsoinx@debian:~$3: Disabling root user SSH login (Optional)
For better security it is always recommended to disable root user ssh login to the system..
Edit SSH server configuration file and set parameter as shown below to completely disable root access via ssh:
$ sudo vim /etc/ssh/sshd_config
PermitRootLogin noIf you’ll prefer to allow root user authenticate with any allowed mechanism that is not password and not keyboardinteractive, set like below:
PermitRootLogin prohibit-passwordThis means you’ll be able to login as root user with SSH private key. But notice that public key should have been copied to the system in advance before SSH server service is restarted:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/techviewleo/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.1.188' (ECDSA) to the list of known hosts.
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.Then restart SSH service:
sudo systemctl restart ssh4: Disabling SSH Password Authentication (Optional)
To completely disallow password authentication set PasswordAuthentication keyword to no:
$ sudo vim /etc/ssh/sshd_config
PasswordAuthentication noRestart SSH service to update the settings:
sudo systemctl restart sshIf you login without passing private key matching public key uploaded to the server it will fail with an error:
$ ssh 192.168.1.188
[email protected]: Permission denied (publickey).We have another guide with detailed OpenSSH Server configuration. Use the following link to open the article.
