Replace andrew with the name of your user. Replace yourdomain.com with the IP address or domain name of the server.
Create a new user which will be used to access the system instead of the root account.
# adduser andrew
Add the new user to the sudo group, thus granting them superuser access.
# usermod -aG sudo andrew
Set a secure password for the new user.
# passwd andrew
Back up the /etc/ssh/sshd_config file.
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
Change the ssh port in /etc/ssh/sshd_config to something other than 22, for example 220.
Disable root login in the file as well by changing PermitRootLogin yes to PermitRootLogin no.
Disable password authentication.
These are the changes to /etc/ssh/sshd_config:
--- /etc/ssh/sshd_config.orig 2024-06-27 16:02:30.352753727 +0000 +++ /etc/ssh/sshd_config 2024-06-27 16:05:12.213357690 +0000 @@ -11,7 +11,7 @@ Include /etc/ssh/sshd_config.d/*.conf -#Port 22 +Port 220 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: @@ -30,7 +30,7 @@ # Authentication: #LoginGraceTime 2m -PermitRootLogin yes +PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 @@ -54,7 +54,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +PasswordAuthentication no #PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with
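Review bot: the third hunk (`-#PasswordAuthentication yes` / `+PasswordAuthentication no`) turns off password logins before any public key has been installed on the server, but the `ssh-copy-id` step later in this guide relies on password authentication to copy the key; leave the line commented at this stage and change it to `PasswordAuthentication no` only once a key login works, which is what the guide's final step describes. With `UsePAM yes` in effect, `KbdInteractiveAuthentication` must be `no` as well (the full listing further down has it), otherwise PAM can still prompt for a password through that path.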
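Review bot: in the first hunk `+Port 220` is added below `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for each keyword, so any drop-in file in that directory takes precedence over every edit in this patch (cloud images commonly ship one that sets `PasswordAuthentication yes`). Check the merged result with `sshd -T`, syntax-check the file with `sshd -t` before restarting the daemon, and open the new port in the firewall before closing the current session.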
The /etc/ssh/sshd_config file should look like this once it's edited.
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 220
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin yes".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
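Before restarting sshd or rebooting (and again before the final step of this guide, when password logins are switched off), it is worth confirming what sshd will actually enforce rather than what the edited file says. `sshd -T` prints the effective configuration after merging every file pulled in by the Include line at the top of sshd_config, and because sshd keeps the first value it reads for a keyword, a drop-in under /etc/ssh/sshd_config.d/ can override the edits made further down. The script below is an added example and is not part of the original guide: `check_sshd_hardening` and `hardening_ok` are names chosen here, and the two `sshd -T` outputs it checks are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original guide): check the *effective* sshd
# configuration, as printed by `sshd -T` (lowercase keyword, then value, one
# per line), against the settings this guide changes.
#
# On the server:   sshd -T | check_sshd_hardening 220
# Offline here:    constructed samples of sshd -T output are fed in instead.

# Usage: <sshd -T output on stdin> | check_sshd_hardening <expected_port>
# Prints one line per failed check; returns 0 when every check passes.
check_sshd_hardening() {
    expected_port="$1"
    status=0
    while read -r key value; do
        case "$key" in
            port)
                [ "$value" = "$expected_port" ] \
                    || { echo "FAIL: port is $value, expected $expected_port"; status=1; } ;;
            permitrootlogin)
                [ "$value" = "no" ] || { echo "FAIL: permitrootlogin is $value"; status=1; } ;;
            passwordauthentication)
                [ "$value" = "no" ] || { echo "FAIL: passwordauthentication is $value"; status=1; } ;;
            kbdinteractiveauthentication)
                # with UsePAM yes this is a second password prompt path if left enabled
                [ "$value" = "no" ] || { echo "FAIL: kbdinteractiveauthentication is $value"; status=1; } ;;
            pubkeyauthentication)
                [ "$value" = "yes" ] || { echo "FAIL: pubkeyauthentication is $value"; status=1; } ;;
        esac
    done
    [ "$status" -eq 0 ] && echo "OK: sshd hardening checks passed"
    return "$status"
}

# Convenience wrapper: hardening_ok "<sshd -T text>" <port>; exit status only.
hardening_ok() { printf '%s\n' "$1" | check_sshd_hardening "$2" >/dev/null; }

# Constructed sample: what sshd -T prints once the edits in this guide are in effect
# (only the keywords the checks look at are shown).
SAMPLE_HARDENED='port 220
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes'

# Constructed sample: the same edits, but a drop-in in sshd_config.d re-enabled
# password authentication, so the merged configuration silently differs from the file.
SAMPLE_OVERRIDDEN='port 220
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes'

printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_hardening 220
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_hardening 220
```

Run it as root on the server with the real `sshd -T` output piped in; a FAIL line for passwordauthentication when the main file clearly says `no` is the signature of a drop-in file winning because the Include line comes first.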
Configure the ufw firewall to allow traffic on port 220.
# ufw allow 220/tcp
Ensure that ufw is enabled on the server.
# ufw enable
# systemctl enable --now ufw && reboot
The server now has a firewall set up and is remotely accessible by a secure method.
Generate ssh keys for the superuser account on the client machine with the following command:
$ ssh-keygen -a 5 -t ed25519
This generates keys with the ed25519 algorithm. Do not append the flag -t ed25519 if the server will be accessed by clients running versions of ssh < 6.5, which do not support ed25519.
If the default file name suggested by ssh-keygen is accepted, the keys are written into the user's /home/$USER/.ssh directory as two files named after the key type, for example id_ed25519 and id_ed25519.pub. Otherwise the files are written wherever specified in the wizard. In the following example the keys were specified to be written to the files /home/andrew/.ssh/id_rsa_yourdomain and /home/andrew/.ssh/id_rsa_yourdomain.pub.
$ ssh-keygen -a 5 -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/andrew/.ssh/id_ed25519): /home/andrew/.ssh/id_rsa_yourdomain
Created directory '/home/andrew/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/andrew/.ssh/id_rsa_yourdomain
Your public key has been saved in /home/andrew/.ssh/id_rsa_yourdomain.pub
The key fingerprint is:
SHA256:EMKUjDqS86d0ULqQsvZaG0tgQhvuyyI9Nc/9j1d3wEU andrew@beryllium
The key's randomart image is:
+--[ED25519 256]--+
| .o*+ .E|
| o .. .|
| o o + . . . |
| = . o |
|oB * + S . |
|=.. B . o|
| o.* B . . ..|
|+.* . . .. |
| o .oo. |
+----[SHA256]-----+
Add the public key to the server's authorized_keys with the following command:
$ ssh-copy-id -p 220 -i /home/andrew/.ssh/id_rsa_yourdomain andrew@yourdomain.com
Create a local file /home/andrew/.ssh/config to manage the different keys used for different ssh sessions.
#Your Server ssh config!
Host yourdomain.com
    HostName yourdomain.com
    User andrew
    IdentityFile /home/andrew/.ssh/id_rsa_yourdomain
    Port 220
It is now possible to log into the server with this command.
$ ssh yourdomain.com
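The client-side part of this setup (the config stanza above plus the file permissions ssh insists on) is small enough to script. The function below is an added example, not something from the original guide: `add_ssh_host` and `mode_of` are names chosen here, it takes the .ssh directory as a parameter so it can be exercised against a scratch directory, and it adds `IdentitiesOnly yes` (a standard ssh_config option) so that ssh offers only this key to the host instead of every key the agent holds. It also fixes the two permission problems that most often break a first key login: a world-readable private key, which ssh refuses with "UNPROTECTED PRIVATE KEY FILE", and a .ssh directory or config file writable by others.

```shell
#!/bin/sh
# Added example (not from the original guide): write the client-side
# ~/.ssh/config stanza from the guide and tighten the permissions ssh requires.

# Usage: add_ssh_host <ssh_dir> <host> <user> <port> <identity_file>
# Appends a Host block to <ssh_dir>/config (creating it if needed) and sets
# 700 on the directory, 600 on config and on the private key if it exists.
# Returns 1 without writing if a stanza for <host> is already present.
add_ssh_host() {
    ssh_dir="$1"; host="$2"; user="$3"; port="$4"; identity="$5"
    config="$ssh_dir/config"

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"

    # ssh uses the first matching Host block, so a second stanza for the same
    # host would silently be ignored; refuse to create one.
    if [ -f "$config" ] && grep -q "^Host $host\$" "$config"; then
        echo "Host $host already present in $config" >&2
        return 1
    fi

    {
        echo "Host $host"
        echo "    HostName $host"
        echo "    User $user"
        echo "    Port $port"
        echo "    IdentityFile $identity"
        echo "    IdentitiesOnly yes"   # offer only this key, not every key in the agent
    } >> "$config"
    chmod 600 "$config"

    # A private key readable by group/other is rejected by ssh outright.
    [ -f "$identity" ] && chmod 600 "$identity"
    return 0
}

# Portable permission check: the nine rwx characters from ls -ld, e.g. rw-------
mode_of() { ls -ld "$1" | cut -c2-10; }

# Demo against a scratch directory (constructed; nothing under $HOME is touched).
demo_dir=$(mktemp -d)
: > "$demo_dir/id_rsa_yourdomain" && chmod 644 "$demo_dir/id_rsa_yourdomain"
add_ssh_host "$demo_dir/.ssh" yourdomain.com andrew 220 "$demo_dir/id_rsa_yourdomain"
cat "$demo_dir/.ssh/config"
echo "key mode: $(mode_of "$demo_dir/id_rsa_yourdomain")"
rm -rf "$demo_dir"
```

To use it for real, call it with /home/andrew/.ssh as the first argument and the key path from the ssh-keygen step; afterwards `ssh yourdomain.com` works exactly as described above.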
Now that there are keys in place, it is no longer necessary to use passwords. Set PasswordAuthentication no in the /etc/ssh/sshd_config file and reboot.
The server is now configured to use ssh keys.