SSH public key authentication: Difference between revisions

(7 intermediate revisions by 5 users not shown)

Line 1:

SSH key authentication uses a [https://en.wikipedia.org/wiki/Public-key_cryptography pair of cryptographic keys]; a private key stored on the client and a public key placed on the server in order to verify identity without transmitting passwords over the network.

On NixOS, SSH key authentication is typically managed using [[SSH|OpenSSH]], which is included by default and can be configured both declaratively in configuration.nix and interactively using standard SSH tools.

== Generating an SSH key pair ==

To setup a public key based SSH connection from <code>your-machine</code> (client) to <code>another-machine</code> (server):

~~[user@your-machine]~~ $ ssh-keygen -f ~/.ssh/another-machine

$ ssh-keygen -f ~/.ssh/another-machine

~~[user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine another-machine-host-or-ip~~

$ ssh-copy-id -i ~/.ssh/another-machine -p22 another-machine-host-or-ip

~~</syntaxhighlight>~~

~~In case <code>another-machine</code> uses another port for SSH connections use this command instead:~~

~~<syntaxhighlight lang="console">~~

~~[user@your-machine]~~ $ ssh-copy-id -i ~/.ssh/another-machine -~~p1234~~ another-machine-host-or-ip

</syntaxhighlight>

~~Now~~ the public key ~~is stored on the~~ <code>another-machine</code> in <code>~~/home/user~~/.ssh/authorized_keys</code>

This copies the public key to <code>another-machine</code>, placing it in the user’s <code>~/.ssh/authorized_keys</code> file.

On <code>your-machine</code>, we stored the key file in the non-standard path <code>~/.ssh/another-machine</code>, so we must tell the SSH client to use the key file:

~~[user@clientmachine]~~ $ ssh -i ~/.ssh/another-machine another-machine-host-or-ip

$ ssh -i ~/.ssh/another-machine another-machine-host-or-ip

</syntaxhighlight>

The connection should ~~work~~ without password.

The connection should now succeed without prompting for a password.

To make the SSH client automatically use the key file, we add ~~this~~ to ~~<code>/home/~~user~~/.ssh/config</code>~~:

To make the SSH client automatically use the key file, add a host entry to your per-user SSH configuration file:

<~~syntaxhighlight~~>

{{file|~/.ssh/config|bash|

Host another-machine

HostName 192.168.1.105 # another-machine-host-or-ip

Line 32:

Line 34:

IdentitiesOnly yes

IdentityFile ~/.ssh/another-machine

</~~syntaxhighlight~~>

</nowiki>

}}

== SSH agent ==

A ssh private key, for which a phrase is defined, can be clumsy if you use it multiple times. It is possible to store the private key identity in a ssh-agent. The ssh-agent uses the ssh private key identity when you issue a ssh command, for instance when using ssh to connect.

Line 42:

Line 46:

</syntaxhighlight>

NixOS will ~~starta~~ user systemd service with the ssh-agent at login. You can see the service with the command <code>systemctl --user status ssh-agent</code>.

NixOS will start a user systemd service with the ssh-agent at login. You can see the service with the command <code>systemctl --user status ssh-agent</code>.

It provides also the environment variable $SSH_AUTH_SOCK which refers to <code>/run/user/1000/ssh-agent</code> , in this case for user id 1000.

It provides also the environment variable <code>$SSH_AUTH_SOCK</code> which refers to <code>/run/user/1000/ssh-agent</code> , in this case for user id 1000.

If you want to use a ssh key pair for authenticating, you can add this to the ssh-agent using the command ssh-add entering the phrase only once.

~~[user@your-machine]~~ $ ssh-add .ssh/id_rsa

$ ssh-add ~/.ssh/id_rsa

Enter passphrase for .ssh/id_rsa:

Enter passphrase for /home/user/.ssh/id_rsa:

Identity added: .ssh/id_rsa (myaccounts@mymachine)

Identity added: /home/user/.ssh/id_rsa (myaccounts@mymachine)

</syntaxhighlight>

If you store the ssh public key with the command ssh-copy-id on <code>another-machine</code> as shown above, you can logon without giving a password or phrase.

== SSH server ~~config~~ ==

== SSH server configuration ==

You can manage SSH authorized public keys declaratively by adding them to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|

users.users."myUser".openssh.authorizedKeys.keys = [

"ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file

# note: ssh-copy-id will add user@your-machine after the public key

# but we can remove the "@your-machine" part

];

</nowiki>

}}

Alternatively, you can reference a custom file containing the authorized keys:

{{file|/etc/nixos/configuration.nix|nix|

users.users."user".openssh.authorizedKeys.keyFiles = [

/etc/nixos/ssh/authorized_keys

];

</nowiki>

}}

For additional configuration options, see the {{nixos:option|users.users.*.openssh}} module documentation.

~~Optionally~~, on ~~the~~ NixOS-based <code>another-machine</code>, ~~we can set <code>passwordAuthentication = false;</code> to require public key authentication for better security~~.

After configuring user keys, it is recommended to improve server security by disabling password-based authentication and requiring public key authentication. This can be done on a NixOS-based server (e.g. <code>another-machine</code>). For additional security measures, see [[SSH#Security hardening]].

<~~syntaxhighlight lang="nix"~~>

This can be configured in your system configuration:

services.openssh = {

enable = true;

{{file|/etc/nixos/configuration.nix|nix|

# require public key authentication for better security

settings.PasswordAuthentication = false;

services.openssh = {

settings.KbdInteractiveAuthentication = false;

enable = true;

~~#settings.PermitRootLogin = "yes"~~;

# require public key authentication for better security

settings.PasswordAuthentication = false;

settings.KbdInteractiveAuthentication = false;

};

</~~syntaxhighlight~~>

</nowiki>

}}

== Tips and tricks ==

=== KDE ===

~~We can also store~~ the ~~public~~ keys in <code>~~/etc/nixos/configuration.nix~~</code>:

By default, KDE prompts you to enter the passwords for your SSH keys to unlock them across session starts. To avoid being asked to unlock your SSH keys every time a session is restarted (e.g., after logging out or rebooting), you can use <code>ksshaskpass</code> to store the passwords. To enable this, make the following changes to your configuration:

~~users~~.~~users."user".openssh.authorizedKeys.keys~~ = [

programs.ssh = {

~~"ssh-rsa AAAAB3Nz....6OWM~~= ~~user" # content of authorized_keys file~~

startAgent = true;

~~# note: ssh-copy-id will add user@your-machine after the public key~~

enableAskPassword = true;

~~# but we can remove the~~ "~~@your-machine~~" ~~part~~

};

];

environment.variables = {

SSH_ASKPASS_REQUIRE = "prefer";

};

</syntaxhighlight>

~~...~~ or ~~use a custom path for the~~ <code>~~authorized_keys~~</code> ~~file:~~

After applying these changes, either log out (if you used <code>switch</code>) or reboot (if you used <code>boot</code> for the variables to take effect.

<~~syntaxhighlight lang="nix"~~>

When you use an SSH key for the first time, you will be prompted to enter its passphrase. <strong><em>Be sure to select the "Remember password" checkbox</strong></em> and the passphrase will be securely stored in the KDE Wallet and automatically retrieved across session restarts.

~~users.users.~~"~~user~~"~~.openssh.authorizedKeys.keyFiles = [~~

/~~etc/nixos/ssh/authorized_keys~~

];

</~~syntaxhighlight~~>

== See also ==

* [[SSH]]

* [[Distributed build]]

[[Category:Networking]]

[[Category:Server]]

@@ Line 1: / Line 1: @@
+SSH key authentication uses a [https://en.wikipedia.org/wiki/Public-key_cryptography pair of cryptographic keys]; a private key stored on the client and a public key placed on the server in order to verify identity without transmitting passwords over the network.
+On NixOS, SSH key authentication is typically managed using [[SSH|OpenSSH]], which is included by default and can be configured both declaratively in configuration.nix and interactively using standard SSH tools.
+== Generating an SSH key pair ==
 To setup a public key based SSH connection from <code>your-machine</code> (client) to <code>another-machine</code> (server):
 <syntaxhighlight lang="console">
-[user@your-machine] $ ssh-keygen -f ~/.ssh/another-machine
+$ ssh-keygen -f ~/.ssh/another-machine
-[user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine another-machine-host-or-ip
+$ ssh-copy-id -i ~/.ssh/another-machine -p22 another-machine-host-or-ip
-</syntaxhighlight>
-In case <code>another-machine</code> uses another port for SSH connections use this command instead:
-<syntaxhighlight lang="console">
-[user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine -p1234 another-machine-host-or-ip
 </syntaxhighlight>
-Now the public key is stored on the <code>another-machine</code> in <code>/home/user/.ssh/authorized_keys</code>
+This copies the public key to <code>another-machine</code>, placing it in the user’s <code>~/.ssh/authorized_keys</code> file.
 On <code>your-machine</code>, we stored the key file in the non-standard path <code>~/.ssh/another-machine</code>, so we must tell the SSH client to use the key file:
 <syntaxhighlight lang="console">
-[user@clientmachine] $ ssh -i ~/.ssh/another-machine another-machine-host-or-ip
+$ ssh -i ~/.ssh/another-machine another-machine-host-or-ip
 </syntaxhighlight>
-The connection should work without password.
+The connection should now succeed without prompting for a password.
-To make the SSH client automatically use the key file, we add this to <code>/home/user/.ssh/config</code>:
+To make the SSH client automatically use the key file, add a host entry to your per-user SSH configuration file:
-<syntaxhighlight>
+{{file|~/.ssh/config|bash|
+<nowiki>
 Host another-machine
    HostName 192.168.1.105 # another-machine-host-or-ip
@@ Line 32: / Line 34: @@
    IdentitiesOnly yes
    IdentityFile ~/.ssh/another-machine
-</syntaxhighlight>
+</nowiki>
+}}
 == SSH agent ==
 A ssh private key, for which a phrase is defined, can be clumsy if you use it multiple times. It is possible to store the private key identity in a ssh-agent. The ssh-agent uses the ssh private key identity when you issue a ssh command, for instance when using ssh to connect.
@@ Line 42: / Line 46: @@
 </syntaxhighlight>
-NixOS will starta user systemd service with the ssh-agent at login. You can see the service with the command <code>systemctl --user status ssh-agent</code>.
+NixOS will start a user systemd service with the ssh-agent at login. You can see the service with the command <code>systemctl --user status ssh-agent</code>.
-It provides also the environment variable $SSH_AUTH_SOCK which refers to <code>/run/user/1000/ssh-agent</code> , in this case for user id 1000.
+It provides also the environment variable <code>$SSH_AUTH_SOCK</code> which refers to <code>/run/user/1000/ssh-agent</code> , in this case for user id 1000.
 If you want to use a ssh key pair for authenticating, you can add this to the ssh-agent using the command ssh-add entering the phrase only once.
 <syntaxhighlight lang="console">
-[user@your-machine] $ ssh-add .ssh/id_rsa
+$ ssh-add ~/.ssh/id_rsa
-Enter passphrase for .ssh/id_rsa:
+Enter passphrase for /home/user/.ssh/id_rsa:
-Identity added: .ssh/id_rsa (myaccounts@mymachine)
+Identity added: /home/user/.ssh/id_rsa (myaccounts@mymachine)
 </syntaxhighlight>
 If you store the ssh public key with the command ssh-copy-id on <code>another-machine</code> as shown above, you can logon without giving a password or phrase.
-== SSH server config ==
+== SSH server configuration ==
+You can manage SSH authorized public keys declaratively by adding them to your system configuration:
+{{file|/etc/nixos/configuration.nix|nix|
+<nowiki>
+  users.users."myUser".openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
+    # note: ssh-copy-id will add user@your-machine after the public key
+    # but we can remove the "@your-machine" part
+  ];
+</nowiki>
+}}
+Alternatively, you can reference a custom file containing the authorized keys:
+{{file|/etc/nixos/configuration.nix|nix|
+<nowiki>
+  users.users."user".openssh.authorizedKeys.keyFiles = [
+    /etc/nixos/ssh/authorized_keys
+  ];
+</nowiki>
+}}
+For additional configuration options, see the {{nixos:option|users.users.*.openssh}} module documentation.
-Optionally, on the NixOS-based <code>another-machine</code>, we can set <code>passwordAuthentication = false;</code> to require public key authentication for better security.
+After configuring user keys, it is recommended to improve server security by disabling password-based authentication and requiring public key authentication. This can be done on a NixOS-based server (e.g. <code>another-machine</code>). For additional security measures, see [[SSH#Security hardening]].
-<syntaxhighlight lang="nix">
+This can be configured in your system configuration:
-services.openssh = {
-  enable = true;
+{{file|/etc/nixos/configuration.nix|nix|
-  # require public key authentication for better security
+<nowiki>
-  settings.PasswordAuthentication = false;
+  services.openssh = {
-  settings.KbdInteractiveAuthentication = false;
+    enable = true;
-  #settings.PermitRootLogin = "yes";
+    # require public key authentication for better security
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
 };
-</syntaxhighlight>
+</nowiki>
+}}
+== Tips and tricks ==
+=== KDE ===
-We can also store the public keys in <code>/etc/nixos/configuration.nix</code>:
+By default, KDE prompts you to enter the passwords for your SSH keys to unlock them across session starts. To avoid being asked to unlock your SSH keys every time a session is restarted (e.g., after logging out or rebooting), you can use <code>ksshaskpass</code> to store the passwords. To enable this, make the following changes to your configuration:
 <syntaxhighlight lang="nix">
-users.users."user".openssh.authorizedKeys.keys = [
+programs.ssh = {
-   "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
+   startAgent = true;
-   # note: ssh-copy-id will add user@your-machine after the public key
+   enableAskPassword = true;
-   # but we can remove the "@your-machine" part
+};
-];
+environment.variables = {
+   SSH_ASKPASS_REQUIRE = "prefer";
+};
 </syntaxhighlight>
-... or use a custom path for the <code>authorized_keys</code> file:
+After applying these changes, either log out (if you used <code>switch</code>) or reboot (if you used <code>boot</code> for the variables to take effect.
-<syntaxhighlight lang="nix">
+When you use an SSH key for the first time, you will be prompted to enter its passphrase. <strong><em>Be sure to select the "Remember password" checkbox</strong></em> and the passphrase will be securely stored in the KDE Wallet and automatically retrieved across session restarts.
-users.users."user".openssh.authorizedKeys.keyFiles = [
-  /etc/nixos/ssh/authorized_keys
-];
-</syntaxhighlight>
 == See also ==
+* [[SSH]]
 * [[Distributed build]]
+[[Category:Networking]]
+[[Category:Server]]