SSH public key authentication: Difference between revisions
→KDE: Plasma is already configured to use ksshaskpass (https://github.com/NixOS/nixpkgs/blob/a00e7672cde5eb31142afcebe54978fa153d6ad0/nixos/modules/services/desktop-managers/plasma6.nix#L259) so we don't need to do it manually Tags: Mobile edit Mobile web edit |
No edit summary |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
SSH key authentication uses a [https://en.wikipedia.org/wiki/Public-key_cryptography pair of cryptographic keys]; a private key stored on the client and a public key placed on the server in order to verify identity without transmitting passwords over the network. | |||
On NixOS, SSH key authentication is typically managed using [[SSH|OpenSSH]], which is included by default and can be configured both declaratively in configuration.nix and interactively using standard SSH tools. | |||
== Generating an SSH key pair == | |||
To setup a public key based SSH connection from <code>your-machine</code> (client) to <code>another-machine</code> (server): | To setup a public key based SSH connection from <code>your-machine</code> (client) to <code>another-machine</code> (server): | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
$ ssh-keygen -f ~/.ssh/another-machine | |||
$ ssh-copy-id -i ~/.ssh/another-machine -p22 another-machine-host-or-ip | |||
</syntaxhighlight> | </syntaxhighlight> | ||
This copies the public key to <code>another-machine</code>, placing it in the user’s <code>~/.ssh/authorized_keys</code> file. | |||
On <code>your-machine</code>, we stored the key file in the non-standard path <code>~/.ssh/another-machine</code>, so we must tell the SSH client to use the key file: | On <code>your-machine</code>, we stored the key file in the non-standard path <code>~/.ssh/another-machine</code>, so we must tell the SSH client to use the key file: | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
$ ssh -i ~/.ssh/another-machine another-machine-host-or-ip | |||
</syntaxhighlight> | </syntaxhighlight> | ||
The connection should | The connection should now succeed without prompting for a password. | ||
To make the SSH client automatically use the key file, | To make the SSH client automatically use the key file, add a host entry to your per-user SSH configuration file: | ||
< | {{file|~/.ssh/config|bash| | ||
<nowiki> | |||
Host another-machine | Host another-machine | ||
HostName 192.168.1.105 # another-machine-host-or-ip | HostName 192.168.1.105 # another-machine-host-or-ip | ||
| Line 32: | Line 34: | ||
IdentitiesOnly yes | IdentitiesOnly yes | ||
IdentityFile ~/.ssh/another-machine | IdentityFile ~/.ssh/another-machine | ||
</ | </nowiki> | ||
}} | |||
== SSH agent == | == SSH agent == | ||
A ssh private key, for which a phrase is defined, can be clumsy if you use it multiple times. It is possible to store the private key identity in a ssh-agent. The ssh-agent uses the ssh private key identity when you issue a ssh command, for instance when using ssh to connect. | A ssh private key, for which a phrase is defined, can be clumsy if you use it multiple times. It is possible to store the private key identity in a ssh-agent. The ssh-agent uses the ssh private key identity when you issue a ssh command, for instance when using ssh to connect. | ||
| Line 44: | Line 48: | ||
NixOS will start a user systemd service with the ssh-agent at login. You can see the service with the command <code>systemctl --user status ssh-agent</code>. | NixOS will start a user systemd service with the ssh-agent at login. You can see the service with the command <code>systemctl --user status ssh-agent</code>. | ||
It provides also the environment variable $SSH_AUTH_SOCK which refers to <code>/run/user/1000/ssh-agent</code> , in this case for user id 1000. | It provides also the environment variable <code>$SSH_AUTH_SOCK</code> which refers to <code>/run/user/1000/ssh-agent</code> , in this case for user id 1000. | ||
If you want to use a ssh key pair for authenticating, you can add this to the ssh-agent using the command ssh-add entering the phrase only once. | If you want to use a ssh key pair for authenticating, you can add this to the ssh-agent using the command ssh-add entering the phrase only once. | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
$ ssh-add ~/.ssh/id_rsa | |||
Enter passphrase for .ssh/id_rsa: | Enter passphrase for /home/user/.ssh/id_rsa: | ||
Identity added: .ssh/id_rsa (myaccounts@mymachine) | Identity added: /home/user/.ssh/id_rsa (myaccounts@mymachine) | ||
</syntaxhighlight> | </syntaxhighlight> | ||
If you store the ssh public key with the command ssh-copy-id on <code>another-machine</code> as shown above, you can logon without giving a password or phrase. | If you store the ssh public key with the command ssh-copy-id on <code>another-machine</code> as shown above, you can logon without giving a password or phrase. | ||
== SSH server | == SSH server configuration == | ||
You can manage SSH authorized public keys declaratively by adding them to your system configuration: | |||
{{file|/etc/nixos/configuration.nix|nix| | |||
<nowiki> | |||
users.users."myUser".openssh.authorizedKeys.keys = [ | |||
"ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file | |||
# note: ssh-copy-id will add user@your-machine after the public key | |||
# but we can remove the "@your-machine" part | |||
]; | |||
</nowiki> | |||
}} | |||
Alternatively, you can reference a custom file containing the authorized keys: | |||
{{file|/etc/nixos/configuration.nix|nix| | |||
<nowiki> | |||
users.users."user".openssh.authorizedKeys.keyFiles = [ | |||
/etc/nixos/ssh/authorized_keys | |||
]; | |||
</nowiki> | |||
}} | |||
For additional configuration options, see the {{nixos:option|users.users.*.openssh}} module documentation. | |||
} | |||
After configuring user keys, it is recommended to improve server security by disabling password-based authentication and requiring public key authentication. This can be done on a NixOS-based server (e.g. <code>another-machine</code>). For additional security measures, see [[SSH#Security hardening]]. | |||
This can be configured in your system configuration: | |||
... | {{file|/etc/nixos/configuration.nix|nix| | ||
<nowiki> | |||
services.openssh = { | |||
enable = true; | |||
# require public key authentication for better security | |||
settings.PasswordAuthentication = false; | |||
settings.KbdInteractiveAuthentication = false; | |||
}; | |||
</nowiki> | |||
}} | |||
== Tips and tricks == | |||
== KDE == | === KDE === | ||
By default, KDE prompts you to enter the passwords for your SSH keys to unlock them across session starts. To avoid being asked to unlock your SSH keys every time a session is restarted (e.g., after logging out or rebooting), you can use <code>ksshaskpass</code> to store the passwords. To enable this, make the following changes to your configuration: | By default, KDE prompts you to enter the passwords for your SSH keys to unlock them across session starts. To avoid being asked to unlock your SSH keys every time a session is restarted (e.g., after logging out or rebooting), you can use <code>ksshaskpass</code> to store the passwords. To enable this, make the following changes to your configuration: | ||
| Line 109: | Line 124: | ||
== See also == | == See also == | ||
* [[SSH]] | |||
* [[Distributed build]] | * [[Distributed build]] | ||
[[Category:Networking]] | |||
[[Category:Server]] | |||