Official NixOS Wiki

SSH public key authentication: Difference between revisions

← Older edit
VisualWikitext
imported>Milahu
remove unnecessary server config
Phobos (talk | contribs)
19 edits
No edit summary
 
(16 intermediate revisions by 11 users not shown)
Line 1: Line 1:
Let's assume a <code>servermachine</code> is running NixOS. To setup a public key based SSH connection from <code>clientmachine</code> to <code>servermachine</code>:
SSH key authentication uses a [https://en.wikipedia.org/wiki/Public-key_cryptography pair of cryptographic keys]; a private key stored on the client and a public key placed on the server in order to verify identity without transmitting passwords over the network.
 
On NixOS, SSH key authentication is typically managed using [[SSH|OpenSSH]], which is included by default and can be configured both declaratively in configuration.nix and interactively using standard SSH tools.
 
== Generating an SSH key pair ==
 
To setup a public key based SSH connection from <code>your-machine</code> (client) to <code>another-machine</code> (server):


<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
[user@clientmachine] $ ssh-keygen -f ~/.ssh/servermachine
$ ssh-keygen -f ~/.ssh/another-machine
[user@clientmachine] $ ssh-copy-id -i ~/.ssh/servermachine servermachine
$ ssh-copy-id -i ~/.ssh/another-machine -p22 another-machine-host-or-ip
</syntaxhighlight>
</syntaxhighlight>


Now the public key is stored on the <code>servermachine</code> in <code>/home/user/.ssh/authorized_keys</code>
This copies the public key to <code>another-machine</code>, placing it in the user’s <code>~/.ssh/authorized_keys</code> file.
 
Note: On the <code>clientmachine</code>, we created the public key file in the non-standard path <code>~/.ssh/servermachine</code>, so later we must use <code>ssh -i ~/.ssh/servermachine servermachine</code> to send our public key.


Now we must tell the SSH client to send the public key:
On <code>your-machine</code>, we stored the key file in the non-standard path <code>~/.ssh/another-machine</code>, so we must tell the SSH client to use the key file:


<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
$ ssh -i ~/.ssh/another-machine another-machine-host-or-ip
</syntaxhighlight>
</syntaxhighlight>


The connection should work without password.
The connection should now succeed without prompting for a password.


To make the SSH client automatically use the public key file, we add this to <code>/home/user/.ssh/config</code>:
To make the SSH client automatically use the key file, add a host entry to your per-user SSH configuration file:


<syntaxhighlight>
{{file|~/.ssh/config|bash|
Host servermachine
<nowiki>
   HostName 192.168.1.105
Host another-machine
   HostName 192.168.1.105 # another-machine-host-or-ip
   #Port 22
   #Port 22
   #User user
   #User user
Line 28: Line 33:
   # Prevent using ssh-agent or another keyfile, useful for testing
   # Prevent using ssh-agent or another keyfile, useful for testing
   IdentitiesOnly yes
   IdentitiesOnly yes
   IdentityFile ~/.ssh/servermachine
   IdentityFile ~/.ssh/another-machine
</syntaxhighlight>
</nowiki>
}}


== SSH server config ==
== SSH agent ==


Optionally, on the <code>servermachine</code>, we can set <code>passwordAuthentication = false;</code> to require public key authentication, usually for better security.
A ssh private key, for which a phrase is defined, can be clumsy if you use it multiple times. It is possible to store the private key identity in a ssh-agent. The ssh-agent uses the ssh private key identity when you issue a ssh command, for instance when using ssh to connect.


To define NixOS to setup a ssh-agent, add this to your configuration:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
services.openssh = {
programs.ssh.startAgent = true;
  enable = true;
#  passwordAuthentication = false; # default true
#  permitRootLogin = "yes";
#  challengeResponseAuthentication = false;
};
</syntaxhighlight>
</syntaxhighlight>


We can also store the public keys in <code>/etc/nixos/configuration.nix</code>:
NixOS will start a user systemd service with the ssh-agent at login. You can see the service with the command <code>systemctl --user status ssh-agent</code>.
 
It provides also the environment variable <code>$SSH_AUTH_SOCK</code> which refers to <code>/run/user/1000/ssh-agent</code> , in this case for user id 1000.


<syntaxhighlight lang="nix">
If you want to use a ssh key pair for authenticating, you can add this to the ssh-agent using the command ssh-add entering the phrase only once.
users.users."user".openssh.authorizedKeys.keys = [
 
  "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
<syntaxhighlight lang="console">
  # note: ssh-copy-id will add user@clientmachine after the public key
$ ssh-add ~/.ssh/id_rsa
  # but we can remove the "@clientmachine" part
Enter passphrase for /home/user/.ssh/id_rsa:
];
Identity added: /home/user/.ssh/id_rsa (myaccounts@mymachine)
</syntaxhighlight>
</syntaxhighlight>


... or use a custom path for the <code>authorized_keys</code> file:
If you store the ssh public key with the command ssh-copy-id on <code>another-machine</code> as shown above, you can logon without giving a password or phrase.
 
== SSH server configuration ==
 
You can manage SSH authorized public keys declaratively by adding them to your system configuration:
 
{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
  users.users."myUser".openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
    # note: ssh-copy-id will add user@your-machine after the public key
    # but we can remove the "@your-machine" part
  ];
</nowiki>
}}
 
Alternatively, you can reference a custom file containing the authorized keys:
 
{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
  users.users."user".openssh.authorizedKeys.keyFiles = [
    /etc/nixos/ssh/authorized_keys
  ];
</nowiki>
}}
 
For additional configuration options, see the {{nixos:option|users.users.*.openssh}} module documentation.
 
After configuring user keys, it is recommended to improve server security by disabling password-based authentication and requiring public key authentication. This can be done on a NixOS-based server (e.g. <code>another-machine</code>). For additional security measures, see [[SSH#Security hardening]].
 
This can be configured in your system configuration:
 
{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
  services.openssh = {
    enable = true;
    # require public key authentication for better security
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
};
</nowiki>
}}
 
== Tips and tricks ==
 
=== KDE ===
 
By default, KDE prompts you to enter the passwords for your SSH keys to unlock them across session starts. To avoid being asked to unlock your SSH keys every time a session is restarted (e.g., after logging out or rebooting), you can use <code>ksshaskpass</code> to store the passwords. To enable this, make the following changes to your configuration:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
users.users."user".openssh.authorizedKeys.keyFiles = [
programs.ssh = {
   /etc/nixos/ssh/authorized_keys
  startAgent = true;
];
  enableAskPassword = true;
};
 
environment.variables = {
   SSH_ASKPASS_REQUIRE = "prefer";
};
</syntaxhighlight>
</syntaxhighlight>
After applying these changes, either log out (if you used <code>switch</code>) or reboot (if you used <code>boot</code> for the variables to take effect.
When you use an SSH key for the first time, you will be prompted to enter its passphrase. <strong><em>Be sure to select the "Remember password" checkbox</strong></em> and the passphrase will be securely stored in the KDE Wallet and automatically retrieved across session restarts.


== See also ==
== See also ==


* [[SSH]]
* [[Distributed build]]
* [[Distributed build]]
[[Category:Networking]]
[[Category:Server]]
Retrieved from "https://wiki.nixos.org/wiki/SSH_public_key_authentication"