SSH public key authentication: Difference between revisions

imported>Milahu
Created page with "Let's assume a <code>servermachine</code> is running NixOS. To setup a public key based SSH connection from <code>clientmachine</code> to <code>servermachine</code>: <syntaxh..."
 
imported>Milahu
remove unnecessary server config
Line 10: Line 10:
Note: On the <code>clientmachine</code>, we created the public key file in the non-standard path <code>~/.ssh/servermachine</code>, so later we must use <code>ssh -i ~/.ssh/servermachine servermachine</code> to send our public key.
Note: On the <code>clientmachine</code>, we created the public key file in the non-standard path <code>~/.ssh/servermachine</code>, so later we must use <code>ssh -i ~/.ssh/servermachine servermachine</code> to send our public key.


Now, on the <code>servermachine</code>, we must tell the SSH server, where to find the <code>authorized_keys</code> file. To <code>/etc/nixos/configuration.nix</code> we add:
Now we must tell the SSH client to send the public key:
 
<syntaxhighlight lang="console">
[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
</syntaxhighlight>
 
The connection should work without password.
 
To make the SSH client automatically use the public key file, we add this to <code>/home/user/.ssh/config</code>:
 
<syntaxhighlight>
Host servermachine
  HostName 192.168.1.105
  #Port 22
  #User user
 
  # Prevent using ssh-agent or another keyfile, useful for testing
  IdentitiesOnly yes
  IdentityFile ~/.ssh/servermachine
</syntaxhighlight>
 
== SSH server config ==
 
Optionally, on the <code>servermachine</code>, we can set <code>passwordAuthentication = false;</code> to require public key authentication, usually for better security.


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
services.openssh = {
services.openssh = {
   enable = true;
   enable = true;
  authorizedKeysFiles = [ ".ssh/authorized_keys" ];
#  passwordAuthentication = false; # default true
#  passwordAuthentication = false;  
#  permitRootLogin = "yes";
#  permitRootLogin = "yes";
#  challengeResponseAuthentication = false;
#  challengeResponseAuthentication = false;
};
};
</syntaxhighlight>
</syntaxhighlight>
Optionally, we can set <code>passwordAuthentication = false;</code> to require public key authentication, usually for better security.
Now we must tell the SSH client to send the public key:
<syntaxhighlight lang="console">
[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
</syntaxhighlight>
The connection should work without password.
== Alternative config ==


We can also store the public keys in <code>/etc/nixos/configuration.nix</code>:
We can also store the public keys in <code>/etc/nixos/configuration.nix</code>:
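Review bot: The added client-side sentence "Now we must tell the SSH client to send the public key", like the unchanged note above it, treats <code>~/.ssh/servermachine</code> as the public key file, but <code>ssh -i</code> and <code>IdentityFile</code> take the identity (private key) file; only the public half belongs in <code>authorized_keys</code> on the server. Suggest rewording to "tell the SSH client which private key to use" and, assuming the key generation step not shown in this hunk wrote the pair to that path, naming <code>~/.ssh/servermachine.pub</code> as the public key. In the new "SSH server config" section, the example keeps a commented <code>permitRootLogin = "yes";</code> next to a commented-out <code>passwordAuthentication = false;</code>, so a reader who uncomments only the former ends up allowing root password logins; consider dropping that line or showing <code>"prohibit-password"</code> instead. The section could also say that password authentication should be disabled only after the key-based login from the previous step has been confirmed to work, otherwise a typo in the key setup locks the user out.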
Line 51: Line 61:
];
];
</syntaxhighlight>
</syntaxhighlight>
== See also ==
* [[Distributed build]]