SSH public key authentication: Difference between revisions

From NixOS Wiki
← Older editNewer edit →
VisualWikitext
imported>Brogolem35
No edit summary
imported>Almino
m Just to make things easier to understand
Line 1: Line 1:
To setup a public key based SSH connection from <code>clientmachine</code> to <code>servermachine</code>:
To setup a public key based SSH connection from <code>your-machine</code> (client) to <code>another-machine</code> (server):


<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
[user@clientmachine] $ ssh-keygen -f ~/.ssh/servermachine
[user@your-machine] $ ssh-keygen -f ~/.ssh/another-machine
[user@clientmachine] $ ssh-copy-id -i ~/.ssh/servermachine servermachine
[user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine another-machine-host-or-ip
</syntaxhighlight>
</syntaxhighlight>


Now the public key is stored on the <code>servermachine</code> in <code>/home/user/.ssh/authorized_keys</code>
Now the public key is stored on the <code>another-machine</code> in <code>/home/user/.ssh/authorized_keys</code>


On the <code>clientmachine</code>, we stored the key file in the non-standard path <code>~/.ssh/servermachine</code>, so we must tell the SSH client to use the key file:
On <code>your-machine</code>, we stored the key file in the non-standard path <code>~/.ssh/another-machine</code>, so we must tell the SSH client to use the key file:


<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
[user@clientmachine] $ ssh -i ~/.ssh/another-machine another-machine-host-or-ip
</syntaxhighlight>
</syntaxhighlight>


Line 19: Line 19:


<syntaxhighlight>
<syntaxhighlight>
Host servermachine
Host another-machine
   HostName 192.168.1.105
   HostName 192.168.1.105 # another-machine-host-or-ip
   #Port 22
   #Port 22
   #User user
   #User user
Line 26: Line 26:
   # Prevent using ssh-agent or another keyfile, useful for testing
   # Prevent using ssh-agent or another keyfile, useful for testing
   IdentitiesOnly yes
   IdentitiesOnly yes
   IdentityFile ~/.ssh/servermachine
   IdentityFile ~/.ssh/another-machine
</syntaxhighlight>
</syntaxhighlight>


== SSH server config ==
== SSH server config ==


Optionally, on the NixOS-based <code>servermachine</code>, we can set <code>passwordAuthentication = false;</code> to require public key authentication for better security.
Optionally, on the NixOS-based <code>another-machine</code>, we can set <code>passwordAuthentication = false;</code> to require public key authentication for better security.


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
Line 48: Line 48:
users.users."user".openssh.authorizedKeys.keys = [
users.users."user".openssh.authorizedKeys.keys = [
   "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
   "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
   # note: ssh-copy-id will add user@clientmachine after the public key
   # note: ssh-copy-id will add user@your-machine after the public key
   # but we can remove the "@clientmachine" part
   # but we can remove the "@your-machine" part
];
];
</syntaxhighlight>
</syntaxhighlight>

Revision as of 19:18, 24 October 2023

To setup a public key based SSH connection from your-machine (client) to another-machine (server): 

[user@your-machine] $ ssh-keygen -f ~/.ssh/another-machine
[user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine another-machine-host-or-ip

Now the public key is stored on the another-machine in /home/user/.ssh/authorized_keys

On your-machine, we stored the key file in the non-standard path ~/.ssh/another-machine, so we must tell the SSH client to use the key file: 

[user@clientmachine] $ ssh -i ~/.ssh/another-machine another-machine-host-or-ip

The connection should work without password.

To make the SSH client automatically use the key file, we add this to /home/user/.ssh/config: 

Host another-machine
  HostName 192.168.1.105 # another-machine-host-or-ip
  #Port 22
  #User user

  # Prevent using ssh-agent or another keyfile, useful for testing
  IdentitiesOnly yes
  IdentityFile ~/.ssh/another-machine

SSH server config

Optionally, on the NixOS-based another-machine, we can set passwordAuthentication = false; to require public key authentication for better security. 

services.openssh = {
  enable = true;
  # require public key authentication for better security
  settings.PasswordAuthentication = false;
  settings.KbdInteractiveAuthentication = false;
  #settings.PermitRootLogin = "yes";
};

We can also store the public keys in /etc/nixos/configuration.nix: 

users.users."user".openssh.authorizedKeys.keys = [
  "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
  # note: ssh-copy-id will add user@your-machine after the public key
  # but we can remove the "@your-machine" part
];

... or use a custom path for the authorized_keys file: 

users.users."user".openssh.authorizedKeys.keyFiles = [
  /etc/nixos/ssh/authorized_keys
];

See also

Retrieved from "https://wiki.nixos.org/w/index.php?title=SSH_public_key_authentication&oldid=9434"