SSH public key authentication
Let's assume a servermachine is running NixOS. To setup a public key based SSH connection from clientmachine to servermachine:
[user@clientmachine] $ ssh-keygen -f ~/.ssh/servermachine
[user@clientmachine] $ ssh-copy-id -i ~/.ssh/servermachine servermachine
Now the public key is stored on the servermachine in /home/user/.ssh/authorized_keys
Note: On the clientmachine, we created the public key file in the non-standard path ~/.ssh/servermachine, so later we must use ssh -i ~/.ssh/servermachine servermachine to send our public key.
Now we must tell the SSH client to send the public key:
[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
The connection should work without password.
To make the SSH client automatically use the public key file, we add this to /home/user/.ssh/config:
Host servermachine
HostName 192.168.1.105
#Port 22
#User user
# Prevent using ssh-agent or another keyfile, useful for testing
IdentitiesOnly yes
IdentityFile ~/.ssh/servermachineSSH server config
Optionally, on the servermachine, we can set passwordAuthentication = false; to require public key authentication, usually for better security.
services.openssh = {
enable = true;
# passwordAuthentication = false; # default true
# permitRootLogin = "yes";
# challengeResponseAuthentication = false;
};
We can also store the public keys in /etc/nixos/configuration.nix:
users.users."user".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
# note: ssh-copy-id will add user@clientmachine after the public key
# but we can remove the "@clientmachine" part
];
... or use a custom path for the authorized_keys file:
users.users."user".openssh.authorizedKeys.keyFiles = [
/etc/nixos/ssh/authorized_keys
];