Difference between revisions of "SSH public key authentication"
From NixOS Wiki
(rename challengeResponseAuthentication to kbdInteractiveAuthentication) |
m (rollback unauthorized mass edits) Tag: Rollback |
||
| (6 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
| − | To setup a public key based SSH connection from <code> | + | To setup a public key based SSH connection from <code>your-machine</code> (client) to <code>another-machine</code> (server): |
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| − | [user@ | + | [user@your-machine] $ ssh-keygen -f ~/.ssh/another-machine |
| − | [user@ | + | [user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine another-machine-host-or-ip |
</syntaxhighlight> | </syntaxhighlight> | ||
| − | Now the public key is stored on the <code> | + | In case <code>another-machine</code> uses another port for SSH connections use this command instead: |
| + | <syntaxhighlight lang="console"> | ||
| + | [user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine -p1234 another-machine-host-or-ip | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Now the public key is stored on the <code>another-machine</code> in <code>/home/user/.ssh/authorized_keys</code> | ||
| − | On | + | On <code>your-machine</code>, we stored the key file in the non-standard path <code>~/.ssh/another-machine</code>, so we must tell the SSH client to use the key file: |
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| − | [user@clientmachine] $ ssh -i ~/.ssh/ | + | [user@clientmachine] $ ssh -i ~/.ssh/another-machine another-machine-host-or-ip |
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 19: | Line 24: | ||
<syntaxhighlight> | <syntaxhighlight> | ||
| − | Host | + | Host another-machine |
| − | HostName 192.168.1.105 | + | HostName 192.168.1.105 # another-machine-host-or-ip |
#Port 22 | #Port 22 | ||
#User user | #User user | ||
| Line 26: | Line 31: | ||
# Prevent using ssh-agent or another keyfile, useful for testing | # Prevent using ssh-agent or another keyfile, useful for testing | ||
IdentitiesOnly yes | IdentitiesOnly yes | ||
| − | IdentityFile ~/.ssh/ | + | IdentityFile ~/.ssh/another-machine |
</syntaxhighlight> | </syntaxhighlight> | ||
== SSH server config == | == SSH server config == | ||
| − | Optionally, on the NixOS-based <code> | + | Optionally, on the NixOS-based <code>another-machine</code>, we can set <code>passwordAuthentication = false;</code> to require public key authentication for better security. |
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
| Line 37: | Line 42: | ||
enable = true; | enable = true; | ||
# require public key authentication for better security | # require public key authentication for better security | ||
| − | + | settings.PasswordAuthentication = false; | |
| − | + | settings.KbdInteractiveAuthentication = false; | |
| − | # | + | #settings.PermitRootLogin = "yes"; |
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 48: | Line 53: | ||
users.users."user".openssh.authorizedKeys.keys = [ | users.users."user".openssh.authorizedKeys.keys = [ | ||
"ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file | "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file | ||
| − | # note: ssh-copy-id will add user@ | + | # note: ssh-copy-id will add user@your-machine after the public key |
| − | # but we can remove the "@ | + | # but we can remove the "@your-machine" part |
]; | ]; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Latest revision as of 11:04, 6 April 2024
To setup a public key based SSH connection from your-machine (client) to another-machine (server):
[user@your-machine] $ ssh-keygen -f ~/.ssh/another-machine
[user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine another-machine-host-or-ip
In case another-machine uses another port for SSH connections use this command instead:
[user@your-machine] $ ssh-copy-id -i ~/.ssh/another-machine -p1234 another-machine-host-or-ip
Now the public key is stored on the another-machine in /home/user/.ssh/authorized_keys
On your-machine, we stored the key file in the non-standard path ~/.ssh/another-machine, so we must tell the SSH client to use the key file:
[user@clientmachine] $ ssh -i ~/.ssh/another-machine another-machine-host-or-ip
The connection should work without password.
To make the SSH client automatically use the key file, we add this to /home/user/.ssh/config:
Host another-machine
HostName 192.168.1.105 # another-machine-host-or-ip
#Port 22
#User user
# Prevent using ssh-agent or another keyfile, useful for testing
IdentitiesOnly yes
IdentityFile ~/.ssh/another-machineSSH server config
Optionally, on the NixOS-based another-machine, we can set passwordAuthentication = false; to require public key authentication for better security.
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
#settings.PermitRootLogin = "yes";
};
We can also store the public keys in /etc/nixos/configuration.nix:
users.users."user".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
# note: ssh-copy-id will add user@your-machine after the public key
# but we can remove the "@your-machine" part
];
... or use a custom path for the authorized_keys file:
users.users."user".openssh.authorizedKeys.keyFiles = [
/etc/nixos/ssh/authorized_keys
];