Difference between revisions of "SSH public key authentication"

Revision as of 11:58, 24 October 2021

Let's assume a servermachine is running NixOS. To setup a public key based SSH connection from clientmachine to servermachine:

[user@clientmachine] $ ssh-keygen -f ~/.ssh/servermachine
[user@clientmachine] $ ssh-copy-id -i ~/.ssh/servermachine servermachine

Now the public key is stored on the servermachine in /home/user/.ssh/authorized_keys

Note: On the clientmachine, we created the public key file in the non-standard path ~/.ssh/servermachine, so later we must use ssh -i ~/.ssh/servermachine servermachine to send our public key.

Now we must tell the SSH client to send the public key:

[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine

The connection should work without password.

To make the SSH client automatically use the public key file, we add this to /home/user/.ssh/config:

Host servermachine
  HostName 192.168.1.105
  #Port 22
  #User user

  # Prevent using ssh-agent or another keyfile, useful for testing
  IdentitiesOnly yes
  IdentityFile ~/.ssh/servermachine

SSH server config

Optionally, on the servermachine, we can set passwordAuthentication = false; to require public key authentication, usually for better security.

services.openssh = {
  enable = true;
#  passwordAuthentication = false; # default true
#  permitRootLogin = "yes";
#  challengeResponseAuthentication = false;
};

We can also store the public keys in /etc/nixos/configuration.nix:

users.users."user".openssh.authorizedKeys.keys = [
  "ssh-rsa AAAAB3Nz....6OWM= user" # content of authorized_keys file
  # note: ssh-copy-id will add user@clientmachine after the public key
  # but we can remove the "@clientmachine" part
];

... or use a custom path for the authorized_keys file:

users.users."user".openssh.authorizedKeys.keyFiles = [
  /etc/nixos/ssh/authorized_keys
];

@@ Line 10: / Line 10: @@
 Note: On the <code>clientmachine</code>, we created the public key file in the non-standard path <code>~/.ssh/servermachine</code>, so later we must use <code>ssh -i ~/.ssh/servermachine servermachine</code> to send our public key.
-Now, on the <code>servermachine</code>, we must tell the SSH server, where to find the <code>authorized_keys</code> file. To <code>/etc/nixos/configuration.nix</code> we add:
+Now we must tell the SSH client to send the public key:
+<syntaxhighlight lang="console">
+[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
+</syntaxhighlight>
+The connection should work without password.
+To make the SSH client automatically use the public key file, we add this to <code>/home/user/.ssh/config</code>:
+<syntaxhighlight>
+Host servermachine
+  HostName 192.168.1.105
+  #Port 22
+  #User user
+  # Prevent using ssh-agent or another keyfile, useful for testing
+  IdentitiesOnly yes
+  IdentityFile ~/.ssh/servermachine
+</syntaxhighlight>
+== SSH server config ==
+Optionally, on the <code>servermachine</code>, we can set <code>passwordAuthentication = false;</code> to require public key authentication, usually for better security.
 <syntaxhighlight lang="nix">
 services.openssh = {
    enable = true;
-  authorizedKeysFiles = [ ".ssh/authorized_keys" ];
+#  passwordAuthentication = false; # default true
-#  passwordAuthentication = false;
 #  permitRootLogin = "yes";
 #  challengeResponseAuthentication = false;
 };
 </syntaxhighlight>
-Optionally, we can set <code>passwordAuthentication = false;</code> to require public key authentication, usually for better security.
-Now we must tell the SSH client to send the public key:
-<syntaxhighlight lang="console">
-[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
-</syntaxhighlight>
-The connection should work without password.
-== Alternative config ==
 We can also store the public keys in <code>/etc/nixos/configuration.nix</code>:
@@ Line 51: / Line 61: @@
 ];
 </syntaxhighlight>
+== See also ==
+* [[Distributed build]]