Difference between revisions of "SSH public key authentication"
(Created page with "Let's assume a <code>servermachine</code> is running NixOS. To setup a public key based SSH connection from <code>clientmachine</code> to <code>servermachine</code>: <syntaxh...")
(remove unnecessary server config)
Revision as of 11:58, 24 October 2021
Let's assume <code>servermachine</code> is running NixOS and that the same account, <code>user</code>, exists on both machines. To set up public key based SSH authentication from <code>clientmachine</code> to <code>servermachine</code>:

<syntaxhighlight lang="console">
[user@clientmachine] $ ssh-keygen -f ~/.ssh/servermachine
[user@clientmachine] $ ssh-copy-id -i ~/.ssh/servermachine servermachine
</syntaxhighlight>

<code>ssh-keygen</code> writes the private key to <code>~/.ssh/servermachine</code> and the public key to <code>~/.ssh/servermachine.pub</code>. <code>ssh-copy-id</code> logs in to <code>servermachine</code> with whatever authentication currently works there (normally the password of <code>user</code>) and appends the public key to <code>/home/user/.ssh/authorized_keys</code>, so password authentication must still be enabled on the server at this point.
Note: On <code>clientmachine</code>, the key pair lives at the non-standard path <code>~/.ssh/servermachine</code> rather than under one of the default names such as <code>~/.ssh/id_rsa</code> or <code>~/.ssh/id_ed25519</code>, so the SSH client will not try it on its own. Later we must pass <code>-i ~/.ssh/servermachine</code> so that <code>ssh</code> offers this public key and proves possession of the matching private key.
Now we must tell the SSH client which key to use:

<syntaxhighlight lang="console">
[user@clientmachine] $ ssh -i ~/.ssh/servermachine servermachine
</syntaxhighlight>

The connection should now succeed without a password prompt. If it still asks for one, run the same command with <code>-v</code> to see whether the key is offered and accepted, and check permissions on the server: <code>sshd</code> ignores <code>authorized_keys</code> when the home directory, <code>~/.ssh</code> or the file itself is writable by other users (<code>StrictModes</code>).
To make the SSH client use this key automatically, we add this to <code>/home/user/.ssh/config</code>:

<syntaxhighlight>
Host servermachine
  HostName 192.168.1.105
  #Port 22
  #User user

  # Offer only the key named below, not the default identities or every
  # key held by ssh-agent: this keeps testing deterministic and avoids
  # burning the server's MaxAuthTries on unrelated keys.
  IdentitiesOnly yes
  IdentityFile ~/.ssh/servermachine
</syntaxhighlight>
== SSH server config ==

Optionally, on <code>servermachine</code>, we can set <code>passwordAuthentication = false;</code> so that only public key authentication is accepted, which removes password guessing as an attack vector. Two caveats: do this only after key login has been verified from the client (<code>ssh-copy-id</code> itself needs a working password login, so doing it earlier locks you out), and keep an existing SSH session open while running <code>nixos-rebuild switch</code>. For a real password lockout, <code>challengeResponseAuthentication = false;</code> is needed as well: with PAM enabled, keyboard-interactive authentication still accepts the account password even when <code>passwordAuthentication</code> is off. Leave <code>permitRootLogin</code> at its default <code>"prohibit-password"</code>; the commented <code>"yes"</code> below would allow root password logins and weakens the setup.
<syntaxhighlight lang="nix">
services.openssh = {
  enable = true;
  # passwordAuthentication = false;          # default true; false = keys only
  # permitRootLogin = "yes";                 # default "prohibit-password"; "yes" is a weakening, not a hardening
  # challengeResponseAuthentication = false; # default true; false also stops PAM keyboard-interactive password prompts
};
</syntaxhighlight>
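Before rebuilding with <code>passwordAuthentication = false</code>, it is worth confirming from <code>clientmachine</code> that the key alone is enough to log in and that the key file permissions are what OpenSSH expects. The script below is an added example, not part of the wiki page or of NixOS; it assumes the key pair and the <code>Host servermachine</code> alias from above (both passed as arguments) and uses GNU <code>stat</code> for the permission check.

```sh
#!/bin/sh
# Added example, not part of the wiki page or of NixOS: pre-flight checks to
# run on clientmachine BEFORE setting passwordAuthentication = false on
# servermachine. Assumes the private key ~/.ssh/servermachine and the Host
# alias "servermachine" from the page; both are taken from the arguments.

# Return 0 if the private key and its directory have modes OpenSSH accepts
# (ssh refuses a private key that group/others can read).
check_key_perms() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "missing private key: $key" >&2
        return 1
    fi
    dir=$(dirname "$key")
    # stat -c is GNU coreutils; on BSD/macOS use: stat -f '%Lp'
    keymode=$(stat -c '%a' "$key")
    dirmode=$(stat -c '%a' "$dir")
    case "$keymode" in
        600|400) ;;
        *) echo "$key has mode $keymode, expected 600" >&2; return 1 ;;
    esac
    case "$dirmode" in
        700) ;;
        *) echo "$dir has mode $dirmode, expected 700" >&2; return 1 ;;
    esac
    return 0
}

# Return 0 only if public-key authentication alone gets a shell on the host.
# Password and keyboard-interactive are disabled for this probe so that a
# server which would silently fall back to a password prompt cannot make it
# pass, and BatchMode makes ssh fail instead of prompting.
key_auth_works() {
    key="$1"
    host="$2"
    ssh -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o IdentitiesOnly=yes \
        -i "$key" "$host" true
}

# Usage: sh preflight.sh ~/.ssh/servermachine servermachine
if [ "$#" -eq 2 ]; then
    check_key_perms "$1" || exit 1
    if key_auth_works "$1" "$2"; then
        echo "key-only login to $2 works; safe to disable password authentication"
    else
        echo "key-only login to $2 FAILED; do not disable password authentication yet" >&2
        exit 1
    fi
fi
```

A non-zero exit is exactly the state in which the server must not be locked down yet; fix the key or the server-side permissions first, then rerun the probe.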
We can also store the public keys in <code>/etc/nixos/configuration.nix</code>, so that they are managed by NixOS rather than living only in the user's own editable <code>~/.ssh/authorized_keys</code>:

<syntaxhighlight lang="nix">
users.users."user".openssh.authorizedKeys.keys = [
  "ssh-rsa AAAAB3Nz....6OWM= user" # one line of the authorized_keys file
  # note: ssh-copy-id copies the key comment as user@clientmachine;
  # the comment is informational only, so the "@clientmachine" part can be removed
];
</syntaxhighlight>
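The following added example (not from the wiki page) does the conversion described in the comments above, with a little validation: it reads one or more <code>.pub</code> files, rejects lines that are not public keys (for example a private key pasted by mistake), strips the <code>@host</code> part of the comment, and prints the <code>authorizedKeys.keys</code> attribute ready to paste into <code>configuration.nix</code>. The key material in it is constructed for the example and is not a real key; the user name and file names follow the page.

```sh
#!/bin/sh
# Added example, not part of the wiki page or of NixOS: turn OpenSSH public
# key files into users.users.<name>.openssh.authorizedKeys.keys entries.

# Normalise one authorized_keys line of the form "<type> <base64> [comment]".
# Prints the normalised line and returns 0; returns 1 for anything else
# (blank lines, comments, options-prefixed entries, private key material).
# Only the first word of the comment is kept.
normalize_pubkey() {
    line="$1"
    set -f                  # no globbing while word-splitting the line
    set -- $line
    set +f
    type="${1:-}"
    blob="${2:-}"
    comment="${3:-}"
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    # The key blob must look like base64; this keeps typos out of the config.
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    comment="${comment%%@*}"   # user@clientmachine -> user
    if [ -n "$comment" ]; then
        printf '%s %s %s\n' "$type" "$blob" "$comment"
    else
        printf '%s %s\n' "$type" "$blob"
    fi
}

# Emit the Nix attribute for one user from one or more .pub files.
# Lines that are not public keys are reported on stderr and skipped.
nix_authorized_keys() {
    user="$1"
    shift
    printf 'users.users."%s".openssh.authorizedKeys.keys = [\n' "$user"
    for f in "$@"; do
        while IFS= read -r l || [ -n "$l" ]; do
            k=$(normalize_pubkey "$l") || { echo "skipping non-key line in $f: $l" >&2; continue; }
            printf '  "%s"\n' "$k"
        done < "$f"
    done
    printf '];\n'
}

# Usage: sh pub2nix.sh user ~/.ssh/servermachine.pub [more.pub ...]
if [ "$#" -ge 2 ]; then
    nix_authorized_keys "$@"
else
    # No arguments: run on a constructed sample (not a real key) so the
    # script demonstrates itself offline.
    sample=$(mktemp)
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialForTheWikiPageOnly user@clientmachine' \
        '-----BEGIN OPENSSH PRIVATE KEY-----' > "$sample"
    nix_authorized_keys user "$sample"
    rm -f "$sample"
fi
```

The validation is deliberately syntactic only; the authoritative check is still that the resulting configuration lets the key log in, as in the pre-flight probe above.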
Alternatively, keep the keys in a separate file and point NixOS at it:

<syntaxhighlight lang="nix">
users.users."user".openssh.authorizedKeys.keyFiles = [
  /etc/nixos/ssh/authorized_keys
];
</syntaxhighlight>

== See also ==

* [[Distributed build]]