Posts posted by Fafson

  1. On 9/22/2020 at 10:16 AM, tuxbass said:

    What's the _unraid way_ of turning on key-only login access to unraid host?

    Can see there is a set of keys in /boot/config/ssh but there's no sshd_config found under /boot to enforce their usage. Why are there keys under boot/config/ssh to begin with if they're not used?

     

    Just to be clear, the goal is to secure ssh access so no bad actor on LAN can wreak havoc.

     

    There were two main things that I had to do to make this work across reboots:

    1. The path "/root/.ssh" is a symlink to "/boot/config/ssh/root/" -- so, any keys added to /root/.ssh/authorized_keys should persist across reboots.
    2. Copying "/etc/ssh/sshd_config" to "/boot/config/ssh/sshd_config" and only editing the copy in "/boot/config/ssh/sshd_config".  This way, changes to the sshd_config file should be persistent across reboots as well.

     In my particular case, the actual changes I made to "/boot/config/ssh/sshd_config" were the 3 lines below (which already exist in the file; I just uncommented/changed where needed):

     

    PermitRootLogin prohibit-password
    PubkeyAuthentication yes
    PasswordAuthentication no

     

    Once the changes to "/boot/config/ssh/sshd_config" have been made, you should be able to just restart the SSH daemon via "/etc/rc.d/rc.sshd restart". There's a section in that script that copies the contents from /boot/config/ssh/* over to /etc/ssh/* (minus directories). Search for "sshd_start" in the script to see the actual section that does this.

     

    This has worked for me & I've been using this setup for quite some time.
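A pre-restart check for the three directives listed in the post above, as an added example that is not part of the original post or of Unraid's scripts. The function names `sshd_effective` and `check_key_only` are hypothetical; the parser assumes whitespace-separated `Keyword value` lines and does not follow `Include` files.

```shell
#!/bin/sh
# Added example: confirm an sshd_config copy enforces key-only login
# before restarting sshd.

# Print the global value sshd would use for one keyword. sshd takes the
# first value it reads for a keyword, keywords are case-insensitive, and
# lines starting with '#' are comments, so a still-commented directive does
# not count. Parsing stops at the first Match block (global scope only).
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 only if all three directives are explicitly set as in the post.
check_key_only() {
    cfg=$1
    rc=0
    for want in "PermitRootLogin=prohibit-password" \
                "PubkeyAuthentication=yes" \
                "PasswordAuthentication=no"; do
        key=${want%%=*}
        val=${want#*=}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: got '${got:-<unset>}', want '$val'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check.sh /boot/config/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    check_key_only "$1" && echo "OK: key-only login enforced in $1"
fi
```

Keep an existing SSH session open while restarting the daemon, so a failed check or a missing key in authorized_keys does not lock you out.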
