Passwordless SSH login



13 hours ago, ionred said:

fc-ps-urd1-diagnostics-20210427-2146.zip 111.34 kB · 0 downloads

 

Here you go. In the meantime, I added it back to my go file. Hopefully it doesn't just start working and then fill up my authorized keys file :)

 

Remove the "SSH Config Tool" plugin, it is likely what is overwriting your files. It hasn't been updated since 2019 so it doesn't know about the changes in 6.9. 

 

TBH your system has more plugins than I have ever seen installed at once :) I'd highly recommend removing as many as you can, the fewer plugins you have the better. Less potential conflicts like this one, less that can go wrong.

 

 

Also, you should run

touch /boot/config/modprobe.d/i915.conf

and remove these lines from your go script:

modprobe i915
chmod -R 777 /dev/dri

per https://wiki.unraid.net/Manual/Release_Notes/Unraid_OS_6.9.0#GPU_Driver_Integration

 

  • Thanks 2
Link to comment
8 minutes ago, ljm42 said:

 

Remove the "SSH Config Tool" plugin, it is likely what is overwriting your files. It hasn't been updated since 2019 so it doesn't know about the changes in 6.9. 

 

TBH your system has more plugins than I have ever seen installed at once :) I'd highly recommend removing as many as you can, the fewer plugins you have the better. Less potential conflicts like this one, less that can go wrong.

 

Both good points. I've removed the plugin along with 7 or 8 others that I know for sure I don't use. 

 

Unfortunately, I'm currently running a preclear on a new disk so I won't be able to check until tomorrow, but crossing my fingers this is it!

  • Like 1
Link to comment
25 minutes ago, ljm42 said:

Also, you should remove these lines from your go script:




modprobe i915
chmod -R 777 /dev/dri

per https://wiki.unraid.net/Manual/Release_Notes/Unraid_OS_6.9.0#GPU_Driver_Integration

 

 

 

That's fantastic (if it works!). Getting Intel QuickSync to pass through to the dockers in the past has always been a huge issue. 

 

@Hoopster I know you also had similar problems with modprobe i915 for quicksync/QSV. Did this work out for you on 6.9.1+?

Edited by ionred
Link to comment
3 minutes ago, ionred said:

I know you also had similar problems with modprobe i915 for quicksync/QSV. Did this work out for you on 6.9.1+?

Yes, I no longer have anything in the 'go' file related to i915 drivers. I used the 'touch' method to create a blank i915.conf file as explained in the link and have no problem with QSV working for Plex and HandBrake.

  • Thanks 1
Link to comment
  • 2 months later...

I'm trying to create a simple method to switch between 2 operating systems which share a common GPU.  I created 2 scripts in script editor to shut down the working operating system and boot the other.  However I don't want the user to access the unraid GUI.  Is it possible to run these scripts from the operating system vm interface by clicking an icon?

Link to comment
  • 2 months later...
On 10/19/2016 at 11:12 AM, ken-ji said:

A slightly better way to maintain the keys across reboots is to

* copy the authorized_keys file to /boot/config/ssh/root.pubkeys

* copy /etc/ssh/sshd_config to /boot/config/ssh

* modify /boot/config/sshd_config to set the following line

AuthorizedKeysFile      /etc/ssh/%u.pubkeys
 

 

This will allow you to keep the keys on the flash always and let the ssh startup scripts do all the copying.

Hi @ken-ji what does the %u do? Could you enlighten me? Thanks.

Link to comment
  • 4 weeks later...

Hi all,

Updated to 6.10.0-rc2 and I can't ssh into my Unraid as root anymore.

A tail /var/log/syslog gives:

 

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]


but ssh-rsa is enabled in sshd_config:
 

#ssh -Q PubkeyAcceptedAlgorithms

ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

 

And:
 

# ssh -Q PubkeyAcceptedKeyTypes

ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]


I double-checked the authorized_keys and it's correct.

I'm literally getting mad.

Any idea?

Thanks.
 

Link to comment
11 hours ago, trurl said:

You should always read the release thread before updating.

 

Which of course I did.

 

It is now mandatory to define a root password.  We also created a division in the Users page to distinguish root from other user names.  The root UserEdit page includes a text box for pasting SSH authorized keys.

For new configurations, telnet, ssh, and ftp are disabled by default.

 

My configuration isn't "new".
SSH is enabled.

root password is defined since day 1.

My SSH key is where it's supposed to be and shows in my users/root configuration in the webui.

My clients (Putty, WinSCP) are up to date.
 

Link to comment
12 hours ago, dhstsw said:

Hi all,

Updated to 6.10.0-rc2 and I can't ssh into my Unraid as root anymore.

A tail /var/log/syslog gives:

 

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]


but ssh-rsa is enabled in sshd_config:
 

#ssh -Q PubkeyAcceptedAlgorithms

ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

 

And:
 

# ssh -Q PubkeyAcceptedKeyTypes

ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]


I double-checked the authorized_keys and it's correct.

I'm literally getting mad.

Any idea?

Thanks.
 

That's the wrong command. Not sure what the values are in 6.10rc2, but in 6.9.2 it's

root@MediaStore:~# sshd -T | grep pubkeyaccepted
pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa

ssh-rsa is at the very end

Link to comment
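The check described in the reply above, as an added example that is not part of the original thread: `ssh -Q` lists every algorithm the binary supports, while `sshd -T` prints the effective server configuration, so this script takes the algorithm named in the log line and looks for it in a saved `sshd -T` dump. The function names and the sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; function names and sample data are constructed for illustration.

# Read `sshd -T` text on stdin and print the accepted public-key algorithms,
# one per line. The directive is pubkeyacceptedkeytypes before OpenSSH 8.5
# and pubkeyacceptedalgorithms from 8.5 on.
accepted_algos() {
    awk '$1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" {
             n = split($2, a, ",")
             for (i = 1; i <= n; i++) print a[i]
         }'
}

# Read syslog text on stdin and print each distinct algorithm that sshd
# reported as "not in PubkeyAccepted...".
refused_algos() {
    sed -n 's/.*userauth_pubkey: key type \([^ ]*\) not in PubkeyAccepted.*/\1/p' |
        sort -u
}

# diagnose <sshd-T-dump> <syslog>: for every refused algorithm, say whether
# the effective server configuration in the dump lists it.
diagnose() {
    refused_algos < "$2" | while read -r algo; do
        if accepted_algos < "$1" | grep -qxF -- "$algo"; then
            echo "$algo accepted-by-config"
        else
            echo "$algo missing-from-config"
        fi
    done
}

# Constructed sample input: two shortened `sshd -T` dumps and one log line.
tmp=$(mktemp -d)
printf 'pubkeyacceptedkeytypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa\n' > "$tmp/with_rsa"
printf 'pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n' > "$tmp/without_rsa"
printf 'sshd[1234]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]\n' > "$tmp/syslog"

diagnose "$tmp/with_rsa" "$tmp/syslog"
diagnose "$tmp/without_rsa" "$tmp/syslog"
rm -rf "$tmp"
```

On a live server the first argument would be a file holding the output of `sshd -T` run as root, and the second the real syslog.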
  • 2 months later...

Hi all, I'm running Unraid 6.9.2 and trying to set up passwordless ssh access to my Unraid server. For me this thread became quite messy over the years and I am unsure at which point we are now.

 

I am trying to set it up @ken-ji's way and have put the authorized_keys file in /boot/config/ssh/root. Do I need to copy the sshd_config to the same location as well and change "AuthorizedKeysFile" to /etc/ssh/root?

 

Am I totally wrong or on the right way?

 

It would be very helpful if someone could write down the necessary steps again. Many thanks in advance.

Edited by monarc
Link to comment

As of 6.9.2 the only thing you really need to do is generate your ssh keys and stick them in the correct place

either /root/.ssh or /boot/config/ssh/root (/root/.ssh is a symlink to this)

root@MediaStore:~# ls -al /root/
total 32
drwx--x---  6 root root   260 Jan 18 11:20 ./
drwxr-xr-x 20 root root   440 Jan 17 06:58 ../
-rw-------  1 root root 13686 Jan 17 11:29 .bash_history
-rwxr-xr-x  1 root root   316 Apr  8  2021 .bash_profile*
drwxr-xr-x  4 root root    80 Oct 29 10:21 .cache/
drwx------  5 root root   100 Nov 30 06:02 .config/
lrwxrwxrwx  1 root root    30 Apr  8  2021 .docker -> /boot/config/plugins/dockerMan/
-rw-------  1 root root   149 Jan 18 11:20 .lesshst
drwx------  3 root root    60 Oct 29 10:21 .local/
-rw-------  1 root root  1024 Nov 13 00:36 .rnd
lrwxrwxrwx  1 root root    21 Apr  8  2021 .ssh -> /boot/config/ssh/root/
drwxr-xr-x  5 root root   280 Jan 16 10:23 .vscode-server/
-rw-r--r--  1 root root   351 Jan 18 00:00 .wget-hsts
root@MediaStore:~# ls -l /root/.ssh/
total 32
-rw------- 1 root root  418 Mar  9  2021 authorized_keys
-rw------- 1 root root  883 Mar  9  2021 id_rsa
-rw------- 1 root root  209 Apr 19  2021 id_rsa.pub
-rw------- 1 root root 3869 Jul 24 08:59 known_hosts
root@MediaStore:~# ls -l /boot/config/ssh/root/
total 32
-rw------- 1 root root  418 Mar  9  2021 authorized_keys
-rw------- 1 root root  883 Mar  9  2021 id_rsa
-rw------- 1 root root  209 Apr 19  2021 id_rsa.pub
-rw------- 1 root root 3869 Jul 24 08:59 known_hosts

 

  • Like 1
Link to comment

Thanks for your quick reply @ken-ji!

 

Looks good I guess, but even after "/etc/rc.d/rc.sshd restart" I am asked to enter my "normal" root password to login.

 

root@Unraid:~# ls -al /root/
total 12
drwx--x---  6 root root 220 Jan  2 22:14 ./
drwxr-xr-x 20 root root 460 Jan 15 21:39 ../
-rw-------  1 root root 494 Jan 17 18:41 .bash_history
-rwxr-xr-x  1 root root 316 Apr  7  2021 .bash_profile*
drwx------  3 root root  60 Jan  2 22:14 .cache/
drwx------  4 root root  80 Jan  2 22:14 .config/
lrwxrwxrwx  1 root root  30 Apr  7  2021 .docker -> /boot/config/plugins/dockerMan/
drwx------  3 root root  60 Nov  4 13:25 .freeipmi/
drwx------  3 root root  60 Jan  2 22:14 .local/
lrwxrwxrwx  1 root root  21 Apr  7  2021 .ssh -> /boot/config/ssh/root/
-rw-r--r--  1 root root 281 Jan 18 00:10 .wget-hsts
root@Unraid:~# ls -l /root/.ssh/
total 20
-rw------- 1 root root 393 Jan 17 18:13 authorized_keys
-rw------- 1 root root  86 May  4  2021 config
-rw------- 1 root root 192 May  4  2021 known_hosts
-rw------- 1 root root 387 May  4  2021 unraidbackup_id_ed25519
-rw------- 1 root root  82 May  4  2021 unraidbackup_id_ed25519.pub
root@Unraid:~# ls -l /boot/config/ssh/root/
total 20
-rw------- 1 root root 393 Jan 17 18:13 authorized_keys
-rw------- 1 root root  86 May  4  2021 config
-rw------- 1 root root 192 May  4  2021 known_hosts
-rw------- 1 root root 387 May  4  2021 unraidbackup_id_ed25519
-rw------- 1 root root  82 May  4  2021 unraidbackup_id_ed25519.pub
root@Unraid:~#

 

Is there anything else I forgot? Do I have to edit /etc/ssh/sshd_conf or is  .ssh/authorized_keys for AuthorizedKeysFile okay? Is "/etc/rc.d/rc.sshd restart" enough or do I have to reboot my Unraid so passwordless login will start to work?

Link to comment

Hmm, I am not sure if I understand you right, but the private key I generated along with the pub key is on my PC and I am using it in mobaxterm to log in to Unraid. The pub key I have copy&pasted into the authorized_keys file.

 

I used MobaKeyGen to generate the public and private key.

 

I haven't had these issues with our servers so far?!

Link to comment

Ah, you need to rename the public key unraidbackup_id_ed25519.pub to authorized_keys

then you can delete the private key from Unraid

I thought you were trying to ssh to other servers from Unraid. My case uses both hence the authorized_keys and id_rsa files

 

In a nutshell
 

* Generate private and public keys
* on the server you are going to access, append the public key to authorized_keys file, creating it if it doesn't exist.
The typical location is /root/.ssh/authorized_keys
* make sure the ownership is -rw------- (600)

 

Link to comment
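The steps in the post above as a script, added here as an example and not taken from the thread: it appends one public key to authorized_keys only if that key is not already listed, and sets the directory and file modes. install_pubkey, the scratch paths and the key string are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example; install_pubkey is a constructed helper name.
# install_pubkey <file.pub> <ssh_dir> prints "added" or "already present".
install_pubkey() {
    local pub_file="$1" ssh_dir="$2" auth line blob
    auth="$ssh_dir/authorized_keys"

    # Only the public half belongs on the server.
    if grep -q 'PRIVATE KEY' "$pub_file"; then
        echo "refusing: $pub_file holds private key material" >&2
        return 2
    fi

    # First non-empty line must look like "<type> <base64> [comment]".
    line=$(grep -m1 -v '^[[:space:]]*$' "$pub_file") || return 3
    if ! printf '%s\n' "$line" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'; then
        echo "refusing: not a public key line" >&2
        return 3
    fi
    blob=$(printf '%s\n' "$line" | awk '{print $2}')

    # With StrictModes (sshd default) group/world-writable paths are rejected.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"

    # Append only when this key is not already listed, so repeated runs
    # (for example from a boot script) never grow the file.
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$line" >> "$auth"
        echo "added"
    fi
}

# Constructed demo: placeholder key in a scratch directory, installed twice.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA constructed@example' > "$demo/id.pub"
install_pubkey "$demo/id.pub" "$demo/.ssh"
install_pubkey "$demo/id.pub" "$demo/.ssh"
rm -rf "$demo"
```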

Why do I have to rename unraidbackup_id_ed25519.pub if I already have created authorized_keys with my public key in it?

 

According to /root/.ssh/config the key pair unraidbackup_id_ed25519 belongs to backup.unraid.net. Sounds to me like something the MyServer plugin created?!

 

Sorry, all still a bit unclear to me.... 🙈

Edited by monarc
Link to comment

My mistake, I'm not using any of the unraid.net services and I missed the authorized_keys files

Are you able to generate logs or diagnostics from your client?

I simply use the builtin ssh client in Windows, Mac and Linux all the time so I usually just run it with ssh -v to see why ssh client is being made to do password authentication.

Link to comment

The key type and bits depend on your needs, but the simplest command is
 

ssh-keygen -C "comment so you know which key this is" -f path/to/private_key -m pem -N ""

 

This creates the keypair /tmp/mykey and /tmp/mykey.pub using the rsa format (with 1024 bits I think)

`-C "comment"` adds a comment at the end of the public key so you can tell which public key it is later on.
`-N ""` specifies an empty passphrase which is used to encrypt/decrypt the private key (This could be used to "safely" store the private key in certain places)
`-m pem` is a function for interoperability of the private key with older ssh implementations (if it works without for you then you can skip specifying it)

You can specify `-t ecdsa` or `-t ed25519` to use those key formats if needed.

Link to comment
