Passwordless SSH login



Sorry guys, but I haven't had problems with this on any of my other servers. I don't know what I'm doing wrong. Would someone be so nice as to write a step-by-step guide for setting up Unraid with SSH keys so login is possible without a simple password?

 

Thanks in advance. Much appreciated.

Link to comment
  • 6 months later...
On 1/20/2022 at 5:23 PM, monarc said:

Sorry guys, but I haven't had problems with this on any of my other servers. I don't know what I'm doing wrong. Would someone be so nice as to write a step-by-step guide for setting up Unraid with SSH keys so login is possible without a simple password?

 

Thanks in advance. Much appreciated.

 

I know there are better solutions than mine, but since you ask, I'd like to share my own solution, step by step. If you want a very simple solution (with minor issue), you may skip to the end and read the P.S. section.

 

The key point of using SSH client without a password is the file '~root/.ssh/authorized_keys', my solution is to create a folder to save it and restore it in the next boot.

 

1. Create a folder on the UnRAID flash, I use /boot/config/misc/ssh

 

mkdir -p /boot/config/misc/ssh

 

    I'll put the setup scripts and SSH keys in this folder.
    
2. Copy the current client keys into the above folder:

 

cp /root/.ssh/authorized_keys /boot/config/misc/ssh/

    
3. Also copy the UnRAID's SSH client keys (so I can ssh from UnRAID to other servers without password), my key files have the names id_rsa, id_rsa.pub:

 

cp /root/.ssh/id* /boot/config/misc/ssh/

    
4. Create a script to copy these files back into root's .ssh folder in the next boot, I create a file /boot/config/misc/ssh/setup_ssh_client.sh, contents shown below:

 

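#!/bin/bash
# Restore root's SSH keys from the flash drive after boot.

SSH_DIR=/root/.ssh
mkdir -p "${SSH_DIR}"
chmod 750 "${SSH_DIR}"

# Copy the saved authorized_keys and the client key pair back.
cp /boot/config/misc/ssh/authorized_keys "${SSH_DIR}/"
cp /boot/config/misc/ssh/id_rsa "${SSH_DIR}/"
cp /boot/config/misc/ssh/id_rsa.pub "${SSH_DIR}/"

# Restrict authorized_keys and the private key to root.
chmod 600 "${SSH_DIR}/authorized_keys"
chmod 600 "${SSH_DIR}/id_rsa"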

    
    The script simply creates the /root/.ssh (if it doesn't exist), and then copies all the keys I saved earlier into it.
    
5. Now I need to find a way to let my script run during the next boot, the script '/boot/config/go' is executed at the very end of the bootstrap, so it's an ideal place to start my script, I modified it and added the following lines at the end:

 

cp /boot/config/misc/ssh/setup_ssh_client.sh /tmp/
chmod a+x /tmp/setup_ssh_client.sh
/tmp/setup_ssh_client.sh

 

    Note: since the scripts on /boot can't be executed, I have to copy it to /tmp to run.

 

6. Done.

 

To test if the above settings work, erase the current /root/.ssh folder (back it up first if you want), and then manually enter the commands in step 5 one by one. Your .ssh folder should be restored; otherwise something's wrong in the above procedures.

From now on, each time /root/.ssh/authorized_keys is changed, I need to redo step 2 to copy it back to the flash. Fortunately I don't have to do this often because the clients don't change frequently.

 

P.S. AFAIK, there's a very simple way to accomplish 'ssh to UnRAID without password', create a folder on flash, say /boot/config/ssh_keys, then make /root/.ssh a symbolic link to the folder, that's as easy as adding a line in /boot/config/go:

 

ln -s /boot/config/ssh_keys /root/.ssh

 

and it's done. But it has a minor issue, when you issue rsync commands from UnRAID, you may get some errors as shown below:

 

hostfile_replace_entries: link /root/.ssh/known_hosts to /root/.ssh/known_hosts.old: Operation not permitted
update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted

 

the rsync will still run though. I just don't like these error messages, so I prefer my way.

Edited by georgez
Link to comment
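A check that can be run after the restore script in the post above, added here as an example and not part of the original post: it applies the mode rules that sshd's StrictModes and the ssh client enforce to a .ssh directory. The function names mode_has and audit_ssh_dir are hypothetical, GNU stat is assumed, and the demo tree is constructed.

```shell
#!/bin/bash
# Added example (not from the thread): check a restored ~/.ssh the way sshd's
# StrictModes and the ssh client do, so a bad mode is caught before key login
# falls back to a password prompt. Assumes GNU stat (stat -c), as on Linux.

# mode_has PATH MASK: true if any permission bit in octal MASK is set on PATH.
mode_has() {
    [ $(( 0$(stat -c %a "$1") & 0$2 )) -ne 0 ]
}

# audit_ssh_dir DIR: print one line per problem; print nothing when clean.
audit_ssh_dir() {
    local dir=$1 p key
    # sshd (StrictModes yes) rejects authorized_keys when the file, ~/.ssh or
    # the home directory is writable by group or others.
    for p in "$(dirname "$dir")" "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; continue; }
        if mode_has "$p" 022; then echo "group/other-writable: $p"; fi
    done
    # The ssh client refuses a private key that group or others can access.
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        if mode_has "$key" 077; then echo "private key too open: $key"; fi
    done
    return 0
}

# Constructed demo tree standing in for /root and /root/.ssh.
home=$(mktemp -d)/root
mkdir -p "$home/.ssh"
touch "$home/.ssh/authorized_keys" "$home/.ssh/id_rsa" "$home/.ssh/id_rsa.pub"
chmod 700 "$home"; chmod 750 "$home/.ssh"
chmod 600 "$home/.ssh/authorized_keys" "$home/.ssh/id_rsa"
chmod 644 "$home/.ssh/id_rsa.pub"
echo "modes as set by the restore script: $(audit_ssh_dir "$home/.ssh" | wc -l) problem(s)"

# Loosen two files to show what the audit reports.
chmod 664 "$home/.ssh/authorized_keys"; chmod 644 "$home/.ssh/id_rsa"
audit_ssh_dir "$home/.ssh"
rm -rf "$(dirname "$home")"
```

On a real server the call would be audit_ssh_dir /root/.ssh, placed after the restore lines in /boot/config/go.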
  • 2 weeks later...
  • 1 month later...

It seems to work to login with a key. I removed the password in my entry and only selected used the authorized_keys line in the sshd_config. But for some reason, even after changing

PasswordAuthentication yes
PermitEmptyPasswords yes

to

PasswordAuthentication no
PermitEmptyPasswords no

 

and executing a

Quote

/etc/rc.d/rc.sshd stop

/etc/rc.d/rc.sshd start

from the GUI web terminal, I can still login with a password only...

 

-edit-

Just rebooted the machine. On boot I can still login with just root+password (had copied the sshd_config file to /boot/config/ssh/).

 

-edit2-

Seem to have fixed it:

Change

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication no

to

# Change to no to disable s/key passwords
KbdInteractiveAuthentication no

 

Edited by Tuumke
fixed
Link to comment
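The behaviour described in the post above, as an added example that is not part of the original post: a small parser that reports which login methods in an sshd_config can still end in a password prompt, including the case where the KbdInteractiveAuthentication line is only present as a comment. The function names effective_value and password_paths are hypothetical, the sample config is constructed, and only the global section (before any Match block) is read.

```shell
#!/bin/bash
# Added example (not from the thread): list the login methods in an sshd_config
# that can still end in a password prompt. Defaults follow sshd_config(5).

# effective_value FILE KEYWORD_REGEX DEFAULT
# sshd uses the first uncommented occurrence of a keyword, case-insensitively.
# Only the global section is read: parsing stops at the first Match block.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { val = def }
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, "") }
        tolower($1) == "match" { exit }
        !seen {
            n = split($0, kv, /[ \t=]+/)
            if (n >= 2 && tolower(kv[1]) ~ ("^(" key ")$")) { val = tolower(kv[2]); seen = 1 }
        }
        END { print val }
    ' "$1"
}

# password_paths FILE: print each method that still accepts a typed password.
password_paths() {
    # PasswordAuthentication defaults to yes.
    [ "$(effective_value "$1" 'passwordauthentication' yes)" = no ] || echo password
    # KbdInteractiveAuthentication also defaults to yes, so a commented-out
    # "#KbdInteractiveAuthentication no" leaves it enabled.
    # ChallengeResponseAuthentication is the older name for the same option.
    [ "$(effective_value "$1" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)" = no ] \
        || echo keyboard-interactive
    return 0
}

# Constructed sample: the state described before "-edit2-" in the post above.
before=$(mktemp)
cat > "$before" <<'EOF'
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#KbdInteractiveAuthentication no
EOF
echo "before -edit2-: $(password_paths "$before" | tr '\n' ' ')"

# The same file with the line uncommented, as in "-edit2-".
after=$(mktemp)
sed 's/^#KbdInteractiveAuthentication/KbdInteractiveAuthentication/' "$before" > "$after"
echo "after  -edit2-: $(password_paths "$after" | tr '\n' ' ')"
rm -f "$before" "$after"
```

The running daemon's view can be compared with the output of sshd -T, which prints the effective configuration including defaults.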
  • 2 months later...

Hi guys.

 

A few years ago I followed this thread to be able to automatize the backup of different servers in my local network, everything was working great until I updated one of my servers from Unraid 6.9.2 to 6.11.5.

 

I have a cron job that backs up some folders from this unraid machine to a Synology, and suddenly that job doesn't work anymore, the command used is:

 

rsync -av -e "ssh -i /root/.ssh/synokey" '/mnt/user/Podcasts' "[email protected]:'/volume1/Discoteca/Podcast/'"  --progress

 

The error I get is:

 

hostfile_replace_entries: link /root/.ssh/known_hosts to /root/.ssh/known_hosts.old: Operation not permitted
update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted
sending incremental file list
rsync: mkdir "/volume1/homes/Backup/'/volume1/Discoteca/Podcast/'" failed: No such file or directory (2)
rsync error: error in file IO (code 11) at main.c(689) [Receiver=3.1.2]

 

Other unraid servers in my network can backup to and from the synology without problems using the same keys, not sure what am I doing wrong.

 

If you need any more info please feel free to ask, I feel like I was hammering my head against a wall.

Link to comment
1 hour ago, Sanduleak said:

Hi guys.

 

A few years ago I followed this thread to be able to automatize the backup of different servers in my local network, everything was working great until I updated one of my servers from Unraid 6.9.2 to 6.11.5.

 

I have a cron job that backs up some folders from this unraid machine to a Synology, and suddenly that job doesn't work anymore, the command used is:

 

rsync -av -e "ssh -i /root/.ssh/synokey" '/mnt/user/Podcasts' "[email protected]:'/volume1/Discoteca/Podcast/'"  --progress

 

The error I get is:

 

hostfile_replace_entries: link /root/.ssh/known_hosts to /root/.ssh/known_hosts.old: Operation not permitted
update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted
sending incremental file list
rsync: mkdir "/volume1/homes/Backup/'/volume1/Discoteca/Podcast/'" failed: No such file or directory (2)
rsync error: error in file IO (code 11) at main.c(689) [Receiver=3.1.2]

 

Other unraid servers in my network can backup to and from the synology without problems using the same keys, not sure what am I doing wrong.

 

If you need any more info please feel free to ask, I feel like I was hammering my head against a wall.

Try running the following command on both hosts:
ssh-keyscan -H TARGET_HOST >> ~/.ssh/known_hosts

Link to comment
6 hours ago, ICDeadPpl said:

Try running the following command on both hosts:
ssh-keyscan -H TARGET_HOST >> ~/.ssh/known_hosts

 

I have tried that before, but tried it again just in case.

 

In Unraid the result I get is:

# 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
# 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
# 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
# 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
# 192.168.2.31:22 SSH-2.0-OpenSSH_8.2

 

When I try the command in the Synology it returns an error, I assume that is due to the different internal structure of both systems.

 

After that I try again

 

rsync -av -e "ssh -i /root/.ssh/synokey" '/mnt/user/Podcasts' "[email protected]:'/volume1/Discoteca/Podcast/'"  --progress

 

And the error I get is a bit different:

 

sending incremental file list
rsync: mkdir "/volume1/homes/Backup/'/volume1/Discoteca/Podcast/'" failed: No such file or directory (2)
rsync error: error in file IO (code 11) at main.c(689) [Receiver=3.1.2]

 

And again I'm stuck.

 

Of course my other unraid servers can rsync from and to the synology without problems, is just this one.

 

Not sure if I am correct but the line "Sending incremental file list" makes me think that the connection is really there but the problem starts when rsync starts the transference, does that make any sense?.

 

Thanks a lot for your help...

Link to comment

is rsa key still supported for authentication? because I have in my logs

 

userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

 

I tried to add PubkeyAcceptedKeyTypes +ssh-rsa in sshd_config, but still no ssh-rsa after

 

root@MNAS:/boot/config/ssh# sshd -T | grep -i ssh-rsa
root@MNAS:/boot/config/ssh# 
root@MNAS:/boot/config/ssh# ssh -Q PubkeyAcceptedAlgorithms | grep ssh-rsa
ssh-rsa
[email protected]


 

Link to comment
  • 4 weeks later...

This worked for me:

 

in /boot/config/ssh/sshd_conf added:

 

HostKeyAlgorithms=ssh-rsa,[email protected]
PubkeyAcceptedAlgorithms=+ssh-rsa,[email protected]

 

Either reboot or "cp /boot/config/ssh/sshd_conf /etc/ssh/" and restart sshd.

 

Ref: https://unix.stackexchange.com/questions/674582/how-to-enable-ssh-rsa-in-sshd-of-openssh-8-8

 

Edit:

I also just noticed on my secondary system that in sshd_conf I had to enable PubkeyAuthentication as it was #commented :

 

PubkeyAuthentication yes

 

Edit+:

Additionally, if you are desiring to sign in as an alternate user to root, do not forget to setup their home directory & shell in /boot/config/passwd and /etc/passwd

 

Edited by neurocis
Link to comment
10 hours ago, neurocis said:

if you are desiring to sign in as an alternate user to root,

The correct answer to this is to set up a VM environment with all the appropriate tools and such.

 

Unraid is NOT designed to be used as a general multipurpose linux box, it's an appliance with limited command line tools. Only root is allowed access to the command line.

 

I know you can force it to do things it's not designed to do, but you will be fighting an uphill battle with each update possibly breaking your workarounds. Much better to let the Unraid OS be an appliance and host your containers, VM's and storage. Set up a VM as your daily driver.

Link to comment
  • 4 weeks later...

Okay, I am completely baffled. Everything was working fine until a few days ago. I'm not aware of anything I changed on the server. No added plugins or anything, no updates. But now whenever I try to connect from anywhere with my SSH key, it fails and asks for a password. At this point I'd be fine with wiping out my configuration and generating new keys if it would get things working (which I tried, unsuccessfully).

 

I manage 2 unRAID servers, and this happened on both of them, and it happens from any client I try to connect with, and also happens trying to connect from unRAID server 1 to server 2 (and vice versa).

 

Here is the output from an ssh -v attempt:

 

OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to remote-server [remote-server] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.1
debug1: compat_banner: match: OpenSSH_9.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to remote-server:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:vxx/X/xxxxxXXX#xXXX#xxxxxxxxxxxxxxxxxxxxxxx
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'remote-server' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:14
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:xx/X/xxxxxXXX#xXXX#xxxxxxxxxxxxxxxxxxxxxxx
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:vxx/X/xxxxxXXX#xXXX#xxxxxxxxxxxxxxxxxxxxxxx
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
(root@remote-server) Password:


Could someone list the steps for the current unRAID version, 6.11.5, to set up passwordless SSH key access from scratch, including the key generation command?

Edited by BBoYTuRBo
Link to comment
43 minutes ago, JorgeB said:

Do you have the parity check tuning plugin? There was another report that it might have changed permissions.

If this plugin is changing permissions during its install can you point me to where they are getting changed?  That would mean there was mistake made when building the plugin that needs correcting and the plugin re-issuing.  I checked on my system and I cannot spot any that have changed.

Link to comment
12 minutes ago, JorgeB said:

What don't know what's being changed, but there was another report about it, in the plugin support thread.

Just spotted that post.

 

I have compared permissions on a server with the plugin installed and one without it and cannot spot any difference in permissions anywhere along the path it uses.  I will have to wait and see if anyone else can pin it down further.  I guess I could simply rebuild the plugin package and reissue it but that seems a bit pointless if I have not changed anything.

Link to comment

I haven't updated the parity check tuning plugin (still on 2022.12.05) and also have the issue of not being able to login anymore

-edit-

 

Also, when trying to update that plugin:
plugin: updating: parity.check.tuning.plg
plugin: downloading: parity.check.tuning-2023.02.10.txz ...
plugin: parity.check.tuning-2023.02.10.txz download failure: Invalid URL / Server error response
Executing hook script: post_plugin_checks

 

-edit2-

a reboot of the system resolved it for me (not having updated the plugin). Don't think it's related to the plugin

 

-edit-3

Come to think of it, I think I was trying to SSH into my VM which wasn't powered on... So not 100% sure with the above

Edited by Tuumke
Link to comment
  • 5 months later...
  • 2 months later...

Putting the SSH key in "Users" in the GUI has worked for me for sshing into the unraid server.

But.... what if I need to go the other way around?  I want to ssh from my unraid server to another host. Very simply:

unraid$ ssh user@my_machine 'ls -al'

"my_machine" isn't a problem, it has the public key.  But will unraid lose the id_pub files in /root/.ssh on reboot?

Even better, I've taken to using a config file on my other machine.  I can specify hostname by IP Address if so desired, set up alias, specify username, etc.   It has really simplified my life.   Will /root/.ssh/config survive a reboot?

(I know I could try it, but I'm in the middle of building parity - it'll be a while before I can test it.)
 

 

Link to comment

Guys,

There is a command (use_ssl no or yes) to enable or disable SSL/TLS on UNRAID's Management Access.

Does anyone know if there is something similar to change USE_SSH= to "yes" or "no" inside /usr/local/emhttp/state/var.ini

And enable or disable SSH within the system?

Additionally, I'll try to edit use_ssl .ini to change USE_SSH.

Thank you!

Link to comment
