monarc Posted January 20, 2022

Sorry guys, but I haven't had problems with this on any other of my servers. I don't know what I'm doing wrong. Would someone be so nice and please write a step-by-step guide for setting up Unraid with SSH keys so login is possible without a simple password? Thanks in advance. Much appreciated.
georgez Posted August 6, 2022

On 1/20/2022 at 5:23 PM, monarc said:
> Sorry guys, but I haven't had problems with this on any other of my servers. I don't know what I'm doing wrong. Would someone be so nice and please write a step-by-step guide for setting up Unraid with SSH keys so login is possible without a simple password? Thanks in advance. Much appreciated.

I know there are better solutions than mine, but since you ask, I'd like to share my own solution, step by step. If you want a very simple solution (with a minor issue), you may skip to the end and read the P.S. section.

The key point of using an SSH client without a password is the file '~root/.ssh/authorized_keys'. My solution is to create a folder to save it and restore it on the next boot.

1. Create a folder on the UnRAID flash. I use /boot/config/misc/ssh:

    mkdir -p /boot/config/misc/ssh

   I'll put the setup scripts and SSH keys in this folder.

2. Copy the current client keys into the above folder:

    cp /root/.ssh/authorized_keys /boot/config/misc/ssh/

3. Also copy UnRAID's SSH client keys (so I can ssh from UnRAID to other servers without a password). My key files have the names id_rsa and id_rsa.pub:

    cp /root/.ssh/id* /boot/config/misc/ssh/

4. Create a script to copy these files back into root's .ssh folder on the next boot. I created the file /boot/config/misc/ssh/setup_ssh_client.sh, contents shown below:

    #!/bin/bash
    SSH_DIR=/root/.ssh

    # Recreate root's .ssh directory (the root filesystem is rebuilt at boot)
    mkdir -p ${SSH_DIR}
    chmod 750 ${SSH_DIR}

    # Restore the saved keys from the flash drive
    cp /boot/config/misc/ssh/authorized_keys ${SSH_DIR}/
    cp /boot/config/misc/ssh/id_rsa ${SSH_DIR}/
    cp /boot/config/misc/ssh/id_rsa.pub ${SSH_DIR}/

    # Keep authorized_keys and the private key readable by root only
    chmod 600 ${SSH_DIR}/authorized_keys
    chmod 600 ${SSH_DIR}/id_rsa

   The script simply creates /root/.ssh (if it doesn't exist), and then copies all the keys I saved earlier into it.

5. Now I need to find a way to let my script run during the next boot. The script '/boot/config/go' is executed at the very end of the bootstrap, so it's an ideal place to start my script. I modified it and added the following lines at the end:

    cp /boot/config/misc/ssh/setup_ssh_client.sh /tmp/
    chmod a+x /tmp/setup_ssh_client.sh
    /tmp/setup_ssh_client.sh

   Note: since the scripts on /boot can't be executed, I have to copy it to /tmp to run.

6. Done. To test if the above settings work, erase the current /root/.ssh folder (back it up first if you want), and then manually enter the commands in step 5 one by one. Your .ssh folder should be restored, otherwise something's wrong in the above procedures.

From now on, each time /root/.ssh/authorized_keys is changed, I need to redo step 2 to copy it back to the flash. Fortunately I don't have to do this often because the clients don't change frequently.

P.S. AFAIK, there's a very simple way to accomplish 'ssh to UnRAID without password': create a folder on flash, say /boot/config/ssh_keys, then make /root/.ssh a symbolic link to the folder. That's as easy as adding a line in /boot/config/go:

    ln -s /boot/config/ssh_keys /root/.ssh

and it's done. But it has a minor issue: when you issue rsync commands from UnRAID, you may get some errors as shown below:

    hostfile_replace_entries: link /root/.ssh/known_hosts to /root/.ssh/known_hosts.old: Operation not permitted
    update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted

The rsync will still run though. I just don't like these error messages, so I prefer my way.

Edited August 6, 2022 by georgez
BRiT Posted August 6, 2022

No need for all those complicated steps at all. As already posted, support for this is built into unraid since 6.9.2. I suggest reading and comprehending the following post:
jazzy192 Posted August 17, 2022

Hello, I followed Spaceinvader One's great video for this, but when I try and upload it to my server with ssh-copy-id [email protected] it asks for my root password, which I assume is the web GUI login, but it doesn't work? I don't have an ssh password set up for Unraid yet as this is what I'm trying to do. Any ideas?
BRiT Posted August 17, 2022

I suggest you READ the previous post.
Tuumke Posted September 18, 2022

It seems to work to log in with a key. I removed the password in my entry and only used the authorized_keys line in the sshd_config. But for some reason, even after changing

    PasswordAuthentication yes
    PermitEmptyPasswords yes

to

    PasswordAuthentication no
    PermitEmptyPasswords no

and executing

    /etc/rc.d/rc.sshd stop
    /etc/rc.d/rc.sshd start

from the GUI web terminal, I can still log in with a password only...

-edit- Just rebooted the machine. On boot I can still log in with just root+password (had copied the sshd_config file to /boot/config/ssh/).

-edit2- Seem to have fixed it: Change

    # Change to no to disable s/key passwords
    #KbdInteractiveAuthentication no

to

    # Change to no to disable s/key passwords
    KbdInteractiveAuthentication no

Edited September 21, 2022 by Tuumke: fixed
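Why the first change in the post above was not enough, as an added example that is not part of the original post: a commented-out `#KbdInteractiveAuthentication no` leaves the upstream OpenSSH default (`yes`) in force, so a password prompt is still offered. The function names are made up for this example, and it assumes upstream defaults and a config without `Match` blocks or `Include` files.

```shell
#!/bin/bash
# Added example, not from the thread: list the password-style login methods
# that an sshd_config file still leaves enabled.
# Assumptions: upstream OpenSSH defaults (vendor builds may differ); Match
# blocks and Include files are not evaluated.

# effective_value FILE 'name1|name2' DEFAULT
# Prints the value sshd would use: the first uncommented occurrence of the
# keyword wins, and a line starting with '#' leaves the default in force.
effective_value() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        {
            gsub(/=/, " ")        # accept the "Keyword=value" form
            if (tolower($1) ~ ("^(" want ")$") && $2 != "") {
                print tolower($2); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# password_paths FILE
# Prints one line per setting that still lets a password be typed at login.
password_paths() {
    f=$1
    pw=$(effective_value "$f" 'passwordauthentication' yes)
    # ChallengeResponseAuthentication is the deprecated alias of this keyword.
    kbd=$(effective_value "$f" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    empty=$(effective_value "$f" 'permitemptypasswords' no)
    if [ "$pw" = yes ]; then echo "PasswordAuthentication"; fi
    if [ "$kbd" = yes ]; then echo "KbdInteractiveAuthentication"; fi
    if [ "$empty" = yes ]; then echo "PermitEmptyPasswords"; fi
    return 0
}

# Constructed sample: the state described in the post before its last edit.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'PasswordAuthentication no' 'PermitEmptyPasswords no' \
        '#KbdInteractiveAuthentication no' >"$tmp"
    password_paths "$tmp"
    rm -f "$tmp"
}
demo   # prints: KbdInteractiveAuthentication
```

On a live server, `sshd -T` prints the effective configuration sshd computes from the file, which is the authoritative check.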
Sanduleak Posted December 7, 2022

Hi guys. A few years ago I followed this thread to be able to automatize the backup of different servers in my local network. Everything was working great until I updated one of my servers from Unraid 6.9.2 to 6.11.5. I have a cron job that backs up some folders from this unraid machine to a Synology, and suddenly that job doesn't work anymore. The command used is:

    rsync -av -e "ssh -i /root/.ssh/synokey" '/mnt/user/Podcasts' "[email protected]:'/volume1/Discoteca/Podcast/'" --progress

The error I get is:

    hostfile_replace_entries: link /root/.ssh/known_hosts to /root/.ssh/known_hosts.old: Operation not permitted
    update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted
    sending incremental file list
    rsync: mkdir "/volume1/homes/Backup/'/volume1/Discoteca/Podcast/'" failed: No such file or directory (2)
    rsync error: error in file IO (code 11) at main.c(689) [Receiver=3.1.2]

Other unraid servers in my network can back up to and from the Synology without problems using the same keys, not sure what I am doing wrong. If you need any more info please feel free to ask. I feel like I was hammering my head against a wall.
ICDeadPpl Posted December 7, 2022

1 hour ago, Sanduleak said:
> Hi guys. A few years ago I followed this thread to be able to automatize the backup of different servers in my local network. Everything was working great until I updated one of my servers from Unraid 6.9.2 to 6.11.5. I have a cron job that backs up some folders from this unraid machine to a Synology, and suddenly that job doesn't work anymore. The command used is:
>
>     rsync -av -e "ssh -i /root/.ssh/synokey" '/mnt/user/Podcasts' "[email protected]:'/volume1/Discoteca/Podcast/'" --progress
>
> The error I get is:
>
>     hostfile_replace_entries: link /root/.ssh/known_hosts to /root/.ssh/known_hosts.old: Operation not permitted
>     update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted
>     sending incremental file list
>     rsync: mkdir "/volume1/homes/Backup/'/volume1/Discoteca/Podcast/'" failed: No such file or directory (2)
>     rsync error: error in file IO (code 11) at main.c(689) [Receiver=3.1.2]
>
> Other unraid servers in my network can back up to and from the Synology without problems using the same keys, not sure what I am doing wrong. If you need any more info please feel free to ask. I feel like I was hammering my head against a wall.

Try running the following command on both hosts:

    ssh-keyscan -H TARGET_HOST >> ~/.ssh/known_hosts
Sanduleak Posted December 7, 2022

6 hours ago, ICDeadPpl said:
> Try running the following command on both hosts:
>
>     ssh-keyscan -H TARGET_HOST >> ~/.ssh/known_hosts

I have tried that before, but tried it again just in case. In Unraid the result I get is:

    # 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
    # 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
    # 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
    # 192.168.2.31:22 SSH-2.0-OpenSSH_8.2
    # 192.168.2.31:22 SSH-2.0-OpenSSH_8.2

When I try the command on the Synology it returns an error. I assume that is due to the different internal structure of both systems. After that I try again:

    rsync -av -e "ssh -i /root/.ssh/synokey" '/mnt/user/Podcasts' "[email protected]:'/volume1/Discoteca/Podcast/'" --progress

And the error I get is a bit different:

    sending incremental file list
    rsync: mkdir "/volume1/homes/Backup/'/volume1/Discoteca/Podcast/'" failed: No such file or directory (2)
    rsync error: error in file IO (code 11) at main.c(689) [Receiver=3.1.2]

And again I'm stuck. Of course my other unraid servers can rsync from and to the Synology without problems, it is just this one. Not sure if I am correct, but the line "sending incremental file list" makes me think that the connection is really there but the problem starts when rsync starts the transfer. Does that make any sense? Thanks a lot for your help...
Meldrak Posted December 14, 2022

Is an RSA key still supported for authentication? Because I have in my logs:

    userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

I tried to add

    PubkeyAcceptedKeyTypes +ssh-rsa

in sshd_config, but still no ssh-rsa after:

    root@MNAS:/boot/config/ssh# sshd -T | grep -i ssh-rsa
    root@MNAS:/boot/config/ssh#
    root@MNAS:/boot/config/ssh# ssh -Q PubkeyAcceptedAlgorithms | grep ssh-rsa
    ssh-rsa
    [email protected]
neurocis Posted January 12

This worked for me: in /boot/config/ssh/sshd_conf added:

    HostKeyAlgorithms=ssh-rsa,[email protected]
    PubkeyAcceptedAlgorithms=+ssh-rsa,[email protected]

Either reboot or "cp /boot/config/ssh/sshd_conf /etc/ssh/" and restart sshd.

Ref: https://unix.stackexchange.com/questions/674582/how-to-enable-ssh-rsa-in-sshd-of-openssh-8-8

Edit: I also just noticed on my secondary system that in sshd_conf I had to enable PubkeyAuthentication as it was #commented:

    PubkeyAuthentication yes

Edit+: Additionally, if you are desiring to sign in as an alternate user to root, do not forget to set up their home directory & shell in /boot/config/passwd and /etc/passwd

Edited January 12 by neurocis
JonathanM Posted January 12

10 hours ago, neurocis said:
> if you are desiring to sign in as an alternate user to root,

The correct answer to this is to set up a VM environment with all the appropriate tools and such. Unraid is NOT designed to be used as a general multipurpose linux box, it's an appliance with limited command line tools. Only root is allowed access to the command line. I know you can force it to do things it's not designed to do, but you will be fighting an uphill battle with each update possibly breaking your workarounds. Much better to let the Unraid OS be an appliance and host your containers, VM's and storage. Set up a VM as your daily driver.
BBoYTuRBo Posted February 10

Okay, I am completely baffled. Everything was working fine until a few days ago. I'm not aware of anything I changed on the server. No added plugins or anything, no updates. But now whenever I try to connect from anywhere with my SSH key, it fails and asks for a password. At this point I'd be fine with wiping out my configuration and generating new keys if it would get things working (which I tried, unsuccessfully). I manage 2 unRAID servers, and this happened on both of them, and it happens from any client I try to connect with, and also happens trying to connect from unRAID server 1 to server 2 (and vice versa).

Here is the output from an ssh -v attempt:

    OpenSSH_9.1p1, OpenSSL 1.1.1s 1 Nov 2022
    debug1: Reading configuration data /root/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug1: Connecting to remote-server [remote-server] port 22.
    debug1: Connection established.
    debug1: identity file /root/.ssh/id_rsa type 0
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa_sk type -1
    debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: identity file /root/.ssh/id_ed25519_sk type -1
    debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /root/.ssh/id_xmss type -1
    debug1: identity file /root/.ssh/id_xmss-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_9.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_9.1
    debug1: compat_banner: match: OpenSSH_9.1 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to remote-server:22 as 'root'
    debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: [email protected]
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:vxx/X/xxxxxXXX#xXXX#xxxxxxxxxxxxxxxxxxxxxxx
    debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host 'remote-server' is known and matches the ED25519 host key.
    debug1: Found key in /root/.ssh/known_hosts:14
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:xx/X/xxxxxXXX#xXXX#xxxxxxxxxxxxxxxxxxxxxxx
    debug1: Will attempt key: /root/.ssh/id_ecdsa
    debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
    debug1: Will attempt key: /root/.ssh/id_ed25519
    debug1: Will attempt key: /root/.ssh/id_ed25519_sk
    debug1: Will attempt key: /root/.ssh/id_xmss
    debug1: Will attempt key: /root/.ssh/id_dsa
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
    debug1: kex_input_ext_info: [email protected]=<0>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:vxx/X/xxxxxXXX#xXXX#xxxxxxxxxxxxxxxxxxxxxxx
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug1: Trying private key: /root/.ssh/id_ecdsa_sk
    debug1: Trying private key: /root/.ssh/id_ed25519
    debug1: Trying private key: /root/.ssh/id_ed25519_sk
    debug1: Trying private key: /root/.ssh/id_xmss
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    (root@remote-server) Password:

Could someone list the steps for the current unRAID version, 6.11.5, to set up passwordless SSH key access from scratch, including the key generation command?

Edited February 10 by BBoYTuRBo
JorgeB Posted February 10

17 minutes ago, BBoYTuRBo said:
> Everything was working fine until a few days ago.

Do you have the parity check tuning plugin? There was another report that it might have changed permissions.
BBoYTuRBo Posted February 10

14 minutes ago, JorgeB said:
> Do you have the parity check tuning plugin?

I do. And it looks like it was updated 02/08, which would be around the time my problems started. I guess I'll try removing it and rebooting?

Edited February 10 by BBoYTuRBo
JorgeB Posted February 10

6 minutes ago, BBoYTuRBo said:
> I guess I'll try removing it and rebooting?

Not sure just removing will fix it, but it might, try it.
itimpi Posted February 10

43 minutes ago, JorgeB said:
> Do you have the parity check tuning plugin? There was another report that it might have changed permissions.

If this plugin is changing permissions during its install can you point me to where they are getting changed? That would mean there was a mistake made when building the plugin that needs correcting and the plugin re-issuing. I checked on my system and I cannot spot any that have changed.
BBoYTuRBo Posted February 10

I didn't see any changes to the permissions of anything in my ~/.ssh folder/files, but after removing the plugin and rebooting I am able to connect with my SSH keys again.
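A check that covers more than ~/.ssh when keys are suddenly refused, as an added example that is not part of the original posts: with StrictModes enabled, sshd also examines the ownership and modes of the directories above authorized_keys. The function name is made up for this example; it assumes GNU or BusyBox `stat` and `readlink`, and it only approximates sshd's own check.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes GNU/BusyBox stat and readlink.
# Approximates the sshd StrictModes path check: symlinks are resolved first,
# then the file and every directory above it are examined until the user's
# home directory or / is reached.

# unsafe_components FILE HOME_DIR [UID]
# Prints one line per component that is writable by group/others or owned by
# someone other than UID or root. No output means nothing was flagged.
unsafe_components() {
    p=$(readlink -f "$1") || return 2
    home=$(readlink -f "$2") || return 2
    uid=${3:-$(id -u)}
    while :; do
        mode=$(stat -c '%a' "$p") || return 2
        owner=$(stat -c '%u' "$p") || return 2
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: mode $mode is writable by group or others"
        fi
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "$p: owned by uid $owner"
        fi
        if [ "$p" = "$home" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return 0
}

# Constructed demo tree: .ssh and authorized_keys look fine, but the home
# directory itself has become group-writable.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/.ssh"
    : >"$d/root/.ssh/authorized_keys"
    chmod 600 "$d/root/.ssh/authorized_keys"
    chmod 700 "$d/root/.ssh"
    chmod 775 "$d/root"
    unsafe_components "$d/root/.ssh/authorized_keys" "$d/root"
    rm -rf "$d"
}
demo
```

When /root/.ssh is a symbolic link to a folder outside the home directory, the resolved path never passes through the home directory, so the walk continues up to `/` and every directory on the way is checked.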
JorgeB Posted February 10

50 minutes ago, itimpi said:
> If this plugin is changing permissions during its install can you point me to where they are getting changed?

I don't know what's being changed, but there was another report about it, in the plugin support thread.
itimpi Posted February 10

12 minutes ago, JorgeB said:
> What don't know what's being changed, but there was another report about it, in the plugin support thread.

Just spotted that post. I have compared permissions on a server with the plugin installed and one without it and cannot spot any difference in permissions anywhere along the path it uses. I will have to wait and see if anyone else can pin it down further. I guess I could simply rebuild the plugin package and reissue it but that seems a bit pointless if I have not changed anything.
b0m541 Posted February 10

6 hours ago, JorgeB said:
> I don't know what's being changed, but there was another report about it, in the plugin support thread.

same problem here since Parity Check Tuning plugin got updated
Tuumke Posted February 11

I haven't updated the parity check tuning plugin (still on 2022.12.05) and also have the issue of not being able to log in anymore.

-edit- Also, when trying to update that plugin:

    plugin: updating: parity.check.tuning.plg
    plugin: downloading: parity.check.tuning-2023.02.10.txz ...
    plugin: parity.check.tuning-2023.02.10.txz download failure: Invalid URL / Server error response
    Executing hook script: post_plugin_checks

-edit2- A reboot of the system resolved it for me (not having updated the plugin). Don't think it's related to the plugin.

-edit-3 Come to think of it, I think I was trying to SSH into my VM which wasn't powered on... So not 100% sure with the above.

Edited February 14 by Tuumke
BiLKiNiS Posted July 19

I think now with 6.12 all you need to do is copy your public key into the input named "SSH authorized keys" on the users tab for the root user and then save. This should add the key to the authorized list or create the file if it doesn't exist.