configuring key-only ssh access


tuxbass


What's the _unraid way_ of turning on key-only login access to unraid host?

Can see there are some set of keys in /boot/config/ssh but there's no sshd_config found under /boot to enforce their usage. Why are there keys under boot/config/ssh to begin with if they're not used?

 

Just to be clear, the goal is to secure ssh access so no bad actor on LAN can wreak havoc.

Link to comment
  • 3 weeks later...
On 10/2/2020 at 2:58 AM, tuxbass said:

Have you configured unraid SSH with key-only? If so, could you walk me through?
 

It should be just like any other SSH config setup. /root/.ssh is a soft link to /boot/config/ssh/root/ .

So inside /boot/config/ssh/root/ , create authorized_keys file via "touch authorized_keys". Then you can copy and paste your info from your local machine's .ssh/id_rsa.pub key file. Remember to use the PUBLIC key file, not the private.

 

Link to comment
  • 3 years later...
  • 4 weeks later...
On 9/22/2020 at 10:16 AM, tuxbass said:

What's the _unraid way_ of turning on key-only login access to unraid host?

Can see there are some set of keys in /boot/config/ssh but there's no sshd_config found under /boot to enforce their usage. Why are there keys under boot/config/ssh to begin with if they're not used?

 

Just to be clear, the goal is to secure ssh access so no bad actor on LAN can wreak havoc.

 

There were two main things that I had to do to make this work across reboots:

  1. The path "/root/.ssh" is a symlink to "/boot/config/ssh/root/" -- so, any keys added to /root/.ssh/authorized_keys should persist across reboots.
  2. Copying "/etc/ssh/sshd_config" to "/boot/config/ssh/sshd_config" and only editing the copy in "/boot/config/ssh/sshd_config".  This way, changes to the sshd_config file should be persistent across reboots as well.

 In my particular case, the actual changes I made to "/boot/config/ssh/sshd_config" were the 3 lines below (which already exist in the file; I just uncommented/changed where needed):

 

PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no

 

Once the changes to "/boot/config/ssh/sshd_config" have been made, you should be able to just restart the SSH daemon via "/etc/rc.d/rc.sshd restart". There's a section in that script that copies the contents from /boot/config/ssh/* over to /etc/ssh/* (minus directories). Search for "sshd_start" in the script to see the actual section that does this.

 

This has worked for me & I've been using this setup for quite some time.

Link to comment
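The procedure in the last post (stage the three directives in /boot/config/ssh/sshd_config, then restart sshd) can be checked before the restart, so a leftover earlier directive or a missing public key does not lock you out. This is an added example, not code from the thread or from Unraid: the function names effective_value and audit_key_only are hypothetical, upstream OpenSSH defaults are assumed for absent keywords, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit a staged sshd_config before restarting sshd.
# Usage: sh audit.sh /boot/config/ssh/sshd_config /root/.ssh/authorized_keys

# Print the value sshd would use for KEYWORD in FILE. sshd takes the first
# uncommented occurrence of a keyword; lines after the first "Match" are conditional.
effective_value() {
    awk -F'[ \t=]+' -v key="$2" '
        /^[ \t]*#/ { next }                       # commented out: not in effect
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }  # trim, tolerate CRLF files
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if CONFIG enforces key-only root login and KEYS holds a public key.
audit_key_only() {
    cfg=$1 keys=$2 rc=0
    pw=$(effective_value "$cfg" PasswordAuthentication)
    pk=$(effective_value "$cfg" PubkeyAuthentication)
    root=$(effective_value "$cfg" PermitRootLogin)
    # Assumed upstream OpenSSH defaults when a keyword is absent or commented out.
    [ "${pw:-yes}" = no ] || { echo "FAIL PasswordAuthentication=${pw:-yes}"; rc=1; }
    [ "${pk:-yes}" = yes ] || { echo "FAIL PubkeyAuthentication=$pk"; rc=1; }
    case "${root:-prohibit-password}" in
        prohibit-password|without-password) ;;    # root may log in, keys only
        *) echo "FAIL PermitRootLogin=$root"; rc=1 ;;
    esac
    # Lockout guard: with passwords off, a usable public key must already be there.
    if grep -q 'PRIVATE KEY' "$keys" 2>/dev/null; then
        echo "FAIL $keys contains a private key, not a public one"; rc=1
    elif ! grep -Eq '^[^#]*(ssh-|ecdsa-|sk-)[^ ]+ +[A-Za-z0-9+/]+' "$keys" 2>/dev/null; then
        echo "FAIL $keys has no public key line"; rc=1
    fi
    return $rc
}

# Run the audit only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_key_only "$1" "$2"
fi
```

A non-zero exit means the restart should wait until the reported line is fixed; keep an existing SSH session open while testing a new login.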
