
No more passwords, give me the keys!


Intro

I was always too lazy to set up SSH keys and just kept on setting up more and more users and passwords. Maybe at some point in the future I’m going to look at a self-hosted PKI solution, but for now, I will use self-signed certificates.


Setting things up

local PC

First, I create my local key on my PC (I use Arch btw)

$ ssh-keygen

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/_username_/.ssh/id_ed25519):
Created directory '/home/_username_/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/_username_/.ssh/id_ed25519
Your public key has been saved in /home/_username_/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:RLy4JBv7jMK5qYhRKwHB3af0rpMKYwE2PBhALCBV3G8 _username_@_hostname_
The key's randomart image is:
+--[ED25519 256]--+
|%oo=.. ..        |
|== ..o.o.        |
|==    +o..       |
|+ o o.=oE        |
|.    *.oS        |
| o..o...         |
|o=.. +o          |
|+o*....          |
|++++...          |
+----[SHA256]-----+

Now I’m going to copy the public key to my home folder so I can reach it easily.

Important: only copy the public key!

cd /home/bjarne/.ssh/
cp /home/bjarne/.ssh/id_ed25519.pub ~

Add the key to new container in Proxmox

Now I can easily use it, for example in Proxmox when I set up a new LXC container:

Screenshot of proxmox

Automatically add the key to existing servers

For existing servers, a handy tool exists to copy your newly generated public key to the server:

ssh-copy-id username@remote_host

In a live environment it looks like this:

  
[bjarne@pc ~]$ ssh-copy-id bjarne@nginx  
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/bjarne/.ssh/id_ed25519.pub"  
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed  
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys  
bjarne@nginx's password:    
  
Number of key(s) added: 1  
  
Now try logging into the machine, with: "ssh 'bjarne@nginx'"  
and check to make sure that only the key(s) you wanted were added.

Manually add the key to existing servers

To manually add the key (for example if the ssh-copy-id tool does not exist), you must add your public key to the ~/.ssh/authorized_keys file on the server.

If you have SSH access you can copy the key contents through SSH to the server.

The easiest option is to open the SSH session in one terminal, open the public key in another, and then create the file and copy & paste the content.

mkdir -p ~/.ssh && chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys

Paste the key and then save and close nano.


Increase security

The last touch is to disable password-based authentication on the server. I would make sure that certificate-based authN is working and that you have a way of last resort, like a console.

sudo nano /etc/ssh/sshd_config

And change the following line:

PasswordAuthentication no

After that restart the SSH service.

sudo systemctl restart ssh
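
Editing the main file is not always enough: sshd keeps the first value it reads for each keyword, so a drop-in pulled in by an Include line above your edit can leave passwords enabled. The shell sketch below is an added example, not part of the original post; it reports the value that wins for a keyword, and the file names, the `flatten_config`/`effective_global` helpers and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Simplifications: Include paths
# are absolute, and everything after the first Match line counts as conditional.

# flatten_config FILE: print FILE's lines in the order sshd reads them,
# expanding Include lines in place (glob matches in lexical order).
flatten_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split into words without globbing
        case $(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]') in
            include)
                shift
                for pat in "$@"; do
                    for f in $pat; do         # the glob expands here
                        if [ -f "$f" ]; then flatten_config "$f"; fi
                    done
                done ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# effective_global KEYWORD FILE: first value of KEYWORD set outside a Match
# block, lower-cased, or "unset" when sshd would fall back to its default.
effective_global() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    flatten_config "$2" | awk -v want="$want" '
        { sub(/#.*/, ""); sub(/=/, " ") }      # drop comments, accept Key=Value
        tolower($1) == "match" { exit }
        tolower($1) == want    { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# Constructed sample: a drop-in loaded before the edited line re-enables passwords.
demo() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$d/50-dropin.conf"
    printf 'Include %s/*.conf\nPasswordAuthentication no\n' "$d" > "$d/sshd_config"
    effective_global PasswordAuthentication "$d/sshd_config"
    rm -rf "$d"
}

demo   # prints "yes": the edit in the main file never takes effect
```

On a real server, `sudo sshd -T | grep -i passwordauthentication` prints the value the daemon itself resolves and is the authoritative check before you restart the service.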

Author: Bjarne
I’m a network engineer from Germany and like to tinker with my homelab.