Use SSH keys on NetBSD for Passwordless Logins to Servers

Last edited on 2025-04-17 Tagged under  #ssh   #netbsd   #bsd   #server   #encrypt   #network   #shell 

Tested on NetBSD 10.1

Disable password logins on the SERVER in favour of using SSH keys for authentication. Create the necessary SSH keys on a NetBSD CLIENT that will be used to secure access to remote devices.



1. Start Here

On BOTH the NetBSD CLIENT and the SERVER

Create the .ssh directory and authorized_keys file in $HOME:

$ mkdir ~/.ssh && touch ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

2. Create Public and Private Keys

On the NetBSD CLIENT

Create the SSH public/private key pair protected with a passphrase using ssh-keygen(1):

$ ssh-keygen -t ed25519 -C "$(whoami)@$(hostname -s)-$(date +%Y-%m-%d)" 

Start ssh-agent(1):

$ eval "$(ssh-agent -s)"

Add the newly-created SSH private key to the current session by running ssh-add(1):

$ ssh-add ~/.ssh/id_ed25519
Enter passphrase /home/<username>/.ssh/id_ed25519:

Any SSH logins launched during the session will now access this key stored in memory.

3. Share Public Key

On the NetBSD CLIENT

Upload the public key using ssh-copy-id(1) to the SERVER and append to the SERVER authorized_keys file:

$ ssh-copy-id -i ~/.ssh/id_ed25519.pub [remote_ip_address]

EXAMPLE
SERVER has a [remote_ip_address] of 178.123.1.456:

$ ssh-copy-id -i ~/.ssh/id_ed25519.pub 178.123.1.456

Verify key-based authentication is configured correctly by successfully logging in using ssh(1) without a password:

$ ssh -o PasswordAuthentication=no 178.123.1.456

4. Disable Password Logins

On the SERVER

After verifying the SERVER can be accessed remotely using SSH keys, open sshd_config(5) for editing:

# vi /etc/ssh/sshd_config

Disable password authentication with these modifications:

PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

As an additional security measure, change the port (by default port 22) that SSH listens for connections. Changing this to a dynamic or private port between 49152 through 65535 will frustrate automated attacks.

EXAMPLE
Modify the SERVER listening port from #Port 22 to Port 52222:

Port 52222

Save changes and exit.

Restart SSH:

  • On FreeBSD and NetBSD servers:
# service sshd restart
  • On OpenBSD servers:
# rcctl restart sshd
  • On Linux servers using systemd:
# systemctl restart ssh

On the NetBSD CLIENT

While remaining logged into SERVER, open another terminal and verify the changes by attempting a new login using password authentication (which should fail):

$ ssh -p 52222 -o PreferredAuthentications=password -o PubkeyAuthentication=no 178.123.1.456
<username>@178.123.1.456: Permission denied (publickey).

Verify key-based authentication continues to work as before:

$ ssh -p 52222 178.123.1.456

Device is now secured to accept only SSH key authentication for logins.

5. Create An Alias

On the NetBSD CLIENT

Create an alias for the SERVER in the user ssh_config(5):

$ vi ~/.ssh/config

Add an alias for SERVER named myserver:

Host myserver
  HostName 178.123.1.456
  Port 52222

Save changes and exit.

Now a login to SERVER is simply:

$ ssh myserver

6. Key Management

On the NetBSD CLIENT

Keychain is an SSH key manager which "acts as a frontend to ssh-agent and ssh-add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent per login session."

Install:

# pkgin install keychain

Flush all cached keys from memory:

$ keychain --clear                  

When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It verifies that key files specified on the command-line are known to ssh-agent and prompts for a password if necessary. Finally, it saves the ssh-agent environment variables to ~/.keychain/$HOSTNAME-sh, so that subsequent logins and cron jobs can source the file and make passwordless SSH connections.

To start keychain the next time you login, open .profile for editing:

$ vi ~/.profile

Add:

# Use keychain as frontend to ssh-agent and ssh-add.
if command -v keychain 2>&1 >/dev/null
then
  keychain --agents ssh $HOME/.ssh/id_ed25519
  . $HOME/.keychain/$HOSTNAME-sh
fi

Save changes and exit.

NOTE
If using tmux(1), enable persistent SSH key management across sessions by editing .tmux.conf:

$ vi ~/.tmux.conf

Add:

set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY"

Save changes and exit.

Good stuff!

You can like, share, or comment on this post on the Fediverse 💬

Thanks for reading! Read other posts?

» Next: Manual NetBSD Installation with Disk Encryption

« Previous: Use SSH keys on Linux for Passwordless Logins to Servers