Secure remote access to NetBSD devices using SSH keys
Disable password logins and switch to SSH key-based authentication to secure access to remote machines.
SERVER is running NetBSD and is configured for SSH logins from a (Debian) Linux CLIENT.
1. On both SERVER and CLIENT: Create ~/.ssh
Create an SSH directory in $HOME:
mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
2. On the SERVER: Start SSH
If not already configured during NetBSD's install, add sshd to /etc/rc.conf:
echo "sshd=YES" >> /etc/rc.conf
Start:
service sshd start
3. On the CLIENT: Aliases
Create ~/.ssh/config to hold aliases with the login options for a server. Example (for user foo):
Host home-server
HostName 192.168.1.23
Port 22
User foo
Test:
$ ssh home-server
foo@192.168.1.23's password:
4. On the CLIENT: Generate keys
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname -s)-$(date +%F)"
5. On the CLIENT: Upload key to server
Upload the public key to the server and append it to ~/.ssh/authorized_keys:
ssh-copy-id -i ~/.ssh/id_ed25519.pub home-server
Notify SSH that you have keys by running ssh-add:
$ ssh-add
Enter passphrase for /home/foo/.ssh/id_ed25519:
Identity added: /home/foo/.ssh/id_ed25519 (/home/foo/.ssh/id_ed25519)
All SSH sessions launched from this console will use this key, which the agent now holds decrypted in memory.
Test the connection before disabling password logins:
ssh home-server
If you are logged in without being asked for a passphrase (the agent supplies the key) or a password, SSH key authentication is properly configured.
6. On the SERVER: Disable password logins
Make the following modifications in /etc/ssh/sshd_config:
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Restart SSH:
service sshd restart
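Before that restart it is worth confirming that the server will still let you in. The script below is an added example, not part of the original post: it checks that the modes step 1 set on ~/.ssh and authorized_keys are intact (sshd's StrictModes ignores keys in group- or world-writable files, which would silently leave you on password auth right up to the moment passwords are disabled) and that the three directives from step 6 are the ones sshd will actually use, following sshd_config's own rules (case-insensitive keywords, first occurrence wins, anything under a Match line is conditional). The function names and the sample config files it builds are constructed for the example; it assumes a POSIX sh with awk, ls and mktemp.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run on the
# SERVER before "service sshd restart" in step 6. It verifies (a) the modes
# step 1 sets on ~/.ssh and authorized_keys, which sshd's StrictModes requires
# before it honours keys at all, and (b) that sshd_config really carries the
# three directives from step 6, read the way sshd reads the file.
# Assumes POSIX sh, awk, ls and mktemp. Paths are parameters, so the functions
# run against the constructed samples below as well as the real files.

# mode_of PATH: 9-character permission string such as rwx------, taken from
# ls -ld because stat(1) takes different flags on NetBSD and GNU coreutils.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# check_ssh_perms SSHDIR: 0 if SSHDIR is 700 and SSHDIR/authorized_keys is 600,
# exactly as step 1 creates them. A group- or world-writable directory or file
# makes sshd ignore the keys silently, which turns into a lockout once
# password logins are off.
check_ssh_perms() {
    rc=0
    case "$(mode_of "$1")" in
        rwx------) ;;
        *) echo "$1: mode is $(mode_of "$1"), expected rwx------ (700)"; rc=1 ;;
    esac
    if [ ! -f "$1/authorized_keys" ]; then
        echo "$1/authorized_keys: missing"; rc=1
    else
        case "$(mode_of "$1/authorized_keys")" in
            rw-------) ;;
            *) echo "$1/authorized_keys: mode is $(mode_of "$1/authorized_keys"), expected rw------- (600)"; rc=1 ;;
        esac
    fi
    return $rc
}

# sshd_effective FILE KEYWORD: print the value sshd will actually use.
# sshd's rules: keywords are case-insensitive, a line whose first non-blank
# character is '#' is a comment, the FIRST occurrence of a keyword wins
# (later duplicates are ignored), and everything after a "Match" line is
# conditional, so the scan stops there.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: 0 if all three step 6 directives are in effect.
# An unset directive is reported too: PasswordAuthentication defaults to yes,
# and the post sets all three explicitly.
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PubkeyAuthentication=yes PasswordAuthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# make_samples: write three constructed sshd_config files into a temp dir and
# print its path. "bad" repeats PasswordAuthentication (the first value wins);
# "match" only sets it under a Match block, where it is not global.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '# hardened as in step 6' 'Port 22' 'permitrootlogin no' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no' > "$d/good"
    printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no' > "$d/bad"
    printf '%s\n' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
        'Match Address 192.168.1.0/24' '    PasswordAuthentication no' > "$d/match"
    echo "$d"
}

# Stand-alone run: audit the samples, then the real files when present.
samples=$(make_samples)
for f in good bad match; do
    if audit_sshd_config "$samples/$f"; then echo "$f: hardened"; fi
done
rm -rf "$samples"
if [ -f /etc/ssh/sshd_config ]; then audit_sshd_config /etc/ssh/sshd_config; fi
if [ -d "$HOME/.ssh" ]; then check_ssh_perms "$HOME/.ssh"; fi
```

Run it on the server as the user you log in with; only "good: hardened" is printed for the samples, while "bad" and "match" show why a directive that looks present is not in effect. Two further habits go with the restart itself: sshd -t validates the file's syntax without restarting, and keeping your current session open while you verify a fresh login from a second terminal (ssh -o PasswordAuthentication=no home-server) means a mistake costs a second edit rather than a trip to the console.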
7. On the CLIENT and SERVER: Key management
Keychain is an OpenSSH key manager. From the package description:
When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/$HOSTNAME-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.
7.1 On the CLIENT
Install:
apt install keychain
For the bash shell, configure ~/.bashrc:
# Use `keychain` for ssh-agent management
if [[ -x /usr/bin/keychain ]]; then
    # Start (or reuse) an ssh-agent and load the key, prompting for the passphrase once
    keychain ~/.ssh/id_ed25519
    # keychain writes the agent variables to ~/.keychain/$HOSTNAME-sh; bash sets HOSTNAME
    . "${HOME}/.keychain/${HOSTNAME}-sh"
fi
7.2 On the SERVER
Install:
pkgin install keychain
For the bash shell, configure ~/.bashrc:
# Use `keychain` for ssh-agent management
if [[ -x /usr/pkg/bin/keychain ]]; then
    # Start (or reuse) an ssh-agent and load the key, prompting for the passphrase once
    keychain ~/.ssh/id_ed25519
    # keychain writes the agent variables to ~/.keychain/$HOSTNAME-sh; bash sets HOSTNAME
    . "${HOME}/.keychain/${HOSTNAME}-sh"
fi
7.3 On the CLIENT and SERVER
Flush all cached keys from memory:
keychain --clear
If using the tmux terminal multiplexer, enable persistent SSH key management across sessions by editing ~/.tmux.conf:
set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY"