SSH

ssh keys

SSH Keys are primarily used for authentication when connecting to remote servers via the Secure Shell (SSH) protocol. An SSH key pair consists of a public key (placed on the server) and a private key (kept by the user). When a user attempts to connect, the server challenges the client using the public key, and the client proves its identity by demonstrating knowledge of the corresponding private key.

ssh agent

The SSH agent is a helper program that stores private SSH keys in memory, often in an unencrypted form after the passphrase has been entered once. This allows users to access multiple SSH-secured resources without repeatedly entering their passphrases for each connection. To start the agent in the fish shell:

$ eval (ssh-agent -c)

Currently I’ve configured SSH keys in Alpine Linux GitLab, GitHub, and sr.ht.

Backing up to a server using BTRFS and SSH

Part 1: The goal of this first part of the task is to be able to send commands via ssh from my server computer to my desktop computer. To use ssh in this way, my server computer becomes the “Client” (where I ssh from) and the desktop computer becomes the “Server” (where I ssh to). I will refer to them as Client and Server from here on out.

First, logging into a root session using “sudo -i”, I prepared the Client and created a secure key without a password:

–On the Client–

$ sudo -i
# mkdir /root/.ssh
# cd /root/.ssh
# ssh-keygen -f serverpass

“ssh-keygen” will prompt you for a password for the new key - just hit enter and your key will not require a password. “serverpass” is the name I chose. You can use something else.

Now we need to get the key onto the “server” (the desktop computer in this case). This requires root login and I don’t have a root password on my desktop (I use sudo) so I need to make one - which I will delete later:

–On the Server–

$ sudo passwd

I will also allow root access via ssh using a password - again, a generally ill-advisable way to configure your computer, but it will also be temporary. This requires 2 edits of /etc/ssh/sshd_config and a restart of the ssh server program:

–On the Server–

In the file, /etc/ssh/sshd_config look for these two lines:

PermitRootLogin prohibit-password
PasswordAuthentication no

and change them to:

PermitRootLogin yes
PasswordAuthentication yes

and save the edits. Then restart the ssh server:

$ sudo service ssh restart
$ sudo systemctl restart sshd.service   # on Arch

Now we need to send the secure key to the Server:

–On the Client–

Code:

ssh-copy-id -i ~/.ssh/serverpass root@server

Now we can lock the Server back down:

–On the Server–

In the file, /etc/ssh/sshd_config look for these two lines:

PermitRootLogin yes
PasswordAuthentication yes

and change them to:

PermitRootLogin without-password
PasswordAuthentication no

and save the edits. Then restart the ssh server:

$ sudo service ssh restart
$ sudo systemctl restart sshd.service   # on Arch

Finally, remove the root password:

$ sudo passwd root -d

You should now be able to log in as root on the Server from the Client:

–On the Client–

$ ssh -i ~/.ssh/serverpass root@server

The “@server” would need to be either the IP address of the Server computer, like “root@192.169.1.100”, or the hostname of the Server computer. In my case, the computer on the receiving end of the ssh command (the Server) is my office desktop so I use “root@office”.
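
A check for the lock-down step above, added here as an example and not part of the original procedure: it reads an sshd_config file and reports whether the temporary PermitRootLogin yes / PasswordAuthentication yes settings are still in effect. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): confirm sshd_config was locked back down.

# effective_value FILE KEYWORD: print the first value set for KEYWORD before any
# Match block, lowercased. sshd keeps the first value it reads for a keyword,
# and keywords are case-insensitive.
effective_value() {
    awk -v want="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }       # drop comments, allow Keyword=value
        tolower($1) == "match" { exit }         # only the global section is checked
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# lockdown_state FILE: "temporary" while both settings from the copy-the-key
# step are still in place, "locked" once both are reverted, "partial" otherwise.
lockdown_state() {
    prl=$(effective_value "$1" PermitRootLogin)
    pwa=$(effective_value "$1" PasswordAuthentication)
    # OpenSSH defaults when a keyword is absent
    [ -n "$prl" ] || prl=prohibit-password
    [ -n "$pwa" ] || pwa=yes
    case "$prl/$pwa" in
        yes/yes) echo temporary ;;
        yes/*|*/yes) echo partial ;;
        *) echo locked ;;
    esac
}

# Constructed sample files. In the first one a "PasswordAuthentication no" was
# appended below an earlier "yes", so it has no effect.
SAMPLES=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' > "$SAMPLES/temporary"
printf '%s\n' 'permitrootlogin without-password' 'PasswordAuthentication no' \
    > "$SAMPLES/locked"
for f in temporary locked; do
    echo "$f: $(lockdown_state "$SAMPLES/$f")"
done
```

On a live Server, `sshd -T` run as root prints the settings sshd actually uses, including anything pulled in through Include files, which this file-level check does not follow.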

Part 2

The goal of this second part of the first task is to simplify sending ssh commands and access.

As of now, you must specify the identity file with each SSH command. Also, it’s generally safer to use non-standard ports for SSH. I tend to use a different port for all my computers. This means each time I send a command from the Client to the Server, I must specify the location of the identity file, the port, and the user name and hostname or IP of the Server computer and any command. I don’t want to have to remember all that, so I use a simple config file on the Client and can reduce the command from:

$ ssh -i ~/.ssh/serverpass root@office -p 2345 ls

to simply:

$ ssh office ls

The config file is kept in the home folder of the user under the .ssh folder. The dot preceding ssh means the folder is hidden and the file named config is not there by default. In this case, I’m attempting to connect my root user to access the root user on the other computer, so I need to put the config file under /root/.ssh/. In it I will put all the needed info for the ssh command to automatically access.

–On the Client–

Edit the file /root/.ssh/config

This will open an empty editor window - since the file doesn’t exist yet. Now paste or type this into it, using the correct pieces for your system(s):

Code:

Host office
  Port 2345
  User root
  Hostname office
  IdentityFile ~/.ssh/serverpass

and save and exit nano.

The first line - “Host office” means I can now issue a command using just “ssh office” followed by the command, or open a terminal window on the office computer using “ssh office”.

I usually take the final step of adding this to my ~/.bash_aliases file to shorten it even further:

alias office='ssh office'

Send the backup to the office computer:

btrfs send @Pictures_ro/ | ssh office "btrfs receive /mnt/server_backups"


© Prabu Anand K 2020-2026