aboutsummaryrefslogtreecommitdiffstats

Secure Shell (SSH)

Generate SSH key pair

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "lupin@example.com"

Hardware Key

ssh-keygen -o -a 100 -t ed25519-sk -f ~/.ssh/id_ed25519 -C "lupin@example.com"

Change private key permissions

chmod 600 ~/.ssh/id_ed25519

Client usage

To connect to a server, run:

ssh -p port user@server-address

port for default is 22

Copy SSH key

doas pacman -S xclip

xclip -sel clip < ~/.ssh/id_ed25519.pub

Configuration

The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:

nano -w ~/.ssh/config

# host-specific options
Host myserver
    HostName ssh.heckyel.ga
    IdentityFile ~/.ssh/id_ed25519
    user Snowden
    Port 22
    ServerAliveInterval 5

With such a configuration, the following commands are equivalent

ssh -p port user@server-address

ssh myserver

Server usage

Configuration

The SSH daemon configuration file can be found and edited in /etc/ssh/sshd_config.

To allow access only for some users add this line:

AllowUsers    user1 user2

To allow access only for some groups:

AllowGroups   group1 group2

To add a nice welcome message (e.g. from the /etc/issue file), configure the Banner option:

Banner /etc/issue

Copy public key to server

ssh-copy-id -i ~/.ssh/mykey.pub user@host

Securing the authorized_keys file

For additional protection, you can prevent users from adding new public keys and connecting from them.

In the server, make the authorized_keys file read-only for the user and deny all other permissions:

chmod 400 ~/.ssh/authorized_keys
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-04 10:33:50 +0000