Listing a public key in.ssh/authorizedkeys is necessary, but not sufficient for sshd (server) to accept it. If your private key is passphrase-protected, you'll need to give ssh (client) the passphrase every time. Or you can use ssh-agent, or a GNOME equivalent. Your updated trace. SSH login to TS-209 with a console application (e.g. Execute the following command, secure copy the idrsa.pub from TS-209 to TS-509, and save it as 'authorizedkeys'. # scp /.ssh/idrsa.pub.ssh/authorizedkeys 3. You might see a promoted message like below if this is the first time you are trying to access one NAS from another. SSH keys are used for password-less authentication from user to user when using the SSH protocol. SSH keys consists of a public/private key pair. You can think of a public/private key pair like this public key is a lock.
- Ssh Authorized Keys Permission
- Ssh Authorized Keys Location
- Ssh Authorized Key
- Ssh Authorized Keys Permissions
The problem is that you've made a directory called /.ssh/authorizedkeys. This is supposed to be a file. I'm not sure how this has happened, given that the commands you've listed should have just made the /.ssh directory and an authorizedkeys file within it. Remove the authorized keys directory on the remote machine, and replace with a file.
Below is a quick how-to for implementing public / private key authentication for SSH. This is by no means an exhaustive examination of the subject. *nix distributions vary slightly and further research may be needed.
- 3Setup Procedures
Why use Public Key Authentication?
Public key authentication is considered a more secure methods of authenticating the Secure Shell than the simple password challenge routine, a method often broken by brute-force attacks. In addition, public key authentication allows for automated login routines between machines, thus enabling a range of scripted jobs (think rsync or port tunneling). It can also simplify the login process without compromising password security.
How does it work?
Public key authentication uses a pair of computer generated keys - one public and one private – to authenticate between a host and a client. The public key is derived from the private key. When authenticating, the host machine compares the public key to the private key in order to verify the veracity of the public key. If the two match, access is granted. Security of the system is predicated on the security of the private key.
Setup Procedures
- Generate the needed Public and Private keys on the host.
- Transfer / append the public key to the authorized_keys file on the client.
- Login via Public Key Authentication.
Step by Step Example
The below setup description assumes that you are able to run terminal or a terminal application like Putty, and that you are familiar with basic commands. It doesn't take much.
Let's setup SSH public key authentication between your home computer (hereafter referred to as the “Host”) and your QNAP device (hereafter referred to as the “Client').
1. Login to the Host via SSH using your preferred terminal application and generate the public / private key pair. In terminal type the following at the command prompt:
Note: the -C switch is not required. It allows you to insert a comment that will appear in the authorized_keys file. It is helpful for identifying and managing keys within the authorized_keys file on the Client in the event that you have multiple key logins. Replace 'server comment field' with a machine name, IP address, date, or task name so that you can easily identify where and why a given key was created.
2. Execute the command and you should see the following output:
Note: “UserName” is the user account that you have logged into via SSH. Also note that the actual suggested path may vary slightly depending your system. You should accept the suggested location unless you have reason to do otherwise.
You will then be prompted for a passphrase that will be associated with this key.
The passphrase can be thought of as a password for the private key - it serves as an extra layer of protection as described below. If you leave this field blank you will generate keys that do not prompt for a passphrase. In other words, you will be logged in automatically via the secure public / private key handshake that you are in the process of setting up. It is highly recommended that you enter a passphrase unless you are setting up automated routines that require automatic login. See more detail below in “Security Notes.”
The keys have now been generated and are stored in the .ssh folder associated with the user account on the Host machine.
3. The final steps are to copy the public key to the Client and append it to the authorization_keys file. There are a number of ways to do this – you can copy the file to the Client and then append it (I like this method being the relative noob that I am. It involves more steps but is the easiest to complete without error. Those proficient with terminal commands will do it all in one step from the Host). Alternatively, you can open the id_rsa.pub file via a text editor like iv and copy the key text - then open the authorized_keys file on the Client and paste the text directly into the file. I will walk you through the noob method.
In the terminal navigate to the folder that contains the newly created keys – cd /User/UserName/.ssh and use the 'ls' list comand to see what is in that directory. You should see the following files:
- id_rsa
- id_rsa.pub
- known_hosts.
Type the following at the command prompt:
admin@ClientIPAddress is the address of your QNAP NAS (the Client) followed by the path on the Client where the public key needs to reside. You will be ask you for the password of the 'admin' account to login to the Client.
Enter the password to complete secure copy.
4. On the Client (QNAP NAS) navigate to the /etc/config/ssh folder and 'ls' to reveal the contents of the directory. You should see your id_rsa.pub file.
5. Now let's append this file to the authorized_keys file which needs to reside in this directory. Do not worry if authorized_keys file is not present. We will create it.
Type the following at the command prompt:
Note: You have to cut the key in the file to one line, and add ssh-rsa in at the very beginning.
Example
Set correct permissions
SSH daemon is really peacky about permissions. Create a .ssh folder within your home folder, copy /etc/config/ssh/authorized_keys to this folder and then make sure you have set your permissions as follows:
That's it. You should now be able to login using key authentication. Logout of the Client and attempt to login. If you created a passphrase for your id_rsa private key then you will be prompted for the passphrase. If you left the passphrase field blank when generating the keys then you will be logged in automatically.
The first time you login you may encounter a promoted message like below.
Type 'yes' to continue. After you accept the authenticity of the RSA key, the Client information is saved in the /Users/UserName/.ssh/known_hosts file. You will not be prompted again unless you remove this file.
Important
If the destination Client is a x86 series model, please execute the following command on the destination Client (TS-509) to make sure the folder permission has been set correctly. Because there might be a permission problem in earlier firmware versions in x86 model (e.g. TS-509)
Note
The procedure is the same when setting up key authentication between two NAS boxes. Simply follow the steps above substituting a NAS device for the Host and Client as per the above example.
Trouble Shooting
O'Reilly provides an excellent reasource for troubleshooting.
Security Notes
You must keep your private key secure! Security of public key authentication is dependent on your ability to secure the private key. You should avoid generating a key without a passphrase. If you have an unencrypted private key (no passphrase) stored on your workstation and if your workstation is compromised, your Client machines have been compromised too! If a hacker can obtain the private key they will have access to any client machines accessible with the public key. Further, in the event that your machine is compromised you should consider strongly the possibility that your keystrokes are being logged and therefore any private keys that ar protected by passphrases have likely been compromised.
In addition, you should never allow root-to-root trust between systems. Unfortunately, the firmware version of the QNAP NAS series is hardwired with a variant of OpenSSH that only permits ssh login by the root (admin) user. You are strongly encourage to update the SSH Daemon With OpenSSH as per How To Replace_SSH Daemon With OpenSSH. You can then setup named accounts for users or roles, granting as little root access as possible via sudo. You should also limit the 'from' access of the public keys, and if possible only allow specific public keys to run specific commands.
Original Example
Here is an example which tells you how to set up authorized_keys between two QNAP NAS units. For example, we have one TS-209 (10.8.12.209) & a TS-509 (10.8.12.33), and now I want to make it possible to SSH login to TS-509 from TS-209 without password.
1. SSH login to TS-209 with a console application (e.g. Putty)
Ssh Authorized Keys Permission
2. Execute the following command, secure copy the id_rsa.pub from TS-209 to TS-509, and save it as 'authorized_keys'.
3. You might see a promoted message like below if this is the first time you are trying to access one NAS from another. Simply type 'yes' and go to the next step.
4. And it will ask you for the password of the 'admin' account to login the destination host (10.8.12.33), just enter it and finish the secure copy command.
5. That's it! Now you should be able to SSH login to the TS-509 from TS-209 without password, the authorized_keys has been saved in the destination host (TS-509) under /etc/config/ssh/authorized_keys
Note
If the destination host is a x86 series model, please execute the following command in the destination host (TS-509) to make sure the folder permission has been set correctly. Because there might be a permission problem in earlier firmware versions in x86 model (e.g. TS-509)
With a secure shell (SSH) key pair, you can create a Linux virtual machine that uses SSH keys for authentication. This article shows you how to create and use an SSH RSA public-private key file pair for SSH client connections.
If you want quick commands, see How to create an SSH public-private key pair for Linux VMs in Azure.
To create SSH keys and use them to connect to a from a Windows computer, see How to use SSH keys with Windows on Azure. You can also use the Azure portal to create and manage SSH keys for creating VMs in the portal.
Overview of SSH and keys
SSH is an encrypted connection protocol that provides secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks. We recommend connecting to a VM over SSH using a public-private key pair, also known as SSH keys.
The public key is placed on your Linux VM.
The private key remains on your local system. Protect this private key. Do not share it.
When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it has the correct private key. If the client has the private key, it's granted access to the VM.
Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.
Ssh Authorized Keys Location
Your public key can be shared with anyone, but only you (or your local security infrastructure) should have access to your private key.
Supported SSH key formats
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
SSH keys use and benefits
When you create an Azure VM by specifying the public key, Azure copies the public key (in the .pub
format) to the ~/.ssh/authorized_keys
folder on the VM. SSH keys in ~/.ssh/authorized_keys
are used to challenge the client to match the corresponding private key on an SSH connection. In an Azure Linux VM that uses SSH keys for authentication, Azure configures the SSHD server to not allow password sign-in, only SSH keys. By creating an Azure Linux VM with SSH keys, you can help secure the VM deployment and save yourself the typical post-deployment configuration step of disabling passwords in the sshd_config
file.
If you do not wish to use SSH keys, you can set up your Linux VM to use password authentication. If your VM is not exposed to the Internet, using passwords may be sufficient. However, you still need to manage your passwords for each Linux VM and maintain healthy password policies and practices, such as minimum password length and regular updates.
Generate keys with ssh-keygen
To create the keys, a preferred command is ssh-keygen
, which is available with OpenSSH utilities in the Azure Cloud Shell, a macOS or Linux host, and Windows 10. ssh-keygen
asks a series of questions and then writes a private key and a matching public key.
SSH keys are by default kept in the ~/.ssh
directory. If you do not have a ~/.ssh
directory, the ssh-keygen
command creates it for you with the correct permissions.
Basic example
The following ssh-keygen
command generates 4096-bit SSH RSA public and private key files by default in the ~/.ssh
directory. If an SSH key pair exists in the current location, those files are overwritten.
Detailed example
The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten.
Command explained
ssh-keygen
= the program used to create the keys
-m PEM
= format the key as PEM
-t rsa
= type of key to create, in this case in the RSA format
-b 4096
= the number of bits in the key, in this case 4096
-C 'azureuser@myserver'
= a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.
-f ~/.ssh/mykeys/myprivatekey
= the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub
is generated in the same directory. The directory must exist.
-N mypassphrase
= an additional passphrase used to access the private key file.
Example of ssh-keygen
Saved key files
Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa
The key pair name for this article. Having a key pair named id_rsa
is the default; some tools might expect the id_rsa
private key file name, so having one is a good idea. The directory ~/.ssh/
is the default location for SSH key pairs and the SSH config file. If not specified with a full path, ssh-keygen
creates the keys in the current working directory, not the default ~/.ssh
.
List of the ~/.ssh
directory
Key passphrase
Enter passphrase (empty for no passphrase):
It is strongly recommended to add a passphrase to your private key. Without a passphrase to protect the key file, anyone with the file can use it to sign in to any server that has the corresponding public key. Adding a passphrase offers more protection in case someone is able to gain access to your private key file, giving you time to change the keys.
Generate keys automatically during deployment
If you use the Azure CLI to create your VM, you can optionally generate SSH public and private key files by running the az vm create command with the --generate-ssh-keys
option. The keys are stored in the ~/.ssh directory. Note that this command option does not overwrite keys if they already exist in that location.
Provide SSH public key when deploying a VM
To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the Azure CLI to create your VM with an existing public key, specify the value or location of this public key by running the az vm create command with the --ssh-key-value
option.
If you're not familiar with the format of an SSH public key, you can see your public key by running cat
as follows, replacing ~/.ssh/id_rsa.pub
with your own public key file location:
Output is similar to the following (here redacted):
If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, ~/.ssh/id_rsa.pub
) to pbcopy to copy the contents (there are other Linux programs that do the same thing, such as xclip
).
If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a pem container from the public key you previously created.
To create a RFC4716 formatted key from an existing SSH public key:
SSH to your VM with an SSH client
With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):
If you provided a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process. (The server is added to your ~/.ssh/known_hosts
folder, and you won't be asked to connect again until the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts
.)
If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
Use ssh-agent to store your private key passphrase
To avoid typing your private key file passphrase with every SSH sign-in, you can use ssh-agent
to cache your private key file passphrase. If you are using a Mac, the macOS Keychain securely stores the private key passphrase when you invoke ssh-agent
.
Verify and use ssh-agent
and ssh-add
to inform the SSH system about the key files so that you do not need to use the passphrase interactively.
Now add the private key to ssh-agent
using the command ssh-add
.
The private key passphrase is now stored in ssh-agent
.
Use ssh-copy-id to copy the key to an existing VM
If you have already created a VM, you can add a new SSH public key to your Linux VM using ssh-copy-id
.
Create and configure an SSH config file
You can create and configure an SSH config file (~/.ssh/config
) to speed up log-ins and to optimize your SSH client behavior.
The following example shows a simple configuration that you can use to quickly sign in as a user to a specific VM using the default SSH private key.
Create the file.
Ssh Authorized Key
Edit the file to add the new SSH configuration
Add configuration settings appropriate for your host VM. In this example, the VM name is myvm and the account name is azureuser.
You can add configurations for additional hosts to enable each to use its own dedicated key pair. See SSH config file for more advanced configuration options.
Now that you have an SSH key pair and a configured SSH config file, you are able to sign in to your Linux VM quickly and securely. When you run the following command, SSH locates and loads any settings from the Host myvm
block in the SSH config file.
Ssh Authorized Keys Permissions
The first time you sign in to a server using an SSH key, the command prompts you for the passphrase for that key file.
Next steps
Next up is to create Azure Linux VMs using the new SSH public key. Azure VMs that are created with an SSH public key as the sign-in are better secured than VMs created with the default sign-in method, passwords.