SSH key authentication for Storage Boxes
If you use SCP, SFTP, rsync or BorgBackup, you can log in using SSH key authentication without entering a password.
Depending on the SSH port of the Backup account/Storage Box you use, you may need to use a specific format for the public SSH key. The following keys are supported:
SSH Port | Key Format | Algorithms |
---|---|---|
22 | RFC4716 | RSA, ECDSA, ED25519 |
23 | Standard OpenSSH Format | RSA, ECDSA, ED25519, ED25519-sk, ECDSA-sk |
If you want to use the services over both ports, then you must store the public SSH key in both formats (RFC4716 and OpenSSH format) in the .ssh/authorized_keys
file. Please note that a new line should be at the end of the file.
Each sub-account requires its own authorized_keys file in the sub-account's directory.
Generating SSH keys
You can use ssh-keygen to generate a new pair of SSH keys:
server> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
cb:3c:a0:39:69:39:ec:35:d5:66:f3:c5:92:99:2f:e1 root@server
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| . = |
| . S = * o |
| . = = + + = |
| X o = E . |
| o + . . . |
| . |
+-----------------+
Warning: With the default settings, using ssh-keygen will overwrite an existing SSH key! As an alternative, with the parameter -f
, you can specify a different file path.
Upload
Please activate the SSH service of your Storage Box within Robot. Afterwards you can upload your public key with the following command for both Storage Box ports:
server> cat ~/.ssh/id_rsa.pub | ssh -p23 uXXXXX@uXXXXX.your-storagebox.de install-ssh-key
uXXXXX@uXXXXX.your-storagebox.de's password:
Key No. 1 (ssh-rsa user@host) was installed in RFC4716 format
Key No. 1 (ssh-rsa user@host) was installed in OpenSSH format
After this you can use the public SSH key to login without a password.
Manual
You can also upload your key manually. Therefor please use the following guides:
Extended SSH Service on Port 23 (SFTP/Rsync/BorgBackup)
Port 23 uses the one-line OpenSSH format of the public key.
Upload with ssh-copy-id (OpenSSH 8.5+)
You can use ssh-copy-id
to upload the new key:
ssh-copy-id -p 23 -s uXXXXX@uXXXXX.your-storagebox.de
Upload without ssh-copy-id / Manually
If you have an older OpenSSH client software, you can upload the public key also manual:
ssh -p 23 uXXXXX@uXXXXX.your-storagebox.de mkdir .ssh
scp -P 23 .ssh/id_rsa.pub uXXXXX@uXXXXX.your-storagebox.de:.ssh/authorized_keys
SSH Service on Port 22 (SFTP)
For the SSH service on port 22, you must convert your public key into the RFC4716 format and then upload it.
Converting your key to RFC4716 format
To convert the public SSH key into the correct format, enter the following command:
ssh-keygen -e -f .ssh/id_rsa.pub > .ssh/id_rsa_rfc.pub
The public SSH key should now look like the one below:
server> cat .ssh/id_rsa_rfc.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "<comment>"
AAAAB3NzaC1yc2EAAAABIwAAAQEAz+fh731CVfH3FPM0vK5hX7NT5HogdBEQ4ryGJIeVMv
mCQJWwrFtdWh1pXMyXsYzXq1xbjILgCZGn+H0qUBKopJaa/Pzsw5U0UyRgiFhU2k0eiHUq
pkiixTbHcLsCj3kjAv5i07wZJ/ot246hLQD1PtSQtcX7nHvhdhenOTGO+ccpM2KEdX1E64
eaTtO9Bf7X4OTXnRxS7tjYH9sls5DOunpvoIZLvbmcVw1+wMdJBXOAU6/tnkN5N3mYE4Hu
JjnRtBAI9MS9Tt3DNAp1K/udUHA6hfYf08fxYs9uwsCM793b7FczmVvHEIwIKszG7Jwiwo
Dqit4EExR8bNNCeD6D3Q==
---- END SSH2 PUBLIC KEY ----
Upload
Now upload the created file:
echo "mkdir .ssh" | sftp uXXXXX@uXXXXX.your-storagebox.de
scp .ssh/id_rsa_rfc.pub uXXXXX@uXXXXX.your-storagebox.de:.ssh/authorized_keys
Test
Depending on which SSH key format you have uploaded, you should be able to log in without a password on port 22 and/or 23:
sftp -P <22 or 23> <username>@<username>.your-storagebox.de
Connected to <username>.your-storagebox.de.
sftp> quit