This file is part of eRCaGuy_dotfiles: https://github.com/ElectricRCAircraftGuy/eRCaGuy_dotfiles
(click to expand)
- 1.
sshkey generation, setup, and configuration notes:- References:
- See also:
- Example of files you may have in your
~/.sshdir - Public/Private ssh generation and copying to your server's
~/.ssh/authorized_keysfile - How to configure ssh keys to easily push to / pull from GitHub
- SSH example aliases
- Auto-starting the the ssh-agent on a remote, ssh-based development machine
- 2. How to source a custom .bashrc file whenever you ssh into a remote Linux device
- 3. Dropbear setup and notes to remotely decrypt a LUKS-encrypted hard drive
- [EXCELLENT!] Great background information on what ssh keys are and how they work, as well as how to use and create them: https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
- [EXCELLENT!] Great, generic ssh key-generation steps and instructions, as well as how to add your public key to GitHub so you can access your repos remotely from the git command-line: https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
- How to run commands over ssh: https://www.cyberciti.biz/faq/unix-linux-execute-command-using-ssh/
~/.ssh$ tree
.
├── authorized_keys
├── config
├── id_ed25519
├── id_ed25519.pub
├── id_rsa
├── id_rsa.pub
├── id_rsa_dropbear
├── id_rsa_dropbear.pub
└── known_hostsHere is how to generate a new ssh public/private key combo and copy your public key to your server's ~/.ssh/authorized_keys file so you can have a password-less login into that server:
# 1. Generate a key
# See: https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
# When generating a key below, it is recommended that you DO add a password to encrypt and protect
# the key file when the keygen utility asks you to do so.
# A. (BEST) Use the ed25519 type because it is the most secure as of the year 2021 (prior to ed25519
# being created, `rsa` was the most secure)
ssh-keygen -t ed25519 -C "[email protected]"
#
# same as above, but manually specify the output file path
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "[email protected]"
#
#
# B. (OK if the ed25519 type is not supported) From the GitHub link above: "Note: If you are using a
# legacy system [GS note: or lightweight implementation, such as the Dropbear ssh server] that
# doesn't support the Ed25519 algorithm, use:"
ssh-keygen -t rsa -b 4096 -C "[email protected]"
# 2. Add your ssh key to the `ssh-agent`
# See link above
# Ensure the ssh-agent is running (this starts the `ssh-agent`)
eval "$(ssh-agent -s)"
# Add your private key to it; update the path to your private key below, as required, based on what
# path you interactively selected above when generating the key
ssh-add ~/.ssh/id_ed25519
# Note: for Windows, see my answer here, instead: [Stack Overflow: How to get ssh-agent to load your
# private ssh keys and require their passwords only once per boot in Windows]
# (https://stackoverflow.com/a/76568760/4561887)
# Verify what keys have been added to the ssh-agent by listing (`-l`) currently-added keys.
# A. If you see "Could not open a connection to your authentication agent.", it means the
# `ssh-agent` has not been started yet, so you must start it with `eval "$(ssh-agent -s)"`.
# B. If you see "The agent has no identities.", it means the ssh-agent is running but you haven't
# added any ssh keys to it, so run `ssh-add path/to/private_key` to add a key to the agent.
ssh-add -l
# 3. Copy your **public** key to your server you'd like to log into.
# NB: **NEVER** share your private key. That lets other people act as you. Your public key, however,
# can be safely shared publicly.
#
# vvvvvvvvv
# Basically, you just need to copy the contents of your public key file ("~/.ssh/id_ed25519.pub" in
# the example above) into your server's "~/.ssh/authorized_keys" file is all. Below are a couple
# ways to do so.
# ^^^^^^^^^
# Option A: if you have password-based ssh login enabled on your server, you can copy your public
# key remotely to it like this:
# See: https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
# Update the path to the public key 'i'dentity file as required.
# >> NB: I need to test this: am I doing this right, or is the `-i` option for specifying the ssh
# connection itself which copies the .pub key? <<
# [NEED TO TEST THIS]
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@remote_host
# OR (same thing, but done manually) [NEED TO TEST THIS]:
scp ~/.ssh/id_ed25519.pub username@remote_host:~/.ssh && \
ssh username@remote_host 'cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys'
# Option B: if you do NOT have password-based ssh login enabled on your server, but you can
# NoMachine into it, then you can manually copy/paste the contents of your "~/.ssh/id_ed25519.pub"
# file, via the NoMachine GUI login, into your server's "~/.ssh/authorized_keys" file. You can also
# email the **public key** "~/.ssh/id_ed25519.pub" file to your remote server and graphically (via a
# GUI text editor) copy/paste it into your `~/.ssh/authorized_keys` file from your email, or
# whatever. If you have any problems with the instructions below, leave a comment or open an issue. I want to make sure they are super easy to follow for anyone, including beginners.
- The notes above.
- My answer here: Stack Overflow: How to use ssh keys to easily push to / pull from GitHub
- Configure your remote to use the ssh version of the GitHub repo address instead of the http version.
- Generate a public/private ssh key pair, and add the public key to your GitHub account manually via your web browser.
-
Configure your remote to use the ssh version of the GitHub repo address instead of the http version. Ex: For this repo of mine: https://github.com/ElectricRCAircraftGuy/eRCaGuy_hello_world, use this ssh URL: [email protected]:ElectricRCAircraftGuy/eRCaGuy_hello_world.git instead of this HTTPS one: https://github.com/ElectricRCAircraftGuy/eRCaGuy_hello_world.git:
# View your current remote servers and their URLs git remote -v # Set your `origin` remote server to use the ssh URL instead # of the HTTPS one git remote set-url origin https://github.com/ElectricRCAircraftGuy/eRCaGuy_hello_world.git
-
Generate a public/private ssh key pair, and add the public key to your GitHub account manually via your web browser. See my full notes on ssh stuff here [above]: https://github.com/ElectricRCAircraftGuy/eRCaGuy_dotfiles/tree/master/home/.ssh
# generate a public/private ssh key pair ssh-keygen -t ed25519 -C "[email protected]" # same as above, but manually specify the output file path ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "[email protected]" # Ensure the ssh-agent is running (this starts the `ssh-agent`) eval "$(ssh-agent -s)" # Add your private key to it; update the path to your private key below, as # required, based on what path you interactively selected above when # generating the key ssh-add ~/.ssh/id_ed25519 # Verify what keys have been added to the ssh-agent by listing # (`-l`) currently-added keys. # A. If you see "Could not open a connection to your authentication agent.", # it means the `ssh-agent` has not been started yet, so you must start it # with `eval "$(ssh-agent -s)"`. # B. If you see "The agent has no identities.", it means the ssh-agent is # running but you haven't added any ssh keys to it, so run `ssh-add # path/to/private_key` to add a key to the agent. ssh-add -l
Now log into github in a web browser and click on your profile image --> Settings --> SSH and GPG keys (on left) --> New SSH key --> copy and paste the contents of your .pub key file (ex: run
cat ~/.ssh/id_ed25519.pubon your Ubuntu machine to read the public key--adjust that path as necessary if you used a different file name) into GitHub here --> click "Add SSH key".Now, whenever you type
git pushit automatically works, using your ssh key.
You can set up custom ssh aliases in your ssh config file like this:
Add to your ~/.ssh.config file:
# Note: see `man ssh_config` for details
Host my-ssh-alias
HostName MY_HOSTNAME_OR_IP_ADDRESS
User root
Port 22
IdentityFile ~/.ssh/id_rsaChange MY_HOSTNAME_OR_IP_ADDRESS to whatever it should be; ex: 192.168.0.2.
Now call ssh my-ssh-alias to use this alias! That alias is the equivalent of calling ssh [email protected] -p 22 -i ~/.ssh/id_rsa from the command-line. Alternatively (this is what I usually do instead), instead of using an ssh config file alias, just add the following bash alias to your ~/.bashrc, ~/.bash_aliases, or (recommended) ~/.bash_aliases_private file instead. This is what I usually do, as I don't see any advantage whatsoever (yet, at least; UPDATE: one advantage is you can type ssh and press Tab Tab (Tab twice) to see an autocompleted list of ssh aliases you can ssh into!) to using ssh config file aliases over normal bashrc aliases, and I like keeping all my aliases together so it's less to manage:
alias my_ssh_alias="ssh [email protected] -p 22 -i ~/.ssh/id_rsa"Assuming you use both ssh config file aliases and normal bash aliases, the following three commands are now equivalent:
# 3 equivalent commands!
# 1. ssh config file alias
ssh my-ssh-alias
# 2. bash alias
my_ssh_alias
# 3. full ssh command manually typed in
ssh [email protected] -p 22 -i ~/.ssh/id_rsaWhen you graphically log in to a system, the window manager manages your ssh-agent for you. For example, on Ubuntu 18.04 and 20.04, gnome manages the ssh-agent by running this command that runs from the Startup Applications GUI when you first log in:
# Name: SSH Key Agent
/usr/bin/gnome-keyring-daemon --start --components=ssh # Command
# Comment: GNOME Keyring: SSH AgentWhen you ssh into this same Ubuntu machine, however, the gnome window manager does NOT get to run this application to ensure the ssh-agent is running and ready-to-go, so you must do it manually yourself, which can be a pain-in-the-butt. Here are some references on how this can be done:
- Google search for "make ssh-agent start at boot"
In short, which method you choose is a trade-off balance between security and convenience. The most-convenient technique is to remove your password on your private ssh key entirely so that you never have to type a password to decrypt your private ssh key, and the most secure technique is to not use the ssh-agent at all, so that you have to specify your private key and type your private ssh password every time you use it. The following approach is a balance between the two, favoring slightly more towards the side of convenience. It allows you to have a secure private ssh encryption key password but stores your ssh key in an open ssh-agent socket which is opened once per reboot! This means you only have type your private ssh key password once per reboot, which is great!
Simply copy and paste the following code block into your ~/.bash_aliases (preferred) or ~/.bashrc file on the computer you'd like it to run on. See also the notes just above the code block below.
Based on this answer: Unix & Linux: How can I run ssh-add automatically, without a password prompt? and my answer to that question too.
# Auto-start the ssh agent and add necessary keys once per reboot.
#
# This is recommended to be added to your ~/.bash_aliases (preferred) or ~/.bashrc file on any
# remote ssh server development machine that you generally ssh into, and from which you must ssh
# into other machines or servers, such as to push code to GitHub over ssh. If you only graphically
# log into this machine, however, there is no need to do this, as Ubuntu's Gnome window manager,
# for instance, will automatically start and manage the `ssh-agent` for you instead.
#
# See:
# https://github.com/ElectricRCAircraftGuy/eRCaGuy_dotfiles/tree/master/home/.ssh#auto-starting-the-the-ssh-agent-on-a-remote-ssh-based-development-machine
# and my answer to "How can I run ssh-add automatically, without a password prompt?":
# https://unix.stackexchange.com/a/686110/114401
if [ ! -S ~/.ssh/ssh_auth_sock ]; then
echo "'ssh-agent' has not been started since the last reboot." \
"Starting 'ssh-agent' now."
eval "$(ssh-agent -s)"
ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi
export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
# see if any key files are already added to the ssh-agent, and if not, add them
ssh-add -l > /dev/null
if [ "$?" -ne "0" ]; then
echo "No ssh keys have been added to your 'ssh-agent' since the last" \
"reboot. Adding default keys now."
ssh-add ~/.ssh/id_*[!.pub]
fiSEE ALSO this keychain program as a possible alternative to my custom solution just above!: cyberciti.biz: keychain: Set Up Secure Passwordless SSH Access For Backup Scripts on Linux
This is very useful, for example, when ssh-ing into an embedded Linux device or a shared device where you all ssh into the same username--ex: root, but you do NOT want to share a startup file nor modify it for others. Rather, you want to have your own custom aliases and environment and coloring and things.
- How to use
sshpass -pandsshpass -f: https://stackoverflow.com/questions/50096/how-to-pass-password-to-scp/13955428#13955428 - How to use
sshpass -fas though it wassshpass -p, but in a more-secure way, using process substitution (<()): https://stackoverflow.com/questions/24454037/pass-a-password-to-ssh-in-pure-bash/24455773#24455773 - [my question on process substitution] How to load files in
shfrom file descriptor 3 (/dev/fd/3), since process substitution works inbashbut NOT inshshells, and since/dev/fd/0is already taken up as stdin,/dev/fd/1is stdout, and/dev/fd/2is stderr: https://unix.stackexchange.com/questions/676676/sh-syntax-error-unexpected-when-attempting-process-substitution-on-an-e/676681#676681 - How to restore Ubuntu's default
~/.bashrcfile from/etc/skel/.bashrc: https://askubuntu.com/questions/404424/how-do-i-restore-bashrc-to-its-default/404428#404428 - [answer to my question] How to do it when your target embedded Linux device has only the
busyboxashandshshells, NOT the regularbashshell: https://unix.stackexchange.com/questions/677145/ssh-start-a-specific-shell-ash-and-source-your-environment-on-the-remote-mac/677149#677149 - Read about how
ashuses thisENVenvironment variable in theashdocumentation here: https://linux.die.net/man/1/ash
# 1. Store your ssh password into a `~/pw` file.
# - NB: this is useful for embedded Linux devices where you may have a read-only filesystem in the
# home dir and cannot modify the target's `~/.ssh/authorized_keys` file as described above. But,
# storing a password into a raw file like this is otherwise NOT normally recommended.
echo "my_password" > ~/pw
# 2. Copy over your default Ubuntu `/etc/skel/.bashrc` file to the target device at
# `/tmp/.bashrc`, then ssh into the target device and load the `bash` shell (in case it otherwise
# has a default shell of `sh` or something) with the startup file you just copied over.
# - Note: the `-t` option passed to ssh forces the terminal to be a human-interactive "tty" style
# terminal, so that it won't just run the given command and close. Rather, it stays open and
# remains ready for interaction from you, the user.
sshpass -f ~/pw scp /etc/skel/.bashrc [email protected]:/tmp \
&& sshpass -f ~/pw ssh -t -o 'ServerAliveInterval 60' [email protected] 'bash --rcfile /tmp/.bashrc'Now, you can optionally make the above ssh command an alias like this. Notice that I've also added the -o 'ServerAliveInterval 60' option to help keep the connection open (similar to what I recommend in my answer here).
# Manually add something like this to your ~/.bash_aliases (recommended) or ~/.bashrc file on the PC
# you are ssh-ing FROM:
alias gs_ssh="sshpass -f ~/pw scp /etc/skel/.bashrc [email protected]:/tmp \
&& sshpass -f ~/pw ssh -t -o 'ServerAliveInterval 60' [email protected] 'bash --rcfile /tmp/.bashrc'"
# Re-source your ~/.bashrc file when done adding the alias above for the first time. Note that if on
# Ubuntu this also automatically re-sources your ~/.bash_aliases file if you have one!
. ~/.bashrc
# Use the alias created above to connect to the board
gs_sshAlternatively, here is how to apply Ubuntu's settings for ALL users who log into the root username on the target device
If your target filesystem's home directory is NOT read-only, you can affect the environment for ALL users like this:
# Secure-copy over Ubuntu's default .profile AND .bashrc files to the target's home dir
sshpass -f ~/pw scp /etc/skel/.profile /etc/skel/.bashrc [email protected]:~
# Now ssh in
# A. using sshpass which automatically types the password for you
sshpass -f ~/pw ssh -t [email protected] 'bash --login'
# OR B. using normal ssh
ssh -t [email protected] 'bash --login'2.2. When your target Linux device does NOT have the bash shell, and you must use the busybox ash (preferred) or sh shell instead
Here are some basic, dumbed-down ~/.profile and ~/.bashrc configuration files you can use for your target embedded Linux device if you like:
~/.profile_for_remote:
# Source the .bashrc file
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi~/.bashrc_for_remote:
# Set Prompt String 1 (PS1) variable to show colors, present working dir (pwd), and to set the
# terminal title to the current folder (all but setting the terminal title is borrowed from Ubuntu)
PS1_NO_TITLE='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
TITLE='[$(hostname)] $(basename "$(pwd)")'
# Set the PS1 title escape sequence; see "Customizing the terminal window title" here:
# https://wiki.archlinux.org/index.php/Bash/Prompt_customization#Customizing_the_terminal_window_title
# See also my `gs_set_title()` bash function somewhere around here:
# https://github.com/ElectricRCAircraftGuy/eRCaGuy_dotfiles/blob/master/home/.bash_aliases#L250
ESCAPED_TITLE="\[\e]2;${TITLE}\a\]"
PS1="${PS1_NO_TITLE}${ESCAPED_TITLE}"
# Add `ll` aliases (all borrowed from Ubuntu's default /etc/skel/.bashrc file)
alias ls='ls --color=auto'
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'# ssh into an embedded Linux device, loading your custom config (.bashrc) file into BusyBox's
# `ash` terminal, if `bash` is not available
sshpass -f ~/pw scp ~/.bashrc_for_remote [email protected]:/tmp/.bashrc \
&& sshpass -f ~/pw ssh -t -o 'ServerAliveInterval 60' [email protected] 'export ENV=/tmp/.bashrc; ash'Now, use the following alias to ssh into the target device and auto-configure your ash shell environment at the same time.
See this answer to my question here, as well as my comment underneath it. Notice that the key part of the alias below for use with the target ash shell is the 'export ENV=/tmp/.bashrc; ash' command part at the end. Read about how ash uses this ENV environment variable in the ash man pages documentation online here: https://linux.die.net/man/1/ash.
# ensure ~/pw contains your password, assuming you want to do this instead of using ssh keys
echo 'my_ssh_password' > ~/pw
# Also ensure you've create the `~/.bashrc_for_remote` file with the contents above.
# Add this alias to your ~/.bash_aliases file on the machine you will be ssh-ing FROM
alias gs_ssh="sshpass -f ~/pw scp ~/.bashrc_for_remote [email protected]:/tmp/.bashrc \
&& sshpass -f ~/pw ssh -t -o 'ServerAliveInterval 60' [email protected] 'export ENV=/tmp/.bashrc; ash'"
# Re-source your ~/.bashrc file when done adding the alias above for the first time. Note that if on
# Ubuntu this also automatically re-sources your ~/.bash_aliases file if you have one!
. ~/.bashrc
# Use the alias created above to connect to the board
gs_sshHow to use the Dropbear ssh server to remotely decrypt your LUKS-encrypted Linux hard drive after reboot so you can then ssh in.
- Google search for "configure dropbear to decrypt drive"
- *****How to unlock LUKS using Dropbear SSH keys remotely in Linux
Follow the link just above from CyberCiti.biz. Here's the gist of it:
# Firt, install Linux Ubuntu with LVM and LUKS encryption. Done.
# Note: you can manually see kernel boot dirs like this:
ls -1 /boot/*$(uname -r)*
# "vmlinuz is my Linux kernel, and initrd contains Linux drivers, RAID support, Dropbear ssh server,
# and other stuff to boot the Linux system."
# View which of your partitions and mounts are under type "crypto_LUKS" as "LVM2_member" types.
# These are encrypted.
lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT
# and
sudo cat /etc/crypttab# Install dropbear-initramfs onto the computer you'd like to ssh INTO
sudo apt update
sudo apt install dropbear-initramfs
# You may see some warnings, such as “dropbear: WARNING: Invalid authorized_keys file, remote
# unlocking of cryptroot via SSH won't work!“. Just ignore these warnings for now, as we are about
# to set up a custom dropbear authorized_keys file at "/etc/dropbear-initramfs/authorized_keys" in
# the coming steps anyway.
# Edit the "/etc/dropbear-initramfs/config" file
sudo nano /etc/dropbear-initramfs/config
# Manually uncomment the "DROPBEAR_OPTIONS" line by deleting the `#` char, and make it look like
# this (again, withOUT the `#` char and withOUT the spaces in front):
# DROPBEAR_OPTIONS="-s -p 2222 -j -k -I 60"
# See `man dropbear` for all of these options.
# - The `-s` disables password logins, for security, allowing only ssh key-based logins.
# - The `-p 2222` sets the port to 2222. The default ssh port is always 22, so it's more secure to
# make it anything other than this, as this automatically makes it harder for an adversary to
# know to attack this port. `2222` is just an example. Set it to any number 1 through 65535,
# favoring a higher number, as many of the lower ports are already taken! See:
# https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# - The `-j` disables local port forwarding.
# - The `-k` disables remote port forwarding.
# - The `-I 60` sets an "idle timeout" of 60 seconds, disconnecting any ssh connection which is
# idle for longer than this.
# Optionally add `-b /etc/dropbear/banner` too if you'd like to have dropbear display a certain
# text banner whenever someone ssh's into it.
# Save and exit the editor.
# Optionally configure a static IP for your Dropbear ssh server, by editing your
# "/etc/initramfs-tools/initramfs.conf" file. Ex: adding this line to that file:
# IP=192.168.2.19::192.168.2.254:255.255.255.0:debian
# ...means:
# IPv4 = 192.168.2.19
# Gateway = 192.168.2.254
# Netmask = 255.255.255.0
# Hostname = debian
#
# [MY PREFERENCE] I prefer to set a static IP in my DHCP server in my router, however, rather than
# inside my PC. So, optionally do that if you like.
# Update your initramfs filesystem image to be used at boot; this brings in the changes we made
# to the "/etc/dropbear-initramfs/config" config file just above.
sudo update-initramfs -u -v
# On the computer you'd like to ssh FROM:
# 1. Create rsa-based ssh keys for login (dropbear doesn't yet support the better ed25519 type)
ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/.ssh/id_rsa_dropbear
# 2. Ensure the ssh-agent is running
eval "$(ssh-agent -s)"
# 3. Add your ssh key to the `ssh-agent`
ssh-add ~/.ssh/id_ed25519
# One way or another, append the **public** ("~/.ssh/id_rsa_dropbear.pub") key just generated above
# on the ssh-FROM-computer to the "/etc/dropbear-initramfs/authorized_keys" file on the
# SSH-TO-computer.
# See the "FILES" section of `man dropbear` and read all about the "Authorized Keys" file options
# you can add just before your public key entry.
# =======> The form of each line entry is this: <=======
# [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
# So, make your entry look like this:
# no-port-forwarding,no-agent-forwarding,no-x11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp...
# The man pages say: "Restrictions are comma separated, with double quotes around spaces in
# arguments." Note that the `command="/bin/cryptroot-unlock"` part is optional. You can completely
# leave it out if you want--you'll just have to manually type the command each time you ssh into
# the dropbear server is all.
# When done configuring "/etc/dropbear-initramfs/config"
# and "/etc/dropbear-initramfs/authorized_keys" above, you can view the contents of all files
# like this, just to double-check them:
sudo grep --color=always '' /etc/dropbear-initramfs/*
# Now that you've added a public ssh key to your dropbear
# server's "/etc/dropbear-initramfs/authorized_keys" file: Update your initramfs filesystem image
# to be used at boot to bring in these changes.
sudo update-initramfs -u -v
# Reboot your server
sudo reboot
# Ping the server (the ssh TO computer) from your ssh FROM computer to see when it's alive:
ping 192.168.2.19
# ssh into your dropbear server from your FROM computer; be sure to use "root" as your username
# for this connection so you can unlock your LUKS encryption **as root**! Use the port you set
# previously on the server above.
ssh [email protected] -p 2222 -i ~/.ssh/id_rsa_dropbear
# If you have the `command="/bin/cryptroot-unlock"` part in
# the "/etc/dropbear-initramfs/authorized_keys" file on the server, that command will automatically
# be run and let you type in the password to decrypt your LUKS encryption.
# If you do NOT have that command as part of the authorized_keys file, type it manually now that
# you've sshed into dropbear:
cryptroot-unlock
# Type in your LUKS encryption password. The dropbear ssh connection will automatically close, and
# the system will boot. Give it a minute or so and then ssh in like normal!Useful aliases for your ~/.bash_aliases_private file:
alias gs_ssh='ssh -X -o "ServerAliveInterval 60" [email protected]'
alias gs_ssh_dropbear='ssh [email protected] -p 2222 -i ~/.ssh/id_rsa_dropbear'Now, after rebooting your server computer, the process to decrypt its LUKS hard drive and ssh in will simply be:
# Reboot server, then:
gs_ssh_dropbear
# Manually type LUKS decryption password now, and wait ~60 seconds, then:
gs_ssh
# Done! You're in!Keywords: ssh instructions; ssh readme; ssh public/private key setup; ssh public-private key setup; set up your public and private ssh keys