Howto enable SSH public key authentication on Ubiquiti AirOS v5.5.8 (e.g. Airgrid, NanoStation2)
About SSH Keys
SSH keys provide a more secure way of logging into a Ubiquiti AirOS device with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long string of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.
Step One—Create the RSA Key Pair
The first step is to create the key pair on the Aircontrol Server machine (OR it be your computer):
ssh-keygen -t rsa
Step Two—Store the Keys and Passphrase
Once you have entered the Gen Key command, you will get a few more questions:
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
You can press enter here, saving the file to the user home (in this case, my example user is called demo).
Enter passphrase (empty for no passphrase):
It's up to you whether you want to use a passphrase. Entering a passphrase does have its benefits: the security of a key, no matter how encrypted, still depends on the fact that it is not visible to anyone else. Should a passphrase-protected private key fall into an unauthorized users possession, they will be unable to log in to its associated accounts until they figure out the passphrase, buying the hacked user some extra time. The only downside, of course, to having a passphrase, is then having to type it in each time you use the Key Pair.
The entire key generation process looks like this:
ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/home/demo/.ssh/id_rsa):Enter passphrase (empty for no passphrase):Your identification has been saved in /home/demo/.ssh/id_rsa.Enter same passphrase again:The key fingerprint is:Your public key has been saved in /home/demo/.ssh/id_rsa.pub.+--[ RSA 2048]----+4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a The key's randomart image is: | .oo. || . o + o . || . o.E | | + . o | | . = = . | | = S = . | | o + = + | | . o |+-----------------+| |
The public key is now located in /home/demo/.ssh/id_rsa.pub The private key (identification) is now located in /home/demo/.ssh/id_rsa
Step Three—Copy the Public Key
Once the key pair is generated, it's time to place the public key on the Ubiquity AirOS device that we want to use.
You can copy the public key into the Ubiquity AirOS device's authorized_keys file with below steps command. Make sure to replace the example username and IP address below.
[demo@localhost ~]$ echo -e "cd /etc/persistent/\nmkdir ssh\nchmod 700 ssh\nln -s ssh/ .ssh\nexit" | ssh ubnt@10.10.10.10 Pseudo-terminal will not be allocated because stdin is not a terminal. ubnt@10.10.10.10's password: [demo@localhost ~]$ cat ~/.ssh/id_rsa.pub | ssh ubnt@10.10.10.10 'cat >> /etc/persistent/.ssh/authorized_keys' ubnt@10.10.10.10's password: [demo@localhost ~]$ echo -e "save" | ssh ubnt@10.10.10.10 Pseudo-terminal will not be allocated because stdin is not a terminal. Found Active on[1] ... Found Backup1 on[2] ... Storing Active[2] ... [%100] Active->Backup[1] ... [%100] [demo@localhost ~]$
Once you have copied your SSH keys unto your server and ensured that you can log in with the SSH keys alone, with command below
ssh ubnt@10.10.10.10
You might also like:
Intertronix Security Stickers Tamper Evident and Security Labels Solutions: Custom Holograms, Authentication Stickers and Warranty Seals.
Intertronix Security Stickers Tamper Evident and Security Labels Solutions: Custom Holograms, Authentication Stickers and Warranty Seals.
Comments