Certificates: only tears

  • I have a new DIY NAS with OMV, works well. I have spent hours trying to generate and use a certificate instead of the SSH login for root (also tried with another user), so that I can log in and update OMV automatically by a Plink + shell script. No matter what I try-- having searched the Internet many times-- I get "Cannot use the certificate" or "Certificate refused" kinds of errors upon SSH login attempts. I tried certs imported into the OMV Web interface as well as ones that were just added there anew. The certs appear to be saved without errors in OMV. I am then specifying a local private key in Putty or a Plink command line-- and neither works.


    Guides on this are hard to find and vary widely in the instructions. Some of the guides and posts available online simply do not work. I tried a variety of keygen commands. From what I can tell, I can successfully generate the private & public key pairs, and the special Putty format, but I am still not succeeding.


    My goal is to be able to use a certificate from one of my computers, so that I am not prompted for the SSH login password, which I also do not want to save or use in a command line on that computer. I'd like to preserve the password login for other computers.


    I'm starting to think that this is not possible. Am I wrong? What is the way?;(

  • mikeyww

    Changed the title of the thread from “Certificates” to “Certificates: only tears”.
  • Thank you for the link. Through trial and error, I was able to make this work. Below, I have provided the guide.

    OpenMediaVault SSH setup for local Windows workstation to bypass login passwords

    - Windows working directory for key files: c:\Users\[username]\.ssh\

    Puttygen

    - Generate keys on the local Windows computer

    - Save public key as id_rsa.pub

    -- This SSH2 public key is not needed. It will lead to a harmless error message upon ssh login. To prevent this error message, move this file to a different directory, or rename it.

    - Save private key as id_rsa.ppk

    -- This can be used with Putty and WinSCP (see below).

    - Conversions -> Export OpenSSH key -> id_rsa

    -- Windows will use this RSA private key upon ssh login, instead of asking for the user's password.

    -- Put this private key into c:\Users\[username]\.ssh\

    - Copy and paste public key from Puttygen's edit field into a new file called authorized_keys

    OMV Web interface

    - Add user: ssh-user-access

    - Add to group: ssh

    - In /etc/passwd, find the path to this user's directory

    - Example: /srv/dev-disk-by-label-[filesystemlabel]/public/ssh-user-access

    - Create directory .ssh in that directory

    - Copy authorized_keys to this .ssh directory

    Access SSH from CMD or Powershell

    - ssh root@192.168.1....

    - ssh ssh-user-access@192.168.1....

    - Other users will require a password

    Access from Putty & WinSCP

    - Putty: in SSH -> Auth, provide the path to id_rsa.ppk

    - WinSCP: Edit -> Advanced -> SSH -> Authentication -> Private key file -> provide the path to id_rsa.ppk

    References

    [GUIDE] Enable SSH with Public Key Authentication (Securing remote webUI access to OMV)




    https://unix.stackexchange.com…ic-invalid-format-warning
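Added example, not part of the posts above: a shell check to run on the OMV host against the `.ssh/authorized_keys` file the guide creates. It flags a pasted PuTTYgen "Save public key" (SSH2) block in place of the one-line key from the edit field, and group- or world-writable paths that sshd's StrictModes rejects. The function name `check_ssh_keys` and the demo key material are constructed for illustration.

```shell
# Added example: audit the files sshd reads for key login.
# Usage: check_ssh_keys /path/to/home   (home directory of the login user)
# Prints findings; returns 0 if clean, 1 otherwise.
check_ssh_keys() {
    home=$1; file="$home/.ssh/authorized_keys"; rc=0; n=0; inblock=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }

    # sshd's StrictModes (on by default) refuses keys when the home
    # directory, .ssh or authorized_keys is group- or world-writable.
    for p in "$home" "$home/.ssh" "$file"; do
        mode=$(ls -ldL "$p" | cut -c1-10)
        case $mode in
            ?????w????|????????w?) echo "WRITABLE by group/other: $p ($mode)"; rc=1 ;;
        esac
    done

    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%"$cr"}          # tolerate CRLF from a file made on Windows
        if [ "$inblock" -eq 1 ]; then
            case $line in '---- END SSH2 PUBLIC KEY ----'*) inblock=0 ;; esac
            continue
        fi
        case $line in
            ''|'#'*) ;;             # blank line or comment
            '---- BEGIN SSH2 PUBLIC KEY ----'*)
                echo "line $n: PuTTYgen SSH2 block; paste the one-line key from the edit field instead"
                rc=1; inblock=1 ;;
            # Covers rsa, ed25519 and ecdsa keys; the base64 blob starts with
            # AAAA, and authorized_keys options may precede the key type.
            *ssh-rsa\ AAAA*|*ssh-ed25519\ AAAA*|*ecdsa-sha2-*\ AAAA*) ;;
            *) echo "line $n: not a complete one-line OpenSSH public key"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed demo: a PuTTYgen "Save public key" file used as authorized_keys.
demo=$(mktemp -d) && mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'Comment: "rsa-key-constructed"' \
    'AAAAB3NzaC1yc2E' '---- END SSH2 PUBLIC KEY ----' > "$demo/.ssh/authorized_keys"
check_ssh_keys "$demo" || echo "=> fix the findings above, then retry the ssh login"
rm -rf "$demo"
```

On the NAS, pass the home directory found in /etc/passwd for the login user, for example the `ssh-user-access` directory from the guide.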
