SSH to Home Server

Device: Umbrel Home (2024)
Model number: U130121
Serial number: U240500333

I usually use private/public RSA keys to SSH between my computers. Home server always asks for a password, which is OK but does not allow me to run automated crond rsync scripts.
My questions are: if I change the sshd_config file (displayed below) to log in ONLY with an RSA key,
a) will the graphical terminal work?
b) I think I need a .ssh folder with keys etc. in /home/umbrel. Correct?
c) Setting up the RSA-only login, one could lock himself out forever. Only rebooting with a console would give you a way to unlock. I do not see a way to do it with Home Server. I hope there is one.

Clip of sshd_config file:

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
Hostkey /etc/ssh/KenPaoloServers_id_rsa
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

HostKeyAlgorithms +ssh-rsa,ssh-dss

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

Hey @Samara ,

From my understanding, the graphical terminal accessible from http://umbrel.local/ should still work even if you require SSH keys and disable password login.

This is because rather than going through SSH, the Umbrel daemon spawns a pty pseudo-terminal and forwards it using a WebSocket connection. This is true for both app and umbrelOS terminal sessions.

Secondly, you are correct that you need a .ssh folder with the public keys configured for the device(s) you are going to be SSH-ing in from.

In the event you lose the ability to access the umbrelOS terminal through SSH, you should be able to change the configuration through the web terminal or, as you correctly mentioned - you can plug in a keyboard and display to the Umbrel Home and use the traditional username-password login method to access your Umbrel and regain full access again.

Note you do not need to reboot to do this; the console should always be available. If you can’t see the prompt after plugging in the display & keyboard, just press enter a few times and it should appear.
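
A pre-flight check for the lockout concern raised in this thread, as an added example that is not part of the original posts and is not Umbrel's code: it verifies on the server that key login can actually succeed before password login is switched off. The function names and messages are made up for the example, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example, not Umbrel's code. /home/umbrel/.ssh is the path from the
# question; function names and messages are made up for this example.
# Assumes GNU stat (stat -c), as found on Debian-based systems.

# path_ok PATH UID: owned by UID or root, and not group/world-writable.
# These are the conditions "StrictModes yes" (the default in the clip)
# enforces; if they fail, sshd ignores authorized_keys.
path_ok() {
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner): $1"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/world-writable (mode $mode): $1"; return 1
    fi
}

# check_key_login SSH_DIR UID: returns 0 only if a key login can work.
check_key_login() {
    dir=$1 uid=$2 file=$1/authorized_keys
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$file" ] || { echo "missing file: $file"; return 1; }
    # At least one line that is neither blank nor a comment.
    grep -Evq '^[[:space:]]*(#|$)' "$file" || { echo "no keys in $file"; return 1; }
    # sshd checks the home directory, .ssh and the key file itself.
    for p in "$(dirname "$dir")" "$dir" "$file"; do
        path_ok "$p" "$uid" || return 1
    done
    echo "ok: key login should work from $file"
}

# Usage on the server: check_key_login /home/umbrel/.ssh "$(id -u umbrel)"
```

Only once this passes and a key login has been confirmed from a second session, put `PasswordAuthentication no` in a file under `/etc/ssh/sshd_config.d/` (read by the `Include` line in the clip) and validate it with `sshd -t` before reloading sshd.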