# SSH Key-Based Access — Runbook (SSOT) > **Last updated:** 2026-07-10 > **Owner:** `server-audit/` > Quick ref: [host.md](../../host.md) | Inventori: [server.md](../server.md) Dokumen ini adalah **Single Source of Truth** untuk setup SSH passwordless dari laptop Windows (OpenSSH) ke infrastruktur GeoNet. --- ## Prasyarat | Item | Nilai | |------|-------| | Shell | **PowerShell** (bukan CMD) | | Client | Windows OpenSSH (`ssh`, `scp`) | | Network | Terhubung ke LAN `10.100.1.x` | | Key storage | `%USERPROFILE%\.ssh\` (tidak di-commit ke git) | --- ## Key inventory (laptop) | Key file | Algoritma | Dipakai untuk | Alias config | |----------|-----------|---------------|--------------| | `id_rsa_geonet_laptop` | RSA 4096 | `.24`, `.25`, `.26` (Linux root) | `reverse-proxy`, `main-db`, `ollama` | | `id_ed25519_mailcow` | ed25519 | `.28` Mailcow | `mailcow` | | `id_rsa_mikrotik` | RSA | MikroTik `.1` port 255 | — | | `id_ed25519_geonet_proxmox` | ed25519 | Windows Server `.14`, `.51`, `.52` | `multimedia`, `dev51-base` | | `id_ed25519` | ed25519 | QNAP `.10` | — | **Dibuat sesi 2026-07-10:** `id_rsa_geonet_laptop`, `id_ed25519_mailcow`, `~/.ssh/config` --- ## `~/.ssh/config` (template) Salin ke `%USERPROFILE%\.ssh\config` di laptop: ``` Host reverse-proxy HostName 10.100.1.24 User root Port 22 IdentityFile ~/.ssh/id_rsa_geonet_laptop IdentitiesOnly yes MACs hmac-sha1 Host main-db HostName 10.100.1.25 User root Port 22 IdentityFile ~/.ssh/id_rsa_geonet_laptop IdentitiesOnly yes MACs hmac-sha1 Host ollama HostName 10.100.1.26 User root Port 22 IdentityFile ~/.ssh/id_rsa_geonet_laptop IdentitiesOnly yes MACs hmac-sha1 Host mailcow HostName 10.100.1.28 User root Port 22 IdentityFile ~/.ssh/id_ed25519_mailcow IdentitiesOnly yes ``` Template file: [scripts/ssh-config.example](../../scripts/ssh-config.example) --- ## Aturan MAC `hmac-sha1` Server **RHEL/CentOS** (reverse-proxy `.24`, main-db `.25`) membutuhkan: ```powershell -m hmac-sha1 # setara: -o MACs=hmac-sha1 ``` Server **Ubuntu** (Ollama `.26`, Mailcow `.28`) biasanya **tanpa** flag `-m`. **SCP** ke server lama: gunakan `-o MACs=hmac-sha1` (bukan `-m`). --- ## Setup per host ### 1. Reverse proxy — `10.100.1.24` ✅ | Item | Nilai | |------|-------| | OS | RHEL/CentOS (`proxy`) | | Key | `id_rsa_geonet_laptop` | | Alias | `ssh reverse-proxy` | | Status | **Key-only verified** 2026-07-10 | **Script (sekali):** ```powershell .\server-audit\scripts\setup-ssh-reverse-proxy.ps1 ``` **Manual one-liner:** ```powershell type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.24 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" ``` **Verifikasi:** ```powershell ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -m hmac-sha1 root@10.100.1.24 -p 22 "echo KEY_AUTH_OK" # atau: ssh reverse-proxy "echo KEY_AUTH_OK" ``` **Debug auth (RHEL):** ```powershell ssh -m hmac-sha1 root@10.100.1.24 -p 22 "grep sshd /var/log/secure | tail -20" ``` --- ### 2. Main Database — `10.100.1.25` ✅ | Item | Nilai | |------|-------| | OS | RHEL/CentOS | | Key | `id_rsa_geonet_laptop` (sama dengan `.24`) | | Alias | `ssh main-db` | | Status | **Key-only verified** 2026-07-10 | **Script:** ```powershell .\server-audit\scripts\setup-ssh-main-db.ps1 ``` **Manual:** ```powershell type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.25 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" ``` --- ### 3. Mailcow — `10.100.1.28` ✅ | Item | Nilai | |------|-------| | OS | Ubuntu (`mailserver`) | | Key | `id_ed25519_mailcow` (dedicated) | | Alias | `ssh mailcow` | | Status | **Key-only verified** 2026-07-10 | **Script:** ```powershell .\server-audit\scripts\setup-ssh-mailcow.ps1 ``` **Manual (tanpa `-m`):** ```powershell type $env:USERPROFILE\.ssh\id_ed25519_mailcow.pub | ssh root@10.100.1.28 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" ``` **Debug auth (Ubuntu):** ```powershell ssh root@10.100.1.28 -p 22 "grep sshd /var/log/auth.log | tail -20" ``` --- ### 4. Ollama — `10.100.1.26` ✅ Key: `id_rsa_geonet_laptop` | User: **`geonet`** (bukan root) | Alias: `ssh ollama` Status: **Key-only verified** 2026-07-10 ```powershell ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 geonet@10.100.1.26 -p 22 "echo KEY_AUTH_OK" # atau: ssh ollama "echo KEY_AUTH_OK" ``` > `root@10.100.1.26` belum di-setup key — gunakan `geonet` untuk operasional. --- ### 5. MikroTik — `10.100.1.1` port 255 Key: `id_rsa_mikrotik` (RSA wajib — RouterOS 7.5) ```powershell ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha1 -p 255 admin@10.100.1.1 ``` Setup: `server-connection/scripts/setup-ssh-mikrotik.ps1` --- ### 6. AD-LDAP — `10.100.1.40` (Windows Server 2012 R2) ✅ | Item | Nilai | |------|-------| | OS | Windows Server 2012 R2 (`ad-server`) | | User | `Administrator` | | Key (laptop ini) | `id_rsa_geonet_laptop` | | Alias | `ssh ad-ldap` | | Authorized keys file | `C:\ProgramData\ssh\administrators_authorized_keys` | | Status | **Key-only verified** 2026-07-10 | **Penting Win2012 R2 / OpenSSH Windows:** - Akun Administrator **tidak** memakai `C:\Users\...\.ssh\authorized_keys` - Wajib file: `C:\ProgramData\ssh\administrators_authorized_keys` - ACL: hanya `SYSTEM` + `Administrators` (inheritance off) - `sshd_config` harus punya: ``` Match Group administrators AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys ``` - MAC: `-m hmac-sha1` / `MACs hmac-sha1` - Host key pertama kali: `StrictHostKeyChecking=accept-new` (script sudah set) **Script (PowerShell):** ```powershell .\server-audit\scripts\setup-ssh-ad-ldap.ps1 ``` **Verifikasi:** ```powershell ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 Administrator@10.100.1.40 -p 22 "echo KEY_AUTH_OK" # atau: ssh ad-ldap "echo KEY_AUTH_OK" ``` > Laptop lain / ArcGIS / MULTIMEDIA masih boleh pakai `id_ed25519_geonet_proxmox` — key berbeda, boleh keduanya di `administrators_authorized_keys`. ### 7. Windows lain (Webserver, ArcGIS, MULTIMEDIA) Key legacy: `id_ed25519_geonet_proxmox` → `administrators_authorized_keys` MULTIMEDIA `.14`: `scripts/setup-ssh-key-multimedia.ps1` ArcGIS `.51`/`.52`: lihat [host.md](../../host.md) --- ## Windows private key ACL Setelah generate key, perketat ACL (hindari error "permissions too open"): ```powershell icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /inheritance:r icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /grant:r "${env:USERNAME}:(R)" ``` --- ## Troubleshooting | Gejala | Penyebab | Solusi | |--------|----------|--------| | Masih minta password | Pubkey belum di `authorized_keys` | Jalankan setup script / one-liner upload | | `grep: auth.log: No such file` | Server RHEL, bukan Debian | Pakai `/var/log/secure` | | `no matching MAC` | Server SSH lama | Tambah `-m hmac-sha1` | | `Permissions too open` | ACL Windows key | Jalankan `icacls` di atas | | `$env:USERPROFILE` kosong / key not found | Pakai **CMD** bukan PowerShell | Buka PowerShell; di CMD pakai `%USERPROFILE%` | | `Host key verification failed` | Host belum di `known_hosts` | Script pakai `accept-new`; atau `ssh-keygen -R 10.100.1.40` lalu connect ulang | | Pubkey gagal di Administrator Windows | Key di `~\.ssh\authorized_keys` | Pindah ke `C:\ProgramData\ssh\administrators_authorized_keys` + ACL | | `KEY_INSTALLED_OK` tapi `Permission denied (publickey)` | File UTF-16 (Add-Content WinPS) | Tulis ulang UTF-8 no BOM; jalankan ulang `setup-ssh-ad-ldap.ps1` | --- ## Riwayat sesi 2026-07-10 1. Laptop baru: tidak ada `~/.ssh/config` dan private key 2. Generate `id_rsa_geonet_laptop` (RSA 4096, comment `geonet-laptop`) 3. Buat `~/.ssh/config` dengan alias `reverse-proxy`, `main-db`, `ollama`, `mailcow` 4. Upload pub key ke `.24` → `KEY_INSTALLED_OK` → `KEY_AUTH_OK` ✅ 5. Generate `id_ed25519_mailcow` untuk Mailcow `.28` 6. Buat script setup: `setup-ssh-reverse-proxy.ps1`, `setup-ssh-main-db.ps1`, `setup-ssh-mailcow.ps1` 7. Temuan: `.24` hostname `proxy`, OS RHEL — log di `/var/log/secure` **Duplikat script (backward compat):** | SSOT (server-audit) | Legacy | |---------------------|--------| | `server-audit/scripts/setup-ssh-reverse-proxy.ps1` | `server-connection/scripts/setup-ssh-reverse-proxy.ps1` | | `server-audit/scripts/setup-ssh-main-db.ps1` | `server-connection/scripts/setup-ssh-main-db.ps1` | | `server-audit/scripts/setup-ssh-mailcow.ps1` | `Mailcow/scripts/setup-ssh-key-simple.ps1` |