8.8 KiB
SSH Key-Based Access — Runbook (SSOT)
Last updated: 2026-07-10
Owner:server-audit/
Quick ref: host.md | Inventori: server.md
Dokumen ini adalah Single Source of Truth untuk setup SSH passwordless dari laptop Windows (OpenSSH) ke infrastruktur GeoNet.
Prasyarat
| Item | Nilai |
|---|---|
| Shell | PowerShell (bukan CMD) |
| Client | Windows OpenSSH (ssh, scp) |
| Network | Terhubung ke LAN 10.100.1.x |
| Key storage | %USERPROFILE%\.ssh\ (tidak di-commit ke git) |
Key inventory (laptop)
| Key file | Algoritma | Dipakai untuk | Alias config |
|---|---|---|---|
id_rsa_geonet_laptop |
RSA 4096 | .24, .25, .26 (Linux root) |
reverse-proxy, main-db, ollama |
id_ed25519_mailcow |
ed25519 | .28 Mailcow |
mailcow |
id_rsa_mikrotik |
RSA | MikroTik .1 port 255 |
— |
id_ed25519_geonet_proxmox |
ed25519 | Windows Server .14, .51, .52 |
multimedia, dev51-base |
id_ed25519 |
ed25519 | QNAP .10 |
— |
Dibuat sesi 2026-07-10: id_rsa_geonet_laptop, id_ed25519_mailcow, ~/.ssh/config
~/.ssh/config (template)
Salin ke %USERPROFILE%\.ssh\config di laptop:
Host reverse-proxy
HostName 10.100.1.24
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host main-db
HostName 10.100.1.25
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host ollama
HostName 10.100.1.26
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host mailcow
HostName 10.100.1.28
User root
Port 22
IdentityFile ~/.ssh/id_ed25519_mailcow
IdentitiesOnly yes
Template file: scripts/ssh-config.example
Aturan MAC hmac-sha1
Server RHEL/CentOS (reverse-proxy .24, main-db .25) membutuhkan:
-m hmac-sha1
# setara: -o MACs=hmac-sha1
Server Ubuntu (Ollama .26, Mailcow .28) biasanya tanpa flag -m.
SCP ke server lama: gunakan -o MACs=hmac-sha1 (bukan -m).
Setup per host
1. Reverse proxy — 10.100.1.24 ✅
| Item | Nilai |
|---|---|
| OS | RHEL/CentOS (proxy) |
| Key | id_rsa_geonet_laptop |
| Alias | ssh reverse-proxy |
| Status | Key-only verified 2026-07-10 |
Script (sekali):
.\server-audit\scripts\setup-ssh-reverse-proxy.ps1
Manual one-liner:
type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.24 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Verifikasi:
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -m hmac-sha1 root@10.100.1.24 -p 22 "echo KEY_AUTH_OK"
# atau: ssh reverse-proxy "echo KEY_AUTH_OK"
Debug auth (RHEL):
ssh -m hmac-sha1 root@10.100.1.24 -p 22 "grep sshd /var/log/secure | tail -20"
2. Main Database — 10.100.1.25 ✅
| Item | Nilai |
|---|---|
| OS | RHEL/CentOS |
| Key | id_rsa_geonet_laptop (sama dengan .24) |
| Alias | ssh main-db |
| Status | Key-only verified 2026-07-10 |
Script:
.\server-audit\scripts\setup-ssh-main-db.ps1
Manual:
type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.25 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
3. Mailcow — 10.100.1.28 ✅
| Item | Nilai |
|---|---|
| OS | Ubuntu (mailserver) |
| Key | id_ed25519_mailcow (dedicated) |
| Alias | ssh mailcow |
| Status | Key-only verified 2026-07-10 |
Script:
.\server-audit\scripts\setup-ssh-mailcow.ps1
Manual (tanpa -m):
type $env:USERPROFILE\.ssh\id_ed25519_mailcow.pub | ssh root@10.100.1.28 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Debug auth (Ubuntu):
ssh root@10.100.1.28 -p 22 "grep sshd /var/log/auth.log | tail -20"
4. Ollama — 10.100.1.26 ✅
Key: id_rsa_geonet_laptop | User: geonet (bukan root) | Alias: ssh ollama
Status: Key-only verified 2026-07-10
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 geonet@10.100.1.26 -p 22 "echo KEY_AUTH_OK"
# atau: ssh ollama "echo KEY_AUTH_OK"
root@10.100.1.26belum di-setup key — gunakangeonetuntuk operasional.
5. MikroTik — 10.100.1.1 port 255
Key: id_rsa_mikrotik (RSA wajib — RouterOS 7.5)
ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha1 -p 255 admin@10.100.1.1
Setup: server-connection/scripts/setup-ssh-mikrotik.ps1
6. AD-LDAP — 10.100.1.40 (Windows Server 2012 R2) ✅
| Item | Nilai |
|---|---|
| OS | Windows Server 2012 R2 (ad-server) |
| User | Administrator |
| Key (laptop ini) | id_rsa_geonet_laptop |
| Alias | ssh ad-ldap |
| Authorized keys file | C:\ProgramData\ssh\administrators_authorized_keys |
| Status | Key-only verified 2026-07-10 |
Penting Win2012 R2 / OpenSSH Windows:
- Akun Administrator tidak memakai
C:\Users\...\.ssh\authorized_keys - Wajib file:
C:\ProgramData\ssh\administrators_authorized_keys - ACL: hanya
SYSTEM+Administrators(inheritance off) sshd_configharus punya:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
- MAC:
-m hmac-sha1/MACs hmac-sha1 - Host key pertama kali:
StrictHostKeyChecking=accept-new(script sudah set)
Script (PowerShell):
.\server-audit\scripts\setup-ssh-ad-ldap.ps1
Verifikasi:
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 Administrator@10.100.1.40 -p 22 "echo KEY_AUTH_OK"
# atau: ssh ad-ldap "echo KEY_AUTH_OK"
Laptop lain / ArcGIS / MULTIMEDIA masih boleh pakai
id_ed25519_geonet_proxmox— key berbeda, boleh keduanya diadministrators_authorized_keys.
7. Windows lain (Webserver, ArcGIS, MULTIMEDIA)
Key legacy: id_ed25519_geonet_proxmox → administrators_authorized_keys
MULTIMEDIA .14: scripts/setup-ssh-key-multimedia.ps1
ArcGIS .51/.52: lihat host.md
Windows private key ACL
Setelah generate key, perketat ACL (hindari error "permissions too open"):
icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /inheritance:r
icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /grant:r "${env:USERNAME}:(R)"
Troubleshooting
| Gejala | Penyebab | Solusi |
|---|---|---|
| Masih minta password | Pubkey belum di authorized_keys |
Jalankan setup script / one-liner upload |
grep: auth.log: No such file |
Server RHEL, bukan Debian | Pakai /var/log/secure |
no matching MAC |
Server SSH lama | Tambah -m hmac-sha1 |
Permissions too open |
ACL Windows key | Jalankan icacls di atas |
$env:USERPROFILE kosong / key not found |
Pakai CMD bukan PowerShell | Buka PowerShell; di CMD pakai %USERPROFILE% |
Host key verification failed |
Host belum di known_hosts |
Script pakai accept-new; atau ssh-keygen -R 10.100.1.40 lalu connect ulang |
| Pubkey gagal di Administrator Windows | Key di ~\.ssh\authorized_keys |
Pindah ke C:\ProgramData\ssh\administrators_authorized_keys + ACL |
KEY_INSTALLED_OK tapi Permission denied (publickey) |
File UTF-16 (Add-Content WinPS) | Tulis ulang UTF-8 no BOM; jalankan ulang setup-ssh-ad-ldap.ps1 |
Riwayat sesi 2026-07-10
- Laptop baru: tidak ada
~/.ssh/configdan private key - Generate
id_rsa_geonet_laptop(RSA 4096, commentgeonet-laptop) - Buat
~/.ssh/configdengan aliasreverse-proxy,main-db,ollama,mailcow - Upload pub key ke
.24→KEY_INSTALLED_OK→KEY_AUTH_OK✅ - Generate
id_ed25519_mailcowuntuk Mailcow.28 - Buat script setup:
setup-ssh-reverse-proxy.ps1,setup-ssh-main-db.ps1,setup-ssh-mailcow.ps1 - Temuan:
.24hostnameproxy, OS RHEL — log di/var/log/secure
Duplikat script (backward compat):
| SSOT (server-audit) | Legacy |
|---|---|
server-audit/scripts/setup-ssh-reverse-proxy.ps1 |
server-connection/scripts/setup-ssh-reverse-proxy.ps1 |
server-audit/scripts/setup-ssh-main-db.ps1 |
server-connection/scripts/setup-ssh-main-db.ps1 |
server-audit/scripts/setup-ssh-mailcow.ps1 |
Mailcow/scripts/setup-ssh-key-simple.ps1 |