GeoNetAgent, LDAPWeb, server-audit, server-connection
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

8.8 KiB

SSH Key-Based Access — Runbook (SSOT)

Last updated: 2026-07-10
Owner: server-audit/
Quick ref: host.md | Inventori: server.md

Dokumen ini adalah Single Source of Truth untuk setup SSH passwordless dari laptop Windows (OpenSSH) ke infrastruktur GeoNet.


Prasyarat

Item Nilai
Shell PowerShell (bukan CMD)
Client Windows OpenSSH (ssh, scp)
Network Terhubung ke LAN 10.100.1.x
Key storage %USERPROFILE%\.ssh\ (tidak di-commit ke git)

Key inventory (laptop)

Key file Algoritma Dipakai untuk Alias config
id_rsa_geonet_laptop RSA 4096 .24, .25, .26 (Linux root) reverse-proxy, main-db, ollama
id_ed25519_mailcow ed25519 .28 Mailcow mailcow
id_rsa_mikrotik RSA MikroTik .1 port 255
id_ed25519_geonet_proxmox ed25519 Windows Server .14, .51, .52 multimedia, dev51-base
id_ed25519 ed25519 QNAP .10

Dibuat sesi 2026-07-10: id_rsa_geonet_laptop, id_ed25519_mailcow, ~/.ssh/config


~/.ssh/config (template)

Salin ke %USERPROFILE%\.ssh\config di laptop:

Host reverse-proxy
    HostName 10.100.1.24
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa_geonet_laptop
    IdentitiesOnly yes
    MACs hmac-sha1

Host main-db
    HostName 10.100.1.25
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa_geonet_laptop
    IdentitiesOnly yes
    MACs hmac-sha1

Host ollama
    HostName 10.100.1.26
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa_geonet_laptop
    IdentitiesOnly yes
    MACs hmac-sha1

Host mailcow
    HostName 10.100.1.28
    User root
    Port 22
    IdentityFile ~/.ssh/id_ed25519_mailcow
    IdentitiesOnly yes

Template file: scripts/ssh-config.example


Aturan MAC hmac-sha1

Server RHEL/CentOS (reverse-proxy .24, main-db .25) membutuhkan:

-m hmac-sha1
# setara: -o MACs=hmac-sha1

Server Ubuntu (Ollama .26, Mailcow .28) biasanya tanpa flag -m.

SCP ke server lama: gunakan -o MACs=hmac-sha1 (bukan -m).


Setup per host

1. Reverse proxy — 10.100.1.24

Item Nilai
OS RHEL/CentOS (proxy)
Key id_rsa_geonet_laptop
Alias ssh reverse-proxy
Status Key-only verified 2026-07-10

Script (sekali):

.\server-audit\scripts\setup-ssh-reverse-proxy.ps1

Manual one-liner:

type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.24 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"

Verifikasi:

ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -m hmac-sha1 root@10.100.1.24 -p 22 "echo KEY_AUTH_OK"
# atau: ssh reverse-proxy "echo KEY_AUTH_OK"

Debug auth (RHEL):

ssh -m hmac-sha1 root@10.100.1.24 -p 22 "grep sshd /var/log/secure | tail -20"

2. Main Database — 10.100.1.25

Item Nilai
OS RHEL/CentOS
Key id_rsa_geonet_laptop (sama dengan .24)
Alias ssh main-db
Status Key-only verified 2026-07-10

Script:

.\server-audit\scripts\setup-ssh-main-db.ps1

Manual:

type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.25 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"

3. Mailcow — 10.100.1.28

Item Nilai
OS Ubuntu (mailserver)
Key id_ed25519_mailcow (dedicated)
Alias ssh mailcow
Status Key-only verified 2026-07-10

Script:

.\server-audit\scripts\setup-ssh-mailcow.ps1

Manual (tanpa -m):

type $env:USERPROFILE\.ssh\id_ed25519_mailcow.pub | ssh root@10.100.1.28 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"

Debug auth (Ubuntu):

ssh root@10.100.1.28 -p 22 "grep sshd /var/log/auth.log | tail -20"

4. Ollama — 10.100.1.26

Key: id_rsa_geonet_laptop | User: geonet (bukan root) | Alias: ssh ollama
Status: Key-only verified 2026-07-10

ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 geonet@10.100.1.26 -p 22 "echo KEY_AUTH_OK"
# atau: ssh ollama "echo KEY_AUTH_OK"

root@10.100.1.26 belum di-setup key — gunakan geonet untuk operasional.


5. MikroTik — 10.100.1.1 port 255

Key: id_rsa_mikrotik (RSA wajib — RouterOS 7.5)

ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha1 -p 255 admin@10.100.1.1

Setup: server-connection/scripts/setup-ssh-mikrotik.ps1


6. AD-LDAP — 10.100.1.40 (Windows Server 2012 R2)

Item Nilai
OS Windows Server 2012 R2 (ad-server)
User Administrator
Key (laptop ini) id_rsa_geonet_laptop
Alias ssh ad-ldap
Authorized keys file C:\ProgramData\ssh\administrators_authorized_keys
Status Key-only verified 2026-07-10

Penting Win2012 R2 / OpenSSH Windows:

  • Akun Administrator tidak memakai C:\Users\...\.ssh\authorized_keys
  • Wajib file: C:\ProgramData\ssh\administrators_authorized_keys
  • ACL: hanya SYSTEM + Administrators (inheritance off)
  • sshd_config harus punya:
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  • MAC: -m hmac-sha1 / MACs hmac-sha1
  • Host key pertama kali: StrictHostKeyChecking=accept-new (script sudah set)

Script (PowerShell):

.\server-audit\scripts\setup-ssh-ad-ldap.ps1

Verifikasi:

ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 Administrator@10.100.1.40 -p 22 "echo KEY_AUTH_OK"
# atau: ssh ad-ldap "echo KEY_AUTH_OK"

Laptop lain / ArcGIS / MULTIMEDIA masih boleh pakai id_ed25519_geonet_proxmox — key berbeda, boleh keduanya di administrators_authorized_keys.

7. Windows lain (Webserver, ArcGIS, MULTIMEDIA)

Key legacy: id_ed25519_geonet_proxmoxadministrators_authorized_keys
MULTIMEDIA .14: scripts/setup-ssh-key-multimedia.ps1
ArcGIS .51/.52: lihat host.md


Windows private key ACL

Setelah generate key, perketat ACL (hindari error "permissions too open"):

icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /inheritance:r
icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /grant:r "${env:USERNAME}:(R)"

Troubleshooting

Gejala Penyebab Solusi
Masih minta password Pubkey belum di authorized_keys Jalankan setup script / one-liner upload
grep: auth.log: No such file Server RHEL, bukan Debian Pakai /var/log/secure
no matching MAC Server SSH lama Tambah -m hmac-sha1
Permissions too open ACL Windows key Jalankan icacls di atas
$env:USERPROFILE kosong / key not found Pakai CMD bukan PowerShell Buka PowerShell; di CMD pakai %USERPROFILE%
Host key verification failed Host belum di known_hosts Script pakai accept-new; atau ssh-keygen -R 10.100.1.40 lalu connect ulang
Pubkey gagal di Administrator Windows Key di ~\.ssh\authorized_keys Pindah ke C:\ProgramData\ssh\administrators_authorized_keys + ACL
KEY_INSTALLED_OK tapi Permission denied (publickey) File UTF-16 (Add-Content WinPS) Tulis ulang UTF-8 no BOM; jalankan ulang setup-ssh-ad-ldap.ps1

Riwayat sesi 2026-07-10

  1. Laptop baru: tidak ada ~/.ssh/config dan private key
  2. Generate id_rsa_geonet_laptop (RSA 4096, comment geonet-laptop)
  3. Buat ~/.ssh/config dengan alias reverse-proxy, main-db, ollama, mailcow
  4. Upload pub key ke .24KEY_INSTALLED_OKKEY_AUTH_OK
  5. Generate id_ed25519_mailcow untuk Mailcow .28
  6. Buat script setup: setup-ssh-reverse-proxy.ps1, setup-ssh-main-db.ps1, setup-ssh-mailcow.ps1
  7. Temuan: .24 hostname proxy, OS RHEL — log di /var/log/secure

Duplikat script (backward compat):

SSOT (server-audit) Legacy
server-audit/scripts/setup-ssh-reverse-proxy.ps1 server-connection/scripts/setup-ssh-reverse-proxy.ps1
server-audit/scripts/setup-ssh-main-db.ps1 server-connection/scripts/setup-ssh-main-db.ps1
server-audit/scripts/setup-ssh-mailcow.ps1 Mailcow/scripts/setup-ssh-key-simple.ps1