Configuring Authentication
Using an SSH key
To configure an SSH key for a local user, you can use a Fedora CoreOS Config:
variant: fcos
version: 1.1.0
passwd:
users:
- name: core
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...SSH key locations
sshd uses a helper program to read
public keys from files in a user’s ~/.ssh/authorized_keys.d directory. Key
files are read in alphabetical order, ignoring dotfiles. The standard
~/.ssh/authorized_keys file is read afterward, in the usual way. To debug
the reading of ~/.ssh/authorized_keys.d, manually run the helper program
and inspect its output:
/usr/libexec/ssh-key-dirIgnition writes configured SSH keys to
~/.ssh/authorized_keys.d/ignition. On platforms where SSH keys can be
configured at the platform level, such as AWS, Afterburn writes those keys
to ~/.ssh/authorized_keys.d/afterburn.
Using password authentication
Fedora CoreOS ships with no default passwords. You can use a Fedora CoreOS Config to set a password for a local user:
variant: fcos
version: 1.1.0
passwd:
users:
- name: core
password_hash: "$y$j9T$A0Y3wwVOKP69S.1K/zYGN.$S596l11UGH3XjN..."To generate a secure password hash, use the mkpasswd command:
$ mkpasswd --method=yescrypt
Password:
$y$j9T$A0Y3wwVOKP69S.1K/zYGN.$S596l11UGH3XjN...The yescrypt hashing method is recommended for new passwords. For more
details on hashing methods, see man 5 crypt.
The configured password will be accepted for local authentication at the console. By default, Fedora CoreOS does not allow password authentication via SSH.
Enabling SSH password authentication
To enable password authentication via SSH, use the following Fedora CoreOS Config:
variant: fcos
version: 1.1.0
storage:
files:
- path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
mode: 0644
contents:
inline: |
# Fedora CoreOS disables SSH password login by default.
# Enable it.
# This file must sort before 40-disable-passwords.conf.
PasswordAuthentication yes