Enabling SSH Logins To The UDM

From Nearline Storage
Jump to navigation Jump to search

SSH In The Admin UI

The UDM has two different SSH configurations, one that allows login to the UDM itself and another that the UDM provisions onto the other UniFi network devices it adopts so that you can directly login to them.

The one that allows logins to the UDM itself only supports userid/password authentication out of the box. We want to add public key authentication to that so that we don't have to enter a password every time we log in. But first we must enable the SSH service through the admin UI:

  1. Click through "Settings" -> "Advanced" from the bottom of the main UI window
  2. Turn on "SSH" and set a password. SSH login for the "root" user is now possible using this password.

The other SSH configuration that the UDM uses to provision other UniFi devices on the network is set up, using the "New Settings" menus, under "Network" -> "Settings" -> "System Settings" -> "Controller Configuration" -> "Device SSH Authentication". A userid, password and SSL keys can be setup here. These will be provisioned to each UniFi networking device on the network that this controller adopts.

Setting A Persistent SSH Key For The root User

As one might expect, setting the login key requires that we add our SSH key to the /root/.ssh/authorized_keys file. The trouble is that this file gets wiped and restored every time the UDM reboots, causing it to lose any changes we make. We will use the on-boot-script utility from the udm-utilities package on GitHub to overcome this issue. It will restore our SSH key to the /root/.ssh/authorized_keys file each time the UDM reboots.

As root on the UDM do:

   # unifi-os shell
   # curl -L https://raw.githubusercontent.com/boostchicken/udm-utilities/master/on-boot-script/packages/udm-boot_1.0.2_all.deb -o udm-boot_1.0.2_all.deb
   # dpkg -i udm-boot_1.0.2_all.deb
   # exit

Copy the 15-add-root-ssh-key.sh file to /mnt/data/on-boot.d/ and put the public SSH key into it. Either run that script manually, or reboot the UDM to populate the /root/.ssh/authorized_keys file with the SSH key.

Logons from the client using the default SSH configuration may still prompt for a password. If they do, this may be due to a mismatch in the encryption algorithms that the SSH server and client are set up to use (ex. Fedora 33.) To fix this, add a stanza to the ~/.ssh/config file on the client, with udm-hostname set to the host name or IP address that is used with the ssh command:

   Host udm-hostname
       User root
       PubkeyAcceptedKeyTypes +ssh-rsa