2023/07/29 00:11:29 Failed to create file system for "raspi:": couldn't connect to ssh-agent: Error connecting to SSH_AUTH_SOCK: dial unix /run/user/1000/keyring/ssh: connect: no such file or directory
Like this: ssh-keygen -P "" -a 100 -t rsa -b 4096 -m pem -f id_rclone -C "ejan@rclonemount" I did not set a passphrase. Since this created just a private and a public key, I followed some instructions on how to convert your public key to a PEM-encoded key (not sure if this is the right way) with: ssh-keygen -f id_rclone.pub -m 'PEM' -e > id_rclone.pub.pem
If you have a certificate you may use it to sign your public key, creating a separate SSH user certificate that should be used instead of the plain public key extracted from the private key. Then you must provide the path to the user certificate public key file in pubkey_file.
Note: This is not the traditional public key paired with your private key, typically saved as /home/$USER/.ssh/id_rsa.pub. Setting this path in pubkey_file will not work.
Based on your description of how you generate it, I think in your case you should just remove pubkey_file
rclone mount raspi-test: /home/ejan/Openbaar/Homeserver
should work with:
type = sftp
host = 192.168.2.242
user = ???
key_file = /etc/ssh/id_rclone
It will also work in systemd during startup. If you want to use ssh-agent you have to make sure that it is running beforehand.
I suspect that when you do not use the agent, rclone tries to decrypt key_file using key_file_pass (I have no idea why you use that in your config; remove it too). Your private key is not encrypted, so it fails.
Thank you very much, that indeed works fine. I guess the confusing part for me is whether or not to use an encrypted ssh key, and being restricted to using a PEM-encoded public keyfile. So correct me if I'm wrong: you should only use a pub_keyfile if you set a passphrase when you generate an ssh key? You then should create a PEM-encoded public keyfile?
Ok. I think I understand it now. pub_keyfile has nothing to do with encryption and passphrases...
You use an encrypted private key (there is no need to encrypt the public one) and the --sftp-key-file-pass flag pointing to a password file when your goal is to protect your key from unauthorized use. It is up to you how you solve the password protection part. Usually this is what ssh-agents do. But with --sftp-key-file-pass you can have your own solution.
Now all your ssh infrastructure can be designed to only trust signed keys. If you have a certificate you can use it to sign keys to be trusted (the assumption is that all machines know and trust this certificate). In such a case you can use pub_keyfile pointing to the signed public key (not encrypted) to explicitly advertise its trustworthiness. And thanks to the signing it can be verified by others.
You can use both, one or none of the above. Using all of them requires some reading of the OpenSSH standards, as things quickly become a bit complex.
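To make the three situations above concrete (plain unencrypted key, encrypted key with a passphrase, CA-signed user certificate) here is an added example that is not part of this thread or of rclone itself: a small linter that reads an rclone.conf and flags the two misconfigurations diagnosed earlier (pubkey_file pointing at a plain .pub instead of a *-cert.pub, and key_file_pass set for a key that is not encrypted), plus the opposite case of an encrypted key with no passphrase and no agent. The option names key_file, key_file_pass, pubkey_file and key_use_agent are rclone's sftp backend options (key_use_agent is not mentioned in the thread, but is a real option). All key material and config text below is constructed for the demo; the legacy PEM and PKCS#8 checks only look at headers, while the openssh-key-v1 check decodes the blob and reads its cipher name.

```python
# Added example: lint an rclone sftp remote for the key-handling mistakes
# discussed in the thread. Not rclone code; file contents are passed in as
# strings so it runs offline on constructed samples.
import base64
import struct

def parse_rclone_conf(text):
    """Parse rclone.conf (INI-like) into {remote_name: {option: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def private_key_is_encrypted(key_text):
    """True if the private key needs a passphrase (so rclone needs key_file_pass or an agent)."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in key_text:   # PKCS#8, encrypted
        return True
    if "Proc-Type: 4,ENCRYPTED" in key_text:                  # legacy PEM (-m pem) with passphrase
        return True
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in key_text:     # openssh-key-v1 container
        body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])      # length-prefixed cipher name
        return blob[off + 4:off + 4 + n] != b"none"           # "none" means unencrypted
    return False

def is_user_certificate(pub_text):
    """True for an OpenSSH certificate line such as 'ssh-rsa-cert-v01@openssh.com AAAA...'."""
    tokens = pub_text.split()
    return bool(tokens) and tokens[0].endswith("-cert-v01@openssh.com")

def lint_sftp_remote(remote, files):
    """Return findings for one remote; `files` maps path -> file content."""
    findings = []
    if remote.get("type") != "sftp":
        return findings
    key_text = files.get(remote.get("key_file", ""), "")
    encrypted = private_key_is_encrypted(key_text) if key_text else None
    if "pubkey_file" in remote and not is_user_certificate(files.get(remote["pubkey_file"], "")):
        findings.append("pubkey_file: plain public key, not a signed user certificate; "
                        "remove it or point it at the *-cert.pub file")
    if "key_file_pass" in remote and encrypted is False:
        findings.append("key_file_pass: set, but key_file is not encrypted; remove it")
    if encrypted and "key_file_pass" not in remote and remote.get("key_use_agent", "false").lower() != "true":
        findings.append("key_file: encrypted, but no key_file_pass and key_use_agent is off")
    return findings

def lint_conf(text, files):
    """Lint every remote in an rclone.conf text; returns {remote_name: [findings]}."""
    return {name: lint_sftp_remote(opts, files) for name, opts in parse_rclone_conf(text).items()}

def make_openssh_key(cipher):
    """Construct a minimal openssh-key-v1 container carrying only the cipher name (demo only)."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample files (not real keys): paths and contents are made up for the demo.
SAMPLE_FILES = {
    "/etc/ssh/id_rclone": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "/etc/ssh/id_rclone.pub": "ssh-rsa AAAAB3NzaC1yc2E... ejan@rclonemount\n",
    "/etc/ssh/id_rclone-cert.pub": "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2E... ejan@rclonemount\n",
    "/etc/ssh/id_locked": make_openssh_key(b"aes256-ctr"),
}

# Constructed configs: the first mirrors the thread's original mistakes, the second the working remote,
# the third an encrypted key with nothing that could decrypt it.
BROKEN_CONF = """[raspi-test]
type = sftp
host = 192.168.2.242
user = example-user
key_file = /etc/ssh/id_rclone
key_file_pass = REDACTED-OBSCURED-VALUE
pubkey_file = /etc/ssh/id_rclone.pub
"""
FIXED_CONF = """[raspi-test]
type = sftp
host = 192.168.2.242
user = example-user
key_file = /etc/ssh/id_rclone
"""
LOCKED_CONF = """[locked]
type = sftp
host = 192.168.2.242
user = example-user
key_file = /etc/ssh/id_locked
"""

if __name__ == "__main__":
    for conf in (BROKEN_CONF, FIXED_CONF, LOCKED_CONF):
        for name, findings in lint_conf(conf, SAMPLE_FILES).items():
            print(name, findings or "OK")
```

The certificate check is the important one: a plain `ssh-rsa ...` line in pubkey_file is exactly the case the quoted documentation says "will not work", while a `*-cert-v01@openssh.com` line is what a CA-signed user certificate looks like. In a real deployment you would read the files from disk with the same permissions rclone runs with (for example, the systemd unit's user), since a key that is unreadable at boot produces a similar "cannot connect" failure.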
Thanks again for taking a deep dive into this subject. I really appreciate your efforts. It seems like option 1 looks a lot like the way full-disk LUKS encryption works. I'll have to look into this further since I do care about security.