Is it possible to use SSH keys to login to a serial console?

wuubb

New Member
May 7, 2022
5
3
3
Apologies if this sounds ridiculous but every phrasing/combination of words I google about this keeps giving me stuff about SSH and my question is mainly about serial consoles.

I've come to really like serial consoles, and I'm curious if there's any way to have an alternate form of login such as a key pair instead of username/password. I've been experimenting with Flatcar and Fedora CoreOS lately, and want to be able to store my Butane/Ignition configs in version control on Github. From what I understand, while it's fine to have the public ssh key in git (duh, it's the public key), storing password hashes (the other option for user login) is not a good idea.

The closest thing I could find that was (maybe?) remotely related was this post on Unix stackexchange that talks about creating a custom /bin/login for getty. That could be the approach I would need to take, but I'm not sure. I could use another git provider that allows free private repos (like Gitlab) and then add password hashes to the ignition configs, but I like the idea of being able to share how I do my homelab. What I do not want to do though is have any kind of auto login on the serial console.

Anyone have any thoughts on this?
 

MBastian

Active Member
Jul 17, 2016
185
51
28
Düsseldorf, Germany
What a curious question. While technically possible (while running Linux) it just makes no sense to me.
If I am understanding it right you want to be able to have a non-interactive login, possibly to an not yet installed bare metal server? What you could do is to create a secret with the console password in Gitlab and bang raw commands over your serial console until you have your system able to accept ssh logins.
 
Last edited:

wuubb

New Member
May 7, 2022
5
3
3
It's not really non-interactive login, more that I would like the ability to login via serial console say to troubleshoot, but wondering if there is a way to be able to do that other than via password. I was thinking about keypairs since they offer that ability to configure the login with the public key so I don't have to worry about that being in a public git repo, while only I keep the private key.

It really comes down to my desire to be able to version control (and act as a backup too in a way) my configs without worrying about security, while also having the ability to troubleshoot via a local console should the network go down for whatever reason. Definitely a have cake and eat it too kind of situation...
 

bob_dvb

Active Member
Sep 7, 2018
171
74
28
Not quite London
www.orbit.me.uk
I am not sure how it would work, but you could use something like the authentication used for PPP connections.

Possibly EAP-TLS? But while traditional CHAP and PAP can be separated from the IP stack, I am not sure if EAP-TLS can be?

Perhaps a PAM module which authenticates the TLS?
 

Sealside

Member
May 10, 2019
79
18
8
Stockholm/Sweden
You can connect the serial console to an rpi (or any computer you fancy) and then script login via ssh and a key (pre populated in .ssh/authorized_keys) and from there connect to serial console.

I have done this. I use expect scripts in bash/python/java to accomplish this. With this setup it means if you can connect and login to your rpi you will be able to access the serial interface.
 
Last edited: