Maybe, like me, you're tired of typing a password and prefer to disable password auth for ssh anyway. Maybe, like me, you want to point VS Code at your Edge Router and be able to read configs and things. Maybe, like me, you'll discover that VS Code's Remote-SSH extension doesn't support the ERX architecture and be mildly bummed, but still happy to have passwordless SSH (via ssh-agent) and know that no password will get some rando into your ERX.
Here's how.
Cribbed from the VyOS Login/User Management docs.
Add this to your local ~/.ssh/config to make your life easier:
Host erx
  HostName YOUR_EDGE_ROUTER_X_IP
  User YOUR_ERX_ADMIN_USERNAME
Now let's add your ssh public key:
> cat ~/.ssh/id_*pub
ssh-ed25519 PURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR kitten
# Pick your fave key
> ssh erx
Enter password: # for the very last time!
foobie@ubnt:~$ configure
[edit]
foobie@ubnt# set system login user foobie authentication public-keys kitten type ssh-ed25519
[edit]
foobie@ubnt# set system login user foobie authentication public-keys kitten key PURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
[edit]
foobie@ubnt# commit
[edit]
foobie@ubnt# save
Saving configuration to '/config/config.boot'...
Done
[edit]
foobie@ubnt# cat .ssh/authorized_keys
# Automatically generated by Vyatta configuration
# Do not edit, all changes will be lost
ssh-ed25519 PURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR kitten
[edit]
foobie@ubnt# exit
exit
foobie@ubnt:~$ exit
logout
> ssh erx
foobie@ubnt:~$ # SUCCESS!
Cribbed from the VyOS ssh docs.
Note: you should be sure you have a backup of the config with password auth enabled before doing this, else it's a full factory reset if you lose all the keys that let you log in.
> ssh erx
# No password to type ... feels so good!
foobie@ubnt:~$ configure
[edit]
foobie@ubnt# show service ssh
port 22
protocol-version v2
[edit]
foobie@ubnt# set service ssh disable-password-authentication
[edit]
admin@ubnt# show service ssh
disable-password-authentication
port 22
protocol-version v2
[edit]
foobie@ubnt# commit
[edit]
foobie@ubnt# save
Saving configuration to '/config/config.boot'...
Done
[edit]
foobie@ubnt# exit
exit
foobie@ubnt:~$ exit
logout
I recommend you test that this is properly denying password logins by trying to log in as your admin user from an account with no known/authorized ssh key.
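One way to run that check without hunting for a second machine, as an added example that is not part of the original post: the OpenSSH client is told to ignore its keys and never prompt, so it fails immediately and prints the methods the router would still accept. The function names are hypothetical, `erx` is the host alias from the config above, and the script assumes the router's host key is already in your known_hosts from the earlier logins.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read OpenSSH client output on stdin and print the comma-separated
# methods from its "Permission denied (...)" line.
offered_methods() {
    sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# Succeed if the method list still lets someone type a password.
# keyboard-interactive counts: it can also prompt for the account password.
allows_password() {
    case ",$1," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if passwords are refused, 1 if still accepted, 2 if unknown.
check_host() {
    # BatchMode=yes: never prompt, so no password is typed or sent.
    # PubkeyAuthentication=no: ignore local keys and ssh-agent, like a
    # machine with no authorized key. The client then gives up and prints
    # the methods the server would still accept.
    out=$(ssh -o BatchMode=yes -o PubkeyAuthentication=no \
              -o ConnectTimeout=5 "$1" true 2>&1) || true
    methods=$(printf '%s\n' "$out" | offered_methods)
    if [ -z "$methods" ]; then
        echo "no auth-method list in ssh output: $out" >&2
        return 2
    fi
    if allows_password "$methods"; then
        echo "FAIL: $1 still accepts: $methods"
        return 1
    fi
    echo "OK: $1 accepts only: $methods"
}

# Run as: sh check-ssh.sh erx
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

After `disable-password-authentication` is committed, the expected result is a method list containing only `publickey`.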
Unfortunately, for me (EdgeRouter 12 Firmware v2.0.9-hotfix.7) it does not let me create a new user without a password (explicitly with the warning user must have password set).
However, I am able to set an authentication certificate for ssh login and disable password authentication for ssh (so still time saved). GUI login is still enabled and via password authentication.