@CatSpecial202 said in Allow only ssh login for admin:
Is it possible to enable SSH login via public key for the admin user?
Not only possible. Its imho pretty mandatory.
Any every server device you use, rent, buy create, uses initially a SSH connection, and the admin (mostly root) + password is send to you.
Or you created these when installing the OS.
Os soon as you enter the first time, you create cert. Export the public part to yoruself, so you can use it with your SSH client, for example Putty.
The 'admin' user on pfSense should have this part :
f6007dfb-5168-45c3-94ac-6a40cb5ad49d-image.png
and then you select (again : pfSense) :
7afdc234-f7df-4035-8ef6-381c4dc4708e-image.png
and from now on, your SSH client will be needing the exported cert to be able to connect to pfSense :
69e4ee4d-b341-4809-a487-237a2f376f0a-image.png
and I have to type in the password == passphrase of the cert, not the admin password.
Do this with pfSense, and any other device you can connect to over SSH - if possible.
edit : don't even bother grating other users access to pfSense with non admin accounts.
pfSense is a router, not some multi media file server.
I always recommend severely creating an ssh admin pfSense so you can have access, when needed.
Some will then never really use it afterwards.
Other - like me - use it several times a day. As I use the same connection with for example WinSCP, so I can explore the file system, and look at things like using Windows explorer. Don't ask me why ^^
If needed, block the SSH port TCP 22 to some known LAN IPs.
Lock your own devices, the ones you can use to connect to pfSense, with a DHCP MAC lease, so from now on they will always have the same IP.
Throws these IPs in a Alias.*Use this Alias to create a LAN firewall rule.
From now on, only these IPs can use the pfSense SSH port.
Read security nerds will use a dedicates admin LAN, and connect to this LAN with their device to access pfSense SSH.
Now lock your pfSense into a safe. Lock the safe. Done. Now you're close to what they use at Langley.
