Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Configure SSHD to use HostCertificate in pfsense?

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 784 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      drew-kun
      last edited by drew-kun

      Hi everyone.

      Owning Netgate S1100 and love it! I am currently using HAProxy to route outside SSH connections to my home network hosts via TLS (port 443) using SNI TLS extension.

      Therefore, the SSH connection goes to external.domain.com:443, utilizing SNI field, that tells which internal host to route the SSH connection to. This way I can expose only one port 443 to the internet in order to connect to any of the internal backends (my home network hosts) via HTTPS or SSH without exposing each individual SSH ports for each host to the World.

      All works fine except the fact that whenever I connect to a different internal host (specifying different SNI), I receive TOFU message from OpenSSH:

      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256: <...>
....

      Therefore I have to clear up my ~/.ssh/known_hosts each time I want to ssh into a different host over TLS via my external.domain.com:443

      The usual solution to this is using SSH HostCertficate instead of SSH HostKey for Server (Host) Authentication. Description of the method could be found here or here or here

      I have successfully implemented Host Certificate Authentication for my Linux hosts and that eliminated the TOFU. Great... But what about the Pfsense host itself?

      After adding the following stanza to /etc/ssh/sshd_config

      HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub`

      The sshd daemon must be restarted, but after the restart pfsense removes the stanza from sshd_config (I guess with each pfsense restart the sshd_config is being overriden in accordance with defaults plus tweeks made via GUI.) As far as I can tell Pfsense GUI does not contain any fields for customizing SSHD config.

      How to make it possible on Pfsense?

      And if it is impossible for now (which is so sad), is it planned to be implemented in the future because it is an obvious defect of OpenSSH on Pfsense?

      Any help/idea is highly appreciated! Thanks.

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Did you try adding it to /etc/sshd_extra?

        That should not be overwritten at boot and is added to the generated conf file.
        https://github.com/pfsense/pfsense/blob/RELENG_2_6_0/src/etc/sshd#L123

        Steve

        D 1 Reply Last reply Reply Quote 1
        • D
          drew-kun @stephenw10
          last edited by

          @stephenw10 Thank you so much for that! It works! Just did not know about the /etc/sshd_extra possibility!

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Nice! I think I've used it one time previously. It's not a commonly known feature! 😉

            Steve

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.