SSH with public key and new macbook pro
-
Typically I present problems but hopefully this will generate discussion to further learn from AND help someone.
I was having a ton of SSH attacks in my log so I changed to a custom port AND changed authentication to public key only. However, I was having trouble getting my MacBook Pro to connect - it kept giving an error about
"...suressh@192.168.1.1: Permission denied (publickey)." I tried generating new public keys on my MacBook with the ssh-keygen command from the terminal of the MacBook. A private key and a public key were created in the Public folder of my (home) user. Didn't work at this point (with the public key copied to pfSense).
I then tried copying those keys into the ~/.ssh folder itself --- still not working. The only way I got it to work was to add the key to the keychain (on the MacBook) by a command that has apparently been deprecated on my Mac (found this at https://www.youtube.com/watch?v=mmZWrySwjUo )
ssh-add -K ~/.ssh/pfsenseahole4sure
(where pfsenseahole4sure was the name of my private key that I had copied to the .ssh folder) I ALSO had to open the public key and, at least for me, I had to COPY the ENTIRE output of the public key to the pfSense user key section (System > User Manager > edit user > Authorized Keys section, then add the entire key on a new line) - with the ENTIRE format [adding what I thought was just the key didn't work either]
Here is the format:
ssh-ed25519 AAAAC3Nza..............................lcDXKi johnc@Johns-MacBook-Pro-4.local
(obviously altered with dots so I don't post my key) Comments from smart pfSense or smart MacBook people welcomed -- but this is my working experience - MINUS about 5 hours of my life lol
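As an added example (not code from the thread, from pfSense or from Apple), here is a small Python checker for the line you paste into the Authorized Keys box. It decodes the base64 part and shows why the type prefix is mandatory while the trailing user@host comment is not: the key type is repeated inside the base64 blob as an SSH wire-format string, and the comment is never looked at by sshd. The sample key it builds is constructed from dummy bytes and is not a real key.

```python
# Added example (not from the thread): validate a line before pasting it into
# System > User Manager > edit user > Authorized Keys in pfSense.  It shows why
# the whole "<type> <base64> [comment]" line is required while the trailing
# comment is not: the type name is also embedded inside the base64 blob.
import base64
import struct
from typing import Dict, Tuple

# Key types whose blob begins with their own name as an SSH wire-format string.
KNOWN_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_authorized_key(line: str) -> Dict[str, object]:
    """Parse an OpenSSH public key line; raise ValueError if it is incomplete."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'; the type is missing")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""   # optional, never parsed by sshd
    if key_type not in KNOWN_TYPES:
        raise ValueError("unknown key type %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)   # rejects '.' and other junk
    except ValueError as exc:                         # binascii.Error is a ValueError
        raise ValueError("base64 blob is corrupt or truncated") from exc
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("prefix %r does not match embedded type %r" % (key_type, embedded))
    if key_type == "ssh-ed25519":
        key_bytes, offset = _read_string(blob, offset)
        if len(key_bytes) != 32 or offset != len(blob):
            raise ValueError("ed25519 key must be exactly 32 bytes")
    else:
        key_bytes = blob[offset:]                     # remaining wire fields, left opaque
    return {"type": key_type, "comment": comment, "key_bytes": key_bytes}


def check_paste(line: str) -> Tuple[bool, str]:
    """Friendly wrapper: (True, summary) or (False, reason)."""
    try:
        key = parse_authorized_key(line)
    except ValueError as exc:
        return False, str(exc)
    return True, "%s key, %d bytes, comment %r" % (
        key["type"], len(key["key_bytes"]), key["comment"])


def constructed_ed25519_line(comment: str = "johnc@Johns-MacBook-Pro-4.local") -> str:
    """Build a syntactically valid ssh-ed25519 line around dummy key material.

    Constructed for this example only; bytes(range(32)) is not a real key.
    """
    pub = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


if __name__ == "__main__":
    full = constructed_ed25519_line()
    for candidate in (full,                                  # whole line: accepted
                      full.rsplit(" ", 1)[0],                # comment dropped: accepted
                      full.split(" ")[1],                    # base64 only: rejected
                      "ssh-ed25519 AAAAC3Nza....lcDXKi johnc@x"):  # elided: rejected
        print(check_paste(candidate))
```

Run it against the actual contents of your .pub file before pasting; a "type is missing" or "corrupt or truncated" result is the same situation as pasting "just the key". On current macOS the keychain flag used above is spelled ssh-add --apple-use-keychain; -K still works but prints the deprecation warning the post mentions.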
-
@ahole4sure you always have to copy the complete public key, that's normal. And you add it to the user in pfSense via the GUI only.
https://docs.netgate.com/pfsense/en/latest/recipes/ssh-access.html
The only way I got it to work was to add the key to the key chain
I usually only use the ssh-agent when using an SSH key which is password protected.
When you connect to the pfSense you have to pass the changed SSH port: ssh -p <pfSense SSH port> root@192.168.1.1.
You can add an entry into ~/.ssh/config for the pfSense/IP that way you don't have to supply the user or port:
Host pfSense 192.168.1.1
User root
Port <pFsense SSH port>
Btw: do you have the SSH port open on WAN?
-
That's the expected format of the key to upload, that looks normal.
I have no idea why OSX wasn't sending it. I'll leave that to an Apple user.
-
NOTTT open on WAN!!
-
@stephenw10
yeah I couldn't figure it out forever until I saw the post and the YT vid about adding things manually to the keychain -
Also weirdly enough - my Mac doesn't even have a config file in the .ssh folder
-
@ahole4sure not sure about mac... But I just changed public key..
used ssh-keygen -t ed25519
Then put in the pub it generated for admin user.
Then pointed my SecureCRT client on Windows to use that pub and Bob's your uncle. I left off the user@machine name ssh-keygen adds on the end.
edit:
Just to double-check I added in the username@host it puts on the end and it still works fine - my understanding is that it is just something to help you know what the key is, not parsed when used, etc. -
@ahole4sure said in SSH with public key and new macbook pro:
Also weirdly enough - my Mac doesn't even have a config file in the .ssh folder
It doesn't exist by default, you can just create it (I'm on a Mac too but it's the same on Linux).
-
Of course without divulging any private information, could you possibly send a screenshot of what all is in your config file?
-
@ahole4sure said in SSH with public key and new macbook pro:
could you possibly send a screenshot of what all is in your config file?
:) ... no, I can't do that. It is full of information not to be shown in public. But I can paste an example and you'll find a lot on the internet.
Include ~/.orbstack/ssh/config

# my firewall, e.g. pfSense, non-standard port
# and specify which ssh private key to use
Host firewall-at-home 192.168.1.1
    User root
    Port 20022
    IdentityFile ~/.ssh/id_rsa
    HostName 192.168.1.1

# my Synology DS920+
Host ds920plus
    User admin

# default settings for hosts not matched
# in above rules
Host *
    User jane
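As an added example (not code from the thread or from OpenSSH), here is a small Python resolver that reads a config like the one above and reports which User, Port, IdentityFile and HostName ssh would apply to a destination, following ssh_config's first-obtained-value-wins rule and the Host pattern semantics (negated patterns veto a block). The embedded config is a constructed copy modelled on the posted one; the Include line is deliberately not followed, Match blocks are not handled, and fnmatch's [..] classes go slightly beyond ssh's * and ? wildcards.

```python
# Added example (not from the thread): a small ssh_config resolver that shows
# which User, Port, IdentityFile and HostName ssh would pick for a destination
# under the first-match-wins rule, using a constructed config modelled on the
# one posted above.  Simplifications: Include files are not followed, Match
# blocks are not supported, and fnmatch's [..] classes go beyond ssh's * and ?.
import fnmatch
import shlex
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
Include ~/.orbstack/ssh/config

# my firewall, e.g. pfSense, non-standard port
Host firewall-at-home 192.168.1.1
    User root
    Port 20022
    IdentityFile ~/.ssh/id_rsa
    HostName 192.168.1.1

# my Synology DS920+
Host ds920plus
    User admin

# default settings for hosts not matched above
Host *
    User jane
"""

Block = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, {keyword: value}) blocks in file order."""
    current: Block = (["*"], {})          # options before the first Host apply everywhere
    blocks: List[Block] = [current]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            current = (args, {})
            blocks.append(current)
        elif keyword == "match":
            raise ValueError("Match blocks are not handled by this example")
        elif keyword == "include":
            continue                      # not followed here; real ssh would read the file
        elif args:
            current[1].setdefault(keyword, args[0])   # first value inside a block wins too
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """ssh_config Host semantics: a negated pattern that matches vetoes the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text: str, host: str) -> Dict[str, Optional[str]]:
    """Return the effective user/port/identityfile/hostname for the name typed on the command line."""
    chosen: Dict[str, str] = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, host):  # matched against the typed name, not HostName
            for keyword, value in options.items():
                chosen.setdefault(keyword, value)   # first obtained value wins
    return {
        "user": chosen.get("user"),
        "port": chosen.get("port", "22"),
        "identityfile": chosen.get("identityfile"),
        "hostname": chosen.get("hostname", host),
    }


def ssh_command(text: str, host: str) -> List[str]:
    """The explicit command line equivalent to `ssh host` under this config."""
    r = resolve(text, host)
    cmd = ["ssh", "-p", r["port"]]
    if r["identityfile"]:
        cmd += ["-i", r["identityfile"]]
    target = r["hostname"]
    if r["user"]:
        target = "%s@%s" % (r["user"], target)
    return cmd + [target]


if __name__ == "__main__":
    for name in ("192.168.1.1", "firewall-at-home", "ds920plus", "example.org"):
        print(name, "->", " ".join(ssh_command(SAMPLE_CONFIG, name)))
```

The IdentityFile line is the part that matters for the first post: ssh only offers its default identity files (id_rsa, id_ecdsa, id_ed25519 and friends in ~/.ssh) plus whatever the agent holds, so a key saved under a custom name such as pfsenseahole4sure is never offered unless an IdentityFile entry names it or it is loaded into the agent, which is what ssh-add did. Running ssh -v and watching for the "Offering public key" lines shows exactly which keys the client tried.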