key based auth ssh issue



  • Hi;
    I'm on an Ubuntu 18.04 based distro trying to use public key only ssh with pfsense.
    I get the "no auth methods" message when set to public key only.
    When password and public key are active I can log in.
    ssh-keygen -t ed25519 is the type of key I use.
    Copied to the new user I created to log in, and disabled admin login/admin user.
    New user has admin rights + ssh login.
    pfblockerng + suricata running.
    Any help would be great. Thank you.


  • LAYER 8 Global Moderator

    I use public key auth every time I log in... Let's see your log.. What version of pfsense? What version of ssh?

    Let's see your log with ssh -v

    debug1: Server accepts key: /home/johnpoz/.ssh/id_ed25519 ED25519 SHA256:y1pJFKtYk+f2<snipped>
    debug1: Authentication succeeded (publickey).
    Authenticated to sg4860.local.lan ([192.168.9.253]:22).
    


  • pfsense 2.4.4.4p is my version.
    OK; you will have to tell me which log you need.



  • @johnpoz said in key based auth ssh issue:

    ssh -v

    Also I have to do /etc/rc.initial when I log in via ssh.
    Could it be that I need to reinstall again with latest as something is messed up?
    I get nothing running that command but other flags for ssh.
    But it could be because when it does not work I go back in and turn off the service.
    I'll turn off ssh and try reinstall later.
    8 core 12 gig router :) and I messed it up somehow lol.
    I use version 2 in putty as ssh option



  • @mod said in key based auth ssh issue:

    to reinstall again with latest as something is messed up?

    Yeah, good idea.
    This isn't an official version:

    @mod said in key based auth ssh issue:

    pfsense 2.4.4.4p is my version.

    Why should you even bother with some unknown copy if you can have the real thing ?

    And why do you want to lock out the admin ?
    pfSense is a router, not some family event device.
    Give the admin key or logging to those who you trust. The "roads are loaded with people who know how a router works" but those who actually manage to do something useful without making a mess: you find maybe one person in the village. So share it with him, and you'll be fine.

    @mod said in key based auth ssh issue:

    i use version 2 in putty as ssh option

    Because you don't want number 1?

    Good for you: "SSH 1" doesn't even work with pfSense, it's ancient. Some SSH clients still offer it, in case you have to log into an ancient device ....


  • LAYER 8 Global Moderator

    What version of putty... Maybe it doesn't support ED25519? Are you using the latest snapshot of it? Putty has had support for a long time, but I don't know, if you're talking about ssh1, maybe yours is like a version from 2000 or something?

    Development snapshot 2019-06-04.29cb7e4 is the latest version I show...

    So you created the key in putty keygen? And you pasted it into pfsense for this user you created?

    I don't get why users disable the admin account... Sure if you want to, but make sure everything is working with your other account, before you disable the admin one ;)

    2.4.4.4p is my version.

    This what exactly... What I find difficult with such info when given is... If you can not provide even the most basic of questions with valid info.. How can we expect other info to be correctly stated?

    ssh-keygen -t ed25519 is the type of key i use.

    That is NOT putty... But then you are using putty.. So how did you convert the keys.. To use with putty, etc. You have to use the putty keygen tool, etc.

    If you're going to gen a key pair with putty, then copy and paste what it gives you into the pfsense user manager.



  • OK; to answer both of your questions:
    1: It is official, I put a 4 when it is p3, my f'up
    2: I use the linux version of putty and we don't get keygen / don't need to convert.
    3. Password + public key login works
    4. I use ssh 2 as ssh 1 is a security risk / not good
    Version of putty:
    Release 0.70

    Build platform: 64-bit Unix (GTK + X11)
    Compiler: gcc 7.3.0
    Compiled against GTK version 3.22.29
    Source commit: 3cd10509a51edf5a21cdc80aabf7e6a934522d47

    Copyright 1997-2017 Simon Tatham. All rights reserved

    Besides the fix for the web login, I only use the current version of pfsense.


  • LAYER 8 Global Moderator

    @mod said in key based auth ssh issue:

    3 . password +public key login works

    That is not really an option.. If you set password and public key you're just using password to auth..

    2: I use linux version of putty and we don't get keygen/ don't need to convert.

    Pretty sure you do..
    https://www.ssh.com/ssh/putty/linux/puttygen

    4

    Yeah no idea why you're bringing that up at all - yeah no shit everyone uses 2 ;)
    BTW, current stable version of putty is .71
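
Added example, not part of the thread or any poster's code: the discussion turns on which tool generated the key and what was pasted into the pfSense user, so this Python example names the format of a key blob and sanity-checks a one-line `ssh-ed25519` public key. The function names and the sample key are constructed for illustration, and it assumes the target field expects OpenSSH one-line (authorized_keys) format.

```python
import base64
import struct

def classify_key_text(text):
    """Name the key format of a pasted blob from its first line."""
    stripped = text.strip()
    first = stripped.splitlines()[0] if stripped else ""
    if first.startswith("PuTTY-User-Key-File-"):
        return "putty-ppk-private"      # what PuTTY itself loads
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return "openssh-private"        # what ssh-keygen writes
    if first == "---- BEGIN SSH2 PUBLIC KEY ----":
        return "rfc4716-public"         # multi-line, not an authorized_keys line
    if first.startswith(("ssh-", "ecdsa-")):
        return "openssh-public-line"    # authorized_keys format
    return "unknown"

def check_ed25519_line(line):
    """Return a list of problems with a one-line ssh-ed25519 public key."""
    fields = line.strip().split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        return ["not a single-line ssh-ed25519 entry"]
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        return ["base64 body is damaged (wrapped or truncated paste)"]
    if len(blob) < 4:
        return ["key blob is too short"]
    # Wire format: uint32 length + type name, uint32 length + 32-byte key
    (name_len,) = struct.unpack(">I", blob[:4])
    name, rest = blob[4:4 + name_len], blob[4 + name_len:]
    problems = []
    if name != b"ssh-ed25519":
        problems.append("inner key type does not match the prefix")
    if len(rest) != 36 or struct.unpack(">I", rest[:4])[0] != 32:
        problems.append("key body is not 32 bytes")
    return problems

def make_sample_line():
    """Constructed sample: a well-formed line with a dummy 32-byte key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@example"

if __name__ == "__main__":
    sample = make_sample_line()
    print(classify_key_text(sample), check_ed25519_line(sample))
    print(check_ed25519_line("ssh-ed25519 " + sample.split()[1][:40]))
```

Run it against the text actually pasted into the user's key field and against the private key file the client is configured to load; a client expecting a `.ppk` file will not accept an `openssh-private` file unconverted.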

