Netgate Discussion Forum

Update SSH Public Key

General pfSense Questions
8 Posts 4 Posters 2.2k Views
    Stewart
    last edited by Feb 24, 2020, 2:42 PM

    I have multiple pfSense firewalls but they were all built off of clones of each other and then the config modified to match the needs of the site. Now that I'm setting up the auto-backup, they all show the same backup key because it is derived from the SSH public key. How do I update the SSH public key to remedy this?

      jimp Rebel Alliance Developer Netgate
      last edited by Feb 24, 2020, 4:30 PM

      You can delete/remove /etc/ssh/ssh_host_*key* and then run /etc/sshd, which will generate a new set.

      So for example:

      : ls /etc/ssh/ssh_host_*key*

      Confirm that shows you the key files you want to remove. If so:

      : rm /etc/ssh/ssh_host_*key*
      : /etc/sshd


        sgw @jimp
        last edited by Feb 24, 2024, 2:17 PM

        I have exactly the same task to do.
        As the pfSenses are remote, I had better ask once more: is that safe to do via an SSH session?
        Or better via WebGUI and the command prompt?

        I even consider doing it via ansible, but maybe that is too ambitious.

          stephenw10 Netgate Administrator
          last edited by Feb 25, 2024, 8:07 PM

          I had to restart the sshd service via the gui to regenerate the keys. Running /etc/sshd is not permitted in current versions, even when run as root.

          However you can restart it at the command line in the php shell:

          Enter an option: 12
          
          Starting the Netgate pfSense Plus developer shell....
          
          Welcome to the Netgate pfSense Plus developer shell
          
          Type "help" to show common usage scenarios.
          
          Available playback commands:
               changepassword cryptconfig disablecarp disablecarpmaint disabledhcpd disablereferercheck enableallowallwan enablecarp enablecarpmaint enablesshd externalconfiglocator gatewaystatus generateguicert gitsync installpkg listpkg pfanchordrill pftabledrill removepkgconfig removeshaper resetwebgui restartallwan restartdhcpd restartipsec svc uninstallpkg upgradeconfig 
          
          Netgate pfSense Plus shell: playback svc restart sshd
          
          Playback of file svc started.
          
          Attempting to issue restart to sshd service...
          
          sshd has been restarted.
          

          So you could remove the old keys then exit back to the menu and restart sshd from the php shell. BUT I would want to have remote access to the GUI because one extra press on 'enter' would leave you unable to reconnect via SSH until the service is restarted.

          Steve

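          The root cause in this thread is that cloned firewalls carry identical SSH host keys. As an added example (not from the thread or from Netgate), this Python check groups firewalls by the SHA256 fingerprint of their host key, fed with `ssh-keyscan`-style output, so shared keys are visible before regenerating and unique keys can be confirmed afterwards. The hostnames and key blobs are constructed.

```python
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List


def _blob(seed: bytes) -> str:
    # Constructed stand-in for an SSH wire-format public key blob (not a real key):
    # the "ssh-ed25519" type string followed by 32 filler bytes.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + seed.ljust(32, b"\x00")).decode()


# Constructed sample in the format `ssh-keyscan -t ed25519 <host>` prints:
# "host keytype base64blob". fw-a and fw-b are clones of one image and carry
# the same blob; fw-c has its own key.
SCAN_OUTPUT = "\n".join([
    f"fw-a.example ssh-ed25519 {_blob(b'cloned-image-key')}",
    f"fw-b.example ssh-ed25519 {_blob(b'cloned-image-key')}",
    f"fw-c.example ssh-ed25519 {_blob(b'freshly-generated-key')}",
])


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, as `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> Dict[str, str]:
    """Map each host to its host-key fingerprint; comments and blank lines are skipped."""
    fps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, blob = line.split()[:3]
        fps[host] = fingerprint(blob)
    return fps


def duplicate_hostkeys(text: str) -> Dict[str, List[str]]:
    """Fingerprints seen on more than one host, each with the sorted list of hosts."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host, fp in parse_keyscan(text).items():
        groups[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in duplicate_hostkeys(SCAN_OUTPUT).items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```

          Run it against real output (`ssh-keyscan -t ed25519 fw-a fw-b fw-c > scan.txt`) before and after the key regeneration described above; an empty result after means every box now has its own key.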
            sgw @stephenw10
            last edited by Feb 27, 2024, 7:23 AM

            @stephenw10 Thank you! I will test that with 2 new appliances later this week: I will have them in my office so that will be less risky.

              sgw @sgw
              last edited by Feb 27, 2024, 9:44 AM

              This leads me to thinking about how to efficiently handle such deployments with multiple "clones".

              So far I export the config.xml from a working box, and edit it a little bit:

              for example change the hostname and the LAN-IP/subnet

              and I write random stuff over the OpenVPN client password to prevent the cloned box from connecting via the same tunnel as the first box. I then replace the OpenVPN config via the GUI.

              I am quite efficient doing this when I have the steps in mind.

              Sometimes the appliances are delivered with an older release of pfSense-Plus, so I have to run upgrades first. Might be faster to reinstall from scratch via USB-stick and already provision it with a prepared xml-file.

              I have to prepare 10 boxes in the near future and like the thought of optimizing that ;-)

                stephenw10 Netgate Administrator
                last edited by Feb 27, 2024, 2:12 PM

                Well, you can export the config without the SSH keys to prevent the issue you saw here.

                  Stewart
                  last edited by Feb 27, 2024, 3:41 PM

                  Since I'm the OP I thought I'd chime in here. We changed what we do and don't clone anymore. Instead we keep a default config with 90% of the work done and have it import on a brand new install. That config does not contain the SSH keys or RRD data, so we don't have to worry about it getting mixed up with other devices. Generally the only things we need to change at that point are the name, the WAN config and anything specific about that install. We leave the WAN on DHCP and plugged in upstream so that the packages reinstall on boot, and then change it when the box is put into place.

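                  The template-config approach discussed in the last three posts (export without SSH keys, change hostname and LAN address, blank the OpenVPN client password), as an added Python example that is not from the thread or from Netgate. The config.xml element names used here (sshdata, rrddata, system/hostname, interfaces/lan/ipaddr and subnet, openvpn/openvpn-client/auth_pass) are assumptions about the layout and should be checked against an export from your own version; the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed minimal config.xml standing in for a real export, which carries many
# more sections. Element names are assumed (not taken from the thread): sshdata and
# rrddata hold the SSH host keys and RRD files, openvpn-client/auth_pass the tunnel
# password.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw-template</hostname><domain>example.lan</domain></system>
  <interfaces>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <openvpn>
    <openvpn-client><vpnid>1</vpnid><auth_user>site01</auth_user><auth_pass>s3cret</auth_pass></openvpn-client>
  </openvpn>
  <sshdata><sshkeyfile><filename>ssh_host_ed25519_key</filename><xmldata>QUJD</xmldata></sshkeyfile></sshdata>
  <rrddata><rrddatafile><filename>system-processor.rrd</filename><xmldata>QUJD</xmldata></rrddatafile></rrddata>
</pfsense>
"""


def has_device_state(xml_text: str) -> bool:
    """True if the config still carries SSH host keys or RRD data from the source box."""
    root = ET.fromstring(xml_text)
    return root.find("sshdata") is not None or root.find("rrddata") is not None


def prepare_clone_config(xml_text: str, hostname: str, lan_ip: str, lan_bits: str) -> str:
    """Return a copy of the template config adjusted for one new appliance."""
    root = ET.fromstring(xml_text)
    # Drop per-device state so the clone generates its own host keys on first boot
    # and does not report the same backup key as its siblings.
    for tag in ("sshdata", "rrddata"):
        for node in root.findall(tag):
            root.remove(node)
    root.find("system/hostname").text = hostname
    lan = root.find("interfaces/lan")
    lan.find("ipaddr").text = lan_ip
    lan.find("subnet").text = lan_bits
    # Blank every OpenVPN client password so the clone cannot come up on the
    # source box's tunnel; the per-site credential is entered afterwards.
    for pw in root.findall("openvpn/openvpn-client/auth_pass"):
        pw.text = ""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(prepare_clone_config(SAMPLE_CONFIG, "fw-site01", "10.10.1.1", "24"))
```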