Key generation for SSH?
-
Hello all,
So I'm trying to enable SSH, and when I "Enable secure shell", under "System/Advanced", it tells me that the SSH service was started, and keys were generated. The problem is that when I go to "user manager", and click on the options for my account, there are no keys listed there, even after a reboot of pfSense.
Are these keys supposed to be a public/private key pair like I would generate myself? If not, what are they, and where are they?
I read a tutorial that says I have to generate my own pair through something like PuTTYgen and paste the key into pfSense.
Any help is appreciated!
-
Yes, you can generate a key pair by yourself with PuTTYgen or OpenSSL, or use an existing one. Assign the public key to your user in pfSense and use the private key to connect via SSH.
At System > Advanced > Admin Access > SSHd Key Only, specify the authentication method.
-
Yes, the server side keys that pfSense generates are not the same as client keys you would use for key based authentication in SSH.
Steve
-
Thanks all for the replies.
I can connect via SSH now.
But what exactly are the ones that pfSense creates, and where can I see them?
-
They are the key pairs for the SSH server. You can see them in /etc/ssh.
Steve
-
Steve,
Thanks for the reply.
Why does the server need its own key pair?
-
Because that's how SSH works. The client side only needs a key to use key based auth but the server always needs a key pair:
ssh.com/ssh/protocol/#how-does-the-ssh-protocol-work
Steve
-
In this order, take a look at the first 5: https://www.youtube.com/results?search_query=computerphile+ssh
-
You should read up on public key encryption. You have to create the server and client keys at the same time and you need somewhere to save the client key, so why not on the server where it's created. Now, you can have several devices that can get a copy of that client key and connect.
-
Great info.
But I didn't see or hear anything about the server needing its own pair.
I created 1 key pair, and put the Public into pfSense, and kept the Private with me.
I don't know what the pair is for that pfSense generates and stores in /etc/ssh.
I thought the key pair that I generated was enough.
-
The client only needs to generate a key pair if you want to authenticate using the key.
The server always needs a key pair. All SSH servers do. SSH depends on public/private key cryptography.
https://tools.ietf.org/html/rfc4251
Steve
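As an added illustration, not part of the thread and not pfSense's own code: the two kinds of key the replies above distinguish are written in the same one-line OpenSSH public key format. The server's host key lives in /etc/ssh/ssh_host_*_key.pub on pfSense and is what the client records in its known_hosts on first connect; the key pasted into the user manager is a client key that ends up in that user's authorized_keys. The script below parses both, computes the SHA256 fingerprint the way `ssh-keygen -lf` does, and performs the one check a practitioner should do after the first connect: confirm that the fingerprint the client accepted matches the host key actually stored on the firewall. All key material here is constructed stand-in bytes, not a real key, and the 192.168.1.1 address is a placeholder.

```python
"""Added example: parse OpenSSH public key lines and compare fingerprints.

Server side (pfSense): /etc/ssh/ssh_host_ed25519_key.pub  -> host key, trusted by clients
Client side:           ~/.ssh/known_hosts                 -> records that host key
Client side:           key pasted into pfSense user manager -> authorized_keys, for user auth
Same on-disk format, different roles.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one wire-format string starting at offset; return (payload, next offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_pubkey(line: str) -> dict:
    """Parse one '<type> <base64> [comment]' line (ssh_host_*.pub or authorized_keys)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = read_ssh_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError(f"type field {key_type!r} does not match blob type {wire_type!r}")
    fields = []
    while off < len(blob):  # ed25519: one 32-byte field; ssh-rsa: e then n
        field, off = read_ssh_string(blob, off)
        fields.append(field)
    return {"type": key_type, "blob": blob, "fields": fields, "comment": comment}


def sha256_fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 over the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> tuple[str, dict]:
    """known_hosts lines are '<hosts> <type> <base64> [comment]'."""
    hosts, rest = line.strip().split(None, 1)
    return hosts, parse_openssh_pubkey(rest)


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from 32 raw bytes.
    Only for constructing sample input here; the bytes are not a real key."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample material (stand-ins, not real keys; address is a placeholder).
HOST_PUB_LINE = make_ed25519_pubkey_line(bytes(range(32)), "root@pfSense")       # /etc/ssh/ssh_host_ed25519_key.pub
KNOWN_HOSTS_LINE = "192.168.1.1 " + HOST_PUB_LINE                                 # recorded by the client on first connect
AUTHORIZED_KEY_LINE = make_ed25519_pubkey_line(bytes(range(100, 132)), "admin@laptop")  # pasted into the user manager


def host_key_matches_known_hosts(host_pub_line: str, known_hosts_line: str) -> bool:
    """The check to do once: the host key the client trusts must be the key in /etc/ssh."""
    server = parse_openssh_pubkey(host_pub_line)
    _, recorded = parse_known_hosts_line(known_hosts_line)
    return sha256_fingerprint(server["blob"]) == sha256_fingerprint(recorded["blob"])


if __name__ == "__main__":
    for label, line in (("server host key (/etc/ssh)", HOST_PUB_LINE),
                        ("client key (authorized_keys)", AUTHORIZED_KEY_LINE)):
        key = parse_openssh_pubkey(line)
        print(f"{label}: {key['type']} {sha256_fingerprint(key['blob'])} {key['comment']}")
    print("host key matches known_hosts:", host_key_matches_known_hosts(HOST_PUB_LINE, KNOWN_HOSTS_LINE))
```

On a real pfSense box the same fingerprint comes from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`, and on the client from `ssh-keygen -lF 192.168.1.1` (with the real address) against known_hosts; if those two values differ, the client accepted something other than the firewall's key.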