Netgate Discussion Forum
    Key generation for SSH?

General pfSense Questions

viragomann
Yes, you can generate a key pair by yourself with PuTTYgen or OpenSSL, or use an existing one. Assign the public key to your user in pfSense and use the private key to connect via SSH.

      At System > Advanced > Admin Access > SSHd Key Only specify the authentication method.

stephenw10 (Netgate Administrator)
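The client-side half of what viragomann describes, as an added example that is not part of the original post: generate an Ed25519 key pair with OpenSSH's ssh-keygen on your workstation (not on the firewall), print the one-line public key to paste into the pfSense user's "Authorized SSH Keys" field, and connect with the private key. The directory, key name, user "admin" and host "fw.example.net" are placeholders; the only tool assumed is ssh-keygen.

```shell
#!/bin/sh
# Added example (not from the forum post): client key pair for key-based SSH login.
# Assumes OpenSSH's ssh-keygen on the client. Paths, user and host are placeholders.
set -eu

# gen_client_key DIR NAME
# Creates DIR/NAME (private key) and DIR/NAME.pub (public key).
# Ed25519 is small, fast and has no weak-parameter choices. -N "" makes the key
# passphrase-less for this demo only; protect a real admin key with a passphrase.
gen_client_key() {
    dir=$1; name=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -N "" -C "pfsense-admin-$(date +%Y%m%d)" -f "$dir/$name"
    chmod 600 "$dir/$name"       # ssh refuses a private key readable by group/world
    chmod 644 "$dir/$name.pub"
}

# pubkey_line DIR NAME
# Prints the single line to paste into System > User Manager > (user) > Authorized SSH Keys.
pubkey_line() {
    cat "$1/$2.pub"
}

# fingerprint DIR NAME
# Prints the SHA256 fingerprint of the public key, so you can confirm that what
# was saved on the firewall is the key you generated.
fingerprint() {
    ssh-keygen -lf "$1/$2.pub" | awk '{print $2}'
}

# check_private_perms FILE
# Returns 0 if FILE has mode 600 (the permissions OpenSSH expects for a private key).
check_private_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Usage, once the public key has been saved on the pfSense user:
#   gen_client_key "$HOME/.ssh" pfsense_ed25519
#   pubkey_line "$HOME/.ssh" pfsense_ed25519      # paste this line into pfSense
#   ssh -i "$HOME/.ssh/pfsense_ed25519" -o PreferredAuthentications=publickey admin@fw.example.net
```

With "SSHd Key Only" set under System > Advanced > Admin Access, the firewall will refuse password logins, so keep a copy of the private key somewhere safe before enabling it.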

        Yes, the server side keys that pfSense generates are not the same as client keys you would use for key based authentication in SSH.

        Steve

duvel

          Thanks all for the replies.

          I can connect via SSH now.

But what exactly are the ones that pfSense creates, and where can I see them?

stephenw10 (Netgate Administrator)

            They are the key pairs for the SSH server. You can see them in /etc/ssh.

            Steve

duvel

              Steve,

              Thanks for the reply.

              Why does the server need its own key pair?

stephenw10 (Netgate Administrator)

                Because that's how SSH works. The client side only needs a key to use key based auth but the server always needs a key pair:
                ssh.com/ssh/protocol/#how-does-the-ssh-protocol-work

                Steve

Gertjan

                  In this order, take a look at the first 5 : https://www.youtube.com/results?search_query=computerphile+ssh

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

JKnott (replying to duvel)

                    @duvel

                    You should read up on public key encryption. You have to create the server and client keys at the same time and you need somewhere to save the client key, so why not on the server where it's created. Now, you can have several devices that can get a copy of that client key and connect.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

duvel

                      Great info.

                      But I didn't see or hear anything about the server needing its own pair.

I created 1 key pair, and put the Public into pfSense, and kept the Private with me.

I don't know what the pair is for that pfSense generates and stores in etc/ssh.

                      I thought the key pair that I generated was enough.

stephenw10 (Netgate Administrator)

                        The client only needs to generate a key pair if you want to authenticate using the key.

                        The server always needs a key pair. All SSH servers do. SSH depends on public/private key cryptography.
                        https://tools.ietf.org/html/rfc4251

                        Steve

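The server-side half that stephenw10 is describing (the host keys in /etc/ssh, and why every SSH server has them), as an added example that is not part of the thread: the host key is what the firewall signs the key exchange with, and the client only ever checks it against a fingerprint it already trusts, so the security-relevant step is reading the fingerprint off the firewall out of band and pinning it in known_hosts before the first connection. The functions below list the host-key fingerprints the way you would on the firewall, pin one on the client, and confirm that the pinned key matches. The host name "fw.example.net" and the paths are placeholders, and ssh-keygen is assumed on both sides.

```shell
#!/bin/sh
# Added example (not from the forum): host keys in /etc/ssh and how the client pins them.
# Assumes OpenSSH's ssh-keygen. Host name and paths are placeholders.
set -eu

# list_host_keys [DIR]
# Prints "TYPE SHA256:fingerprint file" for each host public key in DIR (default
# /etc/ssh). Run this on the firewall (Diagnostics > Command Prompt, or a shell)
# and read the fingerprints over the console or GUI, not over the SSH session
# you are about to trust.
list_host_keys() {
    dir=${1:-/etc/ssh}
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        ssh-keygen -lf "$pub" | awk -v f="$pub" '{gsub(/[()]/, "", $NF); print $NF, $2, f}'
    done
}

# trust_host_key KNOWN_HOSTS HOST PUBFILE
# Pins HOST to the key in PUBFILE by appending a known_hosts entry on the client.
# Done once, from a fingerprint you verified out of band; afterwards the client
# refuses any server presenting a different key (that is what stops a MITM).
trust_host_key() {
    printf '%s %s\n' "$2" "$(awk '{print $1, $2}' "$3")" >> "$1"
}

# known_hosts_fingerprint KNOWN_HOSTS HOST
# Prints the fingerprint of the key the client has pinned for HOST (hashed and
# plain entries both work). Returns 1 if HOST is not in the file.
known_hosts_fingerprint() {
    line=$(ssh-keygen -F "$2" -f "$1" 2>/dev/null | grep -v '^#' | head -n 1)
    [ -n "$line" ] || return 1
    tmp="${TMPDIR:-/tmp}/khfp.$$"
    printf '%s\n' "$line" | awk '{print $2, $3}' > "$tmp"
    ssh-keygen -lf "$tmp" | awk '{print $2}'
    rm -f "$tmp"
}

# verify_host_key KNOWN_HOSTS HOST EXPECTED_FP
# Returns 0 only if the pinned key for HOST has the fingerprint you read on the
# firewall with list_host_keys, 1 otherwise.
verify_host_key() {
    fp=$(known_hosts_fingerprint "$1" "$2") || return 1
    [ "$fp" = "$3" ]
}

# Usage:
#   on the firewall:  list_host_keys /etc/ssh
#   on the client:    trust_host_key "$HOME/.ssh/known_hosts" fw.example.net ssh_host_ed25519_key.pub
#                     verify_host_key "$HOME/.ssh/known_hosts" fw.example.net 'SHA256:...'
#                     ssh -o StrictHostKeyChecking=yes admin@fw.example.net
```

The client key pair from earlier in the thread authenticates the user; this pair authenticates the server. That is why both exist: regenerating the host keys on the firewall (for example after a fresh install) makes every client that pinned the old key stop and warn, which is exactly the behaviour you want.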
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.