Netgate Discussion Forum
    Key generation for SSH?

    General pfSense Questions
    • D
      duvel
      last edited by

      Hello all,

      So I'm trying to enable SSH, and when I "Enable secure shell", under "System/Advanced", it tells me that the SSH service was started, and keys were generated. The problem is that when I go to "user manager", and click on the options for my account, there are no keys listed there, even after a reboot of pfSense.

      Are these keys supposed to be a public/private key pair like I would generate myself? If not, what are they, and where are they?

      I read a tutorial that says I have to generate my own pair through something like PuTTYgen and paste the key into pfSense.

      Any help is appreciated!

      • V
        viragomann
        last edited by

        Yes, you can generate a key pair by yourself with PuTTYgen or OpenSSL or use an existing one. Assign the public key to your user in pfSense and use the private key to connect via SSH.

        At System > Advanced > Admin Access > SSHd Key Only, specify the authentication method.

        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Yes, the server side keys that pfSense generates are not the same as client keys you would use for key based authentication in SSH.

          Steve

          • D
            duvel
            last edited by

            Thanks all for the replies.

            I can connect via SSH now.

            But what exactly are the ones that pfSense creates, and where can I see them?

            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              They are the key pairs for the SSH server. You can see them in /etc/ssh.

              Steve

              • D
                duvel
                last edited by

                Steve,

                Thanks for the reply.

                Why does the server need its own key pair?

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Because that's how SSH works. The client side only needs a key to use key based auth but the server always needs a key pair:
                  ssh.com/ssh/protocol/#how-does-the-ssh-protocol-work

                  Steve

                  • GertjanG
                    Gertjan
                    last edited by

                    In this order, take a look at the first 5: https://www.youtube.com/results?search_query=computerphile+ssh

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • JKnottJ
                      JKnott @duvel
                      last edited by

                      @duvel

                      You should read up on public key encryption. You have to create the server and client keys at the same time and you need somewhere to save the client key, so why not on the server where it's created. Now, you can have several devices that can get a copy of that client key and connect.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • D
                        duvel
                        last edited by

                        Great info.

                        But I didn't see or hear anything about the server needing its own pair.

                        I created 1 key pair, and put the public key into pfSense, and kept the private key with me.

                        I don't know what the pair is for that pfSense generates and stores in /etc/ssh.

                        I thought the key pair that I generated was enough.

                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          The client only needs to generate a key pair if you want to authenticate using the key.

                          The server always needs a key pair. All SSH servers do. SSH depends on public/private key cryptography.
                          https://tools.ietf.org/html/rfc4251

                          Steve

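The two replies from stephenw10 above describe two separate key pairs doing two separate jobs: the server's host key pair in /etc/ssh, which every SSH server has so the client can verify it is talking to the right box, and the optional client key pair, whose public half you paste into the pfSense user manager. The script below is an added illustration of that split; it is not code from this thread or from pfSense. It builds the OpenSSH one-line public key format from constructed placeholder bytes (not real keys), runs the client-side known_hosts check against the server's host key, and runs the server-side authorized_keys check against the user's key. The address 192.0.2.1, the comments, and the file name ssh_host_ed25519_key.pub (standard OpenSSH naming) are assumptions for the demo.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (data, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length

def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH one-line public key: 'ssh-ed25519 <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Parse a *.pub / authorized_keys line into (type, blob, comment).
    Like ssh-keygen, refuse a line whose declared type differs from the type
    encoded inside the blob (a sign of a mangled or hand-edited key)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64, comment = parts[0], parts[1], " ".join(parts[2:])
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_ssh_string(blob, 0)
    if inner_type.decode() != keytype:
        raise ValueError(f"type mismatch: line says {keytype}, blob says {inner_type.decode()}")
    return keytype, blob, comment

def fingerprint(blob: bytes) -> str:
    """Same form as 'ssh-keygen -lf': SHA256 of the blob, base64 with padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts: str, host: str, presented_line: str) -> str:
    """Client-side check against known_hosts: 'match', 'MISMATCH' or 'unknown'.
    'MISMATCH' is the case ssh reports as REMOTE HOST IDENTIFICATION HAS CHANGED.
    Hashed entries (HashKnownHosts yes) are not handled in this demo."""
    keytype, presented_blob, _ = parse_pubkey_line(presented_line)
    for entry in known_hosts.splitlines():
        tokens = entry.split()
        if len(tokens) < 3 or tokens[0].startswith("#"):
            continue
        hosts, known_type, known_b64 = tokens[:3]
        if host not in hosts.split(",") or known_type != keytype:
            continue  # ssh compares per key type; a different type is not a match
        _, known_blob, _ = parse_pubkey_line(f"{known_type} {known_b64}")
        return "match" if known_blob == presented_blob else "MISMATCH"
    return "unknown"

def client_key_authorized(authorized_keys: str, presented_line: str) -> bool:
    """Server-side check: is the presented client public key listed in authorized_keys?
    This is where the key pasted into the pfSense user manager ends up."""
    _, presented_blob, _ = parse_pubkey_line(presented_line)
    for entry in authorized_keys.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            _, known_blob, _ = parse_pubkey_line(entry)
        except ValueError:
            continue  # skip malformed lines rather than fail the whole file
        if known_blob == presented_blob:
            return True
    return False

# Constructed demo data (placeholder byte patterns, NOT real keys). The server
# host key stands in for pfSense's /etc/ssh/ssh_host_ed25519_key.pub (standard
# OpenSSH file name; assumed here); the client key is what an admin would paste
# into the user manager. 192.0.2.1 is a documentation address.
SERVER_HOST_PUB = make_ed25519_pubkey_line(bytes(range(32)), "root@pfSense")
CHANGED_HOST_PUB = make_ed25519_pubkey_line(bytes(32), "root@pfSense")  # reinstalled box, or not the box at all
CLIENT_PUB = make_ed25519_pubkey_line(bytes(range(100, 132)), "admin@laptop")
KNOWN_HOSTS = "192.0.2.1 " + SERVER_HOST_PUB
AUTHORIZED_KEYS = "# keys assigned to the admin user in pfSense\n" + CLIENT_PUB + "\n"

def demo():
    """Walk through both directions of the trust relationship."""
    keytype, blob, comment = parse_pubkey_line(CLIENT_PUB)
    print("client key to paste into pfSense:", keytype, fingerprint(blob), comment)
    print("host key fingerprint to confirm :", fingerprint(parse_pubkey_line(SERVER_HOST_PUB)[1]))
    print("first connect (no known_hosts)  :", check_host_key("", "192.0.2.1", SERVER_HOST_PUB))
    print("later connect, same host key    :", check_host_key(KNOWN_HOSTS, "192.0.2.1", SERVER_HOST_PUB))
    print("later connect, changed host key :", check_host_key(KNOWN_HOSTS, "192.0.2.1", CHANGED_HOST_PUB))
    print("client key authorized on server :", client_key_authorized(AUTHORIZED_KEYS, CLIENT_PUB))

if __name__ == "__main__":
    demo()
```

The practical takeaway for the firewall: the "unknown" case is what you see on the very first connection, and that is the moment to compare the fingerprint your client prints with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the pfSense console, so that a later "MISMATCH" warning actually means something (a reinstall with fresh host keys, or something between you and the firewall).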
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.