openvpn ssh via iPhone connect to pfSense fails
-
@JonH said in openvpn ssh via iPhone connect to pfSense fails:
HostKey /etc/ssh/ssh_host_rsa_key
Your client is looking for OLD school rsa key, not the new versions with sha2..
So if you check your key on pfsense..
Your client is only accepting really old school ones..
See where client said only ssh-rsa, and ssh-dss.. Where when I looked at what pfsense was offering it was
Their offer: rsa-sha2-512,rsa-sha2-256,ssh-ed25519
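The mismatch described in the post above, modelled as an added Python example (this is not code from the posters, OpenSSH or pfSense). The server list is the offer quoted above; the client lists and the diagnostic line are constructed for the example, in the format an OpenSSH client prints when the two host-key algorithm lists have nothing in common.

```python
"""Host-key algorithm negotiation as in RFC 4253 section 7.1, applied to the
offers seen in this thread.  Added illustration, not code from OpenSSH,
pfSense or the forum posters; LOG_LINE and the client lists are constructed."""
import re
from typing import Optional

# Offer observed from pfSense in the thread (quoted from the post above).
PFSENSE_OFFER = "rsa-sha2-512,rsa-sha2-256,ssh-ed25519"

# Constructed diagnostic in the format ssh prints on a failed negotiation.
LOG_LINE = ("Unable to negotiate with 192.0.2.10 port 22: no matching host key "
            "type found. Their offer: " + PFSENSE_OFFER)

OFFER_RE = re.compile(r"Their offer:\s*([\w@.,+-]+)")


def parse_name_list(text: str) -> list:
    """An SSH name-list is comma-separated and ordered by preference."""
    return [a.strip() for a in text.split(",") if a.strip()]


def offer_from_log(line: str) -> list:
    """Pull the peer's name-list out of an 'Unable to negotiate' line."""
    m = OFFER_RE.search(line)
    return parse_name_list(m.group(1)) if m else []


def negotiate(client: list, server: list) -> Optional[str]:
    """RFC 4253 7.1: the first algorithm on the client's list that the server
    also lists wins; with no common element the connection fails."""
    available = set(server)
    for alg in client:
        if alg in available:
            return alg
    return None


def key_type_for(alg: str) -> str:
    """rsa-sha2-256/512 (RFC 8332) are signature algorithms over an ordinary
    'ssh-rsa' key, which is why an existing RSA host key needs no replacement."""
    return "ssh-rsa" if alg in ("rsa-sha2-256", "rsa-sha2-512") else alg


def uses_sha1(alg: str) -> bool:
    """Signature algorithms whose signatures are SHA-1 based."""
    return alg in ("ssh-rsa", "ssh-dss")


if __name__ == "__main__":
    server = offer_from_log(LOG_LINE)
    # The old client in the thread only knows the SHA-1 based algorithms.
    old_client = parse_name_list("ssh-rsa,ssh-dss")
    # A current client (constructed preference order, not OpenSSH's real default).
    new_client = parse_name_list("ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa")
    for name, client in (("old client", old_client), ("new client", new_client)):
        chosen = negotiate(client, server)
        if chosen is None:
            print(f"{name}: no common host-key algorithm -> connection fails")
        else:
            print(f"{name}: {chosen} (key type {key_type_for(chosen)}, "
                  f"SHA-1 based: {uses_sha1(chosen)})")
```

Run it and the old client gets no match at all, while the current client settles on ssh-ed25519; a client that lists rsa-sha2-256 but not ssh-ed25519 still connects using the same RSA host key, only with a SHA-256 signature over it.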
-
@johnpoz OK, very good. My pfSense host key starts w/ 4096 SHA256:
BTW, the ed25519 host key is 256 SHA256
The libterm host key starts w/ 2048 SHA256:
And I guess for security reasons there is no backward compatibility.
Guess I better fire up my linux laptop and check its keys.
Thanks for spending your time to educate me. And thanks to @Gertjan too.
-
@JonH yeah when it comes time to depreciate some old encryption, its time to stop using it everywhere.
So they announced that was going away back in 8.2
https://www.openssh.com/txt/release-8.2
It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.
And believe it was actually removed in 8.8
https://www.openssh.com/txt/release-8.8
This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.
Your host key itself is prob fine, but the exchange algo is gone, etc. You could enable it, but with pfsense that is a bit difficult since it's more than just adjusting the sshd conf file; if you did that it would just get rewritten etc..
You prob want to read over the old release notes for info on migration away from that algo.. Keeping in mind the current version of ssh in pfsense is 9.4, with the current version being 9.6.. ssh has gotten some more attention as of late with the whole https://terrapin-attack.com/
There was a thread about it that jimp did, and there is a current patch you can apply, etc..
https://forum.netgate.com/topic/184941/terrapin-ssh-attack?_=1703677008519
It prob wouldn't be a bad idea to go over all of your hosts running ssh, and make sure the clients being used are current, etc
I have some stuff that ticks me off because it's out of date and no way to update, etc.. My unifi APs for example - they are running ssh via dropbear that is many versions behind..
Hallway-BZ.6.6.56# dropbear -V
Dropbear v2020.81
Hallway-BZ.6.6.56#
And my cisco switch is pretty freaking dated as well.. That being said, if it's just local network access it's prob not the end of the world, etc. But it does behoove you to stay current with best practices, current ciphers and algos, etc.
Maybe take the opportunity to make sure you're all updated with client/server etc. and using best practices..
Maybe take a look at this tool.. https://github.com/jtesta/ssh-audit
Here is a sample run against my AP for example.. Which ticks me off because there is no way to update it, need unifi to update and have been asking them about doing that for years, and just get back crickets..
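The "you could enable it" remark above refers to the "+", "-" and "^" prefixes OpenSSH accepts on algorithm-list options such as HostKeyAlgorithms and PubkeyAcceptedAlgorithms (documented in sshd_config(5)): "+" appends to the default set, "-" removes matching names (wildcards allowed), "^" moves names to the front, and a bare list replaces the default. The following added Python example (not OpenSSH's code, not from the posters) models those rules so the effect of a directive like `HostKeyAlgorithms +ssh-rsa` can be seen against the list pfSense offered. The baseline list is an assumption taken from the thread's quoted offer, not OpenSSH's real compiled-in default.

```python
"""Model of OpenSSH's '+', '-' and '^' algorithm-list prefixes (sshd_config(5)).
Added example; not OpenSSH's code.  BASELINE is assumed to be the offer pfSense
made in this thread, not OpenSSH's actual compiled-in default list."""
from fnmatch import fnmatchcase

BASELINE = ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"]  # quoted in the thread
SHA1_SIGNATURE_ALGS = {"ssh-rsa", "ssh-dss"}                 # SHA-1 based signatures


def apply_spec(default, spec):
    """Effective list for option value 'spec' applied to 'default':
    '+a,b' appends (skipping names already present), '-pat,...' removes names
    matching the patterns, '^a,b' puts the names first, a bare list replaces."""
    names = [n for n in spec.lstrip("+-^").split(",") if n]
    if spec.startswith("+"):
        return default + [n for n in names if n not in default]
    if spec.startswith("-"):
        return [n for n in default
                if not any(fnmatchcase(n, pat) for pat in names)]
    if spec.startswith("^"):
        return names + [n for n in default if n not in names]
    return names


def first_common(client, server):
    """First client preference the server also offers (RFC 4253 7.1), else None."""
    return next((a for a in client if a in server), None)


def sha1_algs(algs):
    """SHA-1 based signature algorithms in a list, i.e. what an audit would flag."""
    return [a for a in algs if a in SHA1_SIGNATURE_ALGS]


if __name__ == "__main__":
    old_client = ["ssh-rsa", "ssh-dss"]   # the thread's old-school client
    for spec in ("+ssh-rsa", "-rsa-sha2-*", "^ssh-ed25519", "ssh-ed25519"):
        effective = apply_spec(BASELINE, spec)
        print(f"HostKeyAlgorithms {spec:14} -> {','.join(effective)}")
        print(f"    old client negotiates: {first_common(old_client, effective)};"
              f" SHA-1 algs offered: {sha1_algs(effective)}")
```

Only `+ssh-rsa` lets the old client in, and it does so by putting a SHA-1 signature algorithm back on offer, which is exactly what the 8.8 change removed; as the post notes, on pfSense a hand edit of sshd_config is rewritten anyway, so this only shows what the directive would do, not how to apply it there.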
-
@johnpoz said in openvpn ssh via iPhone connect to pfSense fails:
I fired up the webssh that @Gertjan mentioned and was connected to pfsense in like 10 seconds. Just generated the key right in the app, using ED25519. Copied the pub key to pfsense for my test user and pasted it in..
@johnpoz I want to thank you so much for spending time explaining things to me. In spite of all that I still spent the better part of a week banging my head on the desk, keyboard, and anything else nearby in the hope of knocking some sense into myself.
My problem was the app, WebSSH. Ultimately I think the original install must have gone bad because I never could replicate the screenshots in the post I am replying to. After deleting WebSSH in frustration and reinstalling it I got the bingo! moment and it all fell into place. Testing w/ openvpn and my iPhone over a cell connection w/ openvpn on my wifi only iPad got me right into the console shell even tho it was a low data connection.
Thanks again and Happy New Year.
-
@JonH said in openvpn ssh via iPhone connect to pfSense fails:
because I never could replicate the screenshots in the post I am replying to
The ssh-audit screen, did you run ssh-audit?
-
@johnpoz said in openvpn ssh via iPhone connect to pfSense fails:
did you run ssh-audit?
I did not. I am embarrassedly deficient in my knowledge of GitHub and there were no pre-built packages for Apple's iOS/iPadOS. The screenshots posted by @Gertjan and yourself were in posts mentioning the iOS app WebSSH and I failed to understand that a later post about ssh-audit was the source of those particular screenshots.
No matter, WebSSH is working well for me now and I have learned a great deal more than I knew before.
I thank you and @Gertjan for the information that was posted.
-
@JonH I didn't run that off my phone, ran it off my pc to show what ciphers and algos and kex etc.. were being offered is all..
Glad you got it sorted.. Happy sshing ;)
-
@JonH said in openvpn ssh via iPhone connect to pfSense fails:
were no pre-built package for the Apple's iOS/iPados
Packages ?
There are only "apps" that you can install using the "App Store" app, like this one : WebSSH.
I think he was talking about the ssh-audit not the ssh app for the phone.
-
@Gertjan said in openvpn ssh via iPhone connect to pfSense fails:
@JonH said in openvpn ssh via iPhone connect to pfSense fails:
were no pre-built package for the Apple's iOS/iPados
Packages ?
There are only "apps" that you can install using the "App Store" app, like this one : WebSSH.
I think he was talking about the ssh-audit not the ssh app for the phone.
Yes, that is correct and my post was referring to my misunderstanding.
As for my poor choice of the word 'package', I was referring to pre-builts at GitHub.
All that said, I have WebSSH finally set up and working on my iPad. And now that I better understand what ssh-audit is all about I will fire up a Linux box and try the pre-built .py
-
@JonH they also have a windows release, just an exe you can run.. That's what I used in my screenshot