How to configure SSH authorized key?

  • Hi All,

    I have access to web GUI and no serial access. Is there a tutorial somewhere on how to create SSH authorized keys to set in Advance? Right now it allows me to reach the box with a username but I don't know what the username/password are so trying to get the SSH key running as it's safer as well.


  • Which version of pfSense are you running?

    Certainly with 1.2 you just paste your public key into the box under System -> Advanced then tick the box to disable password login.  The username BTW is root, and the password is the password you set for the web interface's admin account.

  • Sorry I am a noob. How can I generate a public key? How is that different from a private key? I want to make sure it's all secure. Do I have to create a public key using PuttyGen? or similar software? What portion of the key should be inserted ? all of it?

    Thanks for the tip on root access.

  • You need to generate a key in OpenSSH format.  I'm not familiar with Putty, but it's documentation will cover that (having read it before).

    Generating a key generates 2 parts - a private part and a public part.  The private part stays on the machine running the SSH client, the public part is put onto the servers.  You must put the entire public key on the server.

  • I think puttygen is capable of generating a public key in the form needed by OpenSSH.  It may even give you the line to paste into the authorized keys when you generate or open a private key.

  • Rebel Alliance Developer Netgate

    When you generate a key in PuTTY, it should make both a private and a public key. Usually if the key is, say, mykey.ppk, the public part is

    Look in the PuTTY docs (one copy is here: ) and it's all covered in detail.

    You can load your key in PuTTYgen and then go to Conversions > Export OpenSSH Key. Take the output from that and paste it into the pfSense router where it asks for the ssh key.

  • I just looked at the puttygen program again.  The part you want to paste into the pfSense configuration is the text in the box labeled "Public key for pasting into OpenSSH authorized_keys file:"

    If you want to use the key with PuTTY (or anything that uses PuTTY's plink.exe), click "Save private key" and use that file with PuTTY.

  • Thanks for all the tips guys. I am still failing this. Can someone post private and public keys here so I can test maybe?!

    This is what I have done.

    1- Generated randomness by moving mouse over PuttyGen window.
    2- Saved the Private and Public key with a Pass-Phrase.
    3- IMPORTANT: Mode was set to SSH-2 - Hopefully this is not where I am doing things wrong.
    4- Loaded the private key back into PuttyGen and authenticated it by putting the passphrase.
    5- Click menu Conversion -> Export OpenSSH key and save the file which had no extension.
    6- Loaded all of the content of the OpenSSH key in Authorized keys page of pfsense.
    7- Set the SSH port to 2060 and  Enable Secure Shell with Disable Password login for Secure Shell (KEY only).
    8- Opened Putty and loaded private key which was generated in Step #2 into Connections > SSH > Auth and opened a session to the router
    9- Inputed root as the username and then this is what I got:

    login as: root
    Server refused our key
    Using keyboard-interactive authentication.

    If I input the password for admin then it logs in. This is not right as first of all the SSH login by password should be disabled.

    Any suggestions please?

    Thanks a lot again.

  • No, you don't want to use the export OpenSSH key option.  That saves the private key, which is only needed by the client.  You want the public key in your pfSense configuration.  Copy the text in the "Public key for pasting into OpenSSH authorized_keys file:" box and paste it into the authorized keys in pfSense.  You will want to remove the other that you put in there, since the private key isn't valid there.

  • Okay, so I am supposed to use the OpenSSH exported key on putty. However, the key generated by OpenSSH doesn't have the prefix .ppk so, I used it without the .ppk and used it with a .ppk extension which I give and it was no work again. Error message:

    Unable to use key file "C:\Users\owner\Desktop\openssh_privatekey" (OpenSSH SSH-2 private key)

    I am getting anxious now. Here is all the files I created. Can someone please test this.

    IMPORTANT: None of my files include the "Public key for pasting into OpenSSH authorized_keys file:" which you mentioned in your post. Do you use PuttyGen to generate key files?




    Private Key by PuttyGen (This was also used on PuttyClient on another attempt to see if it works and failed):

    PuTTY-User-Key-File-2: ssh-rsa
    Encryption: aes256-cbc
    Comment: rsa-key-20100730
    Public-Lines: 4
    Private-Lines: 8
    Private-MAC: 055545f59a6889192e7309575a55388ac7b4b981

    Public Key by PuttyGen (Was put into pfsense System > Advanced > Auth Keys):

    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "rsa-key-20100730"
    ---- END SSH2 PUBLIC KEY ----

    OpenSSH key Exported from PuttyGen (not sure if this is a private key like Efonne noted or public key as it has no extension but inside says private key) - (This was used on Putty client to connect to pfsense and failed):

    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,15731C21C3F1B673
    -----END RSA PRIVATE KEY-----


  • Rebel Alliance Developer Netgate

    And now that you've completely compromised the security of that key, trash it and make a new one. :-)

  • Does that mean you tested it and it works for you :-) ???

    I hope I haven't contributed to too much of the green house effects by making the key public and useless :-) After all, it's only few billion electrons displaced.

  • Rebel Alliance Developer Netgate

    No, I didn't try it.

    There's a bit of a misunderstanding about what you need to do, perhaps.

    When you make the key, save it as blah.ppk. Don't worry about the OpenSSH export, only the "public key for pasing" box. Copy the contents of that box into pfSense's field for authorized keys.
    Make sure the key gets saved.

    Fire up pageant.
    Double click the pageant icon in the taskbar
    Click add key
    find your blah.ppk
    Load that up, enter the passphrase if you made one

    Then connect with putty.

  • They say a picture is like 1000 words. Doing what you said disregarding the OpenSSH key export, I am getting a different error. Please check below link for the snap shot of my desktop.

    No supported authentication method available


  • Rebel Alliance Developer Netgate

    Take off the begin, end, and comment lines. If that doesn't work, load the key back up in puttygen, and make sure you have copied the box on the main screen that says right on top of it that it's the openssh public key.

    Exporting the openssh key will export the whole key, not just the public part.

  • Perfect. Works amazingly now. Apparently the Public key saved is much different from what is in puttygen window (probably extraneous header and footer stuff).

    All right,so to summarize and help others, here is how this should be done:

    1- Open PuttyGen and Generate some randomness while PuttyGen creates a key for you.
    2- Enter a long a$$ password with lots of characters, caps, small, and numbers phrase and save private key.
    3- Do NOT SAVE public key. The whole point of this is to not have both keys on the same machine as security maybe compromised. Also, it's unnecessary to save public key.
    4- Once key is generated, in the window on top (on PuttyGen) you will see you public key. Copy and paste that into pfsense System > Advance > Auth key and disable root login and press Save (don't forget SAVE).
    5- Open Pageant (part of the Putty package) and add the private key. It will ask for your pass-phrase so enter it to add the key.
    6- Open a putty session to your server IP and type root and it MUST login.
    7- Enjoy the security and safeguard your key away from your pass-phrase.


  • Rebel Alliance Developer Netgate

    Sounds good except for…


    3- Do NOT SAVE public key. The whole point of this is to not have both keys on the same machine as security maybe compromised. Also, it's unnecessary to save public key.

    You want to save the public key. It doesn't harm security, it's the "public" part. You can even put that up somewhere for others to grab so they can add it to their servers and let you in with ssh keys.

    Besides, if you ever need to login to a second box with the same key, you'll need that again. :-)

  • Not trying to be rude but if you don't understand why the public key does not have to be protected or kept separate from the private key (WHICH IT SELF HAS TO BE KEPT SECRET) then please don't write instructions for others. Figure out first how things really work, please.

  • Good to know all that about Public key. Thanks again guys.

  • Besides, puttygen can generate the public key if you give it the private key.

    By the way, I was saying all along that you want to paste the key from that box into your pfSense configuration.  I've used this before, so I know the steps that are involved. ;)

  • Yes, you were right. But I was seeing it as the Public key as I was confused by other posts and specially the openSSH one.


  • The key in the box is the public key in the form that OpenSSH uses on the server end and the export OpenSSH key saves the private key needed for using OpenSSH as the client.