    How to configure SSH authorized key?

      torontob

      Hi All,

      I have access to web GUI and no serial access. Is there a tutorial somewhere on how to create SSH authorized keys to set in Advanced? Right now it allows me to reach the box with a username but I don't know what the username/password are so trying to get the SSH key running as it's safer as well.

      thanks

        Cry Havok

        Which version of pfSense are you running?

        Certainly with 1.2 you just paste your public key into the box under System -> Advanced then tick the box to disable password login.  The username BTW is root, and the password is the password you set for the web interface's admin account.

          torontob

          Sorry I am a noob. How can I generate a public key? How is that different from a private key? I want to make sure it's all secure. Do I have to create a public key using PuttyGen or similar software? What portion of the key should be inserted? All of it?

          Thanks for the tip on root access.

            Cry Havok

            You need to generate a key in OpenSSH format.  I'm not familiar with Putty, but its documentation will cover that (having read it before).

            Generating a key generates 2 parts - a private part and a public part.  The private part stays on the machine running the SSH client, the public part is put onto the servers.  You must put the entire public key on the server.

              Efonnes

              I think puttygen is capable of generating a public key in the form needed by OpenSSH.  It may even give you the line to paste into the authorized keys when you generate or open a private key.

                jimp Rebel Alliance Developer Netgate

                When you generate a key in PuTTY, it should make both a private and a public key. Usually if the key is, say, mykey.ppk, the public part is mykey.pub.

                Look in the PuTTY docs (one copy is here: http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter8.html#pubkey-puttygen ) and it's all covered in detail.

                You can load your key in PuTTYgen and then go to Conversions > Export OpenSSH Key. Take the output from that and paste it into the pfSense router where it asks for the ssh key.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                  Efonnes

                  I just looked at the puttygen program again.  The part you want to paste into the pfSense configuration is the text in the box labeled "Public key for pasting into OpenSSH authorized_keys file:"

                  If you want to use the key with PuTTY (or anything that uses PuTTY's plink.exe), click "Save private key" and use that file with PuTTY.

                    torontob

                    Thanks for all the tips guys. I am still failing this. Can someone post private and public keys here so I can test maybe?!

                    This is what I have done.

                    1- Generated randomness by moving mouse over PuttyGen window.
                    2- Saved the Private and Public key with a Pass-Phrase.
                    3- IMPORTANT: Mode was set to SSH-2 - Hopefully this is not where I am doing things wrong.
                    4- Loaded the private key back into PuttyGen and authenticated it by putting the passphrase.
                    5- Click menu Conversion -> Export OpenSSH key and save the file which had no extension.
                    6- Loaded all of the content of the OpenSSH key in Authorized keys page of pfsense.
                    7- Set the SSH port to 2060 and Enable Secure Shell with Disable Password login for Secure Shell (KEY only).
                    8- Opened Putty and loaded private key which was generated in Step #2 into Connections > SSH > Auth and opened a session to the router 192.168.1.1
                    9- Entered root as the username and then this is what I got:

                    login as: root
                    Server refused our key
                    Using keyboard-interactive authentication.
                    Password:

                    If I input the password for admin then it logs in. This is not right as first of all the SSH login by password should be disabled.

                    Any suggestions please?

                    Thanks a lot again.

                      Efonnes

                      No, you don't want to use the export OpenSSH key option.  That saves the private key, which is only needed by the client.  You want the public key in your pfSense configuration.  Copy the text in the "Public key for pasting into OpenSSH authorized_keys file:" box and paste it into the authorized keys in pfSense.  You will want to remove the other that you put in there, since the private key isn't valid there.

                        torontob

                        Okay, so I am supposed to use the OpenSSH exported key on putty. However, the key generated by OpenSSH doesn't have the prefix .ppk so I used it without the .ppk, and then with a .ppk extension which I gave it, and it did not work again. Error message:

                        Unable to use key file "C:\Users\owner\Desktop\openssh_privatekey" (OpenSSH SSH-2 private key)

                        I am getting anxious now. Here are all the files I created. Can someone please test this?

                        Efonne,
                        IMPORTANT: None of my files include the "Public key for pasting into OpenSSH authorized_keys file:" which you mentioned in your post. Do you use PuttyGen to generate key files?

                        ANYTHING YOU SEE BELOW ENCAPSULATED IN CODE AND SHOWS AS CODE WAS EXACTLY COPIED AND PASTED AND NO HEADERS WERE REMOVED WHILE USED ON PFSENSE OR THE PUTTY CLIENT.

                        PassPhrase:

                        dklsfjs87234ksdfkhERewrkjewh@#$3kjsdfjusdj
                        

                        Private Key by PuttyGen (This was also used on PuttyClient on another attempt to see if it works and failed):

                        

                        Public Key by PuttyGen (Was put into pfsense System > Advanced > Auth Keys):

                        ---- BEGIN SSH2 PUBLIC KEY ----
                        Comment: "rsa-key-20100730"
                        AAAAB3NzaC1yc2EAAAABJQAAAIEAwKVyCw7h2WIiOiTh+6Msu2s15WNxQoY7hPco
                        z0rZCgiAkaKYE8hMpXxJ2vc9kVSSqp6SK9NwoLTJi3/ciRbbAPcNCq+sfOPyLtkd
                        kBUSx1SZR5PdYpmA+shG25ezwO3nikcglWNiiSEcw9z5QSJ7rHYLiMVVEhJ9fi2/
                        1cL5QD8=
                        ---- END SSH2 PUBLIC KEY ----
                        

                        OpenSSH key Exported from PuttyGen (not sure if this is a private key like Efonne noted or public key as it has no extension but inside says private key) - (This was used on Putty client to connect to pfsense and failed):

                        

                        Thanks

                          jimp Rebel Alliance Developer Netgate

                          And now that you've completely compromised the security of that key, trash it and make a new one. :-)

                            torontob

                            Does that mean you tested it and it works for you :-) ???

                            I hope I haven't contributed too much to the greenhouse effect by making the key public and useless :-) After all, it's only a few billion electrons displaced.

                              jimp Rebel Alliance Developer Netgate

                              No, I didn't try it.

                              There's a bit of a misunderstanding about what you need to do, perhaps.

                              When you make the key, save it as blah.ppk. Don't worry about the OpenSSH export, only the "public key for pasting" box. Copy the contents of that box into pfSense's field for authorized keys.
                              Make sure the key gets saved.

                              Fire up pageant.
                              Double click the pageant icon in the taskbar
                              Click add key
                              find your blah.ppk
                              Load that up, enter the passphrase if you made one

                              Then connect with putty.

                                torontob

                                They say a picture is like 1000 words. Doing what you said, disregarding the OpenSSH key export, I am getting a different error. Please check the link below for the snapshot of my desktop.

                                https://docs.google.com/leaf?id=0B9R-hmALgNpVYzlmNzdkZmItY2IzNy00NzMyLThiZGEtNTI5MDI0NzU2OGNj&hl=en

                                Error:
                                No supported authentication method available

                                Thanks

                                  jimp Rebel Alliance Developer Netgate

                                  Take off the begin, end, and comment lines. If that doesn't work, load the key back up in puttygen, and make sure you have copied the box on the main screen that says right on top of it that it's the openssh public key.

                                  Exporting the openssh key will export the whole key, not just the public part.

                                    torontob

                                    Perfect. Works amazingly now. Apparently the Public key saved is much different from what is in puttygen window (probably extraneous header and footer stuff).

                                    All right, so to summarize and help others, here is how this should be done:

                                    1- Open PuttyGen and Generate some randomness while PuttyGen creates a key for you.
                                    2- Enter a long a$$ password with lots of characters, caps, small, and numbers phrase and save private key.
                                    3- Do NOT SAVE public key. The whole point of this is to not have both keys on the same machine as security may be compromised. Also, it's unnecessary to save public key.
                                    4- Once key is generated, in the window on top (on PuttyGen) you will see your public key. Copy and paste that into pfsense System > Advanced > Auth key and disable root login and press Save (don't forget SAVE).
                                    5- Open Pageant (part of the Putty package) and add the private key. It will ask for your pass-phrase so enter it to add the key.
                                    6- Open a putty session to your server IP and type root and it MUST log in.
                                    7- Enjoy the security and safeguard your key away from your pass-phrase.

                                    -Bruce

                                      jimp Rebel Alliance Developer Netgate

                                      Sounds good except for…

                                      @torontob:

                                      3- Do NOT SAVE public key. The whole point of this is to not have both keys on the same machine as security may be compromised. Also, it's unnecessary to save public key.

                                      You want to save the public key. It doesn't harm security, it's the "public" part. You can even put that up somewhere for others to grab so they can add it to their servers and let you in with ssh keys.

                                      Besides, if you ever need to log in to a second box with the same key, you'll need that again. :-)

                                        kpa

                                        Not trying to be rude but if you don't understand why the public key does not have to be protected or kept separate from the private key (WHICH ITSELF HAS TO BE KEPT SECRET) then please don't write instructions for others. Figure out first how things really work, please.

                                          torontob

                                          Good to know all that about Public key. Thanks again guys.

                                            Efonnes

                                            Besides, puttygen can generate the public key if you give it the private key.

                                            By the way, I was saying all along that you want to paste the key from that box into your pfSense configuration.  I've used this before, so I know the steps that are involved. ;)
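
The format mix-up worked through in this thread (PuTTYgen's saved "SSH2 PUBLIC KEY" file versus the one-line text that OpenSSH's authorized_keys expects, plus a private key pasted by mistake) can be checked before anything is saved on the server. The following is an added example, not code from the thread or from pfSense; the function names are hypothetical and the sample key is constructed with a fake modulus. It assumes one key per paste and no authorized_keys options prefix.

```python
import base64
import struct

# Markers of private key files (OpenSSH/PEM export and PuTTY .ppk).
PRIVATE_MARKERS = ("PRIVATE KEY", "PuTTY-User-Key-File")

def key_type(blob: bytes) -> str:
    """Return the algorithm name stored as the first string of a key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")

def to_authorized_keys_line(pasted: str) -> str:
    """Normalise a pasted public key to one 'type base64 comment' line."""
    if any(marker in pasted for marker in PRIVATE_MARKERS):
        raise ValueError("private key material: keep it on the client")
    lines = [ln.strip() for ln in pasted.splitlines() if ln.strip()]
    declared, comment = None, ""
    if lines and lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        if not lines[-1].startswith("---- END SSH2 PUBLIC KEY"):
            raise ValueError("missing END SSH2 PUBLIC KEY line")
        body, continued = [], False
        for ln in lines[1:-1]:
            if continued or ":" in ln:  # header line, e.g. Comment: "..."
                if not continued and ln.lower().startswith("comment:"):
                    comment = ln.split(":", 1)[1].strip(' "\\')
                continued = ln.endswith("\\")  # header wraps onto next line
            else:
                body.append(ln)  # wrapped base64 of the key blob
        b64 = "".join(body)
    elif len(lines) == 1 and len(lines[0].split()) >= 2:
        declared, b64, *rest = lines[0].split(None, 2)
        comment = rest[0] if rest else ""
    else:
        raise ValueError("not a recognised public key format")
    blob = base64.b64decode(b64, validate=True)  # ValueError on bad base64
    embedded = key_type(blob)
    if declared not in (None, embedded):
        raise ValueError(f"line says {declared}, blob says {embedded}")
    return f"{embedded} {base64.b64encode(blob).decode()} {comment}".strip()

def sample_rfc4716() -> str:
    """Constructed demo input: fake modulus, not a usable key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x25") + s(b"\x00" + bytes(range(128, 256)))
    b64 = base64.b64encode(blob).decode()
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                      'Comment: "constructed-demo-key"',
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      "---- END SSH2 PUBLIC KEY ----"])

if __name__ == "__main__":
    print(to_authorized_keys_line(sample_rfc4716()))
```

The private-key check runs first, so a pasted .ppk or "Export OpenSSH key" file is rejected before any parsing is attempted.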
