SSH tunnel to pfsense box
-
I am trying to figure out how to get the SSH service on my pfSense box to accept my connection from PuTTY so I can tunnel traffic for my OpenVPN connection, which is also hosted on the pfSense box.
The problem I am running into is SSH will not allow me to authenticate with my keypair I generated.
When I connect with PuTTY I immediately get the message "Server unexpectedly closed network connection".
All I have done is open a port on the firewall to allow SSH traffic to the pfSense box and create a new user in the User Manager section with the public portion of my SSH key.
Is there something I am missing?
-
All I have done is open a port on the firewall to allow SSH traffic to the pfSense box and create a new user in the User Manager section with the public portion of my SSH key.
I do it all the time (User Manager -> Authorized key -> paste public key), although I'm using the admin account …
What shell does your new user have (check /etc/passwd)? If it's nologin, then it's only natural to just close the session ... You can also try checking what sshd logs to syslog:
clog /var/log/system.log | fgrep sshd | tail
-
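The two checks suggested in the reply above (look at the account's login shell in /etc/passwd, then at what sshd logged), as an added example that is not part of the original thread. The passwd and syslog excerpts are constructed here so it runs offline; the `ian` line copies the one posted later in the thread, the root line and the log hosts and ports are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a pfSense/FreeBSD account
# can actually open an interactive session, and pull that user's sshd lines out
# of a log. All input is passed in as text so this runs offline.

# Constructed /etc/passwd excerpt. The "ian" line mirrors the one posted in the
# thread; the root line is assumed.
PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/sh
ian:*:2002:65534:Ian Campbell:/home/ian:/sbin/nologin'

# Print the login shell (7th colon-separated field) of a user.
login_shell() {          # $1 = username, $2 = passwd text
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Exit 0 if the account has a shell that can run a session, 1 otherwise.
# nologin/false shells end the session the moment sshd starts them, which is
# what "Server unexpectedly closed network connection" looks like in PuTTY.
can_login() {            # $1 = username, $2 = passwd text
    sh_path=$(login_shell "$1" "$2")
    case "$sh_path" in
        ""|*/nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed syslog excerpt in the shape OpenSSH uses; host, pid and port
# numbers are made up.
LOG_SAMPLE='Dec 19 10:01:02 pfsense sshd[1234]: Accepted publickey for ian from 203.0.113.5 port 50022 ssh2
Dec 19 10:01:02 pfsense sshd[1234]: Received disconnect from 203.0.113.5: 11: disconnected by user
Dec 19 10:01:05 pfsense openvpn[999]: Initialization Sequence Completed'

# Offline equivalent of `clog /var/log/system.log | fgrep sshd`, narrowed to
# the lines that name one user.
sshd_lines_for() {       # $1 = username, $2 = log text
    printf '%s\n' "$2" | grep 'sshd\[' | grep -w "$1"
}

# Stand-alone run: report on the user from the thread.
if can_login ian "$PASSWD_SAMPLE"; then
    echo "ian can open a shell"
else
    echo "ian has shell $(login_shell ian "$PASSWD_SAMPLE"): the session is closed at once"
fi
sshd_lines_for ian "$LOG_SAMPLE"
```

The key point the two checks make together: a successful `Accepted publickey` line in the log does not mean the account can be used; authentication and the ability to run a shell are separate, and the shell field is what decides the second.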
Uh… that makes sense, but at the same time I don't understand. Wouldn't a new user get a basic shell for login?
-
Wouldn't a new user get a basic shell for login?
Not necessarily automatically. You might have found a bug, you might have left out a necessary step, …
Some user accounts are created just so particular programs can run in a particular environment (user-id, group memberships etc) and without root privileges, hence those accounts need not (should not?) allow login.
-
Yep, you were correct!
Straight from /etc/passwd (logged in with username and password):
ian:*:2002:65534:Ian Campbell:/home/ian:/sbin/nologin
So what is that all about? Did I find a bug?
-
So what is that all about? Did I find a bug?
Not necessarily. The local user database is also used to provide authentication for the web GUI and captive portal, neither of which involves "login" to pfSense.
Since pfSense already includes OpenVPN (and because I sometimes have a limited imagination), why are you running OpenVPN over an SSH tunnel? Why not just run the OpenVPN client on your (Windows?) PC?
-
I use SSH to punch through a restrictive firewall to allow OpenVPN to terminate at my pfSense endpoint. It's a firewall at my school. They said it was okay "if" I can get through without breaking the rules.
It's the only place where I need to tunnel OpenVPN through SSH; everywhere else it works fine on its own.
-
So just run OpenVPN on a port that is open on that firewall.
I run an instance of OpenVPN on 443 TCP just for that reason. The default 1194 UDP is not always open. Shoot, at work you have to use a proxy to get out; there is no direct access. Bouncing off the proxy works just fine using 443 and TCP.
I think your tunnel idea is not attacking the problem from the easiest angle. I SSH into pfSense all the time using a public key, but I do use root. Now I do have a different account that I use for OpenVPN access, so your question is how to get it to SSH in and use a public key?
Did you give the user shell access via the User Manager? There is a specific right:
User - System - Shell account access: Indicates whether the user is able to log in, for example via SSH.
It is in the User Manager under effective permissions. Under the account there is a place to paste their key if you want to allow public key access. I have given the user shell access, but I normally just use root to SSH in (not open from the public side); I would only use it once I have VPN'd into the network. But if that is what you want to do, just set up the user with the correct permissions and paste in the key.
It works; you don't get the console like you do with the admin/root user:
Using username "johnpoz".
Authenticating with public key "NewKey 12/19/12"
Copyright 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
[2.1-BETA1][johnpoz@pfsense.local.lan]/home/johnpoz(1):
-
Could this be Layer7 filtering (aka "deep packet inspection") at work? Some admins are paranoid and smart; they'll check every packet on every port just to make sure that nothing "funny" can happen in the digital domain. In corporate networks, this might make some sort of sense. Via some sort of tunnel, you could secretly steal data. Oh well, you could do so as well with the help of a screwdriver and walk out with a stolen hard disk…but at least the network admin can rest assured that it wasn't his fault.
- Klaus
-
I can't find the option you are talking about for giving a user shell access.
I looked in the User Manager under the user account and there is nothing. Do I need to create a new group?
-
Never mind, I found the option... now to see if it works.
-
Users are nologin by default. Once you grant shell access, they can use SSH for tunneling or other purposes.
-
And it's great that you can give your users SSH access, but it is not really required to solve your firewall issue. Just run an instance of OpenVPN on a port that is open, like 443 ;)
You never know where you might be and what they might block; not every location is going to allow SSH out either.
-
Very good point!
Hmm, I will give it a try and see what happens. Sounds a lot simpler anyway.
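The two routes the thread weighs against each other, as an added example that is not part of the original posts: an OpenVPN instance listening on tcp/443 reached directly (the recommendation at the end of the thread), and the original poster's plan of carrying OpenVPN through an SSH local port forward from an account that has been granted "Shell account access". The profile contents, hostnames and port numbers are assumed; the helper also checks the one thing that decides whether the SSH route can work at all, which the thread does not spell out: `ssh -L` forwards TCP streams only, so the pfSense instance must be a TCP one.

```shell
#!/bin/sh
# Added example, not from the thread. Client-side helper for two ways to reach
# an OpenVPN server on pfSense from behind a restrictive firewall:
#   A) OpenVPN listening on tcp/443, connected to directly;
#   B) OpenVPN carried over an SSH local port forward.
# Hostnames, ports and the profile text are assumed for illustration.

# Constructed client profile for a pfSense OpenVPN instance on tcp/443 (route A).
DIRECT_PROFILE='client
dev tun
proto tcp-client
remote vpn.example.net 443
ca ca.crt
cert client.crt
key client.key'

# Route B only works for a TCP server instance: `ssh -L` forwards TCP streams,
# so the 1194/udp default can never be reached through it.
# Exit 0 if the profile uses TCP, 1 if it is UDP or does not say.
# Handles both `proto tcp...` and the `remote host port tcp` form.
profile_uses_tcp() {     # $1 = profile text
    printf '%s\n' "$1" | awk '
        $1 == "proto"  && $2 ~ /^tcp/ { tcp = 1 }
        $1 == "remote" && $4 ~ /^tcp/ { tcp = 1 }
        $1 == "proto"  && $2 ~ /^udp/ { udp = 1 }
        $1 == "remote" && $4 ~ /^udp/ { udp = 1 }
        END { if (tcp && !udp) exit 0; exit 1 }'
}

# Rewrite a profile so OpenVPN talks to the local end of an SSH forward
# instead of the real server: `remote <host> <port>` becomes
# `remote 127.0.0.1 <localport>`; every other line is kept as-is.
via_ssh_forward() {      # $1 = profile text, $2 = local forward port
    printf '%s\n' "$1" | awk -v lp="$2" '
        $1 == "remote" { $2 = "127.0.0.1"; $3 = lp }
        { print }'
}

# The ssh command that pairs with via_ssh_forward. It is printed, not run: it
# needs a real host and an account with "Shell account access" granted. The
# forward target 127.0.0.1 assumes the OpenVPN instance on pfSense accepts
# connections on localhost; bind it accordingly or substitute its address.
ssh_forward_cmd() {      # $1 = ssh user, $2 = pfSense host, $3 = local port, $4 = openvpn port
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$3" "$4" "$1" "$2"
}

# Stand-alone run: show route A's profile turned into route B.
if profile_uses_tcp "$DIRECT_PROFILE"; then
    echo "profile is TCP, so it can ride an SSH forward; run:"
    ssh_forward_cmd ian pfsense.example.net 1194 443
    echo "then start OpenVPN with this profile:"
    via_ssh_forward "$DIRECT_PROFILE" 1194
else
    echo "profile is UDP: switch the pfSense instance to TCP before tunnelling" >&2
fi
```

Route A needs nothing beyond the profile as written, which is why the thread calls it the simpler option; route B adds an SSH account that must be allowed a shell, a forward that has to stay up, and the TCP-only constraint above.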