
Enable SSH Server
About
It can be helpful to have SSH access to the server running OPNsense for a number of reasons, for example to recover from a web GUI lockout, to edit service configs, or for general administration. This article is a prerequisite to Enable sudo for non root users, which is itself a prerequisite to Disable logging into OPNsense as the root user.
Prerequisites
- An installed OPNsense server
- Your local device can reach the OPNsense web dashboard
- You have an OPNsense login account that is a member of the built-in admins group. This can be root or another user acting as a system administrator. See Create a New Administrator Account if you don't have a non-root user and you want to disable the root user later.
Instructions
- Login via web GUI.
- Navigate to System > Settings > Administration.
- Under the Secure Shell section, check Enable Secure Shell.
- Leave Permit root login unchecked for security reasons.
- Set the Listen interfaces to LAN (or a VLAN) such that the OpenSSH server is only listening for connections from local traffic and not exposed to the wider internet.
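Once the listen interfaces are restricted it is worth confirming from the OPNsense shell (console menu option 8, or an SSH session once one works) that sshd really is bound only to the LAN or VLAN address and not to the wildcard address. The script below is an added example, not part of the original article or of OPNsense; it assumes the column layout of FreeBSD's `sockstat -l` (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS in the first seven columns) and carries constructed sample output so the parsing can be exercised on any machine.

```shell
#!/bin/sh
# Added example (not from the original article or OPNsense): confirm that sshd
# listens only on the LAN/VLAN address after "Listen interfaces" was restricted.
# Assumes FreeBSD `sockstat -l` columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# Print the unique local addresses (port stripped) that sshd is listening on.
# Reads sockstat-formatted lines from stdin.
sshd_listen_addresses() {
    awk '$2 == "sshd" && $5 ~ /^tcp/ {
            addr = $6
            sub(/:[^:]*$/, "", addr)   # strip the ":port" suffix (IPv6-safe: last colon)
            print addr
        }' | sort -u
}

# Exit 0 when no sshd socket is bound to a wildcard address ("*", 0.0.0.0 or ::),
# i.e. the LAN-only restriction took effect; exit 1 otherwise.
sshd_bound_to_lan_only() {
    awk '$2 == "sshd" && $5 ~ /^tcp/ {
            addr = $6
            sub(/:[^:]*$/, "", addr)
            if (addr == "*" || addr == "0.0.0.0" || addr == "::") bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample output (not captured from a real box): sshd bound to LAN only.
SAMPLE_LAN_ONLY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   192.168.1.1:22        *:*
root     sshd       1234  5  tcp6   fe80::1%igb1:22       *:*
root     syslogd    800   4  udp4   *:514                 *:*'

# Constructed sample: sshd bound to every address, so also reachable via WAN.
SAMPLE_ALL='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*'

# Report on one sockstat listing passed as a string.
report() {
    if printf '%s\n' "$1" | sshd_bound_to_lan_only; then
        echo "OK: sshd listens only on: $(printf '%s\n' "$1" | sshd_listen_addresses | tr '\n' ' ')"
    else
        echo "WARNING: sshd is bound to a wildcard address; re-check Listen interfaces"
    fi
}

# Live check on OPNsense (sockstat present); the constructed samples elsewhere.
if command -v sockstat >/dev/null 2>&1; then
    report "$(sockstat -l)"
else
    report "$SAMPLE_LAN_ONLY"
    report "$SAMPLE_ALL"
fi
```

Run it on the OPNsense box after saving the Administration page: the OK line should list only the LAN (and, if enabled, LAN IPv6) addresses. A `*` or `0.0.0.0` entry means the listen restriction did not apply and the WAN side is accepting SSH connections.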
- From a terminal or command prompt, list the files in the ~/.ssh directory with
$ ls -1 ~/.ssh
Output:
config
id_rsa
id_rsa.pub
known_hosts
known_hosts.old
- Your public key is named id_rsa.pub. If there is none on your machine, generate one on Linux/Unix-based systems with the following command.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jmutai/.ssh/id_rsa):
Created directory '/home/jmutai/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jmutai/.ssh/id_rsa
Your public key has been saved in /home/jmutai/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:bgcrnow9O7wKbgeOdJ6kO2CnwPvpW5kGY84rMDv+DPY jmutai@josphat-devops2
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| |
| |
|. + S |
|=+=+o o. o |
|*BX+.*. + . |
|=B*+*=++ . |
|.=OE+.B= |
+----[SHA256]-----+
- Copy the contents of this file for use in OPNsense.
cat ~/.ssh/id_rsa.pub
macOS: highlight the entire key, from ssh-rsa through the = character at the end of the string, then right-click (two-finger tap on the trackpad) and copy.
- Next, in the OPNsense web GUI, navigate to System > Users and select the user to edit using the pencil icon.
Paste the copied key for the selected user. In our example the user is root.
If using a non-root user, set the login shell to /bin/sh; otherwise the connection will close with the message 'This account is not currently available' as soon as you log in.
![[login-shell.png]]
When done save the changes.
- Test the SSH connection. Replace OPNSENSE_LAN_IP with the LAN address of your OPNsense box; the user here is root, as in the example above.
ssh -i ~/.ssh/id_rsa root@OPNSENSE_LAN_IP
-i selects the file from which the identity (private key) for public key authentication is read. Here id_rsa is the private key generated together with the public key we pasted into OPNsense. The private key itself is never sent: the client uses it to sign a challenge, and the OPNsense SSH server verifies that signature against the public key stored for the user.
- If it's your first time connecting, you may get the message
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type 'yes' and hit enter to add the server's host key to your list of known hosts in known_hosts. The next time you connect, you can just use
ssh root@OPNSENSE_LAN_IP
to connect, since the host key has been saved in known_hosts and ~/.ssh/id_rsa is the key ssh tries by default.
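The yes/no prompt above is trust-on-first-use: whatever host key the client sees first is what gets saved. A safer first connection pins the host key out of band: read the public host key on the OPNsense console, put it into known_hosts yourself, and connect with strict checking so that a mismatch is refused instead of asked about. The script below is an added example, not part of the original article or of OPNsense. The host key file path it mentions (/conf/sshd/ssh_host_ed25519_key.pub) is an assumption that may differ on your install, and the key material in the sample is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the original article or OPNsense): pin the OPNsense
# host key in known_hosts before the first connection, so SSH never has to ask
# the yes/no trust-on-first-use question and a changed key is refused.
#
# On the OPNsense console (menu option 8, Shell) print the public host key to
# carry over; the path is an assumption and may differ on your install:
#     cat /conf/sshd/ssh_host_ed25519_key.pub
#     ssh-keygen -lf /conf/sshd/ssh_host_ed25519_key.pub    # its fingerprint

# Print "keytype key" recorded for HOST in a known_hosts FILE, or nothing.
# Only plain entries are considered: hashed (|1|...) entries, @-markers and
# comment lines are skipped.
known_hosts_lookup() {   # $1 = known_hosts file, $2 = host
    [ -f "$1" ] || return 0
    awk -v h="$2" '$1 !~ /^[@#|]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; exit }
        }' "$1"
}

# Pin HOST to KEYTYPE KEY. Idempotent: an identical entry is left alone
# (returns 0); a different key already pinned for HOST is refused (returns 2)
# rather than silently overwritten.
pin_host_key() {         # $1 = known_hosts file, $2 = host, $3 = keytype, $4 = key
    existing=$(known_hosts_lookup "$1" "$2")
    if [ -z "$existing" ]; then
        printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
    elif [ "$existing" != "$3 $4" ]; then
        echo "refusing to pin $2: a different $3 key is already recorded" >&2
        return 2
    fi
    return 0
}

# Constructed sample values (not a real key): the base64 starts with the
# ed25519 wire-format prefix and continues with filler, enough for the parsing.
OPNSENSE_HOST="192.168.1.1"
OPNSENSE_KEYTYPE="ssh-ed25519"
OPNSENSE_KEY="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKeyAAAAAAA"

demo() {
    f=$(mktemp)
    pin_host_key "$f" "$OPNSENSE_HOST" "$OPNSENSE_KEYTYPE" "$OPNSENSE_KEY"
    echo "pinned: $(known_hosts_lookup "$f" "$OPNSENSE_HOST")"
    # With the key pinned, connect with strict checking: an unexpected host key
    # is an error, not a prompt. Same user and private key as the steps above.
    echo "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$f -i ~/.ssh/id_rsa root@$OPNSENSE_HOST"
    rm -f "$f"
}
demo
```

In practice you would pin into ~/.ssh/known_hosts (or a dedicated file named via UserKnownHostsFile) and compare the fingerprint ssh prints against the one shown by `ssh-keygen -lf` on the console; the refusal on a differing key is what stops a silently swapped host key from being accepted.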
Next Steps
Enable sudo for non root users
References
How To Enable and Start SSH Server on OPNsense | ComputingForGeeks