Can't get public-key authentication to work

Status
Not open for further replies.

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Hi tmacka88,
You have to learn how ssh key authentication works.
The private key has to be used on client side ONLY, NEVER on server side, keep it safely...
It is the public key that has to be pasted into the FreeNAS SSH public key area of the user you want to authenticate with.
 

solarisguy

Guru
Joined
Apr 4, 2014
Messages
1,125
The private key has to be used on client side ONLY, NEVER on server side, keep it safely...

The private key has to be used on server side ONLY, NEVER on client side, keep it safely...

It is confusing only when a FreeNAS server is used as an SSH client (to gain connectivity to another server).
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Ok,
The private key has to be stored on the client side.
If FreeNAS acts as a client (from the SSH point of view, forget that it is a server, a NAS or whatever), a private key is needed on the FreeNAS side.
But this is not what tmacka88 wants to do; he wants key-based SSH authentication, making it possible to disable root password authentication. In this case the private key isn't necessary and consequently shouldn't be present on FreeNAS.
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
But this is not what tmacka88 wants to do; he wants key-based SSH authentication, making it possible to disable root password authentication. In this case the private key isn't necessary and consequently shouldn't be present on FreeNAS.

Yes, you're correct, this is what I am after. OK, I understand now. Forget putting the private key in the SSH settings; that's for SSH out from FreeNAS. I need to put the public key in my SSH login user.

However, every time I do this I get an error; it won't let me input my key.

If it helps, my shell is: csh

Any ideas?
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Probably a format problem or a typo when you pasted the key. Or perhaps a conflict with the keys you have manually created in the .ssh directory of the user you want to authenticate with. Or a permissions problem...
I'm sorry, but you have to do it yourself, as so many details have to be checked. Keep in mind SSH isn't so difficult to set up properly and that the devil is in the details.
A few pieces of advice: try to create a user from scratch and use it for training. As a general rule, stop the service before making modifications.
Don't give up!
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
I will try adding another user and see if that works.

Also, where is the .ssh folder located within the system folder?
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
I still get the same error when adding a new user and inputting the pub key
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Ok, let's go,
Generate your key pair with puttygen and the default parameters (SSH2-RSA): http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Save your key pair locally.
Go to the FreeNAS GUI settings of the user you want to authenticate with; in the SSH public key area, paste the content of the public key generated with puttygen, removing the first 2 lines:
Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-2014xxxx"

and the last one:
Code:
---- END SSH2 PUBLIC KEY ----

The format should be:
Code:
ssh-rsa AAABBBBCCCDDD......

You can also copy directly the content from puttygen (public key for pasting area), where those lines aren't present.
Save your user set-up in the FreeNAS GUI.
As there is potentially a bug with permissions (the initial topic of this thread), in the shell go to the home directory of the user you want to authenticate with and look at the .ssh folder permissions; they should be rwx. If not, chmod 700 .ssh
Now go inside the .ssh folder; you should find an authorized_keys file with rw permissions. If not, chmod 600 authorized_keys.
Go to Services -> SSH and start the service.
For connecting, you have to configure your client to use key-based authentication; using PuTTY, which I recommend, it consists of browsing to the private key.
Enjoy.
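The key-format step described in the post above, as an added example (not code from any poster in this thread or from FreeNAS): it converts a puttygen "SSH2 PUBLIC KEY" export into the single `ssh-rsa AAAA...` line and checks that a pasted key really is one well-formed line. The function names and the sample key are constructed for illustration; the sample blob is not a usable key.

```python
import base64

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data: bytes) -> bytes:
    """SSH wire string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def key_type(blob: bytes) -> str:
    """Read the algorithm name stored at the start of the decoded key blob."""
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or n == 0 or 4 + n > len(blob):
        raise ValueError("key blob is truncated or corrupt")
    return blob[4:4 + n].decode("ascii")

def rfc4716_to_openssh(text: str) -> str:
    """Turn a puttygen 'SSH2 PUBLIC KEY' export into one authorized_keys line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END SSH2 PUBLIC KEY markers")
    comment, body = "", []
    for ln in lines[1:-1]:
        if ":" in ln:  # header line; base64 never contains ':'
            tag, value = ln.split(":", 1)
            if tag.lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(ln)
    blob = base64.b64decode("".join(body), validate=True)
    return f"{key_type(blob)} {base64.b64encode(blob).decode()} {comment}".strip()

def check_pasted_key(pasted: str) -> str:
    """Return the key type if the pasted text is one well-formed OpenSSH key line."""
    if "\n" in pasted.strip():
        raise ValueError("key spans several lines; paste it as a single line")
    fields = pasted.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    if key_type(base64.b64decode(fields[1], validate=True)) != fields[0]:
        raise ValueError("declared key type does not match the key blob")
    return fields[0]

def constructed_export() -> str:
    """Constructed sample: puttygen-style text around a made-up (unusable) RSA blob."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(1, 129)))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'{BEGIN}\nComment: "rsa-key-constructed"\n{wrapped}\n{END}\n'
```

Calling `rfc4716_to_openssh(constructed_export())` returns the one-line form; OpenSSH's own `ssh-keygen -i -f <file>` performs the same conversion.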
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
I am having trouble finding the home directory of the user therefore can't find the .ssh folder.
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
Where is this located? The only ssh folder I can find is /etc/ssh, but it doesn't have the authorized_key file.
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
The path to the home directory is defined in the user GUI. You have to define it, as /nonexistent is defined by default when you create a new user. If you use the root user, the home directory is /root.
You can create a dataset on your volume and define it as the path to the home directory in the user GUI.
You can also define the root of your volume (/mnt/YourVolumeName), where the home directory will be created when saving the user settings.
http://doc.freenas.org/index.php/SSH
http://www.freebsd.org/cgi/man.cgi?query=sshd&sektion=8
https://www.freebsd.org/doc/handbook/openssh.html
http://www.freebsd.org/cgi/man.cgi?query=ssh&sektion=1&apropos=0&manpath=FreeBSD+10.0-RELEASE
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
Hi again,

OK, so I have had some success but I'm still not there. I updated FreeNAS to the latest 9.2.1.1 and then added the public key into my user settings. I then disabled "Password authentication" in Services>SSH.

I should also state that my ssh keys were created on my mac and are located in my .ssh folder.

When I try to SSH I get this:

Code:
MacBook-Pro:~ MacBook-Pro$ ssh username@192.168.2.141
Permission denied (publickey).


I don't understand why I'm getting this error.

Thanks
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
I just put my public key into my root user and now I can SSH into FreeNAS but only using root and not my own user. Is there any reason why this is?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I just put my public key into my root user and now I can SSH into FreeNAS but only using root and not my own user. Is there any reason why this is?

Every user needs its own key pair, with the public keys added to each user in FreeNAS.
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
Every user needs its own key pair, with the public keys added to each user in FreeNAS.


I have tried a different key set with another user; nothing seems to work except for root.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Check permission of your ~yourusername/.ssh directory (on your Mac).
It needs to be drwx------ and the private key file (usually id_rsa) in the directory needs to be -rw-------

Also, if the username on your Mac differs from the one on FreeNAS, then you have to add the username to your ssh command like so:
Code:
ssh username@your_hostname
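The permission checks discussed in this thread (700 on .ssh and 600 on authorized_keys on the FreeNAS side, -rw------- on the private key on the client), as an added example that is not code from any poster: it audits both sides and reports what to fix. Function names and the sample directory are constructed for illustration.

```python
import os
import stat
import tempfile

def findings(path, bad_bits, want, uid):
    """Report a missing path, forbidden permission bits, or a foreign owner."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    out = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & bad_bits:
        out.append(f"{path}: mode {mode:04o}, expected {want}")
    if st.st_uid not in (uid, 0):
        out.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    return out

def audit_server_account(home, uid=None):
    """Server side: home directory, .ssh and authorized_keys of the login user."""
    uid = os.getuid() if uid is None else uid
    ssh_dir = os.path.join(home, ".ssh")
    # sshd's StrictModes refuses the key when any of these is group/world-writable;
    # 700 and 600 are the tighter modes recommended in this thread.
    return (findings(home, 0o022, "no group/other write", uid)
            + findings(ssh_dir, 0o077, "0700", uid)
            + findings(os.path.join(ssh_dir, "authorized_keys"), 0o077, "0600", uid))

def audit_client_key(key_path, uid=None):
    """Client side: ssh ignores a private key that group or others can access."""
    uid = os.getuid() if uid is None else uid
    return findings(key_path, 0o077, "0600", uid)

def build_constructed_home(root):
    """Constructed sample: a home directory whose .ssh is group-writable."""
    home = os.path.join(root, "home")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    path = os.path.join(ssh_dir, "authorized_keys")
    open(path, "w").close()
    os.chmod(path, 0o600)
    os.chmod(ssh_dir, 0o775)
    os.chmod(home, 0o755)
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(*audit_server_account(build_constructed_home(root)), sep="\n")
```

A home directory that does not exist, such as the /nonexistent default mentioned earlier in the thread, shows up as three "missing" findings.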
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
You can also add the -v argument to the command. This is useful for debugging.
Multiple v's increase the verbosity.
Code:
ssh -vvv username@your_hostname
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
Hey guys,

Got it all working, so I wanted to thank you all. My problem was a mixture of things. After I upgraded my FreeNAS to the latest 9.2.1.6 I was able to save the public keys in the user settings (which I couldn't before; I assume my system had a bug or something).

Secondly, I renamed my RSA keys to:
freenas_rsa.pub
freenas_rsa

So it still didn't work when I used:
Code:
ssh user@localhost


I actually had to reference my RSA key in my local folder, e.g.
Code:
ssh user@localhost -i /Users/iMac-Home/.ssh/freenas_rsa

^^^^ this finally worked for me.

Now, my next step I would like to get to...

Is there a way for my computer to remember my RSA key for that user and local host combination? I am assuming it has something to do with the known_hosts file in the .ssh folder (P.S. I'm on a Mac, if you didn't already notice).

Cheers
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I actually had to reference my RSA key in my local folder, e.g.
Code:
ssh user@localhost -i /Users/iMac-Home/.ssh/freenas_rsa

^^^^ this finally worked for me.

Now, my next step I would like to get to...

Is there a way for my computer to remember my RSA key for that user and local host combination? I am assuming it has something to do with the known_hosts file in the .ssh folder (P.S. I'm on a Mac, if you didn't already notice).

Cheers
You could do it without referencing it in the command in a few ways:
  • Rename it to id_rsa. This is the default name that the system looks for.
  • You could create an alias and add it to your ~/.bashrc file like so:
    Code:
    alias ssh_localhost='ssh user@localhost -i /Users/iMac-Home/.ssh/freenas_rsa'

  • You could reference it using the .ssh/config OR /etc/ssh/ssh_config file like so:
    Code:
    Host localhost
    User user
    IdentityFile /Users/iMac-Home/.ssh/freenas_rsa

If you decide to go with a config file, I recommend going with .ssh/config file since it's specific to your user only.
As you can see, both methods essentially allow you to simply write the command with relatively no hassle.
The alias route will let you simply type "ssh_localhost" or any alias word you picked, while the config route will let you type "ssh localhost".
 

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
  • You could reference it using .ssh/config OR /etc/ssh/ssh_config file like so:
Code:
Host localhost
User user
IdentityFile /Users/iMac-Home/.ssh/freenas_rsa

If you decide to go with a config file, I recommend going with .ssh/config file since it's specific to your user only.
As you can see, both methods essentially allow you to simply write the command with relatively no hassle.
The alias route will let you simply type "ssh_localhost" or any alias word you picked, while the config route will let you type "ssh localhost".


Hey yes that worked great, thanks.

Here are a few links explaining how to do this if anyone needs to:
http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/
http://serversforhackers.com/editions/2014/07/01/ssh-tricks/
 