
[How-To] How to Access Your FreeNAS Server Remotely (and Securely)

ovizii

Senior Member
Joined
Jun 30, 2014
Messages
435
@Glorious1 would you mind elaborating a bit which part of the key-generation takes place where (as in on the client machine or on the server)?
I assume I generate my keypair on the client and copy the public key onto the server? Yet that doesn't work, and my public key contains "ssh-rsa" at the beginning and user@machine at the end, do I copy that whole thing or just the key string in between?
 

Glorious1

Neophyte Sage
Joined
Nov 23, 2014
Messages
1,065
Key generation is done on the client (I suppose it might be possible to use a key pair generated on the server, but I haven't tried that). You're right, the public key is the one that begins and ends with the text you mentioned. You copy the entire file, including that text. Then, in the FreeNAS GUI, open 'Account > Users', and double-click on your username (the one you will SSH with) to open the dialog. Then paste the text into the field 'SSH Public Key', then save.

If it still doesn't work, go through the troubleshooting section at the end and make sure all the ownerships and permissions are correct.
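The reply above comes down to two things: paste the whole public-key line, then recheck ownership and permissions. The POSIX sh script below is an added example (not code from the thread or from FreeNAS) that performs those checks on the server side; the home path, the user name, and the expectation of 700 on .ssh and 600/644 on authorized_keys are assumptions.

```shell
# Added example, not part of the original thread: the server-side checks the
# troubleshooting advice above amounts to. Home path and user are arguments
# (assumed), e.g.:  sh check_ssh.sh /mnt/tank/home/ovi ovi

# "<mode> <owner>" for a path, e.g. "drwx------ ovi"; a trailing "+" (ACLs, as
# in the ls output later in this thread) or "." or "@" is dropped.
mode_owner() {
    set -- $(ls -ld "$1")
    printf '%s %s\n' "${1%[+.@]}" "$3"
}

# The path must exist, match the mode glob and be owned by the expected user.
check_path() {
    path="$1"; pattern="$2"; owner="$3"
    [ -e "$path" ] || { echo "MISSING: $path"; return 1; }
    set -- $(mode_owner "$path")
    case "$1" in
        $pattern) ;;
        *) echo "BAD MODE: $path is $1, want $pattern"; return 1 ;;
    esac
    [ "$2" = "$owner" ] || { echo "BAD OWNER: $path is $2, want $owner"; return 1; }
}

# Each key line must be "<type> <base64> [comment]", i.e. the whole .pub line
# the reply above says to paste; lines with leading options are not handled.
check_keys() {
    file="$1"; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        n=$((n + 1)); set -- $line
        case "$1" in
            ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) echo "BAD KEY LINE $n: '$1' is not a key type"; bad=1; continue ;;
        esac
        case "${2:-}" in AAAA*) ;; *) echo "BAD KEY LINE $n: key data missing"; bad=1 ;; esac
    done < "$file"
    [ "$n" -gt 0 ] || { echo "EMPTY: $file"; bad=1; }
    return $bad
}
# sshd's StrictModes rejects a home or .ssh that others can write to and an
# authorized_keys not owned by the user. Returns 0 only when every check passes.
check_ssh_setup() {
    home="$1"; user="$2"; rc=0
    check_path "$home" 'd????-??-?' "$user" || rc=1
    check_path "$home/.ssh" 'drwx------' "$user" || rc=1
    check_path "$home/.ssh/authorized_keys" '-rw-[r-]--[r-]--' "$user" || rc=1
    [ -f "$home/.ssh/authorized_keys" ] && { check_keys "$home/.ssh/authorized_keys" || rc=1; }
    return $rc
}
[ $# -eq 2 ] && check_ssh_setup "$1" "$2"
```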
 

andrewjs18

Member
Joined
Oct 19, 2014
Messages
132
thanks for the tutorial!

does anything in the freenas gui (in the browser, of course) need to be enabled to ssh to the box by default? I assume if ssh is enabled by default, it'll use the same username & password that is used to access the server in the browser?

once I ssh to the box, can I do all of my configs directly on the CLI? for example, lock down ssh through sshd_config, add new users, add my ssh key, etc... Will those changes carry over to the GUI or do I need to make the changes in the GUI first?

I may add a tutorial to this thread or start a new thread entirely about using a personal domain name with DDNS to access your server rather than using one that is provided by one of those services like duckdns. using your own domain name and ddns is as simple as setting up a crontab to keep your public IP address synced up with the domain name.
 

Glorious1

Neophyte Sage
Joined
Nov 23, 2014
Messages
1,065
It's generally recommended that you do as much configuration as possible in the GUI, not on the command line. Things can get messed up otherwise.

SSH is not enabled by default. You can read in the documentation about how to do that. When you access the server through the GUI, you are doing it as root, with the root password. You can SSH as any user, using that user's password, and you will land in that user's home directory. It is possible to SSH in as root, but it requires an additional setting in the SSH settings and is recommended against for security reasons. You can always act as root using sudo or su from your user's account.

I'll be interested to see your tutorial on using personal domain names.
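Added example, not code from the thread or from FreeNAS: a POSIX sh audit of an sshd_config for the two points in the reply above (root login over SSH off, keys rather than passwords). The sample configs are constructed, and treating unset keywords as the OpenSSH 6.x defaults is an assumption; on FreeNAS the file is generated from the GUI settings, so this is a read-only check, not a replacement for the GUI.

```shell
# Added example, not part of the original thread: audit an sshd_config for the
# points made above. Sample configs are constructed below; the values assumed
# for unset keywords are OpenSSH 6.x defaults (FreeNAS 9.3 era), an assumption.

# Effective value of a keyword: first match wins, as in sshd; "#Keyword" lines
# never match because $1 keeps the "#". Falls back to the given default.
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Print one FINDING line per weak setting; the return value is the count.
audit_sshd_config() {
    file="$1"; findings=0
    # keyword:value assumed when unset:value to flag:why it matters
    for rule in \
        'PermitRootLogin:yes:yes:root can log in directly over SSH' \
        'PasswordAuthentication:yes:yes:passwords accepted, so keys stay optional' \
        'PermitEmptyPasswords:no:yes:accounts with an empty password can log in'
    do
        key=${rule%%:*}; rest=${rule#*:}; default=${rest%%:*}
        rest=${rest#*:}; bad=${rest%%:*}; why=${rest#*:}
        v=$(sshd_value "$file" "$key" "$default" | tr 'A-Z' 'a-z')
        if [ "$v" = "$bad" ]; then
            echo "FINDING: $key $v ($why)"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Write a constructed sample to $1: "weak" leaves root and password login on
# (the defaults), "hardened" turns both off and limits SSH to one account.
write_sample() {
    if [ "$2" = weak ]; then
        printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PasswordAuthentication yes' > "$1"
    else
        printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
            'PubkeyAuthentication yes' 'AllowUsers ovi' > "$1"
    fi
}

for kind in weak hardened; do
    f=$(mktemp); write_sample "$f" "$kind"
    audit_sshd_config "$f"; echo "$kind: $? finding(s)"
    rm -f "$f"
done
```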
 

andrewjs18

Member
Joined
Oct 19, 2014
Messages
132
that's unfortunate to hear since setting stuff up and locking it down with the CLI is so much quicker for me.
 

Luminousdolphin

Junior Member
Joined
Apr 11, 2015
Messages
14
@anodos did you resolve your permission denied issue? I'm running into the same problem, curious how I can resolve. Stuck at SSH Tunnel section of the how-to.
 

Luminousdolphin

Junior Member
Joined
Apr 11, 2015
Messages
14
@Glorious1

Great guide. After re-reading it and looking into some other how-to's on here I have a few questions and wondering if maybe your experience in the matter is similar to mine and you can provide some insight.

I have a macbook pro which I use for work at multiple locations. I'm new to FreeNAS, I have the mini and I have the basic ZFS setup, and have added a share.

I do not have my permissions down yet. I'll, I suppose, only need two users (myself, and a media user, I believe, for transmission etc.). I read your excellent thread, and besides my SSH tunneling issue (I'm assuming it's permissions related?) everything went off without a hitch. Thanks!

I have workstations at a few different locations which I dock my laptop to. They all have attached storage through thunderbolt attached to a thunderbolt display.

I'd like to start backing up work at these different locations to the same off-site backup.

I'd also like to use the freenas machine to serve my tv locally and downloads via transmission at home as an added bonus. (I mention as I'm unsure if this changes any permissions settings that might need to be done)

I don't use Time Machine as I feel it's resource intensive and tends to just back up junk rather than useful data, which I store on the removable drives (in case the laptop is stolen, etc.).

I have a few questions:

If I map the network drive, will I have to re-map it based upon my location (i.e. a local share vs. a share over DDNS)? I'd like to have the share simply pop up in Finder as a network device so I can drag and drop, rather than use FTP; however, I'm open to whichever may be best given my setup.

I don't want my hand held, but I'd appreciate some direction so I know which is the best road to start traveling down. I'd also appreciate any stickies which help to this end.

Also, where can I find a best-practice permissions example for a single user? I'm slightly confused by the interrelation between a User/Group/Dataset and Share and how I can essentially set "root-type" privileges for myself without logging in as root through ssh.

I want it to be secure. I don't think speed is necessarily top priority as it'll be bottlenecked by the internet connection over the longer distances. Is AFP / SSH the way to go? Is there something else I should consider?
 

Luminousdolphin

Junior Member
Joined
Apr 11, 2015
Messages
14
Ps @Glorious1 have you looked into sshfs or osx fuse as an option? After researching this issue further it seems this could also be useful? Can you speak on the potential differences between the two?
 

Glorious1

Neophyte Sage
Joined
Nov 23, 2014
Messages
1,065
@anodos did you resolve your permission denied issue? I'm running into the same problem, curious how I can resolve. Stuck at SSH Tunnel section of the how-to.
In glancing through the thread, it looks like anodos was trying to help someone else with permissions issues rather than having issues.

In your longer post, luminous, you touch on a number of questions and issues in a complex and variable environment. Since you can't do an ssh tunnel yet, I would suggest working on that first. First, please go through the troubleshooting section at the end carefully and make sure you've checked everything there. If it's all OK but still doesn't work, please describe clearly exactly how you have your setup: volume, shared dataset, how ssh is set up, etc.

The best practice for a single user is pretty simple. You set up a volume on the FreeNAS server. Don't share the volume directly and don't touch the permissions/ownership. Set up one or more datasets in the volume. There you can set up ownership and shares as you like. Your home directory will be one of these and it will contain your .ssh directory, and must have permissions as stated in the original post.

You want to act as root without logging in as root. I would suggest you just execute su after logging in as you, give the root password, and you will be acting as root the rest of your session.

I'm not familiar with those other options you mention and haven't seen a need for them.
 

heffjos

Neophyte
Joined
Nov 7, 2014
Messages
5
Nice guide. With it, I managed to create an ssh tunnel to my FreeNas machine using putty on windows machines.
 

ovizii

Senior Member
Joined
Jun 30, 2014
Messages
435
@Glorious1 :

Got some more trouble on another NAS and can't follow the troubleshooting steps, as my home folder is also shared as CIFS, so apparently some extended attributes apply which I am unsure how to get rid of:

Code:
freenas# ls -al authorized_keys
-rwxrwx---+ 1 ovi  ovi  399 May 20 12:40 authorized_keys
freenas# getfacl authorized_keys
# file: authorized_keys
# owner: ovi
# group: ovi
            owner@:rwxpDdaARWcCos:------:allow
            group@:rwxpDdaARWcCos:------:allow
freenas# chmod 644 authorized_keys
chmod: authorized_keys: Operation not permitted


Can you help me out setting that via setfacl? I'm struggling on my own.
 

Glorious1

Neophyte Sage
Joined
Nov 23, 2014
Messages
1,065
Sorry, I don't understand why you're zeroed in on authorized_keys or why you think that's the problem. Maybe someone who uses CIFS can help you. On a mac you can delete extended attributes with xattr -c <file>; maybe there is something similar in FreeBSD.
 

Andy Holmes

Junior Member
Joined
May 5, 2015
Messages
16
Has anybody used Google Authenticator in order to use two-factor SSH authentication on the freenas servers? This would give CLI access and relies on both having a non-root account/password on the freenas and also the Google Authenticator mobile phone app.
 

ovizii

Senior Member
Joined
Jun 30, 2014
Messages
435
Sorry, I don't understand why you're zeroed in on authorized_keys or why you think that's the problem. Maybe someone who uses CIFS can help you. On a mac you can delete extended attributes with xattr -c <file>; maybe there is something similar in FreeBSD.
I've zeroed in on the authorized_keys because that's what the log file told me; sorry, can't post the entry here, lost it. It is the problem: sshd said something along the lines of wrong perms on authorized keys.
I think the commands are getfacl and setfacl, reading up on them right now.
 

FNSeeker

Member
Joined
Jan 3, 2014
Messages
36
I know this thread is a couple of months old, but the OP's significant contribution is worth a look at again. It forced me to stop and think when I came across it today.

In my opinion, this approach however lowers the security a notch or two, since the traffic is allowed to pass through the router and is then authenticated at the FreeNAS box. This means other resources on your network/s, behind the router, are exposed to potential breach.

I'd argue that having an OpenVPN server running on the router (i.e. the front gate to your whole network/s) is more secure. In this way, access to any authorized resources behind the router has to first pass the secured authentication on the router. The OpenVPN client is running on the remote host.

For a router that offers that feature (at an affordable price), try MikroTik. For the US market, try this site: http://www.ispsupplies.com/brands/MikroTik-Reseller/

(I am not associated with this company in any way except I bought a book on MikroTik from them).
My two cents.
 

ovizii

Senior Member
Joined
Jun 30, 2014
Messages
435
In my opinion, this approach however lowers the security a notch or two, since the traffic is allowed to pass through the router and is then authenticated at the FreeNAS box.
Why would it lower security? You are only allowing entry via 1 specific port to exactly one server (the freenas) inside the network. Everything is tunnelled through that one port. Authentication is not via password but secure keys.

This means other resources on your network/s, behind the router, are exposed to potential breach.
Why would they? Why would they be reachable? You are only allowing entry via 1 specific port to exactly one server (the freeNAS) inside the network. Once you have tunnelled in you can reach other resources on the lan, which is intentional.

I'm not saying it's safer than VPN on a router, but I reckon it's more often that security flaws are found on household routers than on freeNAS servers, right? And one could argue that even if there's a security hole on freeNAS, after all it's behind the router :smile:

Just my 2 cents.
 

FNSeeker

Member
Joined
Jan 3, 2014
Messages
36
I want to use an analogy. And I don't mean disrespect.

Imagine a router acting like the guard at the front gate of a distribution system with a number of buildings (devices) inside. Each building is connected to the front gate (via port).

When a delivery truck (connection) arrives, the front gate guard using his forwarding instruction directs that truck to the correct building.

This can be dangerous, as the delivery truck with only a delivery logo is allowed to pass the front gate but its credentials were not challenged by the guard.

The guard does not know for sure if the delivery truck is snooping around inside the compound. Security is essentially a revolving feature.

As for MikroTik, don't let the cheap price tags on its home products fool you about its capability. It also has enterprise gear to suit. The CCR1036-8G-2S+ is an example and by no means its flagship model. It has a bigger market outside the US.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,862
Your analogy isn't quite right.

It's more like the delivery truck has a tunnel or restricted path to a certain building. He can only go from the main gate to that building, and it's up to the security of that building to prevent the driver from getting out of his truck and going to nearby buildings, gathering cool stuff, bringing it back to his truck and going out the front gate with the truck filled with cool stuff.
 

ovizii

Senior Member
Joined
Jun 30, 2014
Messages
435
And as far as I understand, the ssh authentication with keys is by no means comparable to "a delivery truck with only a delivery logo"; it's more like a GPS-tracked truck with license plates and driver's license, etc., without actually having to stop at the gate (to provide the password every time he passes).

Oh, and another question regarding your OpenVPN suggestion: if you install OpenVPN onto one of the routers you suggested, can you then restrict the movements of the "truck", or does it then have access to the whole compound (LAN), meaning once in it's all open?
 