ssh -p <port> <cleintusername>@<nas ip> -v
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <nas ip> [<nas ip>] port <port>.
debug1: Connection established.
debug1: identity file /home/<cleintusername>/.ssh/id_rsa type 1
debug1: identity file /home/<cleintusername>/.ssh/id_rsa-cert type -1
debug1: identity file /home/<cleintusername>/.ssh/id_dsa type -1
debug1: identity file /home/<cleintusername>/.ssh/id_dsa-cert type -1
debug1: identity file /home/<cleintusername>/.ssh/id_ecdsa type -1
debug1: identity file /home/<cleintusername>/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/<cleintusername>/.ssh/id_ed25519 type -1
debug1: identity file /home/<cleintusername>/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
debug1: match: OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA <key>
debug1: Host '[<nas ip>]:<port>' is known and matches the ECDSA host key.
debug1: Found key in /home/<cleintusername>/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<cleintusername>/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/<cleintusername>/.ssh/id_dsa
debug1: Trying private key: /home/<cleintusername>/.ssh/id_ecdsa
debug1: Trying private key: /home/<cleintusername>/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
@Glorious1
Thank you so much for the post, the documentation provides some info on each subject but it's by no means a how-to guide for beginners like me :)
I've been following your guide and digging through forums/posts for almost a week now trying to get ssh to work but to no avail. So far I've generated a key using ssh-keygen (client pc is dual booting win10 and linux mint, I'm setting this all up from mint), set up the port forwarding, cron job, and ddns, however I'm stuck at the very beginning of trying to even locally ssh into my NAS.
I've set my port forwarding to use an arbitrary high port both internally/externally on my router and set this as the port in the GUI. I've also copied the contents of the public key in the root user's SSH key field via the GUI. Finally I've gone through all of the troubleshooting section and verified the permissions/ownership for everything, but I still get "Permissions denied (publickey)" when trying to ssh with: "ssh -p <port> <clientusername>@<static ip of freenas>". Running the command with -v I get the following (with certain info <hidden>):
Most people who had this issue seemed to get it resolved by going through the troubleshooting section, but I've already done that and, as far as I can tell, all is good. I don't expect you to know exactly what's going on from any of this, but do you have any recs for what I can do/check next? Thank you so much!
The preface to the how-to suggests that you establish a local SSH into FreeNAS before you start doing any of the modifications, as it is a bit simpler then. And it is hard to diagnose remotely. But one thing that jumps out is, you said you pasted the key into the root-user's SSH key field. But then you are trying to ssh as "clientusername". Note that the guide suggests you log in as your normal user on FreeNAS, not root. The user where you pasted the key and the user named in your ssh command have to be the same.
Then the "static ip of freenas" - that's the local IP, right, not the public-facing IP of your router? For instance, mine is 192.168.0.xxx.
This doesn't make any sense. The path to the user's home directory is designated as ~, so how could it be at ~/mount/volume/? My home directory has no 'mount' directory in it. Seems like you must have set up things a bit oddly.
Finally got it working locally; the source of the issue was the user account was located in /~/mount/volume/ and the permissions for the /volume/ (controlled in the storage section of the GUI) had write enabled for the group.
AllowTCPForwarding yes
local:~ user$ ssh -v -D 15443 -p 52739 user@xxx.duckdns.org -g
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/user/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 102: Applying options for *
debug1: Connecting to xxx.duckdns.org [x.x.x.x] port 52739.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 1
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
debug1: match: OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a1:7b:05:11:08:51:65:13:96:17:84:f3:0a:28:a7:28
debug1: Host '[xxx.duckdns.org]:52739' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:17
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to xxx.duckdns.org ([x.x.x.x]:52739).
debug1: Local connections to *:15443 forwarded to remote address socks:0
debug1: Local forwarding listening on :: port 15443.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 0.0.0.0 port 15443.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = sv_SE.UTF-8
Last login: Fri Dec 18 23:12:33 2015 from x.x.x.x
FreeBSD 9.3-RELEASE-p13 (FREENAS.amd64) #0 r281084+3bda974: Tue May 12 21:03:11 PDT 2015
FreeNAS (c) 2009-2015, The FreeNAS Development Team
All rights reserved.
FreeNAS is released under the modified BSD license.
For more information, documentation, help or support, go here: http://freenas.org
Welcome to FreeNAS
[user@server ~]$ debug1: Connection to port 15443 forwarding to socks port 0 requested.
debug1: channel 3: new [dynamic-tcpip]
channel 3: open failed: administratively prohibited: open failed
debug1: channel 3: free: direct-tcpip: listening port 15443 for 192.168.1.10 port 80, connect from ::1 port 49333, nchannels 4
debug1: Connection to port 15443 forwarding to socks port 0 requested.
debug1: channel 3: new [dynamic-tcpip]
channel 3: open failed: administratively prohibited: open failed
debug1: channel 3: free: direct-tcpip: listening port 15443 for 192.168.1.10 port 80, connect from ::1 port 49334, nchannels 4
hey glorious1!
Try it from outside your local network. I think for some reason going through the dynamic domain doesn't work from inside the local network it points to. Maybe someone else can explain that. No harm in going somewhere else and trying it.
I'm confused by your last paragraph. If you really have a static (=permanent) internet IP address, you don't need a dynamic DNS service like duckdns.org. Typically your internet IP address is subject to change by your internet service provider.
Good suggestion. I actually thought of that but forgot to mention it. That should help determine if it is a problem with the dynamic domain vs. your local setup.
Also try just using the external ip and not the DNS name.
I don't know about DMZ, but I suspect it is bypassing a problem. It shouldn't be necessary.
@Glorious1
thanks for the tip. It is interesting though that once I changed the DMZ setting, I got further along in the authentication process with SSH than before. Before changing that setting, I wouldn't even get to the passphrase prompt.
I think you said you can successfully SSH in locally? After you do, you should be in your home folder if you've set it up right. Type "ls -la" and one thing you see should be your .ssh folder. If it isn't there, you didn't set things up right. If it is, just go "cd .ssh" to get into your .ssh folder, then "ls -la" to see the files and permissions. Everything should be owned by you. The .ssh folder should have permissions 700 (drwx------), and the authorized keys file 644 (-rw-r--r--). Also check the permissions/owners in the .ssh folder in your home folder on the Mac. There id_rsa should be 600 (-rw-------).
What can I do to check permission of the SSH files on the server? I have only ever made changes through the GUI of the freenas box. Do you know the commands to check the permission on say, the id_rsa files?
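The server-side checks from the reply above, together with the group-write problem on the home directory reported earlier in the thread, can be run in one pass from a shell on the FreeNAS box. This is an added example, not part of the original thread or the guide; the function name check_ssh_perms and the sample path and uid in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). With StrictModes enabled (the default),
# sshd ignores authorized_keys when the home directory, ~/.ssh or the key file
# is writable by group/others or owned by someone other than the user or root.
# check_ssh_perms is a hypothetical helper name.
# Usage: check_ssh_perms [HOME_DIR] [OWNER_UID]   (defaults: $HOME, current uid)
#   e.g. check_ssh_perms /mnt/tank/home/alice 1001   <- constructed path and uid

check_ssh_perms() {
    home=${1:-$HOME}
    owner=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        # -perm -020 / -002: group or other write bit set. -prune stops find
        # from descending, so only the named path itself is tested.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $p is writable by group or others (chmod go-w)"
            rc=1
        fi
        # Numeric uids avoid name lookups; uid 0 is root.
        if [ -z "$(find "$p" -prune \( -user "$owner" -o -user 0 \) -print)" ]; then
            echo "OWNER    $p is not owned by uid $owner or root"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK       $home passes the ownership and write-bit checks"
    return "$rc"
}
```

A 700 .ssh folder and a 644 authorized_keys file, as recommended in the reply, pass; a home directory or dataset with group write enabled, as in the earlier post, is reported as WRITABLE.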
This is the ssh program on the mac requiring you to give the passphrase before it will open your private key on the mac. It shouldn't always do that except after you restart or a long time or something. I'm not sure why it is inside your window sometimes and outside others. In any case, you definitely don't want password authentication on your FreeNAS box - that defeats the whole system you're trying to set up.
When I SSH directly both the internal static IP address of the freenas box through the terminal on mac os X, it brings up a prompt window outside of the terminal window prompting for the ssh passphrase.