
How to set up SSH with Public Key for Windows clients using PuTTY on FreeNAS 9.3

Status
Not open for further replies.

carmorales

Newbie
Joined
Jun 10, 2015
Messages
2
Hi All,

I've been using this forum as a guest for quite a while and it has helped me solve most of my issues, so I decided it was my time to contribute by adding a how-to guide that I feel is missing for new or not very experienced users.

I'm a very visual person, so please don't take it the wrong way if you feel this guide is too dumbed down; I just find it easier for me to explain.

I really hope this helps anyone having issues while trying to set it up.

Now down to business. If you are trying to use SSH for the first time it can be very confusing when trying to set it up to use Public/Private Keys, so this post is intended to give a step-by-step guide with pictures.

We will use PuTTY and PuTTYgen, version 0.64.0.0 at the time this was written.
  1. Download PuTTY and PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

  2. Open PuTTYgen and choose the desired type of key and bits. SSH-2 RSA and 2048 should be good enough now.



  3. Click on Generate. You'll need to move the mouse within the window.



  4. Once that’s done the keys will be generated.



  5. And you'll see the Public Key on the window.



    Now your public and private keys are done. Believe it or not that was the hard part! :)
    Leave the window open as we will need it later.

  6. Open your FreeNAS WebGUI and go to Services > SSH > wrench to configure.



  7. Pick a TCP Port if you want to change the default; I leave 22 as my server is inside the firewall.
    Untick Login as Root with password, as we want to only use the keys to connect.
    Untick Allow password Authentication, so no account can connect without a key.
    Tick Allow TCP Port Forwarding, if you plan to do more than connect to the terminal.
    Up to you if you want to tick Compress Connections.
    No need to go into Advanced Mode.



  8. Now go ahead and turn on the service.



  9. Head to Account > Users > edit root > find the SSH Public Key box. Note that you can add a Public Key for any user for it to gain the ability to connect through SSH.



    Paste the key you see displayed in PuTTYgen, in the "Public key for pasting into OpenSSH authorized_keys file:" box.
    In this case the key is ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAzFNpp/wMkCslc8ns.......
    It is really important to make sure the text that you paste is just one line.


  10. Go ahead and click OK to save the changes. As mentioned before you can do this for any user and also you can add as many keys as you need to one user too, just one per line.

  11. Go back to PuTTYgen and now pick a passphrase and confirm it. This will be like your password. It also prevents unwanted connections, because if you don't have one, anyone with the Private Key will be able to connect to the server; so if someone gets hold of your key, there is still that extra level of security.

    Tip: If you plan to have multiple keys you could use the Key comment box to add some kind of description that will help you identify them later and remove/change the right one.

  12. Save your Private Key by clicking on the Save private key button. Keep in mind that if you're going to use OpenSSH you'll need to save it in another format (Conversions > Export OpenSSH key).

  13. Open PuTTY and under Session > Host Name type your server’s name or IP and port (selected on step 7).



  14. Under Connection > Data add the username details; for this example we'll use root.



  15. Then go to SSH > Auth and add the Private Key saved on step 12.



  16. Go back to Session and if you want pick a name and hit Save so you don’t have to repeat these steps every time you want to connect. Then click Open.

  17. The first time you connect, you'll be asked to cache the server's fingerprint with the following box. Make sure you have the same info for your server's fingerprint as what you get when you run ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub in your server's WebGUI Shell.
    If all looks fine, click Yes.



  18. Finally, type the password/passphrase you picked on step 11, and if all went well you'll be connected.

    • If you want to be able to connect from anywhere you can then forward a port from your router (I recommend picking something other than 22) to your server's IP.
      Keep in mind that you’ll need to use your external IP and the port you picked to connect from outside, so if you don’t have a static IP from your ISP then you should think about enabling Dynamic DNS.
Take care!
 
Last edited:
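
Steps 9 and 17 of the guide above both rest on the one-line OpenSSH public key format: the pasted key must be a single intact line, and the fingerprint you compare is a hash of the data inside that line. The Python sketch below is an added example, not part of the original post; its function names are made up for illustration and the sample key is constructed, not a usable key. It rejects wrapped or wrong-format pastes and returns the fingerprint in both the MD5 colon-hex form shown by older PuTTY and OpenSSH releases and the SHA256 form shown by newer ones.

```python
import base64
import hashlib
import struct

def _read_string(blob, off):
    """Read one SSH wire string: 4-byte big-endian length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def check_authorized_keys(pasted):
    """Return (bits, md5_fingerprint, sha256_fingerprint) for each ssh-rsa line."""
    results = []
    for line in pasted.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            raise ValueError("multi-line SSH2 file format, not the one-line OpenSSH text")
        fields = line.split()
        if len(fields) < 2 or fields[0] != "ssh-rsa":
            raise ValueError("line does not start a key (wrapped paste?): %r" % line[:24])
        blob = base64.b64decode(fields[1], validate=True)  # raises ValueError if damaged
        key_type, off = _read_string(blob, 0)
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        if key_type != b"ssh-rsa" or off != len(blob):
            raise ValueError("key data does not match its ssh-rsa label")
        digest = hashlib.md5(blob).hexdigest()
        md5_fp = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
        sha_fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        results.append((int.from_bytes(modulus, "big").bit_length(), md5_fp, sha_fp))
    return results

def constructed_key_line():
    """Constructed sample: a 2048-bit number packed like an RSA key. Not a usable key."""
    def pack(b):
        return struct.pack(">I", len(b)) + b
    modulus = b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big")
    blob = pack(b"ssh-rsa") + pack(b"\x25") + pack(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " rsa-key-constructed"

if __name__ == "__main__":
    for bits, md5_fp, sha_fp in check_authorized_keys(constructed_key_line()):
        print(bits, md5_fp, sha_fp)
```

Given the contents of the server's /etc/ssh/ssh_host_rsa_key.pub, the same function yields the fingerprint to compare against the one PuTTY asks you to cache.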

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Moved to the guides. But step 17 should be updated to include steps to verify the rsa key you are being asked to cache actually validates with the key the server has. That is the only way to ensure you are not being made a victim of a man-in-the-middle attack. ;)
 

andrewjs18

Member
Joined
Oct 19, 2014
Messages
132
Thanks for the guide. I'm sure others will find it useful.

One thing I'd like to suggest is to change the Key comment after the key has been generated. It's much easier to remember what key is what if you add a useful comment rather than a random comment that is generated by PuTTYgen.
 

carmorales

Newbie
Joined
Jun 10, 2015
Messages
2
> Moved to the guides. But step 17 should be updated to include steps to verify the rsa key you are being asked to cache actually validates with the key the server has. That is the only way to ensure you are not being made a victim of a man-in-the-middle attack. ;)

You are completely right, I overlooked that part, I have now added it.

> Thanks for the guide. I'm sure others will find it useful.
>
> One thing I'd like to suggest is to change the Key comment after the key has been generated. It's much easier to remember what key is what if you add a useful comment rather than a random comment that is generated by PuTTYgen.

I forgot to mention this part too, so I added a little tip before saving the key.

Thanks to both!
 

Bmck26

Member
Joined
Dec 9, 2013
Messages
44
Has anyone set this up with Bitvise SSH Client? I've been trying but I haven't had any luck.
 

Muzungu

Newbie
Joined
Dec 29, 2014
Messages
1
Thanks so much for this guide! :D I have been trying to sieve through all the available information - but this is very clear!
~cheers
 

fx24

Member
Joined
Sep 27, 2013
Messages
38
Great timing. I recently upgraded from 9.2 to 9.3 and decided it was time to upgrade security after I started receiving security messages informing me of failed logins overnight.

This guide made it a breeze after I was struggling with piecing together information from numerous searches. Thank you very much!
 
Last edited:

grfirst

Junior Member
Joined
Aug 1, 2015
Messages
13
Thanks so much for this image guide. Are there any more of these in your arsenal? Is there a video tutorial section for other FreeNAS things to do somewhere in the forum here I could check out perhaps?
 

Omega3

Newbie
Joined
Nov 11, 2015
Messages
3
Great guide, thanks very much. This is the first hurdle I've been falling at with FreeNAS, really encouraging to be able to get past it.
 

Mashly

Member
Joined
Nov 14, 2015
Messages
33
Nice guide, thanks for the info. I had done this before using two Linux boxes but never with PuTTY.

I got no prompt asking me to check if the key was valid. Is this because I had connected before just not using a key?
 

AaronZac

Junior Member
Joined
Jan 2, 2016
Messages
12
This looks great, I'm new to FreeNAS and I've followed everything meticulously but I keep getting "server refused our key" in the PuTTY terminal.

"PuTTY Fatal Error Disconnected: No supported authentication methods available (server sent: publickey)"

Why could this be happening if I'm correctly following all the steps above? Could it be to do with my users settings in FreeNAS? Or some other parameter?

Any advice would be most appreciated.

Aaron
 

Fuganater

Senior Member
Joined
Sep 28, 2015
Messages
475
> This looks great, I'm new to FreeNAS and I've followed everything meticulously but I keep getting "server refused our key" in the PuTTY terminal.
>
> "PuTTY Fatal Error Disconnected: No supported authentication methods available (server sent: publickey)"
>
> Why could this be happening if I'm correctly following all the steps above? Could it be to do with my users settings in FreeNAS? Or some other parameter?
>
> Any advice would be most appreciated.
>
> Aaron

What version are you using?
 

AaronZac

Junior Member
Joined
Jan 2, 2016
Messages
12
Hi, thanks for getting back guys. I'm using 9.3 and connecting without a key is fine when using a password. I was just able to connect successfully just now by creating a new user and new dataset. Before I was trying to link a user to the top tier, the system data set pool (i.e. /mnt/HERE), and it wasn't working.

I think FreeNAS may be a little out of my depth. Although I'm now connected through FTP using SSH key and my new user and dataset, I still can't explain to myself how I got it working. For instance when I try to access through a different user with the same credentials I don't always get through, and I get the same warning above.

Thanks for the link Mashly, how do I go about checking my permissions exactly?
 

Mashly

Member
Joined
Nov 14, 2015
Messages
33
> Thanks for the link Mashly, how do I go about checking my permissions exactly?

This link might help you with this question.

https://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions

> Although I'm now connected through FTP using SSH key and my new user and dataset

This doesn't sound quite right to me as FTP is a File Transfer Protocol and SSH is a Secure Shell, two quite different things.

> I think FreeNAS may be a little out of my depth

Let us know your experience (and goals) and maybe we can point you in the direction of good learning material.
 

AaronZac

Junior Member
Joined
Jan 2, 2016
Messages
12
> This doesn't sound quite right to me as FTP is a File Transfer Protocol and SSH is a Secure Shell, two quite different things.

Sorry, ignore 'SSH Key'; it should only read 'key'.

And thanks for the link and your reply. I'm just trying to find out the best way to put my business folders on my server so myself and one other business partner can access them remotely and securely. After looking into how to do this I figured the easiest solution for me was to try keyed FTP access (SFTP). I have set this up and it appears to be working. I just don't know where to put my files, i.e. do they need to be within a dataset? And the best way to set up users to access these. So any advice with this would be amazing.
 

Mashly

Member
Joined
Nov 14, 2015
Messages
33
Why are you not using something like Google Drive or Dropbox if you just want to share a few files?
 

AaronZac

Junior Member
Joined
Jan 2, 2016
Messages
12
> Why are you not using something like Google Drive or Dropbox if you just want to share a few files?

Because I want to share all 3TBs. I have lots of files in many different folder locations so it would be far easier and useful to have access to the lot.
 

Raiz

Member
Joined
Nov 26, 2015
Messages
77
> Because I want to share all 3TBs. I have lots of files in many different folder locations so it would be far easier and useful to have access to the lot.

Is ownCloud not secure enough for you? You would have your login and password.
 