Remote SSH and semi-automatic configuration

mpfusion

Contributor
Joined
Jan 6, 2014
Messages
198
I just upgraded from FreeNAS-11.2-U6 to 11.3-U2 and I'm redoing the replication. I have a few questions:

1)

First I created an SSH key pair in System → SSH Keypairs. On the old system, this public key needed to be added to

Code:
remoteSystem@example.com:/root/.ssh/authorized_keys


Is this still the case in 11.3-U2 or is there a GUI field to add the key to allow SSH remote login? I use ssh key rather than password authentication.

2)

In System → SSH Connections → Add the Setup Method is “Semi-automatic (FreeNAS only)” by default. But I have no clue how that's supposed to work. The manual at https://www.ixsystems.com/documentation/freenas/11.3-U2/system.html#ssh-connections doesn't really help either:

> Hostname or IP address of the remote FreeNAS® system. Only available with Semi-automatic configurations. A valid URL scheme is required. Example: https://10.231.3.76

Why URL and https? It's SSH, there is no http involved. Is it maybe the URL of the web GUI of the remote system? The web GUI is not publicly accessible and I do not intend to open the web GUI to the Internet.

Maybe someone can shed some light onto this mysterious semi-automatic configuration and its URL.
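The authorized_keys step from question 1, as an added example that is not from this post or from FreeNAS: a POSIX sh function that installs the exported public key into the remote user's authorized_keys for the manual (non semi-automatic) setup. It assumes the key is in OpenSSH one-line format, as System → SSH Keypairs exports it, and that the remote sshd runs with StrictModes (the default), so the directory and file modes matter. The function name, file paths and the sample key are this example's own.

```shell
#!/bin/sh
# Added example, not from the forum post or from FreeNAS: install an
# OpenSSH public key (one line, as System -> SSH Keypairs exports it) into
# a remote user's authorized_keys for the manual replication setup.
# Idempotent: the key is appended once, matched on type + base64 blob so a
# changed comment does not create a duplicate, and ~/.ssh and the file get
# the modes sshd's StrictModes requires (700 and 600).
#
# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
#   prints "added" or "already present" and returns 0; returns 1 on bad input.
install_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # First non-empty, non-comment line of the key file.
    key=$(awk 'NF && $1 !~ /^#/ { print; exit }' "$pubkey_file")
    case "$key" in
        ssh-*\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    # Identity of the key: "<type> <base64 blob>", comment dropped.
    key_blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')

    ssh_dir=$(dirname "$auth_file")
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Scan existing entries; an options prefix (from=, command=, ...) may
    # precede the key type, so locate "<type> <blob>" anywhere on the line.
    if awk -v want="$key_blob" '
        /^[[:space:]]*#/ { next }
        match($0, /(sk-)?(ssh|ecdsa)-[^ \t]+[ \t]+[^ \t]+/) {
            have = substr($0, RSTART, RLENGTH)
            gsub(/[ \t]+/, " ", have)
            if (have == want) { found = 1; exit }
        }
        END { exit !found }' "$auth_file"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth_file"
        echo "added"
    fi
}
```

Copy the exported public key to the remote host and run, as root there, `install_authorized_key /tmp/freenas.pub /root/.ssh/authorized_keys`; running it a second time is a no-op. Matching on key type plus blob rather than the whole line means a re-export with a different comment, or an existing entry that carries a `from=` or `command=` prefix, is recognised as the same key instead of being appended again.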
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
It doesn't? This doesn't explain what's going on?
[attached screenshot]

(see https://www.ixsystems.com/documentation/freenas/11.3-U2/system.html#semi-automatic-setup, which is linked from the link you gave)
 

danb35

> Which URL?
It tells you: http://freenas.remote, where freenas.remote is the Host 2 hostname or IP address. What part of that is unclear?
> And it doesn't explain why http?
No, the manual isn't a "why to", it's a "how to." The "why" is presumably because you call the API via http, not ssh. I'd expect it would work over HTTPS as well, but I can't say that I've used it.
 

mpfusion

> It tells you: http://freenas.remote, where freenas.remote is the Host 2 hostname or IP address. What part of that is unclear?
The unclear part is the http part. This is about an SSH connection and there is no http server listening on that host, which is why I'm getting an error message if I try to use http (which is expected).

> No, the manual isn't a "why to", it's a "how to." The "why" is presumably because you call the API via http, not ssh. I'd expect it would work over HTTPS as well, but I can't say that I've used it.

The web gui and API use http (or https for that matter), true. But neither is exposed to the internet, only SSH is exposed. I don't know how one could reach a remote server without exposing the gui/API to the internet. And the manual does not suggest opening any additional ports.

If I exactly follow the manual I get an error message, which is expected because there is no http server listening.
 

danb35

> there is not http server listening on that host
If that host is a FreeNAS box, how is there not a HTTP server listening?
> And the manual does not suggest opening any additional ports.
The manual doesn't suggest opening any ports at all--I don't think it contemplates the case (which is apparently your use case) where there's a firewall between host 1 and host 2. If that's your situation, I don't believe there's going to be a good way to make the semi-automatic setup work for you. Zerotier would have made this easy, but they took that out in 11.3.
 

mpfusion

> If that host is a FreeNAS box, how is there not a HTTP server listening?
The freenas http server that runs the GUI and the API is not to be exposed to the internet (as mentioned in the OP). It's not recommended to expose it to the internet. It's not designed to be exposed to the internet. That's why there's no http server listening on any port accessible from the internet.

> The manual doesn't suggest opening any ports at all--I don't think it contemplates the case (which is apparently your use case) where there's a firewall between host 1 and host 2.
There's the internet between host 1 and host 2 (as mentioned in the OP), an untrusted network. Freenas used SSH (and SSH only) to traverse this untrusted network and send the replication stream in older fn versions. There was no need to open any other ports than the SSH port.

Neither the GUI nor the manual mention that the semi-automatic mode only works for trusted networks which have access to the gui/api, so I assume this is not the case. And having routers/firewalls between different freenas boxes is a very common use case.
 

danb35

> There's the internet between host 1 and host 2 (as mentioned in the OP)
No, this wasn't mentioned in your OP. Maybe you meant to, but you didn't. What you said was:
> The web GUI is not publicly accessible and I do not intent to open the web GUI to the Internet.
...but you never said why you believed that fact to be relevant. Perhaps you meant for the reader to infer that for it to be publicly accessible and open to the Internet would be the only way that host 1 would have access to it, but that's hardly the same thing.
> Neither the GUI nor the manual mention that the semi-automatic mode only works for trusted networks which have access to the gui/api, so I assume this is not the case.
But you assume incorrectly, and if you take a minute to think about it, this is obvious. The "semi-automatic mode" semi-automates configuring a SSH connection. That means the SSH connection isn't configured yet, which means that it can't be done over SSH--it must be done through some other channel. I guess this doesn't prove that the "other channel" needs to be http(s), but when the manual literally tells you in two different places to use a http:// URL that should be a bit of a clue.

Maybe the docs could be clarified on this--file a bug against them if you think so.
 

mpfusion

> But you assume incorrectly, and if you take a minute to think about it, this is obvious. The "semi-automatic mode" semi-automates configuring a SSH connection. That means the SSH connection isn't configured yet, which means that it can't be done over SSH--it must be done through some other channel. I guess this doesn't prove that the "other channel" needs to be http(s), but when the manual literally tells you in two different places to use a http:// URL that should be a bit of a clue.

That's why I was asking in the first place how this is supposed to work. So the answer is: It uses the API, making it unsuitable for remote hosts and was probably designed for other freenas hosts in the same or another trusted network where the API is accessible.

In this case I'll use the manual SSH setup rather than the semi-automatic. Thanks for your responses.
 