SSH Key Authentication Setup

[Tartan88]

Hello,

I am trying to setup SSH authentication utilizing public/private key pairs. I have been following a number of guides, listed below:
https://blog.binarymist.net/2010/04/06/a-few-steps-to-secure-a-freenas-server/
http://chrisadas.com/2015/12/30/set-up-ssh-key-pairs-for-freenas-jails/

I have created a public/private key on my FreeNAS .ssh/ directory and copied the key into a file name "authorized_keys" in the same .ssh/ directory. I have then imported that key into PuttyGen and saved it on my Windows system.

When I try to connect using these keys, I get a "Disconnected: No supported authentication methods available (server sent: publickey) Server refused our key" error.

I have a feeling this has something to do with permissions, but I am not sure. Also, in doing some digging, it appears the CHMOD command is no longer allowed? The SMB share I have setup on my FreeNAS in order to allow my Windows systems to map the network drive does have the "Apply Default Permissions" box checked. Does that make a difference?

The current permissions for the .ssh folder and files is as follows:

authorized_keys* -rwxrwxr-x+
id_rsa* -rwxrwxr-x+
.ssh/ drwxrwxr-x+

Any help/guidance you might be able to provide would be greatly appreciated. Thank you!

 

[dlavigne]

Why not just copy the key into the user's account using the GUI? That will do the right thing for you.

 

[danb35]

I have created a public/private key on my FreeNAS .ssh/ directory and copied the key into a file name "authorized_keys" in the same .ssh/ directory. I have then imported that key into PuttyGen and saved it on my Windows system.

This isn't really how you do it. You create the keypair on the client machine (using PuttyGen, in your case), and then put only the public key in the authorized_keys file (which you can do through the web GUI). The private key should never leave the machine on which it's generated. But all of that said, I don't think it's your problem.

it appears the CHMOD command is no longer allowed?

The chmod command is allowed, but it doesn't work on datasets with Windows permissions, and this is your problem. Your user's home directory needs to be on a dataset with Unix permissions, so you can set the permissions for the .ssh/ directory and the authorized_keys file properly.

 

[Tartan88]

Thank you for the quick response. First, I have tried copying the key into the GUI for the user.

Secondly, if the directory needs UNIX permissions, how do I maintain my Windows share while also setting permissions correctly? Thanks.

 

[danb35]

Put the user's home directory in a different dataset.

 

[Tartan88]

@danb35, can you explain this a little more? I only have 1 user, and that user's home directory is associated with the directory I am sharing across the network (and want to access remotely via shared keys). Apologies, I am learning a lot as I go. Thank you!

 

[danb35]

I only have 1 user, and that user's home directory is associated with the directory I am sharing across the network

Yes, and this is your problem. Create a different dataset, set Unix permissions for that dataset, and put the user's home directory in that dataset. Once you ssh in to the server, you can still navigate to wherever else you want to go, as long as you have permissions there.

 

[danb35]

That will do the right thing for you.

Will the GUI set proper permissions in a dataset that's configured to use Windows permissions? Is that even possible? If it is possible, and if the GUI does it, that's great (and it makes all my advice in this thread incorrect)--but the fact that it isn't working for @Tartan88 suggests that it may not be the case.

 

[Tartan88]

@danb35, when creating this new dataset, do I need to change where all of my data resides? Or, just change the home directory of the user (only user) I have to the new UNIX dataset I just created? How will this affect my ability to "Map a Network Drive" on my Window's systems as I currently have it setup?

If it is easier, I can PM you with my email address? Thank you.

 

[danb35]

do I need to change where all of my data resides?

No.

Or, just change the home directory of the user (only user) I have to the new UNIX dataset I just created?

Yes.

How will this affect my ability to "Map a Network Drive" on my Window's systems as I currently have it setup?

In no way.

I can PM you with my email address?

I prefer to keep the "help" discussions public so that others can benefit from them (and correct me when I'm wrong).

 

[Tartan88]

Awesome, thanks. I am going to try this out and will get back to you. Just not too familiar with creating datasets and what exactly that "means," but will let you know the results. Appreciate all of the help!

 

[Ericloewe]

I prefer to keep the "help" discussions public so that others can benefit from them (and correct me when I'm wrong).

+1

 

[Tartan88]

@danb35, attached is an image of my current volumes/datasets. Is all I need to do is click the "Create a new dataset" button, give it a name, and that is it? I was looking at the documentation on FreeNAS, and there isn't a ton of guidance. I am just a little confused about what the new dataset, in theory, is providing. Thank you!

 

[danb35]

Click on the second entry for "pool", then click the create dataset button. Give it a name, make sure the permissions are set to Unix, and you're good. What it is providing is a part of your pool that is not using Windows permissions, which is (most likely) what's preventing you from setting the proper permissions on the authorized_keys file, and thus from logging using SSH keys.

 

[Tartan88]

@danb35, I have created the new dataset ("unix"), changed my home directory for my user to the pool/mnt/unix directory, and then created a public/private key with Puttygen. I copied the public key into the SSH Public Key box of the gui, which created an "authorized_keys" file in the .ssh/ directory on my pool/mnt/unix dataset. The permissions for that directory and the file are -rwxr-xr-x. When I try the command chmod 600 authorized_keys it says "Operation not permitted." When I try sudo chmod 600 authorized_keys and enter the root password, it says the password is incorrect (but I just ensured that the password IS correct). Any thoughts? Is the 600 chmod correct? Appreciate your patience with me.

 

[Tartan88]

To follow up, I just logged in as root (instead of trying sudo), chown <user> authorized_keys and then chmod 600 authorized_keys. Still getting same error as before (Disconnected...).

 

[Robert Trevellyan]

You need to chmod the .ssh directory too (to rwx------ or 700).

 

[Tartan88]

@Robert Trevellyan , so, to be clear, .ssh directory shoul be 700 and authorized_keys should be 600? chown on both?

 

[Robert Trevellyan]

.ssh directory shoul be 700 and authorized_keys should be 600

Yes.

chown on both

chmod, not chown.

 

[Tartan88]

@Robert Trevellyan, I ran chown <user> authorized_keys and chown <user> .ssh as well (at least based on what the guide was telling me to do?) Thanks.