4 minute read.Last Modified 2021-03-12 11:12 EST
The SSH service allows connections to TrueNAS with the Secure SHell Transport Layer Protocol. When TrueNAS is used as an SSH server, the users in the network must use SSH client software to transfer files with SSH.
Allowing external connections to TrueNAS is a security vulnerability! Do not enable SSH unless external connections are required.
Activate or configure the SSH service on the Services page.
Clicking the toggle starts or stops the service, depending on the current state. Set Start Automatically for the service to start when TrueNAS boots.
To configure SSH, disable the service and click .
Configure the options as needed to match your network environment.
|TCP Port||Open a port for SSH connection requests.|
|Log in as Root with Password||Root logins are discouraged. Allows root logins. A password must be set for the root user account.|
|Allow Password Authentication||Enabling allows using a password to authenticate the SSH login. Warning: when directory services are enabled, allowing password authentication can grant access to all users imported by the directory service.|
Disabling changes authentication to require keys for all users. This requires additional setup on both the SSH client and server.
|Allow Kerberos Authentication||Ensure valid entries exist in Directory Services > Kerberos Realms and Directory Services > Kerberos Keytabs and the system can communicate with the Kerberos Domain Controller before enabling this option.|
|Allow TCP Port Forwarding||Set to allow users to bypass firewall restrictions using the SSH port forwarding feature.|
|Bind Interfaces||Select interfaces for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces.|
|Compress Connections||Select the syslog(3) level of the SFTP server.|
|SFTP Log Level||Select the syslog(3) facility of the SFTP server.|
|SFTP Log Facility||Allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). None allows unencrypted SSH connections and AES128-CBC allows the 128-bit Advanced Encryption Standard.|
|Weak Ciphers||WARNING: these ciphers are considered security vulnerabilities and should only be allowed in a secure network environment.|
|Auxiliary Parameters||Add any more sshd_config(5) options not covered in this screen. Enter one option per line. These options are case-sensitive. Misspellings can prevent the SSH service from starting.|
There are some additional options recommendations for the SSH service:
NoneEnabled noto the Auxiliary Parameters to disable the insecure none cipher.
- Increase the ClientAliveInterval if SSH connections tend to drop.
- ClientMaxStartup defaults to 10. Increase this value when more concurrent SSH connections are required.
Don’t forget to re-enable the SSH service on the Services page when all configuration changes are complete. To create and store specific SSH connections and keypairs, go to the System menu section.
This only works for users that use command line versions of scp and sftp. When SSH is configured, authenticated users with a user account can use ssh to log into the TrueNAS system over the network. User accounts are created by going to Accounts > Users and clicking ADD.
By default, the user sees their home directory after logging in with SSH. However, the user can still find system locations outside their home directory, so take security precautions before granting users SSH access to the system. One method to increase security is to change a user’s shell to only allow file transfers. This allows users to use scp and sftp to transfer files between their local computer and their home directory on the TrueNAS system while restricting them from logging into the system using ssh.
To configure this scenario, go to Accounts > Users and edit the desired user account. Change the Shell to scponly. Repeat for each user that needs restricted SSH access.
Test the configuration from another system by running the sftp, ssh, and scp commands as that user account. sftp and scp will work but ssh will fail.