
SSH


Last Modified 2021-07-30 09:07 EDT

Secure Socket Shell (SSH) is a network protocol that provides a secure method to access hosts and transfer files between two hosts over an unsecured network. SSH can use user account credentials to establish secure connections, but often uses key pairs shared between host systems for authentication.

Creating an SSH Keypair

TrueNAS generates and stores RSA SSH keypairs (a public and a private key) in System > SSH Keypairs. These are generally used when configuring SSH Connections or SFTP Cloud Credentials. Encrypted keypairs or keypairs with passphrases are not supported.

Keypairs are automatically generated as needed when creating new SSH Connections or Replication tasks. To manually generate a new keypair, go to System > SSH Keypairs, click ADD, and give the keypair a unique Name.


Clicking the button to generate a keypair adds values to the public and private key fields. Copy these strings or download them into text files for later use.

SSH Connections

TrueNAS offers a semi-automatic setup mode that simplifies setting up an SSH connection with another FreeNAS or TrueNAS system without having to log in to that system to transfer SSH keys. This requires an SSH keypair on the local system and administrator account credentials for the remote TrueNAS. The remote system must also be configured to allow root access with SSH. The keypair can be generated as part of the semi-automatic configuration or manually created in System > SSH Keypairs.

Go to System > SSH Connections and click ADD.


Name and Method

| Name | Description |
|------|-------------|
| Name | Name of this SSH connection. SSH connection names must be unique. |
| Setup Method | Manual requires configuring authentication on the remote system. This can include copying SSH keys and modifying the root user account on that system. Semi-automatic only works when configuring an SSH connection with a remote TrueNAS system. This method uses the URL and login credentials of the remote system to connect and exchange SSH keys. |

Authentication

| Name | Description |
|------|-------------|
| TrueNAS URL | Hostname or IP address of the remote system. A valid URL scheme is required. Example: https://10.231.3.76 |
| Username | Username for logging in to the remote system. |
| Password | User account password for logging into the remote system. |
| Private Key | Choose a saved SSH Keypair or select Generate New to create a new keypair and use it for this connection. |

More Options

| Name | Description |
|------|-------------|
| Cipher | Standard is most secure, but has the greatest impact on connection speed. Fast is less secure than Standard but can give reasonable transfer rates for devices with limited cryptographic speed. Disabled removes all security in favor of maximizing connection speed. Disabling the security should only be used within a secure, trusted network. |
| Connect Timeout | Time (in seconds) before the system stops attempting to establish a connection with the remote system. |

Be sure to use a valid URL scheme for the remote TrueNAS URL. Leave the username as root and enter the account password for the remote TrueNAS system. The private key can be imported from a previously created SSH keypair or created with a new SSH keypair.

Saving the new configuration automatically opens a connection to the remote TrueNAS and exchanges SSH keys.

Choosing to manually set up the SSH connection requires copying a public encryption key from the local system to the remote system. This allows a secure connection without a password prompt.

Adding a Public SSH Key to the TrueNAS Root Account

Log in to the TrueNAS system that generated the SSH keypair and go to System > SSH Keypairs. Open the keypair to use for the SSH connection and copy the text of the public SSH key or download the public key as a text file.

Log in to the TrueNAS system that needs to register the public key and go to Accounts > Users. Edit the root account. Paste the SSH public key text into the SSH Public Key field.

Start by generating a new SSH keypair in System > SSH Keypairs. Copy or download the value for the public key. The public key needs to be added to the remote NAS. When the remote NAS is not a TrueNAS system, please see the documentation for that system for instructions on adding a public SSH key.

Manually Configuring the SSH Connection on the Local TrueNAS

Log back in to the local TrueNAS system and go to System > SSH Connections and add a new connection. Change the setup method over to Manual.


Name and Method

| Name | Description |
|------|-------------|
| Name | Name of this SSH connection. SSH connection names must be unique. |
| Setup Method | Manual requires configuring authentication on the remote system. This can include copying SSH keys and modifying the root user account on that system. Semi-automatic only works when configuring an SSH connection with a remote TrueNAS system. This method uses the URL and login credentials of the remote system to connect and exchange SSH keys. |

Authentication

NameDescription
HostHostname or IP address of the remote system. A valid URL scheme is required. Example: https://10.231.3.76
PortPort number on the remote system to use for the SSH connection.
UsernameUsername for logging in to the remote system.
Private KeyChoose a saved SSH Keypair or select Generate New to create a new keypair and use it for this connection.
Remote Host KeyRemote system SSH key for this system to authenticate the connection. When all other fields are properly configured, click DISCOVER REMOTE HOST KEY to query the remote system and automatically populate this field.

Discover Remote Host Key connects to the remote host and attempts to copy the key string to the related TrueNAS field.
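The discovered host key, and the public key pasted into the root account earlier, can be checked before they are trusted. The following is an added example, not TrueNAS code: it parses an OpenSSH public key line, rejects a private key pasted by mistake, reports the RSA modulus size, and computes the SHA256 fingerprint so the discovered key can be compared with a copy read from the remote system itself. The function names and sample keys are constructed for illustration, and it assumes the trusted copy was obtained over a separate channel such as the remote console.

```python
import base64
import hashlib
import struct

def _read_string(buf, off):
    """Read one length-prefixed SSH wire string; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def inspect_public_key(line):
    """Return (key type, RSA modulus bits or None, SHA256 fingerprint)."""
    if "PRIVATE KEY" in line:
        raise ValueError("this is a private key; only the public key is shared")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner != fields[0].encode():
        raise ValueError("key type prefix does not match the key blob")
    bits = None
    if fields[0] == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return fields[0], bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def same_key(discovered_line, trusted_line):
    """True only when both lines carry the same key; comments are ignored."""
    return inspect_public_key(discovered_line)[2] == inspect_public_key(trusted_line)[2]

def constructed_rsa_line(modulus, comment):
    """Build a well-formed ssh-rsa line from an arbitrary integer (not a real key)."""
    def wire(b):
        return struct.pack(">I", len(b)) + b
    n = modulus.to_bytes(modulus.bit_length() // 8 + 1, "big")  # leading zero byte
    blob = wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample values, for illustration only.
DISCOVERED = constructed_rsa_line((1 << 2047) | 1, "from-discover-button")
TRUSTED = constructed_rsa_line((1 << 2047) | 1, "read-from-remote-console")
OTHER = constructed_rsa_line((1 << 2047) | 3, "unexpected-host")

if __name__ == "__main__":
    print(inspect_public_key(DISCOVERED))
    print("match:", same_key(DISCOVERED, TRUSTED), "| other:", same_key(DISCOVERED, OTHER))
```

The fingerprint string has the same form that `ssh-keygen -l` prints for a SHA256 fingerprint, so it can be compared directly with that output on the remote host.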

More Options

| Name | Description |
|------|-------------|
| Cipher | Standard is most secure, but has the greatest impact on connection speed. Fast is less secure than Standard but can give reasonable transfer rates for devices with limited cryptographic speed. Disabled removes all security in favor of maximizing connection speed. Disabling the security should only be used within a secure, trusted network. |
| Connect Timeout | Time (in seconds) before the system stops attempting to establish a connection with the remote system. |

Make sure to select the private key from the same SSH keypair whose public key was transferred to the remote NAS.