TrueNAS CORE Nightly Development Documentation
This content follows experimental early release software.

SSH Screen

Secure Socket Shell (SSH) is a network communication protocol. It provides encryption to secure data. Use the SSH services screen to configure SSH File Transfer Protocol (SFTP). SFTP is available by enabling SSH remote access to the TrueNAS system.

Allowing external connections to TrueNAS is a security vulnerability! Enable SSH only when there is a need for external connections. See Security Recommendations for more security considerations when using SSH.


General Options

TCP Port: Open a port for SSH connection requests. Enter the port number.
Log in as Root with Password: Select to allow root logins. It is not recommended to allow root logins! A password must be set for the root user account.
Allow Password Authentication: Select to allow SSH login authentication using a password. Warning: Determine if directory services are enabled. If so, this setting grants access to all users imported by the directory service. When disabled, authentication requires keys for all users, which involves extra SSH client and server setup.
Allow Kerberos Authentication: Select to allow Kerberos authentication. Before enabling this option, valid entries must exist in:
Directory Services > Kerberos Realms
Directory Services > Kerberos Keytabs
The system must be able to communicate with the Kerberos domain controller.
Allow TCP Port Forwarding: Select to allow users to bypass firewall restrictions using SSH port forwarding. For best security, leave disabled and deny shell access to users.

ADVANCED OPTIONS displays additional configuration fields to set up SSH for specific use cases.


Advanced Options

Bind Interfaces: Select interfaces on your system from the dropdown list for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces.
Compress Connections: Select to attempt to reduce latency over slow networks.
SFTP Log Level: Select the syslog(3) level of the SFTP server from the dropdown list. Options are Quiet, Fatal, Error, Info, Verbose, Debug, Debug2 or Debug3.
SFTP Log Facility: Select the syslog(3) facility of the SFTP server from the dropdown list. Options are Daemon, User, Auth and Local0 through Local7.
Weak Ciphers: Select a cipher from the dropdown list to allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). Options are None or AES128-CBC. Use None to allow unencrypted SSH connections. Use AES128-CBC to allow the 128-bit Advanced Encryption Standard.
WARNING: These ciphers are security vulnerabilities. Only allow them in a secure network environment.
Auxiliary Parameters: Add any more sshd_config(5) options not covered in this screen. Enter one option per line. Options added are case-sensitive. Misspellings can prevent the SSH service from starting.
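
The following is an added example, not part of the TrueNAS documentation or code. It audits text in sshd_config(5) syntax for the settings this screen warns about: root password login, password authentication, TCP port forwarding and weak ciphers. The mapping from screen options to sshd directives, and the names audit, CHECKS and SAMPLE, are assumptions made for illustration.

```python
# Added example (not TrueNAS code). Input uses sshd_config(5) syntax, e.g. `sshd -T`
# output. The mapping from screen options to directives is an assumption.
import re

WEAK_CIPHERS = {"none", "aes128-cbc"}  # the two "Weak Ciphers" choices

def _weak_ciphers(value):
    # A leading "-" removes ciphers from the default set, so it is not a finding.
    if value.startswith("-"):
        return False
    return bool(WEAK_CIPHERS & set(value.lstrip("+^").split(",")))

# lowercase directive -> (screen option, test that is true when the value is risky)
CHECKS = {
    "permitrootlogin": ("Log in as Root with Password", lambda v: v == "yes"),
    "passwordauthentication": ("Allow Password Authentication", lambda v: v == "yes"),
    "allowtcpforwarding": ("Allow TCP Port Forwarding", lambda v: v != "no"),
    "ciphers": ("Weak Ciphers", _weak_ciphers),
}

def audit(config_text):
    """Return sorted (screen option, directive, value) findings."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # audit the global section only
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())  # first value wins in sshd
    return sorted((CHECKS[k][0], k, v) for k, v in seen.items()
                  if k in CHECKS and CHECKS[k][1](v))

# Constructed sample input, not taken from a real system.
SAMPLE = """\
PermitRootLogin yes
PasswordAuthentication no
AllowTcpForwarding no
Ciphers +aes128-cbc
# The repeated keyword below is ignored because the first value wins.
PermitRootLogin no
"""

if __name__ == "__main__":
    for option, directive, value in audit(SAMPLE):
        print(f"{option}: {directive} = {value}")
```

On a live system, pass in the output of `sshd -T`, which prints the effective configuration with every keyword present, so nothing depends on compiled-in defaults.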