Secure remote access to FreeBSD devices using SSH keys

Last edited on 2023-12-01 • Tagged under #ssh #freebsd #bsd #encrypt #network #server

Disable password logins and switch to SSH key-based authentication to secure access to remote machines.

SERVER is running FreeBSD and is configured for SSH logins from a (Debian) Linux CLIENT.

1. On both SERVER and CLIENT: Create ~/.ssh

Create an SSH directory in $HOME:

$ mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys

2. On the CLIENT: Aliases

Create ~/.ssh/config to hold aliases with the login options for a server.

Example (for user foo):

Host home-server
HostName 192.168.1.23
Port 22                                                                      
User foo

Test:

$ ssh home-server
foo@192.168.1.23's password:

3. On the CLIENT: Generate keys

$ ssh-keygen -t ed25519 -C "$(whoami)@$(hostname -s)-$(date +%F)"

4. On the CLIENT: Upload key to server

Upload the public key to the server and append to ~/.ssh/authorized_keys:

$ ssh-copy-id -i ~/.ssh/id_ed25519.pub home-server

Notify SSH that you have keys by running ssh-add:

$ ssh-add
Enter passphrase for /home/foo/.ssh/id_ed25519:
Identity added: /home/foo/.ssh/id_ed25519 (/home/foo/.ssh/id_ed25519)

All SSH sessions launched from this console will access this user key stored in memory.

Test the connection before disabling password logins:

$ ssh home-server

No request for a passphrase indicates SSH key authentication is properly configured.

5. On the SERVER: Disable password logins

Make the following modifications in /etc/ssh/sshd_config:

PermitRootLogin no
PubkeyAuthentication yes                                                    
PasswordAuthentication no

Restart SSH:

# service sshd restart

6. On the CLIENT: Key management

Keychain is an OpenSSH key manager. From the package description:

When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/$HOSTNAME-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.

Install:

$ sudo apt install keychain

For the bash shell, configure ~/.bashrc:

# Use `keychain` for ssh-agent management
if [[ -x /usr/bin/keychain ]]; then
	keychain ~/.ssh/id_ed25519
	. "${HOME}/.keychain/${HOSTNAME}-sh"
fi

Flush all cached keys from memory:

$ keychain --clear

If using tmux terminal multiplexer, enable persistent SSH key management across sessions by editing ~/.tmux.conf:

set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY"

You can like, share, or comment on this post on Mastodon 💬

Thanks for reading! Read other posts?

» Next: Install FreeBSD 14.1 (Short and Sweet Version)

« Previous: How to create a LAN subnet using OpenWrt