OPNsense Forum

English Forums => General Discussion => Topic started by: Yewtink on October 30, 2024, 12:34:42 AM

Title: Minimal desktop install?
Post by: Yewtink on October 30, 2024, 12:34:42 AM
I'm having issues getting ssh to work.  Is there a minimal desktop in the stock install?

If so what is the command to start it?  If I need to install one manually which is best? Just needing nano editor, file explorer and ability to print to pdf or my networked printer.

I found how to install nano from cli.

I do not want the desktop environment to boot all the time just when I need it.
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 30, 2024, 12:46:41 AM
OPNSense?
There is no desktop at all, minimal or otherwise. This is a firewall not a general purpose OS.
Or maybe I don't understand the question.
Title: Re: Minimal desktop install?
Post by: Seimus on October 30, 2024, 10:01:52 AM
As mentioned by cookie, this is a FW, security appliance. All necessary tools and subsystems for managing such device are in place. Same goes for SSH.

Out of the BOX, OPNsense should have default rules, permitting access from LAN to everywhere, this same goes as well for SSH. However if you want to connect to the device via SSH you need to enable it via GUI.

Please read >
https://docs.opnsense.org/manual/settingsmenu.html#secure-shell

Regards,
S.
Title: Re: Minimal desktop install?
Post by: Yewtink on October 30, 2024, 09:51:57 PM
Correct, I configured the secure SSH and for whatever reason it keeps on failing. I left root ssh disabled, created a new user with admin rights (not working either). I also created a self-signed cert and saved it to opnsense and my computer I am trying to ssh in with. Telling me to check log. It is taking me days to get anywhere like this. I would like to install and only have it to load on demand for a single user.

I suck at remembering the linux commands and file directory system. I would like to add a minimal desktop so I have a GUI to get in and look at what I need easily. If I can't ssh into the router I have to move and connect a monitor so I can work directly off the machine. If there was a lite desktop to speed up my ability to open and read the logs and make edits when possible it would be a huge help.

Another issue I am having is converting my cert to a putty format (ppk), following the directions I keep getting an error that the file is not formatted correctly.  Recreated a new cert copy and pasted to new machine to import still says incorrect format error.  I am just so tired of feeling blind and not getting anywhere.

Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 30, 2024, 09:56:00 PM
What is missing in the web UI for all of that? Log files are readily accessible. There is rarely a need to use SSH.
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 30, 2024, 10:07:32 PM
Ok, clearer now. The only UI you'll be able to use is its own. No desktops can be installed but the UI will allow you to do what you want, use a UI to manage it over the network. Point your browser on your PC, laptop, etc. to the ip of it on the LAN. Check https://docs.opnsense.org/manual/install.html from "The GUI is accessible at .."

That is your UI for management.
As for the ssh access, that is something you should really want to fix. You could use "ssh -vvv" and post the results (in code brackets) to see what it might be complaining about.
I can't help with putty I don't use it, a MS windows thing. I don't know if it ships its own ssl libraries but
2024-10-26T17:56:29-04:00   Error   sshd-session   error: Received disconnect from 192.168.90.8 port 58936:14: No supported authentication methods available [preauth]
suggests it could be an old OS or an old application with removed/disabled ciphers.
However the port looks wrong.

Best thing all considered is to fix first the access to UI and that will allow to fix ssh. Likely wrong settings set.
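The log line quoted above, parsed as an added example (not the poster's own tooling, nor anything from OPNsense): in OpenSSH's "Received disconnect from <ip> port <port>:<code>" message the number after the colon is the RFC 4253 disconnect reason code, and 14 is NO_MORE_AUTH_METHODS_AVAILABLE, i.e. the client gave up before authenticating. The script groups sshd events per source address over a constructed sample log in which only the first line is the one from the thread.

```python
import re
from collections import Counter, defaultdict

# Log line shape as shown in the thread: timestamp, severity, process, message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>\S+)\s+(?P<proc>\S+)\s+(?P<msg>.*)$")
# OpenSSH: "Received disconnect from <ip> port <port>:<reason-code>: <text> [preauth]"
DISCONNECT_RE = re.compile(r"Received disconnect from (?P<ip>\S+) port (?P<port>\d+):"
                           r"(?P<code>\d+): (?P<reason>.*?)(?: \[preauth\])?$")
FAILED_RE = re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Disconnect reason codes from RFC 4253 section 11.1.
REASON_CODES = {1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED",
                5: "MAC_ERROR", 7: "SERVICE_NOT_AVAILABLE", 8: "PROTOCOL_VERSION_NOT_SUPPORTED",
                9: "HOST_KEY_NOT_VERIFIABLE", 10: "CONNECTION_LOST", 11: "BY_APPLICATION",
                12: "TOO_MANY_CONNECTIONS", 13: "AUTH_CANCELLED_BY_USER",
                14: "NO_MORE_AUTH_METHODS_AVAILABLE", 15: "ILLEGAL_USER_NAME"}

def parse_line(line: str):
    """One sshd log line -> event dict; None for lines from other processes."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("proc").startswith("sshd"):
        return None
    msg = m.group("msg")
    ev = {"ts": m.group("ts"), "preauth": msg.endswith("[preauth]")}
    if d := DISCONNECT_RE.search(msg):
        code = int(d.group("code"))  # the ":14" after the port is this code, not part of the port
        ev.update(event="disconnect", ip=d.group("ip"), port=int(d.group("port")), code=code,
                  code_name=REASON_CODES.get(code, "UNKNOWN"), reason=d.group("reason"))
    elif f := FAILED_RE.search(msg):
        ev.update(event="auth_failed", ip=f.group("ip"), port=int(f.group("port")),
                  user=f.group("user"), method=f.group("method"))
    elif a := ACCEPTED_RE.search(msg):
        ev.update(event="auth_ok", ip=a.group("ip"), port=int(a.group("port")),
                  user=a.group("user"), method=a.group("method"))
    else:
        ev.update(event="other", msg=msg)
    return ev

def summarize(text: str):
    """Event counts per source IP, e.g. {'192.168.90.8': {'disconnect': 1}}."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and "ip" in ev:
            per_ip[ev["ip"]][ev["event"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}

def explain(ev) -> str:
    """Hint for the disconnect the thread is about (code 14 before authentication)."""
    if ev and ev.get("event") == "disconnect" and ev["code"] == 14 and ev["preauth"]:
        return ("client gave up: it ran out of methods sshd would accept; on OPNsense check that "
                "SSH password login is enabled or that the user has an Authorized key")
    return "no specific hint"

# Constructed sample log: only the first line is the one quoted in the thread.
SAMPLE_LOG = """\
2024-10-26T17:56:29-04:00   Error   sshd-session   error: Received disconnect from 192.168.90.8 port 58936:14: No supported authentication methods available [preauth]
2024-10-26T17:57:02-04:00   Notice   sshd-session   Failed password for admin from 192.168.90.8 port 58940 ssh2
2024-10-26T17:58:10-04:00   Notice   sshd-session   Accepted publickey for admin from 192.168.90.8 port 58951 ssh2: ED25519 SHA256:CONSTRUCTED
2024-10-26T17:58:11-04:00   Notice   configd.py   OPNsense/Sslh generated //etc/rc.conf.d/sslh
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_line(line)
        print(ev, "->", explain(ev))
    print(summarize(SAMPLE_LOG))
```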
Title: Re: Minimal desktop install?
Post by: Yewtink on October 30, 2024, 10:50:00 PM
IDK I can login as root and manage (WebUI) I get an error and in the UI says click goto page. But it does not open the log file so I can read it.  The UI will tell me which log to check but it doesn't give me a file location.

IDK. The directions to convert a pem file to ppk are pretty straightforward. I checked for updates to see if something in the coding changed. I even tried openssh to convert pem to ppk.

OS is current and up to date, as well as OPNsense running 24.7.7. I changed the port from the default. I am attempting to lock it down so it will only accept my LAN ssh request with my username/password and certificate.

I have a Debian Server that I am prepping for a file and small game server.  I haven't tried to SSH in with it.
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 30, 2024, 11:48:07 PM
Please don't take this wrong but I don't understand what you are saying, and no idea what is ppk.

> IDK I can login as root and manage (WebUI) I get an error and in the UI says click goto page. But it does not open the log file so I can read it.  The UI will tell me which log to check but it doesn't give me a file location.

So you can login to the UI?
Then what error is it and what are the steps to reproduce it? In other words once logged in, what are you trying to do which causes an error? Then what log file? There are no log files to open in the UI.

>OS is current and up to date as well as OPNsense running 24.7.7.  I changed the port from the default.  I am attempted to lock it down so only it will accept my, LAN ssh request with my username/password and certificate.
OS up to date, OPNSense one? Good. " I changed the port from the default." Which port, for what service?

Can we go step by step. What is the first problem?
Title: Re: Minimal desktop install?
Post by: Yewtink on October 31, 2024, 12:36:55 AM
> Please don't take this wrong but I don't understand what you are saying, and no idea what is ppk.

https://www.puttygen.com/convert-pem-to-ppk

> Then what error is it and what are the steps to reproduce it? In other words once logged in, what are you trying to do which causes an error? Then what log file? There are no log files to open in the UI.

No supported authentication methods available [preauth]

The Secure SSH function not working at all. I am mainly a windows user but I have tinkered with linux for fun in my free time. I have always used Putty to ssh into my linux systems. This is the first time I tried to lock it down since it being a firewall/router and all.

Looks like it was disabled or my settings didn't save. 
:(

I can log into the UI with my other user I created several months ago. But can't with SSH.

I bought the Practical OPNsense 4th edition hoping that it would help me with the configuring. Have also visited the Docs and wanted to get a pdf copy so I can view it offline and print out things I would like to remember and keep close.
Title: Re: Minimal desktop install?
Post by: Yewtink on October 31, 2024, 02:24:31 AM
I found where someone else was having issues with putty.

https://forum.opnsense.org/index.php?topic=40743.0
Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 31, 2024, 07:02:28 AM
SSH is available in powershell, no need to use putty.
Title: Re: Minimal desktop install?
Post by: dseven on October 31, 2024, 09:56:18 AM
Quote from: Yewtink on October 30, 2024, 09:51:57 PM
> I also created a self-signed cert and saved it to opnsense and my computer I am trying to ssh in with.

I'm fairly sure that OPNsense does not support certificate-based authentication for SSH. Where/how did you "save it to opnsense"?
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 31, 2024, 10:15:00 AM
Recent windows versions have a very useful terminal application. There hasn't been a need to use putty in some years now.
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 31, 2024, 10:41:41 AM
Also
> I can log into the UI with my other user I created several months ago. But can't with SSH.
Maybe you show us what and how and we can have a better idea.
As dseven suggests, are you trying to ssh using username/password or are you trying to use a certificate?
@dseven - I could be wrong, haven't tested it but I think it can. They can be generated from the "Users" section.
For ssh only of course.
Title: Re: Minimal desktop install?
Post by: dseven on October 31, 2024, 12:43:30 PM
I could be wrong too, but I really don't think so. AFAIK it would require openssh to be configured to trust a CA, and client certs would have to have been issued (signed) by that CA. I don't think a self-signed cert would work. There has been talk about implementing it in opnsense (https://github.com/opnsense/core/issues/6007), but I don't think it has actually happened, so you get people trying to hack around it like https://forum.opnsense.org/index.php?topic=43142.0
Title: Re: Minimal desktop install?
Post by: bimbar on October 31, 2024, 01:33:43 PM
Quote from: dseven on October 31, 2024, 12:43:30 PM
> I could be wrong too, but I really don't think so. AFAIK it would require openssh to be configured to trust a CA, and client certs would have to have been issued (signed) by that CA. I don't think a self-signed cert would work. There has been talk about implementing it in opnsense (https://github.com/opnsense/core/issues/6007), but I don't think it has actually happened, so you get people trying to hack around it like https://forum.opnsense.org/index.php?topic=43142.0

No.

You can copy a key to the opnsense. SSH does not use the TLS certificate hierarchy.
Title: Re: Minimal desktop install?
Post by: dseven on October 31, 2024, 01:42:44 PM
Quote from: bimbar on October 31, 2024, 01:33:43 PM
> SSH does not use the TLS certificate hierarchy.

Not sure what you're saying here - SSH does not use SSL or TLS, but it *can* (generally, outside the context of OPNsense) do certificate-based authentication (both server and client) in a similar manner.
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 31, 2024, 03:11:49 PM
I think we've started to convolute this. So let me see if we can clarify.
SSH authentication for OPNSense
- Default is username and password.
System: Access: Users
User connects via ssh to OPN, OPN prompts for username and password.
- Can it use instead certificates?
The answer here is yes. As bimbar says you can simply copy your keys to OPNSense and it becomes an authorised key.
Whether the age old "ssh-copy-id" works fine, I don't know. I imagine yes. Otherwise the usual "manual" scp or similar. And what I was alluding to was that the UI has in recent versions a field "Click to generate" and another to paste an existing one. So it seems the UI can create or use an existing one.
Public CAs have no part to play here! So we're all saying it so I think we're good. This is mostly for the OP.

p.s. what I do not know is if the pasted key in that field has to be a specific type (RSA, ecdsa, ed25519, etc.) or whatever preference from ssh-keygen is used.
Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 31, 2024, 03:43:08 PM
@cookiemonster SSH keys are not certificates. Two different things. And you should not use ssh-copy-id, because the key does not end in the configuration. Use the UI, System > Access > Users and upload a key, not a certificate.
Title: Re: Minimal desktop install?
Post by: bimbar on October 31, 2024, 04:50:14 PM
Quote from: dseven on October 31, 2024, 01:42:44 PM
> Quote from: bimbar on October 31, 2024, 01:33:43 PM
> > SSH does not use the TLS certificate hierarchy.
>
> Not sure what you're saying here - SSH does not use SSL or TLS, but it *can* (generally, outside the context of OPNsense) do certificate-based authentication (both server and client) in a similar manner.

As it turns out, it can, but I have never seen it used, and it's not really relevant in the opnsense context.
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 31, 2024, 05:08:26 PM
Quote from: Patrick M. Hausen on October 31, 2024, 03:43:08 PM
> @cookiemonster SSH keys are not certificates. Two different things. And you should not use ssh-copy-id, because the key does not end in the configuration. Use the UI, System > Access > Users and upload a key, not a certificate.
yeah true technically and I should have been clearer, thanks for reminding me to not mix the terms.
Title: Re: Minimal desktop install?
Post by: Yewtink on October 31, 2024, 05:21:19 PM
Following the steps under System > Access > Users seems straightforward, but after spending about an hour re-reading the documentation, I found a couple of mistakes on my part. First, the initial setup didn't mention avoiding the use of a domain.local, which can cause confusion with certain systems. Second, I forgot to change the login shell directory.

I'm currently facing an issue with the User Certificates. OPNsense can create the certificates without any problems, and I can save them to my computer. However, when I try to import them into PuTTY, I run into challenges. I'm using an older Windows desktop at home and prefer the PuTTY GUI interface since I'm not comfortable with the CLI—I don't have an IT background.

The main error I'm encountering is: "Unable to use certificate file 'Z:\OPN\MyInternalCert_crt.pem' (OpenSSH SSH-2 private key (old PEM format))."

I've researched the difference between old and new PEM formats. I found an example in another post and tried editing the PEM file to match that format, but I'm still getting an error.

My main question is: how can I secure SSH so that only I can log in using the username/password, CA, or key, ensuring it works across any OS I use?

Additionally, I noticed the package openssh-portable 9.9.p1,1 in OPNsense. Is it possible to convert the OpenSSH CA to SSH-2 PEM format so that it will work with PuTTY?

Thank you for your help!
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 31, 2024, 05:48:48 PM
Sorry not me. I don't nor will use putty, so I'm out.

p.s. your requirements would be easily met if you did not use it.
Title: Re: Minimal desktop install?
Post by: Yewtink on October 31, 2024, 05:58:19 PM
> p.s. your requirements would be easily met if you did not use it.

Is there another Windows GUI SSH option?  Putty works really good for every other machine I have tried to ssh into.

Is there a post somewhere that lists the SSH key requirements? Putty has a ton of tweaks where I can set the algorithm, cipher, GSSAPI and so much more.
Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 31, 2024, 06:00:24 PM
System > Settings > Administration

Enable SSH Password Login

Open a Powershell window

Type: ssh <username>@192.168.1.1


But you have not yet explained why you think you need SSH access in the first place. All logfiles are accessible in the web UI.
Title: Re: Minimal desktop install?
Post by: Yewtink on October 31, 2024, 06:47:41 PM
> But you have not yet explained why you think you need SSH access in the first place. All logfiles are accessible in the web UI.
While all log files are accessible through the web UI, the specific details in those logs are not shown. I am not aware of an ability to enter the console from the web UI so I can manually open the logs in question.

For example, the log entry "Debug configd.py OPNsense/Sslh generated //etc/rc.conf.d/sslh" doesn't provide me with useful information. If I could access the config file and review it with examples, I could usually identify the issue. The web UI is designed by people who are more knowledgeable than I am, and it caters to those with more networking experience. I typically learn by reverse engineering what I need to make things work. I google the file in question and find someone that will tear the file apart and will explain what each line means and how to edit. Or I open the file in Notepad++ and find a typo or incorrect formatting that I can correct.

When I refer to the documentation for assistance, it often provides CLI instructions. However, I can't use the CLI if I don't have SSH access to the device.

Here is an example; most cells are pretty simple. I looked in the docs for an explanation of each cell.

DNS domain names: assuming if I am connecting off site I would need to add the additional domain. user@google.com

IP addresses: Just guessing the same but it isn't clear. Just assuming if it gets an ssh request from 8.8.8.8

Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 31, 2024, 07:20:03 PM
Ok, so what are you trying to achieve in that certificate menu? This is not for SSH access. Not at all.

Either use password authentication like I already showed you above.

Or:

1. Create a private/public key pair with puttygen.
2. Convert the public key to OpenSSH format with puttygen.
3. Place that public key in the user account under System > Access > Users ... particular user.

Then tell putty to use the private key for authentication.

SSH in OPNsense does not use certificates! Keys are not certificates!
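To make the distinction Patrick draws concrete, here is a checker added as an example (not code from the thread, from PuTTY or from OPNsense) that tells what the Authorized keys field under System > Access > Users actually wants, a one-line OpenSSH public key, apart from the things a Windows user is likely to paste by mistake: a PuTTY .ppk, PuTTY's "Save public key" (RFC 4716) export, a PEM private key, or an X.509 certificate such as the _crt.pem PuTTY rejected earlier. It also prints the SHA256 fingerprint that ssh-keygen -lf would show for the same line. All sample inputs are constructed; the ed25519 key material is a dummy of 32 zero bytes.

```python
import base64
import hashlib
import struct

# Key types OpenSSH accepts as plain keys on an authorized_keys line.
PLAIN_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf: bytes, off: int = 0):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify(text: str):
    """Classify pasted material; returns (kind, detail)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first == "-----BEGIN CERTIFICATE-----":
        return "x509-certificate", "TLS/OpenVPN certificate (System > Trust); not an SSH key at all"
    if first.startswith("-----BEGIN") and first.endswith("PRIVATE KEY-----"):
        return "private-key", "the private half; never upload it, the firewall only needs the public key"
    if first.startswith("PuTTY-User-Key-File-"):
        return "putty-ppk", "PuTTY's own key file; copy the OpenSSH public-key line out of puttygen instead"
    if first == "---- BEGIN SSH2 PUBLIC KEY ----":
        return "rfc4716-public", "PuTTY 'Save public key' output; needs converting to the one-line OpenSSH form"
    parts = first.split(None, 2)
    if len(parts) < 2:
        return "unknown", "not a recognised key or certificate format"
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, _ = _read_ssh_string(blob)
    except (ValueError, struct.error):
        return "corrupt", "base64 blob does not decode (line wrapped or truncated while pasting?)"
    if wire_type.decode("ascii", "replace") != keytype:
        return "corrupt", f"text says {keytype} but blob says {wire_type!r}"
    if keytype.endswith("-cert-v01@openssh.com"):
        return "openssh-certificate", "CA-signed SSH certificate; needs sshd to trust the CA, which the OPNsense UI does not configure"
    if keytype not in PLAIN_TYPES:
        return "unknown", f"unsupported key type {keytype}"
    return "openssh-public-key", keytype

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64 without padding)."""
    blob = base64.b64decode(pubkey_line.split(None, 2)[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# Constructed samples. The ed25519 key is a dummy (32 zero bytes), not a real key.
SAMPLE_ED25519 = ("ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
                  + " user@desktop")
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
SAMPLE_PPK = "PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\n"
SAMPLE_OLD_PEM = "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("ed25519 line", SAMPLE_ED25519), ("cert", SAMPLE_CERT_PEM),
                         ("ppk", SAMPLE_PPK), ("old pem", SAMPLE_OLD_PEM)]:
        print(f"{name:12} -> {classify(sample)}")
    print(fingerprint(SAMPLE_ED25519))
```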
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 31, 2024, 10:32:21 PM
meantime..
Quote from: Yewtink on October 31, 2024, 05:58:19 PM
> > p.s. your requirements would be easily met if you did not use it.
>
> Is there another Windows GUI SSH option? Putty works really good for every other machine I have tried to ssh into.
>
> Is there a post somewhere that lists the SSH key requirements? Putty has a ton of tweaks where I can set the algorithm, cipher, GSSAPI and so much more.
Windows Terminal, although only available for Windows 10 and 11. Best used with Windows Subsystem for Linux aka WSL. With that, you get a very capable terminal and it replaces putty. You get that and quite a bit more, as with WSL you get the openssl libraries for example.
@Patrick - ssh keys might not be certificates but a lot of documentation out there refers to them as such. I had to double check why I had it ingrained in my mind as muscle memory. See https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication#sec-Introduction_to_SSH_Certificates as an example.
Are we discussing something different perhaps ?
Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 31, 2024, 10:43:36 PM
This is an entirely different new method that is to my knowledge not supported by OPNsense in the current state.

It integrates OpenSSH with a certificate based PKI so you do not need to copy your public key to every single account you want to log in to.

But please for this case let's stick to keys.

Traditional SSH keys are not certificates. Never were.

I am referring to this method:
https://www.digitalocean.com/community/tutorials/how-to-create-ssh-keys-with-openssh-on-macos-or-linux

Really how on earth did certificates enter this thread at all?
Title: Re: Minimal desktop install?
Post by: cookiemonster on October 31, 2024, 10:49:11 PM
yes it did because the two methods: keys and certificates got conflated. Partly by me to be frank.
The fields in the System | Users are what made me wonder if OPN now supports both. That's all.
Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 31, 2024, 10:50:17 PM
Not for SSH. Certificates are for OpenVPN.
Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on October 31, 2024, 10:53:58 PM
Quote from: Yewtink on October 31, 2024, 06:47:41 PM
> I typically learn by reverse engineering what I need to make things work. I google the file in question and find someone that will tear the file apart and will explain what each line means and how to edit. Or I open the file in Notepad++ and find a typo or incorrect formatting that I can correct.

In general you cannot edit or "correct" configuration files in OPNsense. All configuration files are generated anew from the central configuration every time the system boots. The only way to change configuration is through the UI or the API over HTTP.
Title: Re: Minimal desktop install?
Post by: Yewtink on November 01, 2024, 03:09:15 AM
Ok I am too tired to mess with it tonight. May I suggest better "tips" in the add user. One of the fields clearly asks for a User CA and when configuring Putty it also has a place to enter a CA. Neither are documented well enough for idiots like me that require a little more detail.

I did try to ssh into OPNsense on my Windows 11 pro.  Thought it was going to work until it rejected the password.

As for the reverse engineering, there is much more documentation for using CLI and manual file edits. That helps me understand what is needed so it makes the Web UI easier to understand. Guess your position is, it is right there in the Web UI if you know what happens in the background. I do not know or understand so I have to hunt for the proper terms for what I need to do and have to pray that the directions aren't outdated at the time I am reading it. If I can view a file I can try and read the code; if I get stuck or need more information I can enter the code and get a detailed response back. Getting stuck in the Web UI and googling takes forever with minimal results.
Title: Re: Minimal desktop install?
Post by: Patrick M. Hausen on November 01, 2024, 06:01:09 AM
You are aware of the extensive documentation?

https://docs.opnsense.org/manual/how-tos/user-local.html

E.g.
> Authorized keys
> Optional, paste ssh key for ssh console access

And:

> I did try to ssh into OPNsense on my Windows 11 pro. Thought it was going to work until it rejected the password.

You did enable password authentication in System > Settings > Administration?
Title: Re: Minimal desktop install?
Post by: EricPerl on November 01, 2024, 11:16:18 PM
Config for ssh:
Both optional are sufficient for Windows ssh root@<your firewallIP> to work

Additional users can be created in System->Access->Users.

* Generated by "ssh-keygen -f .\.ssh\keyfile"

Access via ssh -i .\.ssh\keyfile <username created above>@<your firewallIP>
Use -v if you want/need to see details (e.g. supported algorithms and authn methods).
Title: Re: Minimal desktop install?
Post by: Yewtink on November 01, 2024, 11:58:28 PM
> You did enable password authentication in System > Settings > Administration?

Yes the option was enabled, but later noticed that the login shell had reverted back to "nologin." I fixed that and immediately saved and exited the Web UI.

> You are aware of the extensive documentation?
>
> https://docs.opnsense.org/manual/how-tos/user-local.html

That page I hadn't seen, would be nice if the Web UI would have taken me there.  I usually click on the full help in the top right.  So this is what I was looking at:


I was trying to generate a user CA that both OPNsense and Putty would use.

Sorry I am difficult. I also double checked my Windows 10 Pro pc and I had already added the Windows Subsystem for Linux.

Thanks guys the windows ssh is working.