I have set up SSH to opnsense. I allowed the root user to have ssh access, and put my client public key in to the authorized_keys for the root user. That works fine, I can ssh in as root.
But I would rather not use the root user for ssh. So I set up a second user, and put the public key in that user's authorized_keys. On my client device, I then edited ~/.ssh/config to have two entries for the opnsense server, both identical except one is the root user, and the other is my new user.
I can log on fine with the root one, but not with the other user. It says
Permission denied (publickey).
I did some research, and it was indicated that I have to change the permissions and ownership of the files in ~/.ssh. Is this the case? I was reluctant to do that. Is there any documentation on getting any user other than root to have working ssh on opnsense, with a focus on the best practice for security?
Thank you for your time.
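An added example, not code from this thread: the question above asks whether ~/.ssh permissions matter for a non-root user. They do, because sshd's StrictModes (on by default) refuses to read authorized_keys when the home directory, ~/.ssh or the file itself is group/world writable or owned by someone else. The script below re-creates those checks so the affected user's setup can be audited instead of guessed at; it assumes POSIX sh and a stat(1) that is either GNU (-c) or BSD (-f), which covers FreeBSD/OPNsense as well as Linux.

```shell
#!/bin/sh
# Added example (not from the forum thread): emulate the ownership and
# permission preconditions sshd applies under StrictModes before it will
# honour ~/.ssh/authorized_keys. Assumes POSIX sh plus GNU or BSD stat(1).

# Octal permission bits of a path, low 9 bits only (e.g. 700), portable
# across GNU (-c) and BSD (-f) stat.
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# Owner name of a path, portable across GNU and BSD stat.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Succeed (0) only if neither the group nor the "other" triplet carries the
# write bit: the octal digits 2, 3, 6 and 7 are the ones containing w.
not_group_world_writable() {
    mode=$(mode_of "$1")
    gd=$(printf '%s' "$mode" | cut -c2)
    od=$(printf '%s' "$mode" | cut -c3)
    case "$gd" in 2|3|6|7) return 1 ;; esac
    case "$od" in 2|3|6|7) return 1 ;; esac
    return 0
}

# check_ssh_dir HOME USER: print one line per finding and return 0 only when
# every path sshd inspects is present, owned by USER (or root) and not
# writable by group or others.
check_ssh_dir() {
    home=$1; user=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        owner=$(owner_of "$p")
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "OWNER    $p is owned by $owner, expected $user"; rc=1
        fi
        if ! not_group_world_writable "$p"; then
            echo "MODE     $p is group/world writable ($(mode_of "$p"))"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK       $home/.ssh/authorized_keys will be honoured"
    return "$rc"
}
```

Run it as the user who cannot log in, e.g. `check_ssh_dir "$HOME" "$(id -un)"`; sshd also logs the exact refusal ("Authentication refused: bad ownership or modes") in auth.log, which is the server-side confirmation to look for.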
Are you saying you are using exactly the same key pair for both the root and non-root users?
That is a security hole called common mode failure.
Set up your second user as you would for root, but without the rights, generating their own key pair and placing them as usual, for that user.
I will not allow the root user to use SSH. I only did that on the very first SSH connection to test that it worked. Then I:
1) Removed that SSH public key from the root user
2) Disallowed the root user from SSH in the SSH configuration
3) Added my SSH public key to the user that I created for the purposes of SSH into the opnsense router
The trouble is, for some reason, I can SSH in as the root user using the public key for my SSH access, but it does not work for the other user. I don't know if maybe my logging on as the root user had created some kind of caching that lived on after I removed the key from the root user and placed it on the other user?
On my client device, I have a "~/.ssh/config" file which specifies the HostName, Port, User, IdentityFile, and IdentitiesOnly is set to yes.
The private key is on an Onlykey. When I set up the config file to use the root account, it pops up a message asking me to touch the Onlykey to prove presence, as expected. But simply changing the username to the second account I want to use in opnsense for ssh, it does not ask me to touch the Onlykey, the Onlykey does not flash its blue LED, and it immediately says permission denied. This makes me think something is a bit messed up on the client side, not on opnsense? But I have no idea why. The ssh key works for sure, because it works when I set up the root account in opnsense for that public key. It is just the other account that refuses to make that work.
Thanks
Forgive me for not troubling to analyse precisely what might be causing your issue and instead offering some general advice:
If you want to do a new thing which is not incompatible with the old thing, set up the new, test it, and only then remove the old.
Your problems most likely arise from trying to transition bits of A to B rather than setting up B and only then removing A. I am not concerned with what exactly went wrong there.
I would start over, avoiding "shortcuts".