Messages - Ardentis

#1
25.7, 25.10 Series / Re: Allow SSH for non-root user?
September 22, 2025, 01:57:20 PM
I will not allow the root user to use SSH. I only did that on the very first SSH connection to test that it worked. Then I:
1) Removed that SSH public key from the root user
2) Disallowed the root user from SSH in the SSH configuration
3) Added my SSH public key to the user that I created for the purpose of SSH-ing into the OPNsense router

The trouble is, for some reason, I can SSH in as the root user using the public key for my SSH access, but it does not work for the other user. I don't know if maybe my logging on as the root user had created some kind of caching that lived on after I removed the key from the root user and placed it on the other user.

On my client device, I have a "~/.ssh/config" file which specifies the HostName, Port, User, IdentityFile, and IdentitiesOnly is set to yes.

The private key is on an Onlykey. When I set up the config file to use the root account, it pops up a message asking me to touch the Onlykey to prove presence, as expected. But simply changing the username to the second account I want to use in OPNsense for SSH, it does not ask me to touch the Onlykey, the Onlykey does not flash its blue LED, and it immediately says permission denied. This makes me think something is a bit messed up on the client side, not on OPNsense? But I have no idea why. The SSH key works for sure, because it works when I set up the root account in OPNsense for that public key. It is just the other account that refuses to make that work.

Thanks
#2
25.7, 25.10 Series / Allow SSH for non-root user?
September 22, 2025, 03:02:29 AM
I have set up SSH to OPNsense. I allowed the root user to have SSH access, and put my client public key into the authorized_keys for the root user. That works fine, I can SSH in as root.

But I would rather not use the root user for SSH. So I set up a second user, and put the public key in that user's authorized_keys. On my client device, I then edited ~/.ssh/config to have two entries for the OPNsense server, both identical except one is the root user, and the other is my new user.

I can log on fine with the root one, but not with the other user. It says

Permission denied (publickey).

I did some research, and it was indicated that I have to change the permissions and ownership of the files in ~/.ssh. Is this the case? I was reluctant to do that. Is there any documentation on getting any user other than root to have working SSH on OPNsense, with a focus on the best practice for security?

Thank you for your time.
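The two posts above (the original question and the follow-up about the Onlykey never being touched) both come down to what sshd checks before it accepts a key. With OpenSSH the client first offers the public key without signing; the server answers whether that key is acceptable for that account, and only then does the client sign, which is the step that needs the hardware-token touch. An immediate "Permission denied (publickey)" with no touch prompt therefore means the server declined the key up front, and one of the things sshd verifies at that point (under its default StrictModes setting) is the ownership and mode of the user's home directory, ~/.ssh and ~/.ssh/authorized_keys. The script below is an added example written for this page, not code from the poster or from the OPNsense project; it reproduces those StrictModes checks so they can be run on the server as root for the non-root account. The paths and user name given on the command line are assumptions for illustration.

```shell
#!/bin/sh
# Added example: reproduce the ownership/mode rules sshd enforces under
# StrictModes (the default) for a user's home, ~/.ssh and ~/.ssh/authorized_keys.
# Usage: sh check_ssh_perms.sh /home/alice alice   (paths/user are illustrative)
# Prints one line per problem found; exit status 0 when everything passes, 1 otherwise.

# mode_and_owner PATH -> prints "<mode-string> <owner>" taken from ls -ld, which is
# portable across FreeBSD (OPNsense) and Linux, unlike the differing stat(1) flags.
mode_and_owner() {
  ls -ld "$1" | awk '{print $1, $3}'
}

# check_path PATH USER -> 0 when PATH exists, is owned by USER or root, and is
# writable by neither group nor others; 1 otherwise (with a reason printed).
check_path() {
  p="$1"; user="$2"; ok=0
  if [ ! -e "$p" ]; then
    echo "MISSING   $p"
    return 1
  fi
  # shellcheck disable=SC2046  (word-splitting the two fields is intended)
  set -- $(mode_and_owner "$p")
  mode="$1"; owner="$2"
  if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
    echo "OWNER     $p is owned by $owner, expected $user (or root)"
    ok=1
  fi
  # In the ls mode string, character 6 is the group write bit and 9 the other write bit.
  if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]; then
    echo "GROUP-W   $p is group-writable ($mode)"
    ok=1
  fi
  if [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
    echo "OTHER-W   $p is world-writable ($mode)"
    ok=1
  fi
  return $ok
}

# check_ssh_perms HOME_DIR USER -> checks the three paths sshd cares about.
check_ssh_perms() {
  home="$1"; user="$2"; rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    check_path "$p" "$user" || rc=1
  done
  if [ "$rc" -eq 0 ]; then
    echo "OK        $home passes the StrictModes checks for $user"
  fi
  return $rc
}

# Run the check when invoked directly with a home directory and a user name.
if [ "$#" -eq 2 ]; then
  check_ssh_perms "$1" "$2"
fi
```

A typical passing layout is home 755 (or tighter), ~/.ssh 700 and authorized_keys 600, all owned by the account in question. If the script reports nothing wrong but the login still fails without a touch prompt, the remaining server-side causes are the account itself (for example an AllowUsers/AllowGroups restriction or the account not being permitted a login shell), which sshd's log on the server will name.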
#3
General Discussion / Re: New opnsense setup
April 01, 2025, 08:44:09 AM
Quote from: bartjsmit on April 01, 2025, 07:59:03 AM
Replace the router with the Protectcli instead of trying to use them in series.

I intend to use the router as a WiFi AP as it is a triple mesh setup that covers the required area. I was thinking that the setup would be to use the Protectli as the router and firewall, and put the current router into a WiFi AP mode. I assume that is what you are talking about?

#4
General Discussion / New opnsense setup
April 01, 2025, 07:48:00 AM
Hello

I currently have an out-of-the-box WiFi router connected to an HFC modem. I would like to put OPNsense before the router. It is not possible to install OPNsense on the router, so I am looking to get a Protectli hardware device, and put it before the router. Maybe a Protectli V1410. I am learning this as I go.

Can anyone recommend some links or tutorials that will walk through some options for configuration and setup? I currently have a Pi-hole server set up on the network, and I do have a double-NATed segment on the network just to keep a work device isolated from the rest of the network. Just trying to figure out the best configuration, and trying to avoid any security misconfigurations.

Thanks for any advice