Minimal desktop install?

Started by Yewtink, October 30, 2024, 12:34:42 AM

Not for SSH. Certificates are for OpenVPN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Yewtink on October 31, 2024, 06:47:41 PM
I typically learn by reverse engineering what I need to make things work. I google the file in question and find someone that will tear the file apart and will explain what each line means and how to edit. Or I open the file in Notepad++ and find a typo or incorrect formatting that I can correct.

In general you cannot edit or "correct" configuration files in OPNsense. All configuration files are generated anew from the central configuration every time the system boots. The only way to change configuration is through the UI or the API over HTTP.

Ok, I am too tired to mess with it tonight. May I suggest better "tips" in the add user. One of the fields clearly asks for a User CA and when configuring PuTTY it also has a place to enter a CA. Neither are documented well enough for idiots like me that require a little more detail.

I did try to ssh into OPNsense on my Windows 11 pro.  Thought it was going to work until it rejected the password.

As for the reverse engineering there is much more documentation for using CLI and manual file edits. That it helps me understand what is needed so it makes the Web UI easier to understand. Guess your position is, it is right there in the Web UI if you know what happens in the background. I do not know or understand so I have to hunt for the proper terms for what I need to do and have to pray that the directions aren't outdated at the time I am reading it. If I can view a file I can try and read a code, if I get stuck or need more information I can enter the code and get a detailed response back. Getting stuck in the Web UI and googling takes forever with minimal results.

November 01, 2024, 06:01:09 AM #33 Last Edit: November 01, 2024, 06:03:17 AM by Patrick M. Hausen
You are aware of the extensive documentation?

https://docs.opnsense.org/manual/how-tos/user-local.html

E.g.
Quote:
Authorized keys
Optional, paste ssh key for ssh console access

And:

Quote:
I did try to ssh into OPNsense on my Windows 11 pro. Thought it was going to work until it rejected the password.

You did enable password authentication in System > Settings > Administration?

November 01, 2024, 11:16:18 PM #34 Last Edit: November 01, 2024, 11:20:47 PM by EricPerl
Config for ssh:

  • System->Settings->Administration->Secure Shell->Enable

    • Enable
    • Optional: Permit root login
    • Optional: Permit password login
Both optional settings are sufficient for Windows ssh root@<your firewallIP> to work.

Additional users can be created in System->Access->Users.

  • Set Username, e.g. test
  • Choose a password or generate a randomized one
  • Select a login shell OTHER THAN nologin
  • Make a member of admins
  • copy the output of "type .\.ssh\keyfile.pub" in authorized keys *
  • Save
  • Select a login shell OTHER THAN nologin, again, otherwise you'll get "This account is currently not available"
  • Save. It should just work in one step but it does not for new users IME

* Generated by "ssh-keygen -f .\.ssh\keyfile"

Access via ssh -i .\.ssh\keyfile <username created above>@<your firewallIP>
Use -v if you want/need to see details (e.g. supported algorithms and authn methods).
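
As an added example (not part of the original posts, and not OPNsense code): a Python check that text about to be pasted into the Authorized keys field is a single-line OpenSSH public key, as printed from keyfile.pub, rather than a PuTTY .ppk file, a certificate or a private key. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Prefixes of text that is NOT an authorized_keys entry but is easily pasted as one.
WRONG_FORMATS = [
    ("PuTTY-User-Key-File-", "putty-ppk"),           # PuTTY private key file (.ppk)
    ("---- BEGIN SSH2 PUBLIC KEY ----", "rfc4716"),  # PuTTYgen "Save public key" output
    ("-----BEGIN CERTIFICATE", "x509-certificate"),  # X.509 certificate, not an SSH key
]

def check_authorized_key(text):
    """Classify text meant for the Authorized keys field: (kind, fingerprint or None).
    Lines that start with authorized_keys options are not handled here."""
    t = text.strip()
    for prefix, kind in WRONG_FORMATS:
        if t.startswith(prefix):
            return kind, None
    if t.startswith("-----BEGIN"):
        first = t.splitlines()[0]
        return ("private-key" if "PRIVATE KEY" in first else "pem-block"), None
    fields = t.split()
    if "\n" in t or len(fields) < 2:
        return "not-a-key-line", None      # an entry is one line: type, base64, comment
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return "bad-base64", None
    # The blob starts with a length-prefixed algorithm name that must match field 1.
    if len(blob) < 4:
        return "type-mismatch", None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        return "type-mismatch", None
    digest = hashlib.sha256(blob).digest()  # same SHA256 form as `ssh-keygen -lf` prints
    return "openssh-public-key", "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_sample_line():
    """Constructed sample: structurally valid ssh-ed25519 line, not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " test@windows-pc"

if __name__ == "__main__":
    print(check_authorized_key(make_sample_line()))
    print(check_authorized_key("PuTTY-User-Key-File-3: ssh-ed25519"))
```

Comparing the returned fingerprint with the output of ssh-keygen -lf on the same .pub file confirms that the pasted line is the key you intended.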

Quote:
You did enable password authentication in System > Settings > Administration?

Yes, the option was enabled, but later noticed that the login shell had reverted back to "nologin." I fixed that and immediately saved and exited the Web UI.

Quote:
You are aware of the extensive documentation?

https://docs.opnsense.org/manual/how-tos/user-local.html

That page I hadn't seen, would be nice if the Web UI would have taken me there.  I usually click on the full help in the top right.  So this is what I was looking at:


  • User Certificates     Optional, check if a user certificate should be created

I was trying to generate a user CA that both OPNsense and PuTTY would use.

Sorry I am difficult. I also double checked my Windows 10 Pro pc and I had already added the Windows Subsystem for Linux.

Thanks guys, the Windows ssh is working.