Minimal desktop install?

[bimbar]

I could be wrong too, but I really don't think so. AFAIK it would require openssh to be configured to trust a CA, and client certs would have to have been issued (signed) by that CA. I don't think a self-signed cert would work. There has been talk about implementing it in opnsense (https://github.com/opnsense/core/issues/6007), but I don't think it has actually happened, so you get people trying to hack around it like https://forum.opnsense.org/index.php?topic=43142.0

No.

You can copy a key to the opnsense. SSH does not use the TLS certificate hierarchy.

[dseven]

SSH does not use the TLS certificate hierarchy.

Not sure what you're saying here - SSH does not use SSL or TLS, but it *can* (generally, outside the context of OPNsense) do certificate-based authentication (both server and client) in a similar manner.

[cookiemonster]

think we've started to convolute this. So let me see we can clarify.
SSH authentication for OPNSense
- Default is username and password.
System: Access: Users
User connects via ssh to OPN, OPN prompts for username and password.
- Can it use instead certificates?
Here is yes. As bimbar says you can simply copy your keys to OPNSense and becomes an authorised key.
Wheter the age old "ssh-copy-id" works fine, I don't know. I imagine yes. Otherwise usual "manual" scp or similar. And what I was aluding to was that the UI has in recent versions a field "Click to generate" and another to paste an existing one. So it seems UI can create or use existing.
Public CAs have no part to play here! So we're all saying it so think we're good. This mostly for the OP.

p.s. what I do not know is if the pasted key in that field has to be a specific type RSA, ecds, ed25519, etc. or whatever preference from ssh-keygen is used.

[Patrick M. Hausen]

@cookiemonster SSH keys are not certificates. Two different things. And you should not use ssh-copy-id, because the key does not end in the configuration. Use the UI, System > Access > Users and upload a key, not a certificate.

[bimbar]

SSH does not use the TLS certificate hierarchy.

Not sure what you're saying here - SSH does not use SSL or TLS, but it *can* (generally, outside the context of OPNsense) do certificate-based authentication (both server and client) in a similar manner.

As it turns out, it can, but I have never seen it used, and it's not really relevant in the opnsense context.

[cookiemonster]

@cookiemonster SSH keys are not certificates. Two different things. And you should not use ssh-copy-id, because the key does not end in the configuration. Use the UI, System > Access > Users and upload a key, not a certificate.

yeah true technically and I should have been clearer, thanks for reminding me to not mix the terms.

[Yewtink]

Following the steps under System > Access > Users seems straightforward, but after spending about an hour re-reading the documentation, I found a couple of mistakes on my part. First, the initial setup didn’t mention avoiding the use of a domain.local, which can cause confusion with certain systems. Second, I forgot to change the login shell directory.

I’m currently facing an issue with the User Certificates. OPNsense can create the certificates without any problems, and I can save them to my computer. However, when I try to import them into PuTTY, I run into challenges. I'm using an older Windows desktop at home and prefer the PuTTY GUI interface since I'm not comfortable with the CLI—I don’t have an IT background.

The main error I’m encountering is: "Unable to use certificate file 'Z:\OPN\MyInternalCert_crt.pem' (OpenSSH SSH-2 private key (old PEM format))."

I’ve researched the difference between old and new PEM formats. I found an example in another post and tried editing the PEM file to match that format, but I’m still getting an error.

My main question is: how can I secure SSH so that only I can log in using the username/password, CA, or key, ensuring it works across any OS I use?

Additionally, I noticed the package openssh-portable 9.9.p1,1 in OPNsense. Is it possible to convert the OpenSSH CA to SSH-2 PEM format so that it will work with PuTTY?

Thank you for your help!

[cookiemonster]

Sorry not me. I don't nor will use putty, so I'm out.

p.s. your requirements would be easily met if you did not use it.

[Yewtink]

p.s. your requirements would be easily met if you did not use it.

Is there another Windows GUI SSH option?  Putty works really good for every other machine I have tried to ssh into.

Is there a post somewhere that list the SSH key requirements?  Putty has a ton of tweeks where I can set the algorithm, cipher, GSSAPI and so much more. 

[Patrick M. Hausen]

System > Settings > Administration

Enable SSH Password Login

Open a Powershell window

Type: ssh <username>@192.168.1.1


But you have not yet explained why you think you need SSH access in the first place. All logfiles are accessible in the web UI.

[Yewtink]

But you have not yet explained why you think you need SSH access in the first place. All logfiles are accessible in the web UI.

While all log files are accessible through the web UI, the specific details in those logs are not shown.  I am not aware of a ability to enter the console from the web UI so I can manually open the logs in question.

For example, the log entry "Debug configd.py OPNsense/Sslh generated //etc/rc.conf.d/sslh" doesn’t provide me with useful information. If I could access the config file and review it with examples, I could usually identify the issue. The web UI is designed by people who are more knowledgeable than I am, and it caters to those with more networking experience. I typically learn by reverse engineering what I need to make things work.  I google the file in question and find someone that will tear the file apart and will explain what each line means and how to edit.  Or I open the file in Notepad++ and find a typo or incorrect formating that I can correct.

When I refer to the documentation for assistance, it often provides CLI instructions. However, I can't use the CLI if I don't have SSH access to the device.

Here is a example most cells are pretty simple, I looked in the docs for explination of each cell.

DNS domain names: assuming if I am connecting off site I would need to add the additional domain. user@google.com

IP addresses:  Just guessing the same but it isn't clear  Just assuming if it get a ssh request from 8.8.8.8

[Patrick M. Hausen]

Ok, so what are you trying to achieve in that certificate menu? This is not for SSH access. Not at all.

Either use password authentication like I already showed you above.

Or:

1. Create a private/public key pair with puttygen.
2. Convert the public key to OpenSSH format with puttygen.
3. Place that public key in the user account under System > Access > Users ... particular user.

Then tell putty to use the private key for authentication.

SSH in OPNsense does not use certificates! Keys are not certificates!

[cookiemonster]

meantime..

p.s. your requirements would be easily met if you did not use it.

Is there another Windows GUI SSH option?  Putty works really good for every other machine I have tried to ssh into.

Is there a post somewhere that list the SSH key requirements?  Putty has a ton of tweeks where I can set the algorithm, cipher, GSSAPI and so much more.

Windows terminal although only available for Windows 10 and 11. Best used with Windows Subsystem for Linux aka WSL. With that, you get a very capable terminal and replaces putty. You get that and quite a bit more as with WSL you get the openssl libraries for example.
@Patrick - ssh keys might not be certificates but a lot of documentation out there refers to them as such. I had to double check why I had it ingrained in my mind as muscle memory. See https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication#sec-Introduction_to_SSH_Certificates as an example.
Are we discussing something different perhaps ?

[Patrick M. Hausen]

This is an entirely different new method that is to my knowledge not supported by OPNsense in the current state.

It integrates OpenSSH with a certificate based PKI so you do not need to copy your public key to every single account you want to log in to.

But please for this case let's stick to keys.

Traditional SSH keys are not certificates. Never were.

I am referring to this method:
https://www.digitalocean.com/community/tutorials/how-to-create-ssh-keys-with-openssh-on-macos-or-linux

Really how on earth did certificates enter this thread at all?

[cookiemonster]

yes it did because the two methods: keys and certificates got conflated. Partly by me to be frank.
The fields in the System | Users are what made me wonder if OPN now supports both. That's all.