Enable SSH at Console

Started by kmschneider1, February 22, 2026, 04:28:24 PM

I am looking to find out how to enable SSH at the console, NOT using the WebGUI. I have searched extensively, but the information always points to the WebGUI or is about issues with existing SSH setups. For reference as to why I need the console: I made a dumb noob move while trying out Caddy and did not back up first. My WebGUI is currently inaccessible. Everything else works perfectly, so I am trying to fix it via the console since I think I know what is causing the issue. However, my OPNsense box is in my basement and I apparently did not enable SSH before all this happened.

I do know that a reinstall will resolve this, but since everything else (VPN, Port Forwarding, DHCP Leases) works, I am trying to fix it without needing to redo everything.

On the console use:

```
configctl service start openssh
```
or
```
configctl openssh start
```
Not sure if the 'service start' survives a reboot.
The documentation uses SSH as an example: https://docs.opnsense.org/development/backend/configd.html#naming-convention

And: in the folder /conf/backup are backups of your previous config, in case you need them.
Deciso DEC740

Here's Grok's take. Can't verify if it works but it should get you started in the right direction.


Have you tried restoring a backup? As far as I know, they are created by default after every change, and you can also do this from the console.

Quote from: Kinerg on February 22, 2026, 04:53:04 PM
Here's Grok's take. Can't verify if it works but it should get you started in the right direction.


This is exactly what I needed and helped me enable SSH. For anyone referencing, Grok explains how to access and update the config file, and I needed to do this to enable SSH. Additionally, it also helped me find the error that caused all of this to begin with, so that was incredibly helpful! I am frustrated that my hours of searching on this never once returned this information.

Grok's link expires after a while; going to paste it here so it's preserved for future reference...

Quote
**To enable SSH on OPNsense when you've lost WebUI access, use the built-in console menu (available via physical VGA/keyboard, serial, or VM console).** This works because SSH configuration lives in `/conf/config.xml` (the central config file), and the console gives you shell access to edit it directly. No internet or WebUI is required.

### Step-by-Step Instructions

1. **Access the console** 
  - Connect a monitor + keyboard (VGA) or serial cable. 
  - In a VM (e.g., Proxmox/ESXi), open the VM console. 
  - Power on or reboot if needed. Log in as **root** with your root password (default is usually `opnsense` on fresh installs, or whatever you set).

2. **Enter the OPNsense menu** 
  You'll see a numbered list (something like): 
  ```
  1) Assign Interfaces
  2) Set interface(s) IP address
  ...
  8) Shell
  5) Reboot system
  ...
  ```
  **Choose `8) Shell`** (this drops you to a FreeBSD root shell).

3. **(Optional but recommended) Verify current state** 
  ```
  ssh localhost
  ``` 
  or 
  ```
  ps aux | grep sshd
  ``` 
  If nothing is listening on port 22, SSH is disabled.

4. **Edit the config to enable SSH** 
  ```
  vi /conf/config.xml
  ``` 
  (vi is built-in; press `i` to insert/edit, Esc to exit insert mode, then `:wq` to save & quit. If you prefer nano: `pkg install nano` first.)

  - Press `/` then type `system` and Enter to jump to the `<system>` section. 
  - Inside the `<system>` ... `</system>` block, **add or edit** the `<ssh>` subsection so it looks like this (place it near the end of the `<system>` block, before `</system>`):

    ```xml
    <ssh>
      <enabled>1</enabled>
      <port>22</port>
      <permitrootlogin>1</permitrootlogin>  <!-- allows root login (recommended for recovery) -->
      <passwordauth>1</passwordauth>        <!-- allows password login -->
      <!-- Optional: restrict to LAN only -->
      <!-- <interfaces>lan</interfaces> -->
    </ssh>
    ```

    - If a `<ssh>` block already exists, just change `<enabled>0</enabled>` (or missing) to `1` and add the other lines as needed. 
    - Values like `1` (or sometimes `enabled`) both work; `1` is standard.

5. **Apply the changes** (no reboot needed in most cases) 
  ```
  /usr/local/etc/rc.sshd restart
  ``` 
  or 
  ```
  configctl sshd restart
  ``` 
  (If neither works: `pkill sshd; /usr/local/sbin/sshd`)

  You can also just reboot from the menu (exit shell with `exit`, then choose `5) Reboot system`).

6. **Test SSH** 
  From another machine on the same LAN: 
  ```
  ssh root@YOUR-OPNSENSE-LAN-IP
  ``` 
  (e.g., `ssh root@192.168.1.1`). It should connect and drop you straight into the OPNsense menu.

### Extra Tips & Common Fixes
- **If you also lost WebUI access** (same root cause): 
  In the same `/conf/config.xml` edit, look for the `<webgui>` section and make sure it has `<enabled>1</enabled>` and no overly restrictive `<listenaddr>` or `<interfaces>`. 
  Or simpler: from the console menu, choose **2) Set interface(s) IP address** → it often offers to "restore web GUI defaults" (switches back to HTTPS on all interfaces).

- **Firewall rules**: 
  Once SSH is enabled in config, the built-in **anti-lockout rule** (on LAN) automatically allows port 22 to the firewall itself. You don't need to add a manual rule for LAN access.

- **Security notes** 
  - Only enable root login temporarily if needed. 
  - For production, create an admin user in the admins/wheel group, add your SSH key under **System > Access > Users**, then disable password/root login later (when WebUI is back). 
  - Restrict listen interfaces to LAN only in the `<ssh>` block if desired.

- **Backup first** (good practice): 
  Before editing: 
  ```
  cp /conf/config.xml /conf/config.xml.bak
  ```

This method is the standard recovery path documented across OPNsense forums, GitHub issues, and troubleshooting guides. Once SSH is up, you can fix the original WebUI issue from the shell or re-enable the GUI properly.

If you run into any error (e.g., XML syntax), paste the exact error here and I can help debug the config snippet. Good luck!
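Added example, not part of any post in this thread: a small Python check to run over `/conf/config.xml` after a hand edit like the one quoted above. It catches malformed XML and lists the recovery-time SSH settings (root login, password authentication, no interface restriction) that the quoted security notes say to turn off again later. The element names are assumed from the `<ssh>` snippet quoted in this thread and are not checked against the OPNsense config schema; `audit_ssh` and `SAMPLE` are hypothetical names.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the <ssh> block quoted in the thread.
SAMPLE = """<opnsense>
  <system>
    <ssh>
      <enabled>1</enabled>
      <port>22</port>
      <permitrootlogin>1</permitrootlogin>
      <passwordauth>1</passwordauth>
    </ssh>
  </system>
</opnsense>"""


def audit_ssh(xml_data):
    """Return a list of findings for the <system><ssh> block of a config."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        # A hand edit that leaves a tag unclosed or mismatched ends up here.
        return [f"config is not well-formed XML: {exc}"]
    ssh = root.find("./system/ssh")
    if ssh is None:
        return ["no <ssh> block under <system>"]

    def on(tag):
        # Assumption from the thread: a missing element, empty text or "0" means off.
        return (ssh.findtext(tag) or "").strip() not in ("", "0")

    findings = []
    if not on("enabled"):
        findings.append("ssh is not enabled")
    if on("permitrootlogin"):
        findings.append("root login over SSH is allowed")
    if on("passwordauth"):
        findings.append("password authentication is allowed")
    if not on("interfaces"):
        findings.append("no <interfaces> restriction set")
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_ssh.py /conf/config.xml   (no argument: use SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in audit_ssh(data) or ["no findings"]:
        print(line)
```

Running it against a copy of the file before restarting sshd shows a syntax slip while the previous config in `/conf/backup` is still easy to restore.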

Today at 01:14:22 AM #6 Last Edit: Today at 01:16:50 AM by nero355
You have sparked my curiosity :

Since OPNsense is basically "FreeBSD + a lot of code on top of it" I would expect this to be enough to get OpenSSH Server running : https://docs.freebsd.org/en/books/handbook/security/#_enabling_the_ssh_server

Did you try that by any chance ?!



Your eventual solution (Written by some Machine Learning Chatbots it seems ?!) also mentions this :
```
/usr/local/etc/rc.sshd restart
```
That's a pure FreeBSD command used "before the service era" so if that worked too then the good old FreeBSD Handbook was all you needed ;)

(And IIRC since it's from /usr/local/etc/ it has to be the OpenSSH Server you install separately and not the one included in the OS itself!)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)