Help.. trying to configure SSHD on FreeBSD 14.2 Release

Hi Folks.
Please bear with me here. I am a total Linux newbie (last touched it in 1995) although I have tons of Windows Server experience.

I am setting up a simple FreeBSD box to be a headless unit using only SSH to communicate to. This will be our firewall.

I have been trying to enable SSH on the system and am getting endless PAM authentication errors whatever I do. I am using PuTTY to talk to the server.
Yes - the SSHD service is running.. however the ssh_config is getting beyond me as this has a LOT of new entries I am not familiar with.. whatever PAM is - she is royally pissed at me!!!

Desperately looking at the simplest ssh_config that I can use..

Sincerely..
Marc
 
In a nutshell, /etc/ssh_config is for outgoing connections, when you are on the FreeBSD box and say "ssh <other_host>". For incoming connections into your new machine, the configuration of the ssh daemon (the program that receives ssh traffic) is in /etc/sshd_config.

I just looked at my machine, and sshd_config is nearly completely default, except for explicitly disallowing root logging in via ssh with "PermitRootLogin no" (which is I think the default), and allowing password checking within ssh with "PasswordAuthentication yes; PermitEmptyPasswords yes", because I have accounts with an empty string as the (valid) password.

What are the PAM errors you are getting? Did you change the PAM configuration? I've never had a problem with incoming ssh, both using passwords for authentication (which sshd calls "KeyboardInteractive") and with using per-client key files.
 
I never used PAM and I never edited the default «/etc/ssh/sshd_config». All (almost all) changes can be provided via the main configuration file «/etc/rc.conf.local» (or «/etc/rc.conf», if you want). Note: if you make a mistake in this file with quotation marks, for example, the system will not start!
The best way is to put your <root public key> into the «~root/.ssh/authorized_keys» file during the last stage of the FreeBSD installation process, when bsdinstall suggests you make final changes in the system:
Bash:
mkdir -p -v -m "500" ~root/.ssh && printf "<Public Key>\n" >> ~root/.ssh/authorized_keys && chmod "400" ~root/.ssh/authorized_keys
Then edit the config file with «ee "/etc/rc.conf.local"» and add some parameters for sshd:
INI:
sshd_flags="${sshd_flags%[[:space:]]}${sshd_flags:+" "}-o Port=\"22222\" -o PermitRootLogin=\"prohibit-password\" -o PasswordAuthentication=\"no\" -o ChallengeResponseAuthentication=\"no\" -o GSSAPIAuthentication=\"no\" -o UsePAM=\"no\" -o ClientAliveInterval=\"360\" -o ClientAliveCountMax=\"6\""
to enable root with the public key only, not using a password, and to move sshd to a non-standard port (PuTTY & Far Manager must be configured to use this port number as well).
But, as I understand, you did not do this during install, so:
0. Generate a key pair (on another machine, from which you will access this box), like «ssh-keygen -t "RSA" -b "16384" -C "RSA Key 16384 Bits for Root on the FireWall Box" -N "" -f ~/.ssh/Box-Root-RSA-16384 -v» or with PuTTYgen with these parameters. Long generation, but it is for «root» on a machine looking out to the Internet, so sit and wait! Also make sure the SSH/PuTTY version is «up to date»: developers do not «sleep».
1. If you can access your filesystem somehow (is it really headless?), make a «temporary» «/etc/rc.conf.local» (before the correct setup, just to connect once to the machine) with this line: «sshd_flags=" -o PermitRootLogin=yes"» and restart sshd: «service "sshd" restart» or reboot your «box».
2. Connect to your box (SSH, PuTTY, …), using the name «root» and the password entered (twice?) during the setup process.
3. Make the settings described before to set up key-based SSH-2 authorization and disable «PermitRootLogin=yes», as it is a very bad «temporary» idea!
4. Make «~/.ssh/config» files for the accounts with SSH access to this server; it's extremely convenient!
Code:
Match   Host "Box,Box.DoMaIn.Org"       # Aliases, can be anything you like…
        HostName    "Box.DoMaIn.Org"    # Real DNS name of the server, or IP address.
        # Generally, replacing port 22 with a «non-standard» value is not a very reliable protection… But if you are tired of collecting 300K+ errors per hour in «/var/log/auth.log» and «/var/log/messages», then this measure helps…
        Port    "22222"                 # Non-standard port, specified in the parameter string for sshd («sshd_flags="${sshd_flags%[[:space:]]}${sshd_flags:+" "}-o Port=\"22222\" -o PermitRootLogin=\"prohibit-password\"…"» in «/etc/rc.conf.local» in the case of FreeBSD).
        User    "SuperPuperRoot"
        IdentityFile    "~/.ssh/Box-Root-ED25519"      # A «fast-acting» secret key for connections from «trusted» and verified addresses. The list of addresses is limited by the line «from="AAAA:BBBB:CCCC:DDDD::?,123.456.789.012,TrustedGate.Org"    ssh-ed25519    …PublicKey…    …Comment…» in the «~root/.ssh/authorized_keys» file on the server.
        IdentityFile    "~/.ssh/Box-Root-RSA-16384"    # A «reliable» secret key for connections from «all other» hosts. There is no «from=…» construction before it in the «~root/.ssh/authorized_keys» file, or the rules in it are «more general».
        ConnectTimeout    "360"
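The post above pushes settings in through sshd_flags with -o, earlier posts edit sshd_config, and the two are merged by sshd (a -o option on the command line wins over the same keyword in the file). The only reliable way to see what the daemon actually ended up with is `sshd -T`, which dumps the effective configuration. The script below is an added example, not code from this thread: it reads `sshd -T` output and flags the settings that matter for a headless, Internet-facing box. The sample output embedded in it is constructed for offline use.

```shell
#!/bin/sh
# Added example: audit sshd's *effective* settings instead of guessing from
# sshd_config plus whatever rc.conf sshd_flags bolted on.  On the box, as root:
#     sshd -T | sh -c '. ./audit.sh; audit_sshd_settings'
# (sshd -T prints the merged result of the config file and any -o flags.)
# SAMPLE_SSHD_T is a constructed excerpt in sshd -T's format (lowercase
# keyword, one space, value); nothing in this file talks to a real sshd.

SAMPLE_SSHD_T='port 22
permitrootlogin yes
passwordauthentication yes
permitemptypasswords yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
usepam yes
maxauthtries 6
x11forwarding no'

# audit_sshd_settings reads sshd -T output on stdin, prints one line per
# weak value, and returns 0 when clean or 1 when anything was flagged.
audit_sshd_settings() {
    findings=0
    while read -r key value; do
        case "$key" in
            permitrootlogin)
                # "no" is the FreeBSD default; prohibit-password is the
                # acceptable exception if root really must log in by key.
                case "$value" in
                    no|prohibit-password) ;;
                    *) echo "WEAK: PermitRootLogin $value (want no)"; findings=1 ;;
                esac ;;
            passwordauthentication|kbdinteractiveauthentication)
                # Leaving either one at yes means password guessing still
                # works after you believe you have gone key-only.
                [ "$value" = no ] || { echo "WEAK: $key $value (want no once keys work)"; findings=1; } ;;
            permitemptypasswords)
                [ "$value" = no ] || { echo "WEAK: PermitEmptyPasswords yes"; findings=1; } ;;
            pubkeyauthentication)
                [ "$value" = yes ] || { echo "WEAK: PubkeyAuthentication $value (keys would not work)"; findings=1; } ;;
            maxauthtries)
                # Not fatal, so it is a NOTE rather than a WEAK finding.
                [ "$value" -le 4 ] 2>/dev/null || { echo "NOTE: MaxAuthTries $value (consider 3-4)"; findings=1; } ;;
        esac
    done
    return $findings
}

# count_weak returns the number of WEAK findings for a given sshd -T text,
# handy when scripting a check across several boxes.
count_weak() {
    printf '%s\n' "$1" | audit_sshd_settings | grep -c '^WEAK' || true
}

# Stand-alone run over the constructed sample:  sh audit.sh --demo
if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_settings
fi
```

If your sshd_config contains Match blocks, run `sshd -T -C user=marc,host=laptop.example,addr=203.0.113.5` (hypothetical values) so the dump reflects the block that applies to that connection; a bare `sshd -T` shows only the global values.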
 
What are the PAM errors you are getting? Did you change the PAM configuration? I've never had a problem with incoming ssh, both using passwords for authentication (which sshd calls "KeyboardInteractive") and with using per-client key files.
He has PAM errors because «PermitRootLogin=no» is the default, so sshd does not allow root to log in with a password (even a long and correct one).
 
Desperately looking at the simplest ssh_config that I can use..
This may not be the best way, but it is my way, done dozens of times over the years.

First-time run after installing FreeBSD: you need a monitor and keyboard hooked up directly. Change these and do this:

Code:
|host# ee /etc/ssh/sshd_config
    Port #
    PermitRootLogin yes                # this might be temporary
    PasswordAuthentication yes    # this should be temporary
    UseDNS no
    # -EOF-

|host# service sshd restart
|host# ifconfig                # note IP address
|host# sockstat -4l   # prove sshd is running & port #

Using PuTTY or Bitvise or whatever from a Windows machine (in my case), log into the sshd server on the new FreeBSD install. Prove you can log in. Set up the system to use only PKI keys, as others have described above. Then set 'PasswordAuthentication no' and 'service sshd restart'.

Log out and log back in via the PKI keys method. Once that is proven to work, disconnect monitor & keyboard from the FreeBSD box. Presto, headless.
 
Log out and log back in via the PKI keys method.
Use a second session to test. If it doesn't work you're still logged in with the first session as root to make the necessary changes. If you logout and made a mistake you could lock yourself out and won't be able to get back in.

And the default sshd_config should work out of the box. Don't enable root logins; it's a bad habit. Add your first user to the wheel group so you can use su(8) to become root (before you install and configure sudo(8)/doas(1)).
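The two posts above describe the safe order of operations: keep one root session open, prove key login works from a second session, then turn passwords off, and never enable root login in the first place because a wheel user plus su(8) covers it. The script below is an added example, not code from the thread, that puts that procedure into functions. It assumes a user name and public key are passed in (the "marc" and key string in the comments are hypothetical), writes a minimal key-only sshd_config, and only calls pw(8), sshd(8) and service(8) from the final rollout function, so the helpers also run on a workstation for inspection.

```shell
#!/bin/sh
# Added example (not from the thread): lock-out-safe switch to key-only SSH
# on a FreeBSD box.  Run rollout_key_only as root from your FIRST session
# and keep it open; test from a SECOND session before closing the first.

# Minimal sshd_config for a headless box: no root login, keys only.
# UsePAM stays yes (FreeBSD's shipped default) for account/session handling;
# with both password methods off, PAM never prompts, so the
# "PAM authentication error" noise stops as well.
write_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
UsePAM yes
UseDNS no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Install one public key with the permissions sshd's StrictModes demands:
# ~/.ssh 0700, authorized_keys 0600 (and the home directory itself must not
# be group- or world-writable, which the installer already guarantees).
install_authorized_key() {
    home=$1; pubkey=$2; owner=${3:-}
    old_umask=$(umask)
    umask 077                              # everything created below is private
    mkdir -p "$home/.ssh"
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    umask "$old_umask"
    # chown only when running as root on the box; skipped in offline use.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$home/.ssh"
    fi
}

# Parse a candidate config without touching the running daemon:
# sshd -t -f exits non-zero on any syntax error.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# The rollout itself, AS ROOT ON THE BOX, e.g. (hypothetical user and key):
#     rollout_key_only marc 'ssh-ed25519 AAAAC3Nz... marc@laptop'
# Existing SSH sessions survive "service sshd restart"; only new logins use
# the new config, which is why the first session stays usable for a rollback.
rollout_key_only() {
    user=$1; pubkey=$2
    home=$(getent passwd "$user" | cut -d: -f6)
    pw groupmod wheel -m "$user"                     # su(8) to root from now on
    install_authorized_key "$home" "$pubkey" "$user"
    cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
    write_sshd_config /etc/ssh/sshd_config.new
    check_sshd_config /etc/ssh/sshd_config.new || return 1
    mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
    service sshd restart
    echo "Open a SECOND PuTTY session as $user with the key and run 'su -'."
    echo "Close this session only after that works; otherwise copy the .bak back and restart sshd."
}
```

If rc.conf or rc.conf.local also carries sshd_flags with -o options, those override the file; check the merged result with `sshd -T` before trusting the rollout.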
 
Use a second session to test. If it doesn't work you're still logged in with the first session as root to make the necessary changes. If you logout and made a mistake you could lock yourself out and won't be able to get back in.

And the default sshd_config should work out of the box. Don't enable root logins; it's a bad habit. Add your first user to the wheel group so you can use su(8) to become root (before you install and configure sudo(8)/doas(1)).
Thank you, SirDice! The second session login never occurred to me. Tsk.
 