digiMoot:

TrueNAS: Connect Through SSH

FreeNAS Connect SSHConnecting to your TrueNAS server securely through SSH (secure shell) is absolutely essential if you plan to connect to from outside your local network, and a pretty darn good idea for connecting to it from within your network as well and that is what we will discuss in this FreeNAS: Connect Through SSH article. You want to make sure your password in encrypted, so it can’t be picked up by somebody skimming network traffic. Also you do not want to connect to the TrueNAS WwebUI from outside your network as your password will be sent in plain text (unless there is some way to force an SSL connection… something for me to explore later). Network traffic, unless secured, is often sent in plain text, including your password.

This article will show you how to create a public/private RSA (Rivest–Shamir–Adleman) key pair, how to put how to put the public key on your TrueNAS server and how to connect using this key pair. This something I struggled with for a bit and took me some time to get working properly. However in the end, its not that difficult it was just not something I had done before. So let’s get started with this TrueNAS: Connect Through SSH article.

This is part of my ongoing series of TrueNAS and FreeNAS setup, configuration and install articles.

Generate a Public / Private Key Pair

You will generate the public / private key pair on a client machine (i.e. a machine you will use to connect to your TrueNAS server). I am using a linux machine to do this, but you can also do this on a windows or mac machine as well. From the command line on your linux machine, enter the following:

ssh-keygen

It will ask you to enter the file name for your key (leave this as default by pressing enter) and your passphase (I recommend that you use one and make it a strong passphrase). Once done, the output will look something like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Up6KjbnEV4Hgfo75YM393QdQsK3Z0aTNBz0DoirrW+c ylo@klar
The key's randomart image is:
+---[RSA 2048]----+
|    .   &  ..oo..|
|   . . .  . .o.X.|
|   S. . o.  ..+ R|
|   .   o.o  .+ ..|
|    ..o.S   X..  |
|   . %o=  L GF.  |
|    @.B...  Q  . |
|  No.=. o. . .  .|
|  ^ .oo  E. . .. |
+----[SHA256]-----+

Public Key on TrueNAS System

As noted in the output of the step above, two files were saved. These are the public key (the key you put on your TrueNAS server – id_rsa.pub) and your private key (the key which you keep on your client machine(s) and do not share with anybody – id_rsa).

Now, the easiest way is to paste your PUBLIC passphrase in the id_rsa.pub file into the user account on your TrueNAS server. Logon to your WebUI and then go to Accounts -> Users and edit account that you wish to login with. I recommend that you don’t use your root account but instead use a standard account and allow it to use sudo by selecting the “permit sudo” option in the bottom right of the account settings panel in the area labelled ‘Authentication’. Just above this is the area you will need to paste your public key in the area labelled “SSH Public Key”. In this section you will paste the entire contents PUBLIC key file (make sure its the (id_rsa.pub file) you created. Save the changes to the user you’ve edited.

Now you need to ensure that the SSH service only allows connections via SSH. In the TrueNAS WebUI go to Services on the TrueNAS left menu bar. Scroll down and make sure the SSH service is on, then select the pencil icon beside it. Unselect “Log in as root with password” and “Allow password authentication”. Click Save.

As noted, the above method of using the interface is the easiest, but it it doesn’t work, you can always manually copy the key in your users home directory. You will of course need to be sure the user is assigned a home directory and then you can copy the id_rsa.pub which includes your PUBLIC passphrase (not your private passphrase) to the file ~/.ssh/authorized_keys on the TrueNAS system. If you use this method, you will need to ensure that the file and folder ownership and permission are set corrected. I banged my head against the wall for days trying to figure out why I kept getting a Permission denied (publickey). error message every time I tried to connect to my TrueNas server via SSH. Finally I checked the log on the server at /var/log/auth.log and noticed I was getting this messageAuthentication Refused: bad ownership or modes for directory.

So that led me to figure out that SSH doesn’t like it if your home or ~/.ssh directories have group write permissions. Your home directory should be writable only by you, ~/.ssh should be 700, and authorized_keys should be 600. Use the following commands to set it up the right way (where your_user is the name of the user):

chmod g-w /home/your_user
chmod 700 /home/your_user/.ssh
chmod 600 /home/your_user/.ssh/authorized_keys

It is possible that you can also get around this by adding StrictModes off to your ssh_config file, but I’d advise against it as the best way is to ensure your permissions are correct.

That’s it, you’ve completed the TrueNAS: Connect Through SSH article and now you should be able to use the ssh command from your client linux machine (which has the private key). You can also copy the private key to other machines or devices to also use them to connect to your TrueNAS system

Happy SSHin’!

~digiMoot

Liked it? Take a second to support digiMoot on Patreon!

1 thought on “TrueNAS: Connect Through SSH

  1. hi! and thanks for this clever post 🙂
    I did what you suggested and indeed I don’t have the error in the auth.log file but I still cannot connect with my user.
    Instead, I’m still getting the “Permission denied (publickey)” on client side and in the log, I now have this : “Connection closed by authenticating user “.
    Note that I can connect with root.
    Strange, no ?
    Thks for your advice,
    Thierry

Leave a Reply

Your email address will not be published. Required fields are marked *