How to Configure Secure SSH Access to pfSense?
In this post I will walk you through enabling SSH access to pfSense on a non-standard port with key-based authentication, in order to strengthen the security of connecting to your firewall.
First, I will open the pfSense web interface in a browser and, from the System menu, click Advanced.
I will scroll down to Secure Shell, enable it, set a different SSH port rather than the standard port 22, and disable password login for Secure Shell so that only the configured keys can be used by the user I want to allow to connect over SSH.
After this option is enabled I will go to User Manager and create a new user by clicking the + button on the far right.
I want this user to be part of the admins group so that it has the privileges required to configure anything from the SSH session without any issue.
Before I save this user I will scroll down and enable the Authorized Keys option.
To configure a key, I will need a tool to generate a public/private key pair for authorizing the user.
Using PuTTYgen
In my case I will use PuTTYgen, which is free and available to download from the internet; I will also attach the tool at the bottom of this page for anyone to use.
I will run PuTTY Key Generator and increase the number of bits in the generated key to make it harder to crack, so I will use 2048 bits instead of 1024.
I will click Generate and move my mouse within the PuTTYgen window until the key is generated.
You have to keep moving the mouse cursor within this window for the progress bar to complete and the key to be generated.
As you can see below, the public and private keys are generated, but you will have to type your own “Key passphrase”, as you will need it when you connect to the SSH session.
I will copy the public key from the box labelled “Public key for pasting into OpenSSH authorized_keys file” and paste it into the Authorized Keys field in pfSense.
Now I will save both the public and private key in a folder for my own use. Let's create a folder called Pfsense_SSH_Key and save both keys in it.
Only the private key is needed with an SSH client such as PuTTY to connect to pfSense.
Now I will go back to the user and add the effective privileges that allow the user to connect over SSH; I will click the + button.
From the System Privileges list I will add the User – System – Shell account access and SSH tunneling privileges.
Then save these settings and save the user.
Next I will configure a firewall rule for the new SSH port I set in the Advanced window. I will go to Firewall -> Rules and create a new rule that allows my public IP address (my work IP address) to reach my pfSense WAN address (my home IP address) on port 2222.
Now I can test the SSH connection using PuTTY (not PuTTY Key Generator) to see if it works as expected.
Type the IP address in the Host Name field, then the port I configured for SSH, and select SSH under Connection type.
Before clicking Open to start the connection, I have to load the private key under SSH -> Auth.
Now I will click Open; it should show a security alert about the server's host key the first time it connects.
Click Yes to continue, then type the username I set up and the passphrase you chose.
After a successful login it will show the following, and from here you can start working in the shell.
I am going to try to show the network configuration by typing ifconfig …
So everything seems to be working as expected. If you want to give this user more admin privileges, you will have to log in as admin and add more system privileges from the user's “Effective Privileges” section.
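Before pasting a public key into the Authorized Keys field (the step above), it is worth checking that the line really is an OpenSSH `ssh-rsa` key of the intended size, since a truncated paste or a weak key silently breaks or weakens key-only login. The following is an added example written for this post, not pfSense or PuTTY code: it parses the OpenSSH authorized_keys format (base64 blob of SSH wire-format strings) and rejects RSA moduli shorter than 2048 bits; `build_rsa_authorized_key` only constructs sample input, and the integers used as moduli are constructed values, not real keys.

```python
import base64

MIN_RSA_BITS = 2048  # the post uses 2048-bit RSA; shorter keys are rejected

def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix) at offset off."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    n = int.from_bytes(blob[off:off + 4], "big")
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def _mpint(value: int) -> bytes:
    """Encode a non-negative int as an SSH mpint (leading 0x00 when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return len(raw).to_bytes(4, "big") + raw

def build_rsa_authorized_key(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys line from RSA public parameters (used to construct test input)."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def check_authorized_key(line: str) -> dict:
    """Validate one authorized_keys line; returns {"ok": True, ...} or {"ok": False, "problem": ...}."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return {"ok": False, "problem": "expected '<type> <base64> [comment]'"}
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, off = _read_string(blob, 0)
        if wire_type != key_type.encode():
            return {"ok": False, "problem": "type prefix does not match the key blob"}
        if key_type != "ssh-rsa":
            return {"ok": False, "problem": f"unsupported key type {key_type}"}
        _e, off = _read_string(blob, off)       # public exponent, not checked here
        n_bytes, off = _read_string(blob, off)  # modulus length decides key strength
        if off != len(blob):
            return {"ok": False, "problem": "trailing bytes after key blob"}
        bits = int.from_bytes(n_bytes, "big").bit_length()
    except ValueError as exc:  # bad base64 (binascii.Error) is a ValueError subclass
        return {"ok": False, "problem": str(exc)}
    if bits < MIN_RSA_BITS:
        return {"ok": False, "problem": f"RSA modulus is {bits} bits, need >= {MIN_RSA_BITS}"}
    return {"ok": True, "type": key_type, "bits": bits, "comment": comment}
```

Run `check_authorized_key` on the exact text you intend to paste; a result with `"ok": False` means the Authorized Keys field would end up with a key pfSense cannot use, or one weaker than intended.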