Configure SSH on FreeBSD for Passwordless Logins to Servers
Part of the “FreeBSD on a Laptop” series.
Disable password logins on the FreeBSD SERVER in favour of using SSH keys for authentication. Create the necessary SSH keys on a FreeBSD CLIENT that will be used to secure access to remote devices.
- 1. Start Here
- 2. Create Public and Private Keys
- 3. Share Public Key
- 4. Disable Password Logins
- 5. Create an Alias
- 6. Keychain
1. Start Here
On BOTH the CLIENT and the SERVER
Create the .ssh directory and authorized_keys file in $HOME with permissions sshd will accept (with StrictModes, on by default, sshd ignores authorized_keys if that file, ~/.ssh or $HOME is writable by group or others). On the CLIENT the authorized_keys file is only needed if that machine will also accept key logins, but it does no harm:
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
2. Create Public and Private Keys
On the CLIENT
Create the SSH public/private key pair protected with a passphrase:
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname -s)-$(date +%Y-%m-%d)"
Start ssh-agent:
eval "$(ssh-agent -s)"
Add the newly-created SSH private key to the current session:
ssh-add ~/.ssh/id_ed25519
Any ssh login started from this session will now use the key held in memory by the agent, without prompting for the passphrase again.
3. Share Public Key
On the CLIENT
Upload the public key to the SERVER and append to the authorized_keys file:
ssh-copy-id -i ~/.ssh/id_ed25519.pub [remote_ip_address]
Example: SERVER has a [remote_ip_address] of 178.123.1.45:
ssh-copy-id -i ~/.ssh/id_ed25519.pub 178.123.1.45
Verify key-based authentication is configured correctly by logging in with ssh while refusing both password-carrying methods. PasswordAuthentication=no alone is not a sufficient test on FreeBSD, where sshd delivers password prompts through PAM keyboard-interactive authentication, so disable that as well. The login must succeed without a password prompt:
ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no 178.123.1.45
4. Disable Password Logins
On the SERVER
After verifying the SERVER can be accessed remotely using SSH keys, open sshd_config for editing:
doas vi /etc/ssh/sshd_config
Disable password authentication with these modifications:
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
As an additional measure, change the port on which sshd listens (22 by default). Moving it into the dynamic/private range, 49152 to 65535, keeps the logs free of the automated scanners that only probe port 22; it is not a substitute for the key-only policy above, since a port scan finds the new port in seconds. If a host firewall such as pf is running on the SERVER, allow the new port before reloading sshd, or the next login attempt will be blocked.
Example: change the SERVER listening port from the default (the commented line #Port 22) to 52222:
Port 52222
Save changes and exit.
Reload sshd so the new settings take effect. A reload re-reads the configuration without dropping the session you are logged in from, so keep that session open until the checks below pass:
doas service sshd reload
On the CLIENT
While remaining logged into SERVER, open another terminal and verify the change by attempting a new login that offers only the two password-carrying methods and withholds the key (the attempt should fail):
$ ssh -p 52222 -o PreferredAuthentications=password,keyboard-interactive -o PubkeyAuthentication=no 178.123.1.45
<username>@178.123.1.45: Permission denied (publickey).
The method list in parentheses is what the SERVER still offers; if it contains password or keyboard-interactive, the change has not taken effect.
Verify key-based authentication continues to work as before:
ssh -p 52222 178.123.1.45
The SERVER now accepts only key-based logins.
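The edits in this step are the ones most likely to lock you out if mistyped, so here is an added example (my own helpers, not code from the original post) that applies them to a copy of sshd_config without duplicating directives and then checks the effective configuration that sshd -T prints before you reload. The script name sshd_step4.sh and the function names are assumptions; the sample sshd_config lines in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: helpers for step 4 on the SERVER.
# sshd_set_option() edits one directive in a sshd_config-style file,
# apply_step4() applies the four changes from the text, and sshd_audit()
# checks the `sshd -T` output before `service sshd reload`.

# sshd_set_option FILE KEYWORD VALUE
# Replace the first global (pre-Match) line for KEYWORD, commented out or
# not, drop later global duplicates, and otherwise add the directive at the
# end of the global section (before the first Match block, if any), so the
# setting never lands inside a Match scope. Matching is case-insensitive,
# as in sshd(8); a comment that begins with the keyword is treated as a
# commented-out directive.
sshd_set_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0 }
        !in_match {
            if (tolower($1) == "match") {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            } else {
                line = $0
                sub(/^[ \t]*#?[ \t]*/, "", line)      # uncomment for matching
                split(line, f, /[ \t=]+/)
                if (tolower(f[1]) == tolower(key)) {
                    if (!done) { print key " " value; done = 1 }
                    next                               # drop the old line
                }
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"        # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apply_step4 FILE PORT: the four directives from the text.
apply_step4() {
    sshd_set_option "$1" Port "$2" &&
    sshd_set_option "$1" PubkeyAuthentication yes &&
    sshd_set_option "$1" PasswordAuthentication no &&
    sshd_set_option "$1" KbdInteractiveAuthentication no
}

# sshd_audit: reads `sshd -T` output on stdin. sshd -T prints every
# effective setting as "keyword value" in lower case, so this catches a
# directive that was set but then overridden, or left in a Match block.
# Returns 0 when the step-4 policy holds, otherwise prints each violation
# and returns 1.
sshd_audit() {
    awk '
        BEGIN { bad = 0 }
        { cfg[$1] = $2 }
        END {
            if (cfg["pubkeyauthentication"] != "yes")        { print "pubkeyauthentication is not yes"; bad = 1 }
            if (cfg["passwordauthentication"] != "no")       { print "passwordauthentication is not no"; bad = 1 }
            if (cfg["kbdinteractiveauthentication"] != "no") { print "kbdinteractiveauthentication is not no"; bad = 1 }
            if (cfg["port"] == "22")                          { print "port is still 22"; bad = 1 }
            exit bad
        }'
}

# Usage on the SERVER (root is needed for /etc/ssh/sshd_config and the host
# keys that sshd -t/-T read). Reload only if the syntax check and the audit
# both pass:
#   doas sh -c '. ./sshd_step4.sh &&
#       apply_step4 /etc/ssh/sshd_config 52222 &&
#       sshd -t && sshd -T | sshd_audit' &&
#   doas service sshd reload
```

sshd -t parses the file and fails on a typo that would otherwise stop sshd from starting at the next boot; sshd -T reports what sshd would actually use, which is the value worth auditing rather than the text you typed.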
5. Create an Alias
On the CLIENT
Create an alias for the SERVER in the user’s ssh_config:
vi ~/.ssh/config
Add an alias for SERVER named myserver:
Host myserver
HostName 178.123.1.45
Port 52222
Save changes and exit.
Now login to SERVER is simply:
ssh myserver
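As an added example (my own helper, not code from the original post), the alias above can be written by a small function that refuses to add the same alias twice and pins the key used for that host. The three-line alias in the text works, but once the agent holds more than a handful of keys it is worth adding IdentityFile and IdentitiesOnly: ssh otherwise offers every loaded key in turn, and the server counts each rejected one against MaxAuthTries (6 by default). The function name and the argument order are assumptions; the default config path and the 077 umask follow ssh(1).

```sh
#!/bin/sh
# Added example, not from the original post: append a Host alias such as the
# step-5 one to the user's ssh_config, with the key for that host pinned.

# ssh_config_add_host ALIAS HOSTNAME PORT IDENTITYFILE [CONFIG]
# Returns 1 without touching the file if ALIAS is already defined.
ssh_config_add_host() {
    name=$1; host=$2; port=$3; identity=$4; cfg=${5:-$HOME/.ssh/config}
    # ssh_config defines an alias as "Host", whitespace, then the name
    if [ -f "$cfg" ] && grep -q "^Host[[:space:]]\{1,\}$name\$" "$cfg"; then
        echo "ssh_config_add_host: Host $name already defined in $cfg" >&2
        return 1
    fi
    # Subshell so the umask does not leak into the caller. ssh refuses to
    # use a config file that is writable by anyone but its owner, so a new
    # file must be created 0600.
    (
        umask 077
        cat >> "$cfg" <<EOF
Host $name
    HostName $host
    Port $port
    IdentityFile $identity
    IdentitiesOnly yes
EOF
    )
}

# Usage on the CLIENT, with the key named after the laptop as in step 6:
#   ssh_config_add_host myserver 178.123.1.45 52222 "~/.ssh/$(hostname -s)"
#   ssh -G myserver | grep -E '^(hostname|port|identityfile|identitiesonly) '
# ssh -G prints the settings ssh would use for the alias without connecting,
# which is the quickest way to confirm the block was picked up.
```

IdentitiesOnly yes tells ssh to offer only the configured IdentityFile for this host, even though the agent may hold other keys; the agent still supplies the private-key operation, so the passphrase is not asked for again.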
6. Keychain
On the CLIENT
For CLIENT devices that are not running desktop environments with their own built-in ssh key management, I like to install the keychain package to manage my keys:
doas pkg install keychain
When I log in for the first time after boot, keychain prompts for the passphrase to unlock my key, then keeps a single ssh-agent process running and reuses it across later login sessions instead of starting a new agent each time.
Flush all cached keys from memory:
keychain --clear
NOTE
I rename my keys from id_ed25519* to the hostname of the device (hence the $(hostname -s) below).
If using bash as the user’s SHELL, add to .bashrc (the key file here is named after the device, as described in the NOTE above):
[[ -x "/usr/local/bin/keychain" ]] && eval "$(keychain --eval --quiet ~/.ssh/$(hostname -s))"
» Next: FreeBSD Power Management
« Previous: Getting Started with OpenBSD