SSH Access

Configure SSH

In this section you can switch the SSH server on or off. Three modes are available:

  • start SSH permanently
  • start SSH temporarily for 15 minutes
  • start SSH temporarily for 30 minutes

If one of these modes is enabled, you can reach IPFire over its (external and internal) IP address with the root account and root password.

The option Set SSH port to default 22 (222 is used otherwise) changes the SSH port back to 22, which may be useful because port 222 is sometimes blocked by ISPs. Note: IPFire uses port 222 for SSH for security reasons.

SSH host keys

These keys are unique to each IPFire box and are generated during the first start of IPFire (after the installation).

Allow public key authentication

Below are two methods to configure password-less SSH login to IPFire: the Manual Method or the Script Method.

Manual Method

  1. Open the client Linux console or Mac terminal and enter:

ssh-keygen -f ~/.ssh/id_rsa -P ''

This will generate the needed key for SSH, with no passphrase, in the directory named .ssh.

  2. Access the IPFire web interface and go to the menu System > SSH Access. Enable Allow public key based authentication by clicking on the checkbox. Click Save. Enable SSH temporarily by clicking Stop SSH demon in 15 minutes (i.e., this enables the SSH access for 15 minutes).

  3. Copy the public key from the client computer to the IPFire:

ssh-copy-id -p222 root@ipfire

The requested password will be your IPFire root password.

The new client key is now appended to the existing authorized keys. To access IPFire, enable SSH temporarily by clicking Stop SSH demon in 15 minutes and enter:

ssh -p 222 root@ipfire


Script Method

Download the script and execute it in a console on the computer from which you want to use public key based authentication with your IPFire. The script automatically generates the keys and then uploads them, prompting for the root password of the IPFire. If this succeeds, you no longer need to enter a password when logging in to IPFire over SSH.

Below you'll find the script:

filename = /ssh-keyput

#!/bin/bash
#
# ssh-keyput -- set up passwordless openssh login.
#
# Copyright (C) 2001, 2002, 2006 by SWsoft.
# Author: Kir Kolyshkin
#
# This script is used to put your public ssh keys to another host's
# authorized_keys[2], so you will be able to ssh login without entering
# a password. Key pairs are generated if needed, and connectivity
# is checked after putting the keys.

PROGNAME=`basename $0`

function usage()
{
    echo "Usage: $PROGNAME [user@]IP [[user@]IP ...]" 1>&2
    exit 0
}

# Check for correct number of parameters
test $# -gt 0 || usage;

SSH_KEYGEN=`which ssh-keygen`
if test $? -ne 0; then
    # Error message is printed by 'which'
    exit 1
fi

SSH_DIR=~/.ssh
if ! test -d $SSH_DIR; then
    mkdir $SSH_DIR
fi
chmod 700 $SSH_DIR

# Note: OpenSSH 7.6 and later cannot generate rsa1 keys (SSH protocol 1
# support was removed), and DSA keys are disabled by default since OpenSSH 7.0.
if [ ! -f $SSH_DIR/identity ] || [ ! -f $SSH_DIR/identity.pub ]; then
    echo "Generating ssh1 RSA keys - please wait..."
    rm -f $SSH_DIR/identity $SSH_DIR/identity.pub
    $SSH_KEYGEN -t rsa1 -f $SSH_DIR/identity -P ''
    if [ $? -ne 0 ]; then
        echo "Command \"$SSH_KEYGEN -t rsa1 -f $SSH_DIR/identity" \
            "-P ''\" failed" 1>&2
        exit 1
    fi
else
    echo "ssh1 RSA key is present"
fi

if [ ! -f $SSH_DIR/id_dsa ] || [ ! -f $SSH_DIR/id_dsa.pub ]; then
    echo "Generating ssh2 DSA keys - please wait..."
    rm -f $SSH_DIR/id_dsa $SSH_DIR/id_dsa.pub
    $SSH_KEYGEN -t dsa -f $SSH_DIR/id_dsa -P ''
    if test $? -ne 0; then
        echo "Command \"$SSH_KEYGEN -t dsa -f $SSH_DIR/id_dsa" \
            "-P ''\" failed" 1>&2
        exit 1
    fi
else
    echo "ssh2 DSA key is present"
fi

SSH1_RSA_KEY=`cat $SSH_DIR/identity.pub`
SSH2_DSA_KEY=`cat $SSH_DIR/id_dsa.pub`

for IP in $*; do
    echo "You will now be asked for password for $IP"
#   set -x
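    # -oStrictHostKeyChecking=no accepts an unknown host key without prompting,
    # so the host is not verified before the root password is typed.
    ssh -p222 -oStrictHostKeyChecking=no $IP "mkdir -p ~/.ssh; chmod 700 ~/.ssh; \
        echo \"$SSH1_RSA_KEY\" >> ~/.ssh/authorized_keys; \
        echo \"$SSH2_DSA_KEY\" >> ~/.ssh/authorized_keys2; \
        chmod 600 ~/.ssh/authorized_keys ~/.ssh/authorized_keys2"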
#   set +x
    if test $? -eq 0; then
        echo "Keys were put successfully"
    else
        echo "Error putting keys to $IP" 1>&2
    fi
done

for IP in $*; do
    for ver in 1 2; do
        echo -n "Checking $IP connectivity by ssh$ver... "
        ssh -p222 -q -oProtocol=${ver} -oBatchMode=yes \
          -oStrictHostKeyChecking=no $IP /bin/true
        if [ $? -eq 0 ]; then
            echo "OK"
        else
            echo "failed" 1>&2
        fi
    done
done

Questions?

If you have any questions about the script or problems executing it, visit us in our forum.
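
The remote step of the script above appends both keys to the authorized keys files on every run, without checking what it appends. The following is an added example, not part of the IPFire wiki or of ssh-keyput, showing a validating, idempotent version of that step; the function names valid_pubkey and install_pubkey are hypothetical and the sample key is constructed.

```sh
#!/bin/sh
# Added example (not IPFire or ssh-keyput code).
# valid_pubkey / install_pubkey are hypothetical helper names.

# Constructed sample line, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyBodyNotARealKey0000000000 admin@laptop'

# Succeeds only for a single-line "<type> <base64> [comment]" public key
# whose type is one of the listed, currently supported key types.
valid_pubkey() {
    case "$1" in
        *"
"*) return 1 ;;                 # an embedded newline would add a second entry
    esac
    ktype=${1%% *}; rest=${1#* }; blob=${rest%% *}
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;           # ssh-dss, option prefixes, anything unknown
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # key body must be plain base64
    esac
}

# Append the key to <home>/.ssh/authorized_keys exactly once, with modes 700/600.
# $1 = public key line, $2 = home directory of the target account.
# Returns 0 on success or if already present, 2 if the key line is rejected.
install_pubkey() {
    valid_pubkey "$1" || return 2
    dir=$2/.ssh
    file=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    # Match on type and key body so a changed comment is not a new key.
    if awk -v t="$ktype" -v b="$blob" \
        '$1 == t && $2 == b { f = 1 } END { exit !f }' "$file"
    then
        return 0
    fi
    printf '%s\n' "$1" >> "$file"
}
```

Run on the receiving side as, for example, install_pubkey "$(cat id_ed25519.pub)" "$HOME"; repeated runs leave a single entry per key.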

Older Revisions • August 5 at 10:24 pm • Jon