Configure SSH access and enable the SSH server.
SSH Access
Enables SSH access until this checkbox is cleared again: the SSH server is started and keeps running permanently. This is not recommended; see Run modes for SSH below for the time-limited alternatives.
Allow SSH Agent Forwarding
Enables SSH agent forwarding, which lets you authenticate from IPFire to a further host with a private key that stays on your local client, so the key itself is never stored on the server. Keep in mind that while a forwarded agent is connected, anyone with root access to IPFire can use that agent socket to sign authentication requests on your behalf, so enable this only when you actually need to hop through IPFire.
Links
- Steve Friedl's Unixwiz.net Tech Tips - An Illustrated Guide to SSH Agent Forwarding
- How-To Geek - What is SSH Agent Forwarding and How Do You Use It?
- GitHub Docs - Using SSH agent forwarding
Allow TCP forwarding
Enables TCP port forwarding, also known as tunnelling, which lets other TCP applications send their network data through the encrypted SSH connection, for example to reach a service on IPFire or on a network behind it that is not exposed directly.
Allow password based authentication
Enables login with user name and password over SSH. The root account and the root password are what you enter when connecting to the IPFire device with ssh or scp from a terminal (or console).
Allow public key based authentication
Enables login with an SSH key pair, the recommended method. See SSH host keys below for how to generate a key on the client and install it on IPFire.
Set SSH port to default 22 (222 is used otherwise)
Enable the checkbox to access SSH via port 22. To access SSH open the Terminal (or console) and enter:
ssh root@ipfire.localdomain
Disabled allows access to SSH via port 222. To access open the Terminal (or console) and enter:
ssh -p 222 root@ipfire.localdomain
Note - IPFire uses port 222 by default so that the daemon does not sit on the port that automated scanners probe first. The non-standard port is not a security control on its own; who may log in is still decided by the password and public key settings above.
Run modes for SSH
Keep in mind the SSH daemon is normally not running. There are three run modes available for SSH:
Launch SSH and let it run permanently
To enable click the SSH Access checkbox and click Save. The SSH server will now run until it is disabled by this checkbox.
Note - This is not recommended. It is better to use one of the next two options.
Launch SSH and temporarily run for 15 minutes
Click on the Stop SSH Daemon in 15 minutes button. After fifteen minutes the SSH daemon will stop running.
Launch SSH and temporarily run for 30 minutes
Click on the Stop SSH Daemon in 30 minutes button. After thirty minutes the SSH daemon will stop running.
While SSH is running in any of these modes, you can connect from an internal IP address with the root account and root password:
$ ssh -p 222 root@192.168.1.1
root@192.168.1.1's password: <enter_root_password>
Last login: Thu Sep 29 16:49:11 2022 from 192.168.6.100
[root@ipfire ~]#
SSH host keys
These keys identify the IPFire system to SSH clients. They are unique to each installation and are generated on the first boot after installation. Your client records them in ~/.ssh/known_hosts on the first connection and warns you if they change later, which is the check that protects against connecting to an impostor.
Allow public key authentication
- On the client, open the Linux console or Mac terminal and generate a key pair:
ssh-keygen -t ed25519 -f ~/.ssh/key_name -P ''
Note: ed25519 is a highly recommended public-key algorithm.
This creates the private key ~/.ssh/key_name and the public key ~/.ssh/key_name.pub in the .ssh directory. The -P '' creates the key without a passphrase, which is convenient for scripts; for an interactive admin key, drop -P '' so that ssh-keygen asks for a passphrase, because an unprotected private key file is root access to your firewall for anyone who copies it.
- Access the IPFire web interface and go to the menu System > SSH Access. Enable Allow public key based authentication by clicking on the checkbox. Leave Allow password based authentication enabled for now, because the key is copied over a password-authenticated session in the next step. Click Save. Enable SSH temporarily by clicking Stop SSH daemon in 15 minutes (i.e., this enables SSH access for 15 minutes).
- Copy the public key from the client computer to IPFire:
ssh-copy-id -i ~/.ssh/key_name -p222 root@ipfire.localdomain
Note: As an alternative to ssh-copy-id (not always available), the key can be appended to the root account's authorized keys with this one-line shell command, which also sets the permissions sshd requires (700 on ~/.ssh, 600 on authorized_keys):
cat ~/.ssh/key_name.pub | ssh -p222 root@ipfire.localdomain "umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"
The password requested by either command is your IPFire root password.
The new client key is now appended to the existing authorized keys. To access IPFire, enable SSH temporarily by clicking Stop SSH daemon in 15 minutes and enter:
ssh -p 222 root@ipfire.localdomain
This allows remote login secured by strong asymmetric key cryptography.
To reduce the attack surface (for example guessing of weak passwords), Allow password based authentication can now be disabled, since login no longer needs a password. Before disabling it, confirm in a second terminal that key-based login succeeds; if it does not, the web interface is still available to turn password authentication back on.
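The whole procedure above as one script, added here as an example and not part of the IPFire wiki or the IPFire project. It generates the client key, installs it on IPFire over the last password-authenticated session with the same permission handling as the one-liner above, and then proves that the key alone is accepted before you untick Allow password based authentication. The host, port and key path are assumptions with the defaults from this page (root@ipfire.localdomain, port 222); the helper append_authorized_key is the local version of the remote command and is what the script is checked against.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki or project): enrol a client key on IPFire
# and verify key-only login before password authentication is switched off.
# Assumed names: IPFIRE_HOST, IPFIRE_PORT, KEY (defaults follow the wiki page).
set -eu

HOST="${IPFIRE_HOST:-ipfire.localdomain}"
PORT="${IPFIRE_PORT:-222}"
KEY="${KEY:-${HOME:-/root}/.ssh/ipfire_ed25519}"

# Append one public key line to $1/.ssh/authorized_keys with the permissions sshd
# insists on (700 on .ssh, 600 on the file) and skip keys already present.
# Runs in a subshell so the umask change does not leak into the caller.
# Exit status: 0 = key added, 2 = key was already there.
append_authorized_key() (
    home="$1"; pub="$2"
    umask 077
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if grep -qxF -- "$pub" "$home/.ssh/authorized_keys"; then
        exit 2
    fi
    printf '%s\n' "$pub" >> "$home/.ssh/authorized_keys"
)

# Generate the client key once. Without -P '' ssh-keygen prompts for a
# passphrase, which is what you want for an interactive admin key.
make_key() {
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY" -C "ipfire-admin"
}

# Install the public key over a password-authenticated session (the last time
# the root password is needed). The remote one-liner mirrors append_authorized_key.
# Assumes the key comment contains no single quote, so the quoting below is safe.
install_key() {
    pub="$(cat "$KEY.pub")"
    ssh -p "$PORT" "root@$HOST" "umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh; \
touch ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys; \
grep -qxF -- '$pub' ~/.ssh/authorized_keys || printf '%s\n' '$pub' >> ~/.ssh/authorized_keys"
}

# Prove the key alone is accepted: BatchMode=yes refuses every prompt and
# PasswordAuthentication=no removes the fallback, so exit 0 means the key works.
verify_key_login() {
    ssh -p "$PORT" -i "$KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o PasswordAuthentication=no "root@$HOST" true
}

# Network steps only run when invoked with --run; otherwise the file just
# defines the functions so they can be sourced or tested offline.
if [ "${1:-}" = "--run" ]; then
    make_key
    install_key
    if verify_key_login; then
        echo "Key login works: you can now untick 'Allow password based authentication'."
    else
        echo "Key login failed: leave password authentication enabled and investigate." >&2
        exit 1
    fi
fi
```

Run it as `sh enrol-ipfire-key.sh --run` while the SSH daemon is in one of the time-limited run modes. Only when verify_key_login reports success should the password checkbox be cleared; the BatchMode and PasswordAuthentication options are what stop ssh from silently succeeding with a password and masking a broken key setup.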