Configure SSH access and enable the SSH server.
Enable SSH access until disabled by this checkbox. This will launch the SSH server and let it run permanently. This is not recommended. See Run modes for SSH below for other choices.
Enabling SSH agent forwarding allows a private, local SSH key to be used remotely without leaving confidential data on the server.
Enable TCP port forwarding, also known as tunnelling, which allows other TCP applications to forward their network data over a secure SSH connection.
Enable ID & password log-in method to access SSH. The root ID and root password are entered when accessing the IPFire device via the Terminal (or console) when using ssh or scp.
Enable secure log-in method for SSH access. See SSH host keys below.
Enable the checkbox to access SSH via port 22. To access SSH open the Terminal (or console) and enter:
ssh root@ipfire.localdomain
When the checkbox is disabled, SSH is accessed via port 222. To access SSH, open the Terminal (or console) and enter:
ssh -p 222 root@ipfire.localdomain
Note - IPFire uses SSH Port 222 for safety reasons.
Keep in mind the SSH daemon is normally not running. There are three run modes available for SSH:
To enable click the SSH Access checkbox and click Save. The SSH server will now run until it is disabled by this checkbox.
Note - This is not recommended. It is better to use one of the next two options.
Click on the Stop SSH Daemon in 15 minutes button. After fifteen minutes the SSH daemon will stop running.
Click on the Stop SSH Daemon in 30 minutes button. After thirty minutes the SSH daemon will stop running.
If one of the SSH modes is enabled, you can access IPFire via an internal IP address using the root account and root password.
$ ssh -p 222 root@192.168.1.1
root@192.168.1.1's password: <enter_root_password>
Last login: Thu Sep 29 16:49:11 2022 from 192.168.6.100
[root@ipfire ~]#
These keys are unique on each IPFire box and will be generated during the first start of the IPFire (after the installation).
ssh-keygen -t ed25519 -f ~/.ssh/key_name -P ''
Note: ed25519 is a highly recommended public-key algorithm.
This will generate the needed key for SSH, with no passphrase, in the directory named .ssh.
Access the IPFire web interface and go to the menu System > SSH Access. Enable Allow public key based authentication by clicking on the checkbox. Click Save. Enable SSH temporarily by clicking Stop SSH daemon in 15 minutes (i.e., this enables the SSH access for 15 minutes).
Copy the public key from the client computer to the IPFire:
ssh-copy-id -i ~/.ssh/key_name -p222 root@ipfire.localdomain
Note: As an alternative to ssh-copy-id (not always available), it is possible to transfer the key to the IPFire user account with this shell script:
cat ~/.ssh/key_name.pub | ssh -p222 root@ipfire.localdomain "mkdir -m 700 ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"
The requested password will be your IPFire root password.
The new client key is now appended to the existing authorized keys. To access IPFire, enable SSH temporarily by clicking Stop SSH daemon in 15 minutes and entering:
ssh -p 222 root@ipfire.localdomain
This will allow remote login, secured by strong asymmetric key cryptography.
To reduce the attack surface (e.g. weak passwords), the option "Allow Password Based Authentication" can now be disabled, as log-in no longer requires password input.
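A check for the end state of the procedure above, as an added example that is not part of the IPFire documentation: it reads effective settings in the `keyword value` form that OpenSSH's `sshd -T` prints and fails while password log-in is still on. The function and sample names are hypothetical, and the sample settings are constructed.

```shell
#!/bin/sh
# Added example (not IPFire code). Audits effective sshd settings, one
# "keyword value" pair per line as printed by `sshd -T`, against the end
# state described above: key log-in on, password log-in off.

# audit_sshd: reads settings on stdin, prints findings, returns 1 on any FAIL.
# A missing keyword fails its check because the setting cannot be confirmed.
audit_sshd() {
    awk '
        NF >= 2 { seen[tolower($1)] = tolower($2) }
        END {
            fail = 0
            if (seen["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication not confirmed as yes"
                fail = 1
            }
            if (seen["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication not confirmed as no"
                fail = 1
            }
            # Informational only: optional features from the SSH Access page.
            if (seen["port"] == "22")
                print "NOTE port 22 in use instead of the IPFire default 222"
            if (seen["allowtcpforwarding"] != "" && seen["allowtcpforwarding"] != "no")
                print "NOTE TCP port forwarding is enabled"
            if (seen["allowagentforwarding"] == "yes")
                print "NOTE SSH agent forwarding is enabled"
            exit fail
        }'
}

# Constructed sample: key installed, password log-in not yet disabled.
sample_before() {
    printf '%s\n' 'port 222' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'allowtcpforwarding no' 'allowagentforwarding no'
}

# Constructed sample: same box after password log-in is switched off.
sample_after() {
    printf '%s\n' 'port 222' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'allowtcpforwarding no' 'allowagentforwarding no'
}

# Demo on the constructed samples. On the firewall, as root: sshd -T | audit_sshd
sample_before | audit_sshd || echo "=> before: not yet hardened"
sample_after | audit_sshd && echo "=> after: hardened"
```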
January 5 at 9:01 pm • teliac