SSH Access

Configure SSH access and enable the SSH server.

SSH Access

Enable SSH access until disabled by this checkbox. This will launch the SSH server and let it run permanently. This is not recommended. See Run modes for SSH below for other choices.

Allow SSH Agent Forwarding

Enable SSH agent forwarding allows use of a private, local SSH key remotely without leaving confidential data on the server.

Links

Allow TCP forwarding

Enable TCP port forwarding, also known as tunnelling, that allows other TCP applications to forward their network data over a secure SSH connection

Links

Linuxize - How to Set up SSH Tunneling (Port Forwarding)

Allow password based authentication

Enable ID & password log-in method to access SSH. The root ID and root password are entered when accessing the IPFire device via the Terminal (or console) when using ssh or scp.

Allow public key based authentication

Enable secure log-in method for SSH access. See SSH host keys below.

Set SSH port to default 22 (222 is used otherwise)

Enable the checkbox to access SSH via port 22. To access SSH open the Terminal (or console) and enter:

ssh root@ipfire.localdomain

Disabled allows access to SSH via port 222. To access open the Terminal (or console) and enter:

ssh -p 222 root@ipfire.localdomain

Note - IPFire uses SSH Port 222 for safety reasons.

Run modes for SSH

Keep in mind the SSH daemon is normally not running. There are three run modes available for SSH:

Launch SSH and let it run permanently

To enable click the SSH Access checkbox and click Save. The SSH server will now run until it is disabled by this checkbox.

Note - This is not recommended. It is better to use one of the next two options.

Launch SSH and temporarily run for 15 minutes

Click on the Stop SSH Daemon in 15 minutes button. After fifteen minutes the SSH daemon will stop running.

Launch SSH and temporarily run for 30 minutes

Click on the Stop SSH Daemon in 30 minutes button. After thirty minutes the SSH daemon will stop running.

If one of the SSH modes is enabled, you can access IPFire via an internal IP address using the root account and root password.

$ ssh -p 222 root@192.168.1.1
root@192.168.1.1's password: <enter_root_password>
Last login: Thu Sep 29 16:49:11 2022 from 192.168.6.100
[root@ipfire ~]#

SSH host keys

These keys are unique on each IPFire box and will be generated during the first start of the IPFire (after the installation).

Allow public key authentication

Open the client Linux console or Mac terminal and enter:

ssh-keygen -t ed25519 -f ~/.ssh/key_name -P ''

Note: ed25519 is a highly recommended public-key algorithm.

This will generate the needed key for SSH, with no passphrase, in the directory name .ssh.

Access the IPFire web interface and go to the menu System > SSH Access. Enable Allow public key based authentication by clicking on the checkbox. Click Save. Enable SSH temporarily by clicking Stop SSH daemon in 15 minutes (i.e., this enables the SSH access for 15 minutes).
Copy the public key from the client computer to the IPFire:

ssh-copy-id -i ~/.ssh/key_name -p222 root@ipfire.localdomain

Note: As an alternative to ssh-copy-id (not always available), it is possible to transfer the key to the IPFire user account with this shell script:

cat ~/.ssh/key_name.pub | ssh -p222 root@ipfire.localdomain "mkdir -m 700 ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"

The requested password will be your IPFire root password.

The new client key is now appended to the existing authorized keys. To access IPFire, enable SSH temporarily by clicking Stop SSH daemon in 15 minutes and entering:

ssh -p 222 root@ipfire.localdomain

This will allow remote login, secured by strong asymmetric key cryptography.

To reduce the surface of attack (e.g. weak passwords), the option "Allow Password Based Authentication" now can be disabled as the login will not require the password input anymore.