Using Keys Rather than Passwords to ssh Into Firewalla Gold
Typing passwords
Typing passwords is a pain and not that secure these days. A better approach to server access is through the use of shared keys. This write-up shows how to access the Firewalla Gold with an ssh key, eliminating the need to type a password when accessing the Gold from the configured client machine.
The ssh keys will be in the .ssh directory (by default).
MyUserName@CLIENTCOMPUTER:~$ ls -la
total 100424
…
drwxr-xr-x 1 MyUserName MyUserName 4096 Sep 14 10:01 .
drwxr-xr-x 1 root root 4096 Jun 11 11:33 ..
drwx------ 1 MyUserName MyUserName 4096 Jun 9 11:18 .ssh
…
The default .ssh directory has information about hosts to which ssh connections have been previously made.
MyUserName@CLIENTCOMPUTER:~$ ls .ssh -la
total 8
drwx------ 1 MyUserName MyUserName 4096 Jun 9 11:18 .
drwxr-xr-x 1 MyUserName MyUserName 4096 Sep 14 10:01 ..
-rw------- 1 MyUserName MyUserName 2664 Aug 31 08:56 known_hosts
-rw-r--r-- 1 MyUserName MyUserName 888 May 26 13:06 known_hosts.old
Generate ssh Keys
The first task is to generate a public / private RSA key-pair. Taking the defaults is usually sufficient.
Run ssh-keygen
MyUserName@CLIENTCOMPUTER:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/MyUserName/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/MyUserName/.ssh/id_rsa.
Your public key has been saved in /home/MyUserName/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PqPRkAQrcb8f4Ac0xeN7CDuuo3QA5fMJIP0j3pbVD8 MyUserName@CLIENTCOMPUTER
The key's randomart image is:
+---[RSA 2048]----+
| o+==*oo |
| .=o+ =. |
|. .+.O oE |
| . oo @ ..+o |
| . *S . |
| ..= . o |
| ..= . + o |
| ++= + . |
| o*+o+oo. |
+----[SHA256]-----+
Copy the Key to the Server
The new key needs to be shared with the server to which an ssh connection will be made. When both machines have shared keys the ssh connection can be made without a password.
On Linux use the command ...
ssh-copy-id -i ~/.ssh/id_rsa.pub pi@192.168.1.1
On Windows use the command ...
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh pi@192.168.1.1 "cat >> .ssh/authorized_keys"
... to copy the new client key to the server.
Linux
MyUserName@CLIENTCOMPUTER:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub pi@192.168.1.1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/MyUserName/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
pi@192.168.1.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'pi@192.168.1.1'"
and check to make sure that only the key(s) you wanted were added.
Windows
PS C:\users\MYUSERNAME\.ssh> type $env:USERPROFILE\.ssh\id_rsa.pub | ssh pi@192.168.1.1 "cat >> .ssh/authorized_keys"
pi@192.168.1.1's password:
PS C:\users\MYUSERNAME\.ssh> ssh pi@192.168.1.1
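The Windows one-liner above appends the key but, unlike ssh-copy-id, does not create .ssh, set the permissions sshd insists on, or skip keys that are already installed. The following is an added example (not code from the original post or from Firewalla) that does those three things in portable sh; the function names and the key material are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Firewalla.
# A portable, idempotent stand-in for what ssh-copy-id does and the Windows
# "cat >> .ssh/authorized_keys" one-liner does not: create ~/.ssh (0700) and
# authorized_keys (0600), accept only a single well-formed OpenSSH public key
# line, and append it only when that key is not already present.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 when the key is present afterwards, 1 when the input is not a public key.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    # Refuse multi-line input (e.g. a private key pasted by mistake).
    [ "$(wc -l < "$pubkey_file")" -le 1 ] || return 1
    key_line=$(head -n 1 "$pubkey_file")
    # Expect "<type> <base64 blob> [comment]" with a known key type.
    printf '%s\n' "$key_line" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' || return 1

    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}

    # sshd ignores authorized_keys when the directory or file is group/world writable.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Match on type + blob only, so a re-run with a different comment
    # (or an options prefix on the server side) does not add a duplicate.
    grep -qF -- "$key_type $key_blob" "$auth_file" && return 0
    printf '%s\n' "$key_line" >> "$auth_file"
}

# demo: run install_pubkey twice against a scratch directory and print the
# number of authorized_keys lines (1 proves the second run was a no-op).
demo() {
    work=$(mktemp -d)
    # Constructed, non-functional key for demonstration only.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal0000000000 MyUserName@CLIENTCOMPUTER\n' \
        > "$work/id_ed25519.pub"
    install_pubkey "$work/id_ed25519.pub" "$work/.ssh/authorized_keys" || return 1
    install_pubkey "$work/id_ed25519.pub" "$work/.ssh/authorized_keys" || return 1
    wc -l < "$work/.ssh/authorized_keys" | tr -d ' '
    rm -rf "$work"
}
```

To confirm afterwards that the key alone is accepted, run ssh with `-o BatchMode=yes -o PasswordAuthentication=no`, which fails outright instead of silently falling back to the password prompt.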
Confirm the Key Installation
Attempt to see if a connection can be made without a password being entered.
MyUserName@CLIENTCOMPUTER:~$ ssh pi@192.168.1.1
[FIREWALLA ASCII-art login banner]
Welcome to FIREWALLA GOLD 18.04.3 LTS (Bionic Beaver) Ubuntu 18.04.3 LTS 4.15.0-70-generic
System information as of Wed Sep 16 08:47:16 EDT 2020
System load: 0.97 IP address for eth0: xx.xx.xx.xx
Usage of /home: unknown IP address for br0: 192.168.1.1
Memory usage: 21% IP address for tun_fwvpn: 10.xx.xx.xx
Swap usage: 0% IP address for br-c63679e66170: 172.0.0.1
Processes: 210 IP address for docker0: 172.17.0.1
Users logged in: 1
tmpfs-root /media/root-rw tmpfs rw,relatime,size=204800k 0 0
overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0
/dev/mmcblk0p3 /media/root-ro ext4 ro,relatime,data=ordered 0 0
Last login: Wed Sep 16 08:37:56 2020 from 192.168.1.199
pi@firewalla:~$ exit
It works.
Notes For Those Who Care
Notes on Key Passphrase
The passphrase encrypts the key locally. An attacker with access to the system will not be able to read the private key, because it's encrypted. If a laptop is stolen for example, the ssh key might still be secure if a strong passphrase has been used.
The passphrase is optional because it is up to the user whether the risk of an unencrypted key in storage is acceptable.
Notes on Randomart
The randomart is meant to be an easier way for humans to validate keys.
Validation is normally done by a comparison of meaningless strings (i.e. the hexadecimal representation of the key fingerprint), which humans are pretty slow and inaccurate at comparing. Randomart replaces this with structured images that are faster and easier to compare.
See "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99), for some interesting discussion on this.
Anything ~pi/ will persist
4. Customized Scripting and Docker
Custom hooks safely execute user programs and scripts when Firewalla is rebooted. The scripts must be created under:
/home/pi/.firewalla/config/post_main.d
Please see this https://help.firewalla.com/hc/en-us/articles/360051625034 for a pi-hole docker example.