Using Keys Rather than Passwords to ssh Into Firewalla Gold
Typing passwords
Typing passwords is a pain and not that secure these days. A better approach to server access is public-key authentication: the client holds a private key and the server holds only the matching public key. This write-up shows how to access the Firewalla Gold with an ssh key, eliminating the need to type a password when accessing the Gold from the configured client machine.
The ssh keys will be in the .ssh directory (by default).
MyUserName@CLIENTCOMPUTER:~$ ls -la
total 100424
…
drwxr-xr-x 1 MyUserName MyUserName 4096 Sep 14 10:01 .
drwxr-xr-x 1 root root 4096 Jun 11 11:33 ..
drwx------ 1 MyUserName MyUserName 4096 Jun 9 11:18 .ssh
…
The default .ssh directory has information about hosts to which ssh connections have been previously made.
MyUserName@CLIENTCOMPUTER:~$ ls .ssh -la
total 8
drwx------ 1 MyUserName MyUserName 4096 Jun 9 11:18 .
drwxr-xr-x 1 MyUserName MyUserName 4096 Sep 14 10:01 ..
-rw------- 1 MyUserName MyUserName 2664 Aug 31 08:56 known_hosts
-rw-r--r-- 1 MyUserName MyUserName 888 May 26 13:06 known_hosts.old
Generate ssh Keys
First task is to generate a public / private key-pair. Taking the defaults (an RSA key on the OpenSSH version shown here) is usually sufficient; ssh-keygen -t ed25519 gives a shorter, faster key that the sshd on Ubuntu 18.04 also accepts. Either way, only the public half (the .pub file) ends up on the Gold.
Run ssh-keygen
MyUserName@CLIENTCOMPUTER:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/MyUserName/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/MyUserName/.ssh/id_rsa.
Your public key has been saved in /home/MyUserName/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PqPRkAQrcb8f4Ac0xeN7CDuuo3QA5fMJIP0j3pbVD8 MyUserName@CLIENTCOMPUTER
The key's randomart image is:
+---[RSA 2048]----+
| o+==*oo |
| .=o+ =. |
|. .+.O oE |
| . oo @ ..+o |
| . *S . |
| ..= . o |
| ..= . + o |
| ++= + . |
| o*+o+oo. |
+----[SHA256]-----+
Copy the Key to the Server
The public half of the new key (id_rsa.pub) needs to be installed on the server to which an ssh connection will be made; the private key (id_rsa) never leaves the client. Once the server holds the public key in ~/.ssh/authorized_keys, the ssh connection can be made without a password.
On Linux use the command ...
ssh-copy-id -i ~/.ssh/id_rsa.pub pi@192.168.1.1
On Windows (PowerShell with the built-in OpenSSH client) use the command ...
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh pi@192.168.1.1 "cat >> .ssh/authorized_keys"
... to copy the new client key to the server. Unlike ssh-copy-id, the Windows one-liner appends unconditionally, so running it twice leaves a duplicate line, and it assumes that .ssh already exists in pi's home directory on the Gold.
Linux
MyUserName@CLIENTCOMPUTER:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub pi@192.168.1.1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/MyUserName/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
pi@192.168.1.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'pi@192.168.1.1'"
and check to make sure that only the key(s) you wanted were added.
Windows
PS C:\users\MYUSERNAME\.ssh> type $env:USERPROFILE\.ssh\id_rsa.pub | ssh pi@192.168.1.1 "cat >> .ssh/authorized_keys"
pi@192.168.1.1's password:
PS C:\users\MYUSERNAME\.ssh> ssh pi@192.168.1.1
Confirm the Key Installation
Attempt to see if a connection can be made without a password being entered.
MyUserName@CLIENTCOMPUTER:~$ ssh pi@192.168.1.1
[FIREWALLA ASCII-art banner]
Welcome to FIREWALLA GOLD 18.04.3 LTS (Bionic Beaver) Ubuntu 18.04.3 LTS 4.15.0-70-generic
System information as of Wed Sep 16 08:47:16 EDT 2020
System load: 0.97 IP address for eth0: xx.xx.xx.xx
Usage of /home: unknown IP address for br0: 192.168.1.1
Memory usage: 21% IP address for tun_fwvpn: 10.xx.xx.xx
Swap usage: 0% IP address for br-c63679e66170: 172.0.0.1
Processes: 210 IP address for docker0: 172.17.0.1
Users logged in: 1
tmpfs-root /media/root-rw tmpfs rw,relatime,size=204800k 0 0
overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0
/dev/mmcblk0p3 /media/root-ro ext4 ro,relatime,data=ordered 0 0
Last login: Wed Sep 16 08:37:56 2020 from 192.168.1.199
pi@firewalla:~$ exit
It works.
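The three steps above (generate, install the public key, confirm) collected into shell functions, as an added example; this is not code from the article or from Firewalla. It spells out the server-side half of ssh-copy-id so that the Windows "cat >> .ssh/authorized_keys" route can be made as safe as the Linux one, and it replaces the manual "did it prompt me?" check with a test that fails if password authentication is silently doing the work. The file paths, the list of accepted key types and the sample key line in the test are assumptions chosen for illustration; the sample key is constructed and is not a real key.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article or from Firewalla.
# What ssh-copy-id does on the server side, written out so the Windows
# "cat >> .ssh/authorized_keys" route can be made just as safe:
#   * only a single, well-formed OpenSSH public-key line is accepted
#     (a pasted private key or a stray shell command is refused),
#   * the key is added once, even when the comment field differs,
#   * ~/.ssh gets mode 700 and authorized_keys mode 600, which sshd's
#     default StrictModes requires before it will honour the file.
# Paths and the key-type list are assumptions; nothing is Firewalla-specific.
set -u

# install_pubkey <authorized_keys path> <public key line>
# Prints "added", "present" or "rejected"; exit status 1 on rejection.
install_pubkey() {
    local akfile=$1 pubkey=$2 nl keytype rest keydata sshdir

    # Refuse multi-line input: a second line would become a second key.
    nl='
'
    case $pubkey in *"$nl"*) echo rejected; return 1 ;; esac

    # Field 1 must be a key type OpenSSH knows, field 2 must be base64.
    keytype=${pubkey%% *}
    rest=${pubkey#* }
    keydata=${rest%% *}
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo rejected; return 1 ;;
    esac
    case $keydata in
        ''|*[!A-Za-z0-9+/=]*) echo rejected; return 1 ;;
    esac

    # Create the directory and file with the permissions sshd insists on.
    sshdir=$(dirname -- "$akfile")
    mkdir -p -- "$sshdir" && chmod 700 -- "$sshdir" || return 1
    [ -e "$akfile" ] || : > "$akfile"
    chmod 600 -- "$akfile" || return 1

    # Already installed? Compare type and key material, not the comment,
    # and look at every field pair so lines with options such as
    # from="..." in front of the key are matched too.
    if awk -v t="$keytype" -v d="$keydata" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == d) f = 1 }
         END { exit !f }' "$akfile"; then
        echo present
        return 0
    fi

    printf '%s\n' "$pubkey" >> "$akfile"
    echo added
}

# verify_key_login <user@host>
# Exit status 0 only if public-key authentication alone gets a shell.
# BatchMode stops ssh from ever prompting, so a silent fall-back to the
# password (which a manual "ssh pi@host" cannot distinguish from success
# when an agent or cached credential is in play) becomes a non-zero exit.
verify_key_login() {
    ssh -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey \
        -o ConnectTimeout=5 \
        "$1" true
}

# Usage on the Gold, after getting id_rsa.pub onto it by any means:
#   install_pubkey ~/.ssh/authorized_keys "$(cat /tmp/id_rsa.pub)"
# and from the client:
#   verify_key_login pi@192.168.1.1 && echo "key-only login OK"
```

Run install_pubkey on the Gold with the contents of the client's .pub file; a second run with the same key, or the same key with a different comment, reports present and leaves the file unchanged. verify_key_login is the check to run from the client after the install: it refuses to prompt, so the only way it succeeds is if the key in authorized_keys is actually the one being used.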
Notes For Those Who Care
Notes on Key Passphrase
The passphrase encrypts the private key file on disk. An attacker who copies the file (a stolen laptop, a leaked backup) gets only ciphertext and has to guess the passphrase before the key is usable, so a strong passphrase buys the time needed to revoke the key by removing it from authorized_keys on the Gold. It protects the key only at rest: once the key has been decrypted into ssh-agent, anything running as that user can use it.
It's optional because it's up to the user whether the risk of an unencrypted key in storage is acceptable. An existing key can be given a passphrase later with ssh-keygen -p, and ssh-agent keeps the decrypted key in memory so the passphrase is typed once per session rather than on every connection.
Notes on Randomart
The randomart is meant to be an easier way for humans to validate keys.
Validation is normally done by a comparison of meaningless strings (i.e. the hexadecimal representation of the key fingerprint), which humans are pretty slow and inaccurate at comparing. Randomart replaces this with structured images that are faster and easier to compare.
See "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99), for some interesting discussion on this.
-
Anything ~pi/ will persist
and 1.971
4. Customized Scripting and Docker
Custom hooks to safely execute user programs and scripts when Firewalla is rebooted. The scripts must be created under:
/home/pi/.firewalla/config/post_main.d
Please see this https://help.firewalla.com/hc/en-us/articles/360051625034 for a pi-hole docker example.
-
For anyone using a password manager that handles SSH keys, e.g. 1Password, you can use that to store the key.
1. Edit the '~/.ssh/config' file on your client device:
Host firewalla
HostName <IP_ADDRESS>
User pi
2. Create the key in 1Password. Be sure to add the url as shown below, using the hostname from the ssh config file. This serves as a "bookmark" for the key and will use the specified key and avoid the "Too many authentication failures" error if you have too many other keys.
url
ssh://firewalla
3. On the firewalla device, add the public key to the '~/.ssh/authorized_keys' file.
4. SSH to the firewalla device using your preferred 1Password authentication method.
-
Thanks for this great guide. Works for the Firewalla Purple as well. One other thing I do is to add my Firewalla box to my ssh config file so I can ssh in just by running 'ssh firewalla'. The (Linux) commands I use are:
# Create the key:
ssh-keygen -t ed25519 -C Firewalla -f ~/.ssh/Firewalla_id_ed25519
# Update my ssh config file:
cat << EOF >>~/.ssh/config
# `date +%Y%m%d`: Now I can SSH to the Firewalla by running 'ssh firewalla'
Host firewalla
HostName 192.168.1.1
IdentityFile ~/.ssh/Firewalla_id_ed25519
User pi
Compression yes
VisualHostKey=yes
EOF