Quick Way to Configure OpenSSH Server on FreeBSD

OpenSSH is a set of open-source utilities that implements the SSH (Secure Shell) protocol. SSH is a secure replacement for telnet: it gives administrators and users access to remote systems as if they were sitting at the console, and it encrypts the connection between client and server to prevent eavesdropping. OpenSSH controls 87 percent of the remote console market. OpenSSH is very practical to use and can be deployed on all Linux and BSD distributions as well as Apple Mac OS.

The SSH protocol was first developed in 1995 by Tatu Ylonen, a researcher at Helsinki University of Technology. Ylonen founded SSH Communications Security in late 1995 to develop and market SSH; his company currently markets SSH Server/Client Tectia. OpenSSH was originally created by the OpenBSD team as part of the OpenBSD 2.6 release in December 1999.

The team used code from Tatu Ylonen's SSH project, which was originally open source, and has fixed bugs and added features in each OpenSSH release since. Soon after the first release of OpenSSH, its developers decided to split into two teams: one group concentrates on developing OpenSSH for OpenBSD, while the other develops portable versions of OpenSSH for use on other platforms. The portable edition has the letter P added to its version number to denote this. OpenSSH continues to be developed by the OpenBSD team led by its founder, Theo de Raadt.

This article explains how to install and configure OpenSSH on a FreeBSD system. OpenSSH is part of the standard FreeBSD distribution; here we replace the base version with a newer OpenSSH taken from the FreeBSD ports collection. To start the installation, run the following commands.

root@ns1:~ # cd /usr/ports/security/openssh-portable
root@ns1:/usr/ports/security/openssh-portable # make -D WITH_OVERWRITE_BASE install clean
Once the installation is complete, it is time to configure OpenSSH for use on the FreeBSD system. Add the line "NO_OPENSSH = YES" to the /etc/make.conf file. This tells make not to build the base version of OpenSSH, which prevents a later system build from downgrading OpenSSH back to the older base version.

root@ns1:/usr/ports/security/openssh-portable # echo "NO_OPENSSH = YES" >> /etc/make.conf
The next step is to delete the default SSH directory built into FreeBSD, "/etc/ssh", and replace it with a symlink to the port's directory, "/usr/local/etc/ssh".

root@ns1:/usr/ports/security/openssh-portable # rm -rf /etc/ssh
root@ns1:/usr/ports/security/openssh-portable # ln -s /usr/local/etc/ssh /etc
After the symlink has been created, we continue by enabling the rc.d startup script, which starts the OpenSSH server automatically when the machine boots. To do this, edit the /etc/rc.conf file and add the following lines to it.

root@ns1:/usr/ports/security/openssh-portable # ee /etc/rc.conf
sshd_enable="NO"
openssh_enable="YES"
openssh_flags=""
openssh_pidfile="/var/run/sshd.pid"
Next, we edit the SSH server configuration file, /usr/local/etc/ssh/sshd_config.

root@ns1:~ # cd /usr/local/etc/ssh
root@ns1:/usr/local/etc/ssh # ee sshd_config

#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

Port 22
#AddressFamily any
ListenAddress 192.168.5.2
#ListenAddress ::
##AllowUsers udin@192.168.5.2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM yes

AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory /usr/local/etc/ssh
#UseBlacklist no
#VersionAddendum FreeBSD-20230316

# no default banner path
#Banner none
Banner /usr/local/etc/ssh/banner
# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
In the configuration above, OpenSSH listens on port 22 on the internal/private IP address of our FreeBSD server, 192.168.5.2.
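The configuration above is easy to misread because sshd takes the first value it sees for each keyword, so a "PermitRootLogin no" appended at the end of the file changes nothing. The following Python script is an added example (not from the article): it resolves the global section the way sshd does and lists the settings in this configuration that a reviewer would look at twice. The names parse_sshd_config and audit and the sample configuration are constructed here.

```python
import re

# Added example, not from the article: resolve the global section of an
# sshd_config the way sshd does, then flag the article's settings that a
# reviewer would question. On a live host, "sshd -T" prints the effective
# configuration authoritatively; this script only reads the file text.

# Keywords that may appear several times and accumulate rather than override.
MULTI_VALUED = {"hostkey", "listenaddress", "port", "subsystem", "acceptenv"}
_LINE = re.compile(r"([^\s=]+)\s*=?\s*(.*)$")  # "Keyword value" or "Keyword=value"

def parse_sshd_config(text):
    """Global {keyword.lower(): value or [values]}, resolved as sshd does.
    sshd_config(5): '#' starts a comment, keywords are case-insensitive, the
    FIRST value for a keyword wins (a later duplicate is ignored), and lines
    after the first Match block are conditional rather than global."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in MULTI_VALUED:
            effective.setdefault(key, []).append(value)
        elif key not in effective:
            effective[key] = value
    return effective

def audit(effective):
    """Findings for the settings the article enables; defaults per sshd_config(5)."""
    def get(key, default):
        return str(effective.get(key, default)).lower()
    findings = []
    if get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: key-only login is not enforced")
    if int(get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries %s: many guesses per connection" % get("maxauthtries", "6"))
    if not {"allowusers", "allowgroups"} & set(effective):
        findings.append("no AllowUsers/AllowGroups: every account with a shell may log in")
    return findings

# Constructed sample mirroring the article's effective settings, plus a late
# "PermitRootLogin no" that an administrator might append expecting it to win.
SAMPLE_CONFIG = """\
ListenAddress 192.168.5.2
##AllowUsers udin@192.168.5.2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
MaxAuthTries 6
PasswordAuthentication yes
#Banner none
Banner /usr/local/etc/ssh/banner
PermitRootLogin no
Match User anoncvs
    X11Forwarding no
"""
```

To check a real server, read /usr/local/etc/ssh/sshd_config into parse_sshd_config and pass the result to audit; on the sample the late "PermitRootLogin no" is ignored and four findings are reported.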


1. Create OpenSSH Keys

SSH servers authenticate clients using a number of different techniques. The most common authentication mechanisms are passwords and SSH keys. Although passwords provide some protection against unwanted access, SSH keys are by far more secure. The problem with passwords is that they are usually chosen by hand and lack length and complexity, which leaves them open to guessing attacks.

SSH keys provide a consistently secure option. Each SSH key pair consists of a private key and a matching public key, and can be used in place of a password for authentication. Follow the steps below to create an OpenSSH key pair.

root@ns1:~ # ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):  press ENTER
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): enter passphrase
Enter same passphrase again:  enter passphrase
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:0RflgIyj4gSxDsASSTM3UQsMgYLDO2GYm8lnejbNbXY root@router2
The key's randomart image is:
+---[RSA 3072]----+
|XX=*o.   o .o..  |
|@==oo . o.o  +   |
|*=+. . .... . .  |
|+* oo .  . .     |
|  *oo.. S        |
| . +.o + E       |
|  o . o .        |
|                 |
|                 |
+----[SHA256]-----+
The command above creates a new directory, /root/.ssh, containing the id_rsa file (private key) and the id_rsa.pub file (public key). Once key generation is complete, continue by installing the public key on the server you will manage remotely.

root@ns1:~ # cat ~/.ssh/id_rsa.pub | ssh root@ns1.unixexplore.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
The authenticity of host 'router2.unixexplore.com (192.168.9.3)' can't be established.
ED25519 key fingerprint is SHA256:cUadBvuFWb38iZ0cdUR8NtkOehQg8vZ3Vh7MWUTaXI0.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: router2
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'router2.unixexplore.com' (ED25519) to the list of known hosts.
                                                               #####
                                                                #######
                   #                                            ##O#O##
  ######          ###                                           #VVVVV#
    ##             #                                          ##  VVV  ##
    ##         ###    ### ####   ###    ###  ##### #####     #          ##
    ##        #  ##    ###    ##  ##     ##    ##   ##      #            ##
    ##       #   ##    ##     ##  ##     ##      ###        #            ###
    ##          ###    ##     ##  ##     ##      ###       QQ#           ##Q
    ##       # ###     ##     ##  ##     ##     ## ##    QQQQQQ#       #QQQQQQ
    ##      ## ### #   ##     ##  ###   ###    ##   ##   QQQQQQQ#     #QQQQQQQ
  ############  ###   ####   ####   #### ### ##### #####   QQQQQ#######QQQQQ
(root@ns1.unixexplore.com) Password for root@router2:  type the root password
root@ns1:~ #
The next step is to connect to the SSH server using the private key; an example follows.

root@ns1:~ # ssh -i ~/.ssh/id_rsa -p 22 root@ns1.unixexplore.com
Enter passphrase for key '/root/.ssh/id_rsa': enter passphrase
If a passphrase is used, the user is prompted for it every time a connection is made to the server. ssh-agent and ssh-add can load SSH keys into memory so the passphrase does not have to be entered each time. ssh-agent handles authentication using the private keys loaded into it, and can be used to run a shell or a window manager, among other applications. To use ssh-agent in the shell, pass the shell as a command parameter. Add an identity by running ssh-add and providing the private key's passphrase. The user can then ssh into any host where the public key is installed.

root@ns1:~ # ssh-agent csh
root@ns1:~ # ssh-add
Enter passphrase for /root/.ssh/id_rsa: enter passphrase
Identity added: /root/.ssh/id_rsa (root@ns1)
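The "cat >> ~/.ssh/authorized_keys" step above appends the key but leaves the directory and file modes as the umask made them, and with StrictModes yes (the setting in our sshd_config) sshd ignores the file when ~/.ssh or authorized_keys is group- or world-writable, so key login quietly fails over to the password prompt. The following Python script is an added example, not from the article: strict_modes_problems, parse_authorized_key and demo are names chosen here, and the key line it uses is a constructed ed25519 blob of zero bytes, not a real key.

```python
import base64
import os
import struct
import tempfile

# Added example, not from the article. With StrictModes yes (the article's
# setting) sshd ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh
# or the file is writable by group or others or not owned by the user; it logs
# "Authentication refused: bad ownership or modes" and the client falls back
# to the next method, usually the password prompt. Checks below are simplified.

def strict_modes_problems(home, uid=None):
    """Reasons sshd (StrictModes yes) would refuse to read authorized_keys."""
    uid = os.getuid() if uid is None else uid
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if not os.path.exists(path):
            problems.append("%s: missing" % path)
            continue
        st = os.stat(path)
        if st.st_uid not in (uid, 0):
            problems.append("%s: not owned by the user or root" % path)
        if st.st_mode & 0o022:
            problems.append("%s: writable by group or others" % path)
    return problems

def parse_authorized_key(line):
    """Return (key type, comment) for one option-less authorized_keys line.
    The base64 blob starts with a length-prefixed type string that must match
    the declared type; anything else is a corrupted or mis-pasted entry."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    raw = base64.b64decode(blob, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + n].decode("ascii")
    if embedded != declared:
        raise ValueError("blob is %s but line says %s" % (embedded, declared))
    return declared, comment

# Constructed key line: valid ed25519 wire format around 32 zero bytes, not a real key.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
CONSTRUCTED_KEY = "ssh-ed25519 %s udin@ns1" % base64.b64encode(_BLOB).decode("ascii")

def demo():
    """Append the constructed key as the article does ('cat >>'), record why
    sshd would refuse it, then apply the modes it requires. Returns (before, after)."""
    home = tempfile.mkdtemp()          # stands in for the user's home directory
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(ssh_dir)
    with open(keys, "a") as fh:
        fh.write(CONSTRUCTED_KEY + "\n")
    os.chmod(ssh_dir, 0o775)           # what a lax umask leaves behind
    os.chmod(keys, 0o664)
    before = strict_modes_problems(home)
    os.chmod(ssh_dir, 0o700)           # what sshd requires
    os.chmod(keys, 0o600)
    return before, strict_modes_problems(home)
```

Running demo() reports two problems before the chmod and none after; on a real account, run strict_modes_problems against the user's home directory and look for "Authentication refused" in the auth log when a key is unexpectedly rejected.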
After the OpenSSH key is created, continue by creating the OpenSSH banner file. We name the file "banner", place it in the /usr/local/etc/ssh directory, and put the following text into /usr/local/etc/ssh/banner.

root@ns1:~ # touch /usr/local/etc/ssh/banner
root@ns1:~ # ee /usr/local/etc/ssh/banner
                                                               #####
                                                                #######
                   #                                            ##O#O##
  ######          ###                                           #VVVVV#
    ##             #                                          ##  VVV  ##
    ##         ###    ### ####   ###    ###  ##### #####     #          ##
    ##        #  ##    ###    ##  ##     ##    ##   ##      #            ##
    ##       #   ##    ##     ##  ##     ##      ###        #            ###
    ##          ###    ##     ##  ##     ##      ###       QQ#           ##Q
    ##       # ###     ##     ##  ##     ##     ## ##    QQQQQQ#       #QQQQQQ
    ##      ## ### #   ##     ##  ###   ###    ##   ##   QQQQQQQ#     #QQQQQQQ
  ############  ###   ####   ####   #### ### ##### #####   QQQQQ#######QQQQQ
Now restart the OpenSSH server and check whether it is running.

root@ns1:~ # service openssh restart
Performing sanity check on openssh configuration.
Stopping openssh.
Waiting for PIDS: 2481.
Performing sanity check on openssh configuration.
Starting openssh.
root@ns1:~ #
If the output looks like the above, the OpenSSH server is running correctly.


2. Logging In With Multiple Users

One advantage of a FreeBSD server is that it can hold large numbers of users and groups, each of whom can connect to the OpenSSH server and access the FreeBSD system. This article does not cover creating users and groups; see the previous article, which discusses techniques for creating users and groups in FreeBSD.

In this article we assume the FreeBSD server has users with the following names and passwords:

User Name    User Password
udin         routerudin
anto         routeranto
jaka         routerjaka
sari         routersari

For example, suppose the user udin wants to access the OpenSSH server; the command is as follows.

root@ns1:~ # ssh udin@ns1.unixexplore.com
(udin@ns1.unixexplore.com) Password for udin@ns1: enter the password for user udin
Last login: Tue Oct 31 21:03:02 2023 from 192.168.5.2
FreeBSD 13.2-RELEASE releng/13.2-n254617-525ecfdad597 GENERIC

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List:        https://www.FreeBSD.org/lists/questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
sh (the default Bourne shell in FreeBSD) supports command-line editing.  Just
``set -o emacs'' or ``set -o vi'' to enable it. Use "<TAB>" key to complete
paths.
udin@ns1:~ $
Now we try again with the user anto, who also wants to access the SSH server. The following is an example.

udin@ns1:~ $ ssh anto@192.168.5.2
(anto@192.168.5.2) Password for anto@ns1: enter the password for user anto
Last login: Tue Oct 31 21:01:35 2023 from 192.168.5.2
anto@ns1:~ $
In another example, we use the root user to access the OpenSSH server.

anto@ns1:~ $ ssh root@192.168.5.2
(root@192.168.5.2) Password for root@ns1: enter the root password
Last login: Tue Oct 31 21:03:49 2023 from 192.168.5.2
root@ns1:~ #
In the login examples above, ns1 is the hostname of the FreeBSD server and unixexplore.com is its domain name. Having read this article, you can now connect with the ssh command and start a secure remote management session.
Iwan Setiawan