Let’s kick things off by learning how to configure pfSense remote access using SSH.
First things first. SSH stands for secure shell.
The advantage of using a secure shell over telnet cannot be overemphasized. For one thing, telnet sends your login credentials in an unencrypted format (plain text), whereas SSH encrypts your credentials.
As if this were not enough, SSH can further enhance your security through RSA (Rivest Shamir Adleman) and DSA (Digital Signature Algorithm) keys for digitally signing and encrypting your data. After all, security is the major reason why we are deploying pfSense, right? This is an enhancement over the traditional username and password login, which is still secure and available in SSH. We will first cover SSH with the traditional username and password login, and then we will generate keys to sign in to our pfSense system.
Configure PFsense Remote Access using SSH Username and Password
To enable SSH on pfSense, navigate to System -> Advanced and click on Admin Access.
Next scroll down the page to the secure shell section and tick secure shell server. It is widely known that ssh uses port 22. Hackers may try to exploit this port at various times, so it may be a good practice to change the port number to something else, say, 2222. Now scroll down to the bottom of the page and click save.
TEST IF THIS SETUP WORKED.
To test our configuration easily, download PuTTY, a free SSH client for Windows, from https://www.putty.org. Install it and launch it.
Enter the IP address of your pfSense router in the hostname field. Enter the port number, 2222 in our case, in the port field. You can choose to save the session, and then click open.
PuTTY will probably show a warning requesting that you click yes only if you trust the host. Simply click yes and proceed.
Log in with your admin username and password, and you will be taken to the familiar-looking screen to configure pfSense.
For Linux users, the ssh client is already present in almost all Linux distros. In most cases, a simple:
# ssh -p 2222 username@pfsense-ip-address
will take you to the pfSense console (-p 2222 matches the port we set earlier).
e.g. # ssh -p 2222 firstname.lastname@example.org
More Secure Way To Configure PFsense Remote Access using SSH Public Keys
If you want to use a more secure form of accessing pfsense via ssh, click on System -> Advanced -> and in the secure shell section, make sure that public key only is selected for the sshd key. This will enable access for each user who has the authorized ssh keys. You could, however, choose to enable both public key access and password access if you like.
To generate RSA or DSA keys, visit this link to download a small nifty program called puttygen. https://www.puttygen.com/
Launch the puttygen program and tick RSA or DSA in the parameters section. Note: RSA is faster than DSA in verifying digital signatures while DSA is faster than RSA in generating digital signatures.
Click on the generate button to generate 2 keys (public and private) with a key size of 2048 bits.
You will have to move your mouse randomly over the blank space to generate the keys.
Click on Save private key to save the private key to your computer. This will be needed later by your SSH client (PuTTY).
Now copy the public key shown above.
Switch to your pfsense web configurator, navigate to System -> User manager, and click on users tab.
Click on the edit button beside the user you want to authorize using the RSA key.
Locate the keys section and paste the public key in the authorized RSA key field. Now click on save.
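Before pasting, you can check that what you copied really is a one-line OpenSSH public key of the expected strength. The following is an added example, not part of the original guide: it parses the key line, rejects private key material and RSA keys shorter than 2048 bits, and returns the fingerprint in the SHA256 format that ssh-keygen -l prints. The function names and the sample key (a constructed blob, not a usable key) are assumptions made for illustration.

```python
import base64, hashlib, struct

def _read_string(buf, off):
    """Read one length-prefixed field (RFC 4251 'string') starting at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_public_key(line, min_rsa_bits=2048):
    """Validate '<type> <base64> [comment]'; return (type, rsa_bits, fingerprint)."""
    if "PRIVATE KEY" in line or line.startswith("PuTTY-User-Key-File"):
        raise ValueError("private key material: keep it on the client only")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]' on one line")
    blob = base64.b64decode(fields[1], validate=True)  # bad base64 -> ValueError
    inner_type, off = _read_string(blob, 0)
    if inner_type != fields[0].encode():
        raise ValueError("key type label does not match the key data")
    bits = None  # only computed for RSA keys
    if fields[0] == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent
        n, off = _read_string(blob, off)    # modulus
        bits = int.from_bytes(n, "big").bit_length()
        if bits < min_rsa_bits:
            raise ValueError(f"RSA modulus is only {bits} bits")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fields[0], bits, fingerprint

def make_sample_rsa_line(bits):
    """Build a CONSTRUCTED ssh-rsa line (arbitrary modulus, not a usable key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    def mpint(i):
        return s(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    n = (1 << (bits - 1)) | 1
    blob = s(b"ssh-rsa") + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " admin@constructed-example"

if __name__ == "__main__":
    print(inspect_public_key(make_sample_rsa_line(2048)))
```

Compare the returned fingerprint with the one your key generator displays for the same key to confirm that nothing was lost or altered while copying.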
One more step to go, be patient.
Open up the PuTTY client (not puttygen). In the left category pane, click on the + sign next to Connection to reveal SSH, then click on the + sign next to SSH to reveal Auth. Click directly on Auth and browse to the location of your private key, the same key you saved on your computer earlier.
You can now click directly on Session in the left pane of the PuTTY program. Enter the IP address for pfSense and the correct port. Click on open.
Enter your admin username; you do not need to enter a password to be taken to the pfSense console.
This wraps up our guide on How To Configure PFsense Remote Access using SSH.