Change the web gui admin user name in System|General under WebGUI->Username.
Change the default password in System|General|Password.
Set up key pair authentication for SSH to secure FreeNAS.
Clean out any existing files in ~/.ssh on your client machine.
At command prompt on client:
$ ssh-keygen -t rsa
Accept the location where ssh-keygen wants to store the keys (~/.ssh).
Enter a pass phrase twice to confirm. This pass phrase protects the private key (id_rsa) on the client; you will be asked for it whenever the key is used.
Keys are now in ~/.ssh
I created the home directory in /mnt/FileServer and chown’d it to root:wheel.
mkdir /mnt/FileServer/home
chown root:wheel /mnt/FileServer/home
Created the myuser directory in /mnt/FileServer/home.
In the web UI, under Access|Users|Edit for my user, I set the Home directory to /mnt/FileServer/home/myuser/
The reason we can’t use the default ~ directory under /mnt is that everything outside /mnt/FileServer (the mount point of my RAID) is part of the FreeNAS ROM image.
It’s destroyed on each reboot, so anything stored there (such as ~/.ssh/authorized_keys) would be lost. Matt Rude brought this to my attention here
Log in to FreeNAS using SSH
ssh myuser@nameoffileserver
Create the .ssh directory in /mnt/FileServer/home/myuser/
As myuser, create the authorized_keys file in /mnt/FileServer/home/myuser/.ssh if it doesn’t already exist:
$ touch authorized_keys
Copy the public key to the file server
scp ~/.ssh/id_rsa.pub myuser@nameoffileserver:
Make sure you have the colon at the end of the above command, else the file won’t be copied (the trailing colon tells scp to put the file in the remote home directory).
Type yes at the prompt saying the authenticity of the server you are trying to scp to can’t be established and asking whether you want to continue; ideally compare the fingerprint it shows against the one on the FreeNAS console first.
The server you are trying to connect to is then added to the list of known hosts on the local machine.
That’s /home/myuser/.ssh/known_hosts
On the server, from the ~ directory (that’s /mnt/FileServer/home/myuser in our case),
append the public key to the list of authorized clients that may connect to sshd:
$ cat id_rsa.pub >> .ssh/authorized_keys
Although a better way to copy the public key is ssh-copy-id, which copies it and appends it to the remote authorized_keys in one step:
ssh-copy-id MyUserName@MyWindows7Box
We need to change some permissions on…
Your home directory on the server (/mnt/FileServer/home/myuser) may have the wrong permissions. sshd will refuse key authentication if the home directory is writable by group or other, so we need to remove those write perms.
$ su root
# chmod go-w /mnt/FileServer/home/myuser
The /mnt/FileServer/home/myuser/.ssh directory was already 755, so
# chmod go-w /mnt/FileServer/home/myuser/.ssh
had no effect.
/mnt/FileServer/home/myuser/.ssh/authorized_keys needed to be chmod 600. In fact, anything and everything in the ~/.ssh directory (if there is anything else) needs to be chmod 600.
Also need to make sure the file is owned by myuser, not root:
nameoffileserver:/mnt/FileServer/home/myuser/.ssh# chown myuser authorized_keys
We can now remove ~/id_rsa.pub from the server, now that the key is in ~/.ssh/authorized_keys:
$ rm ~/id_rsa.pub
You should now be able to log in using key pair authentication.
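The permission and ownership steps above are exactly what sshd checks (StrictModes) before it will honour authorized_keys, and a mistake in any one of them silently falls back to a password prompt. The script below is an added example, not part of the original post: it audits a home directory for those conditions and applies the same chmod/chown fixes; the home path and user name are arguments, and nothing in it is FreeNAS-specific.

```shell
#!/bin/sh
# Audit and repair the permissions sshd (StrictModes) requires before it
# will honour ~/.ssh/authorized_keys, mirroring the walkthrough's steps.
# Usage: ssh_perm_audit /mnt/FileServer/home/myuser myuser
#        ssh_perm_fix   /mnt/FileServer/home/myuser myuser

mode_of()  { ls -ld  "$1" | cut -c2-10; }        # nine chars, e.g. rwxr-xr-x
owner_of() { ls -ldn "$1" | awk '{print $3}'; }  # numeric uid of the owner

# ssh_perm_audit HOME USER: print each problem, return 0 only if all is well.
ssh_perm_audit() {
  home=$1; uid=$(id -u "$2") || return 2; bad=0
  for d in "$home" "$home/.ssh"; do
    [ -d "$d" ] || { echo "FAIL: $d missing"; bad=1; continue; }
    m=$(mode_of "$d"); o=$(owner_of "$d")
    # group write is the 5th mode char, other write the 8th
    case "$m" in
      ????w????|???????w?) echo "FAIL: $d is group/other writable ($m)"; bad=1 ;;
    esac
    # sshd accepts the directory if it belongs to the user or to root
    [ "$o" = "$uid" ] || [ "$o" = 0 ] ||
      { echo "FAIL: $d owned by uid $o, not $2 or root"; bad=1; }
  done
  [ -f "$home/.ssh/authorized_keys" ] ||
    { echo "FAIL: $home/.ssh/authorized_keys missing"; bad=1; }
  for f in "$home/.ssh"/*; do   # everything in .ssh must be 600 and user-owned
    [ -f "$f" ] || continue
    m=$(mode_of "$f"); o=$(owner_of "$f")
    [ "$m" = "rw-------" ] || { echo "FAIL: $f mode $m, want rw-------"; bad=1; }
    [ "$o" = "$uid" ]      || { echo "FAIL: $f owned by uid $o, not $2"; bad=1; }
  done
  return $bad
}

# ssh_perm_fix HOME USER: apply the same chmod/chown steps as the walkthrough.
ssh_perm_fix() {
  home=$1; user=$2
  chmod go-w "$home" "$home/.ssh" || return 1
  for f in "$home/.ssh"/*; do
    [ -f "$f" ] || continue
    chmod 600 "$f" && chown "$user" "$f" || return 1
  done
}
```

Run the audit after every change; if it still fails, the problem is in the listed path rather than in the key itself.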
Turned password authentication off and changed the default SSH port in the web GUI under Services|SSH.
Turned SSL on to access the web GUI in System|General Setup.
When I open up the FreeNAS server to the internet, it’ll be by way of SSH tunnel rather than just opening up the firewall to https to the server.
Looks like there is a pretty simple guide here to do that.
Used the following resources:
http://www.learnfreenas.com/blog/
http://phanvinhthinh.blogspot.com/2010/02/how-to-secure-your-freenas-server.html
http://www.freenaskb.info/kb/?View=entry&EntryID=257
http://www.learnfreenas.com/blog/2009/07/22/how-to-connect-to-your-freenas-server-via-ssh-without-a-password-password-free-logins-via-public-key-authentication/
http://www.freebsd.org/doc/en/articles/committers-guide/ssh.guide.html
Tags: FreeBSD, FreeNAS, Networking, Security, SSH
April 27, 2013 at 18:19
This is a really good tip especially to those fresh to the blogosphere.
Short but very accurate information… Many thanks for sharing this one.
A must read post!