How to set SSH Host Key?

keleathi

Cadet
Joined
Mar 29, 2019
Messages
2
I'm looking for how to set the SSH host keys. (I have a network scanner which requires a match on the SSH host key pair in order to allow an SFTP connect which means that I need the FreeNAS system to have a fixed host key). I had this working on an older version of FreeNAS.

I'm now on FreeNAS-11.2-RELEASE-U1 and I can't find a way to do so.

The GUI field seems to have been removed as part of the following bug report: https://redmine.ixsystems.com/issues/6674.

Is there any way to fix this on the shell, or do I need to open a feature request?

Thanks!
 

dlavigne

Guest
The system already has several automatically generated host keys (for different algorithms). They are located in /etc/ssh .
 

pasiz

Explorer
Joined
Oct 3, 2016
Messages
62
I'm looking for how to set the SSH host keys. (I have a network scanner which requires a match on the SSH host key pair in order to allow an SFTP connect which means that I need the FreeNAS system to have a fixed host key). I had this working on an older version of FreeNAS.

I'm now on FreeNAS-11.2-RELEASE-U1 and I can't find a way to do so.

The GUI field seems to have been removed as part of the following bug report: https://redmine.ixsystems.com/issues/6674.

Is there any way to fix this on the shell, or do I need to open a feature request?

Thanks!

In my understanding the GUI has never worked in that manner.


Use ssh-keygen to generate key-pairs. They are stored in the user's home directory, under ~/.ssh/

For further information, execute in console:

man ssh-keygen

An easy way to spread your key-pair's public key is ssh-copy-id.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Use ssh-keygen to generate key-pairs. They are stored in the user's home directory, under ~/.ssh/
OP is talking about the server's key, not user keys--different things.
 

pasiz

Explorer
Joined
Oct 3, 2016
Messages
62
OP is talking about the server's key, not user keys--different things.

OP was asking how to have a fixed key on the server (in my understanding it is, in my freenas at least, not changing between boots).

SFTP authentication is then made with the user keypair.

ssh-keygen can also be used to generate a new server key, if needed. But matching the keypair against the server key is done by accepting the server key on connect. I have never changed a server's private/public key on a single server (it is only necessary in cluster systems or after a private key leak).
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
in my understanding it is, in my freenas at least, not changing between boots
Your understanding is correct, which makes OP's question kind of strange. The question really only makes sense if the scanner application has a hard-coded host key and there's no way to update that key, which would be exceedingly poor design.
 

PesterT

Cadet
Joined
Nov 23, 2019
Messages
1
In case someone does want to do this (see also previous threads), the keys are stored in /data/freenas-v1.db across reboots, but instead of accessing the database manually, you can just overwrite the keys in /usr/local/etc/ssh/ and run /etc/ix.rc.d/ix_sshd_save_keys (or just restart SSH, since ix_sshd_save_keys is run on sshd start/reload/restart).

If you simply want to regenerate the keys, then deleting them and restarting SSH should work (since the startup scripts will generate missing keys, and then ix_sshd_save_keys will run). It may be worth restarting the server to check that it has persisted correctly.

(FWIW I regenerated keys because I wanted to make sure that the keys were generated after the system had collected a reasonable amount of entropy, and I wanted to upgrade RSA to a 4096-bit key and disable DSA.)
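
The regenerate-and-verify procedure from the post above, as an added example that is not part of the original post or of FreeNAS: it stages a 4096-bit RSA and an Ed25519 host key, records their fingerprints, and later checks whether the keys in the SSH directory still match (a mismatch after a restart or reboot means the old keys came back from the configuration database). The script name `hostkeys.sh`, the function names and `/root/newkeys` are hypothetical; the FreeNAS path is the one given in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up here;
# the FreeNAS path in the usage notes is the one given in the post above.
set -eu

# SHA256 fingerprint of a public key file, as printed by "ssh-keygen -l".
host_key_fp() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# Generate a 4096-bit RSA and an Ed25519 host key pair (no DSA) in directory $1.
stage_host_keys() {
    mkdir -p -m 700 "$1"
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$1/ssh_host_rsa_key"
    ssh-keygen -q -t ed25519 -N '' -f "$1/ssh_host_ed25519_key"
}

# Print "fingerprint filename" for every host public key in directory $1.
record_fps() {
    for pub in "$1"/ssh_host_*_key.pub; do
        echo "$(host_key_fp "$pub") $(basename "$pub")"
    done
}

# Compare the fingerprints recorded in file $1 with the keys now in directory
# $2. Returns 1 if any key is missing or differs, e.g. because the old key
# was restored from the configuration database.
check_fps() {
    rc=0
    while read -r want name; do
        got=$(host_key_fp "$2/$name" 2>/dev/null || true)
        if [ "$got" = "$want" ]; then
            echo "OK      $name"
        else
            echo "CHANGED $name (now: ${got:-missing})"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage on the NAS, as root (hostkeys.sh and /root/newkeys are placeholders):
#   sh hostkeys.sh stage /root/newkeys > /root/newkeys.fps
#   cp -p /root/newkeys/ssh_host_* /usr/local/etc/ssh/   then restart SSH
#   sh hostkeys.sh check /root/newkeys.fps /usr/local/etc/ssh   (after reboot)
case "${1:-}" in
    stage) stage_host_keys "$2" && record_fps "$2" ;;
    check) check_fps "$2" "$3" ;;
esac
```

Keep the recorded fingerprint file off the NAS as well, since it is also what a client that pins the host key should be configured with.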
 

ursaiz

Cadet
Joined
May 29, 2021
Messages
1
Hi,

I'm trying to regenerate the ssh_host keys, but it seems to read them again from the DB when I restart the SSH service. I'm trying to template it as a VM on the last 12 version (U3). Has anyone tried this?

Code:
root@truenasXXXX[~]# ssh-keygen -lf /usr/local/etc/ssh/ssh_host_rsa_key -E md5
3072 MD5:57:0a:a7:82:14:8c:9b:d9:ed:11:fc:89:01:01:0e:cc root@truenasXXX.local (RSA)
root@truenasXXX[~]# rm -f /usr/local/etc/ssh/ssh_host_*
root@truenasXXX[~]# curl -k -u root:XXXXXX -X POST "https://10.5.98.104/api/v2.0/service/restart" -H "accept: */*" -H "Content-Type: application/json" -d "{\"service\":\"ssh\",\"service-control\":{\"ha_
true#
root@truenasXXXX[~]# ssh-keygen -lf /usr/local/etc/ssh/ssh_host_rsa_key -E md5
3072 MD5:57:0a:a7:82:14:8c:9b:d9:ed:11:fc:89:01:01:0e:cc root@truenasXXXX.local (RSA)


Thanks
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
FreeNAS/TrueNAS have never supported setting a specified SSH host keypair--it's auto-generated on the first boot, saved to the configuration database, and it's static from there on out. There's never been a way to (effectively) set it through the GUI, and there's no way to do so today; I don't believe it's possible to do it through the API either. The ticket referenced two years ago up-thread removed the field from the GUI, but (according to the comments on that ticket) that field never did anything anyway. I'm not sure what value this would have, but if you have a perceived need to be able to set the SSH host keypair to use your pre-generated keys, I'd suggest filing a ticket using the "report a bug" link at the top of the page.
 