Use multiple SSH clients with one user

[petersonguo]

I'm kind of new to all this networking stuff and I was trying to setup ssh with multiple client systems for one of my users. I have a Windows 10 PC and a Linux Laptop and I am trying to get both of them to access the same user but only the Linux laptop is able to use SSH while the Windows PC says Permission denied (publickey) even though I copied the public key over to the windows system.

I have tried to follow this thread: https://www.truenas.com/community/t...ser-connecting-from-multiple-computers.35906/ but nothing seems to work.

 

[Samuel Tai]

What version of TrueNAS?

 

[petersonguo]

What version of TrueNAS?

12.1

 

[Samuel Tai]

Are you sure? There was no version 12.1 released. The current versions in circulation are 12.0-U8.1 and 13.0. You can find the version in the Dashboard.

 

[petersonguo]

Are you sure? There was no version 12.1 released. The current versions in circulation are 12.0-U8.1 and 13.0. You can find the version in the Dashboard.

My bad it’s 12.0-U8.1

 

[Samuel Tai]

OK, I think you have the right idea, but the wrong keys. For SSH from different clients, the SSH target needs the public key for the user installed. (This would be pasted into the user's SSH public key field in the Users GUI in TrueNAS.) Each client would then have the private key installed. This makes sense, as the SSH server is considered "public" (pretend it's on the Internet), so the clients would be considered "private".

For the Linux client, the private key goes in ~/.ssh/id_rsa, and ~/.ssh/id_rsa.pub gets copied to the SSH server's ~/.ssh/authorized_keys.

For the Windows client, assuming you're using PuTTY, you'll need PUTTYGEN.exe to convert the private key to PuTTY's PPK private key format, and will use the path for the PPK in PuTTY's Connection->SSH->Auth->Private key file for authentication.

 

[petersonguo]

Thanks. I will try this. Does truenas have a feature where you can use multiple keys though? I didn’t want to reuse keys and I was thinking I could have something like Github’s key authentication.

 

[jgreco]

Does truenas have a feature where you can use multiple keys though?

No. SSH is not TrueNAS functionality. It's just the commonly available OpenSSH. OpenSSH will allow you as many keys as you like. The TrueNAS GUI is just a wrapper to edit OpenSSH's ~/.ssh/authorized_keys

The one thing to note here is that there's probably some limit to the TrueNAS GUI and how many lines of authorized_keys content it will safely tolerate, so you are probably better off editing the user's ~/.ssh/authorized_keys file directly, rather than using the GUI. It would probably be super annoying to try to manage more than two keys through the GUI IMO, and once you get rid of that aspect, then, yes, you can have thousands of keys in the file.

 

[petersonguo]

No. SSH is not TrueNAS functionality. It's just the commonly available OpenSSH. OpenSSH will allow you as many keys as you like. The TrueNAS GUI is just a wrapper to edit OpenSSH's ~/.ssh/authorized_keys

The one thing to note here is that there's probably some limit to the TrueNAS GUI and how many lines of authorized_keys content it will safely tolerate, so you are probably better off editing the user's ~/.ssh/authorized_keys file directly, rather than using the GUI. It would probably be super annoying to try to manage more than two keys through the GUI IMO, and once you get rid of that aspect, then, yes, you can have thousands of keys in the file.

I got that it’s an OpenSSH feature but when I edit the authorized_keys file and put an extra line with a second public key, it also appears in the TrueNAS gui and I am unable to ssh into the NAS since the public key in the truenas gui is just both the keys that I put in the authorized_keys file. So my question was if there was a TrueNAS feature that omits this

 

[jgreco]

I got that it’s an OpenSSH feature but when I edit the authorized_keys file and put an extra line with a second public key, it also appears in the TrueNAS gui and I am unable to ssh into the NAS since the public key in the truenas gui is just both the keys that I put in the authorized_keys file. So my question was if there was a TrueNAS feature that omits this

Yes, it's supposed to show up in the GUI, but the GUI is a poor interface for editing more than maybe two records, in my opinion.

The TrueNAS GUI has absolutely NOTHING to do with the operation of OpenSSH, however. If you edited the authorized_keys file and put an extra line in with a second key, and it didn't work, you need to debug that as an SSH problem. The TrueNAS middleware and GUI are not involved in that workflow, it's just your client, sshd, and the local shell. Look at the logs and see what's happening.

OpenSSH is very twitchy and it is entirely possible that you've made an error in permissions on the file, or on the homedir/dotsshdir. I don't know how robust the GUI is these days; it used to be that you could break OpenSSH by reassigning the UID of a user in the GUI, causing OpenSSH to see the "old" UID as a mismatched UID, and it'd refuse the file. There are probably all sorts of edge cases that may be hurting you. It is best to treat debugging SSH problems as a pure FreeBSD or Linux issue, looking at the error messages, permissions, etc., directly, and then once you resolve your boggle, try the GUI and see if anything breaks.

This is one of those cases where it really pays off to remember that the GUI is "just" a wrapper there to help you manage a common UNIX operating system. This means it can save you from mistakes, but it also isn't really smart enough to capture every potential misconfiguration. Misconfigurations CAUSED by the GUI are certainly something the development team will want to fix, but in my experience those are kinda rare.

 

[petersonguo]

I ended up fixing it by deleting the .ssh folders in root and my user and created another public key that I pasted in the gui to reconfigure the .ssh folders. Then I used chmod to set the correct positions and pasted the multiple keys into the authorized_keys file and it started working. Thanks for your help though. Loved how detailed the responses were.

 

[jgreco]

Loved how detailed the responses were.

Careful, though, sometimes we dig really deep rabbit holes.