[GUIDE] Enable SSH with Public Key Authentication (Securing remote webUI access to OMV)

      Enable SSH with Public Key Authentication (Securing remote webUI access to OMV)

      Intro

      This guide covers how to enable SSH access in OMV with public key authentication (PKA). With PKA, only the person who holds the private key can log in to the server's secure shell console.

      Requirements
      • OMV 1.0 or higher
      • Linux desktop, Mac OS X, or Windows with PuTTY and PuTTYgen (or Windows with Cygwin)


      SSH Setup

      First we go to the OMV webUI. In the SSH section we enable the service and set the following options:
      - Disable root login
      - Disable interactive login (disables password authentication)
      - Enable PKA
      - Enable forwarding (used for the SOCKS proxy and tunneling)

      Screenshot-2.png

      Next we open a terminal on a Linux or OS X desktop (or use PuTTYgen on Windows, see below) to create our SSH key pair:

      ssh-keygen -t rsa

      It will prompt for a location to store the key; specify a path. The key can also be protected with a passphrase, which can be as long as you want and contain spaces, non-alphanumeric characters, etc. This creates two files: the one with the .pub extension is the public key, the one without is the private key.

      Screenshot-3.png

      /home/user/.ssh/sshremote - Private key (very important: do not lose it, and it never leaves the host where it was created)
      /home/user/.ssh/sshremote.pub - Public key


      EDIT: Since version 2.0, OpenMediaVault requires the public key to be entered in the RFC 4716 SSH public key file format. So after we create the key pair, we export the public key with:

      ssh-keygen -e -f ~/.ssh/sshremote.pub

      and copy the output to the clipboard.

      PUTTYGEN
      Once we generate the key pair in PuTTYgen, select the public key from the text field and copy it to the clipboard. Press "Save private key" (.ppk extension) and place the file in a secure location on your Windows workstation.

      puttygen.png

      Go to a *nix terminal (it can be your OpenMediaVault server), create a text file with nano sshremote.pub, paste the contents and save with CTRL+X.
      We then need to run the conversion to RFC 4716:

      ssh-keygen -e -f sshremote.pub

      Select the output and copy it to the clipboard.
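      Before pasting into OMV it is worth confirming that what is on the clipboard really is RFC 4716 and not the one-line OpenSSH format, since OMV 2.x will reject the latter. The following is an added example, not part of the original post: a small POSIX shell checker for the two formats the steps above produce. The key material in the sample files is constructed filler, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): tell an RFC 4716 public key
# file apart from the one-line OpenSSH format, and flag paste damage.
# The key bodies below are constructed filler, not real key material.

# check_rfc4716 FILE: prints a verdict; returns 0 only for a well-formed
# RFC 4716 public key file, 1 for anything OMV 2.x would reject.
check_rfc4716() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    case "$(head -n 1 "$f")" in
        "---- BEGIN SSH2 PUBLIC KEY ----") ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*)
            echo "$f is OpenSSH one-line format: run ssh-keygen -e -f $f first"
            return 1 ;;
        *)  echo "unrecognised first line in $f"; return 1 ;;
    esac
    [ "$(tail -n 1 "$f")" = "---- END SSH2 PUBLIC KEY ----" ] \
        || { echo "missing END line in $f"; return 1; }
    # Between the markers RFC 4716 allows "Tag: value" headers (a trailing
    # backslash continues a header) followed by base64 lines of at most 72
    # characters. Anything else means the paste went wrong.
    bad=$(sed '1d;$d' "$f" | awk '
        cont               { cont = ($0 ~ /\\$/); next }
        /^[A-Za-z0-9-]+: / { cont = ($0 ~ /\\$/); next }
        length($0) > 72 || $0 !~ /^[A-Za-z0-9+\/=]+$/ { print "line " NR+1 ": " $0 }
    ')
    if [ -n "$bad" ]; then
        echo "malformed body in $f:"; echo "$bad"; return 1
    fi
    echo "$f is a valid RFC 4716 public key file"
    return 0
}

# --- constructed sample files -------------------------------------------
TMP=$(mktemp -d)
ONELINE_KEY="$TMP/sshremote.pub"       # what ssh-keygen -t rsa writes
GOOD_KEY="$TMP/sshremote.rfc4716"      # what ssh-keygen -e -f prints
BODY1=AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BODY2=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BODY3=xxxxxxxxxxxxxxxxxxxxxxxxxxxx==

printf '%s\n' "ssh-rsa $BODY1$BODY2$BODY3 user@desktop" > "$ONELINE_KEY"
{
    echo '---- BEGIN SSH2 PUBLIC KEY ----'
    echo 'Comment: "2048-bit RSA, constructed sample"'
    printf '%s\n' "$BODY1" "$BODY2" "$BODY3"
    echo '---- END SSH2 PUBLIC KEY ----'
} > "$GOOD_KEY"

check_rfc4716 "$ONELINE_KEY" || true   # expected: needs conversion
check_rfc4716 "$GOOD_KEY"              # expected: valid
```

      Run it against the file you are about to paste (check_rfc4716 sshremote.pub); a header line other than the BEGIN marker, a line longer than 72 characters, or a stray character from the clipboard all produce a FAIL with the offending line number.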

      Now we go to the Users section in OMV and create a dummy user (you can use an existing one if you wish): give him a password, put him in the SSH group and give him a restricted bash (rbash) as shell. Then we go to the Public keys tab, click Add and paste the contents of sshremote.pub converted to RFC 4716. Finally we save.

      Screenshot-7.png

      EDIT: This is the panel in OMV 2.0 or higher, which requires the RFC 4716 format and allows multiple public keys per user.

      omv 2.x.png

      Now, on the same Linux desktop, we can type in a terminal:

      ssh ssh-user-access@IP_OF_NAS -i ~/.ssh/sshremote

      If the private key is passphrase protected, it will ask for the passphrase.

      For PuTTY:

      Go to Connection->SSH->Auth, click Browse under "Private key for authentication" and select the .ppk file (private key) you saved before.

      putty.png

      If we must perform root operations, we type su in the console and enter the root password.

      Screenshot-Terminal.png

      This scheme provides three layers of security for your SSH access:
      1. Brute-force SSH logins always try the root user name; here root login is disabled, so that is one more variable a remote attacker has to deal with.
      2. Only the ssh-user-access user is authorised to log in, and only if he possesses the private key.
      3. If your private key is compromised and someone gains a login, he still needs to bypass the restricted shell and guess the root password to become root.
      Security notes:
      • You can forward any port in your router to port 22 on your server. Do not forward port 22 itself; use a high random port instead. This brings the bots fingering on the WAN line almost to zero, since they always target standard ports.
      • As a security policy the private key never leaves the client. That's why you create the key pair at the remote site. The public key can travel through text messages, chats, clipboards, private messaging, mail, etc. without any security concern, so don't worry. If you want to give a friend access to your server, tell him/her to generate their own key pair on their PC and send the public key to you by any transport, then paste the key in place.
      • Don't use passphrase-protected keys if you're going to use them in non-interactive mode, for example a cron task running rsync over SSH.
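      The webUI checkboxes end up as sshd directives on the server, and it is good practice to confirm that /etc/ssh/sshd_config (or the effective configuration from sshd -T) really reflects the three layers described above. The following is an added example, not part of the original post: a POSIX shell audit of the four settings. The mapping of the panel's checkboxes to the directives PermitRootLogin, PasswordAuthentication, PubkeyAuthentication and AllowTcpForwarding is my assumption, and the two configuration files it inspects are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# four settings the guide toggles in the OMV SSH panel. The mapping of the
# panel's checkboxes to sshd directives is an assumption of this example;
# both sample config files below are constructed.

# setting DIRECTIVE FILE: print the first value of DIRECTIVE, lower-cased.
# sshd honours the first occurrence of a keyword, and everything after a
# Match line is conditional, so the scan stops there.
setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$2"
}

# audit_sshd FILE: one line per directive; the return value is the number of
# findings, so 0 means the file matches the guide. A directive that is not
# set at all counts as a finding, because its default depends on the
# OpenSSH version rather than on anything the guide controls.
audit_sshd() {
    findings=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes AllowTcpForwarding=yes; do
        directive=${pair%=*}
        wanted=${pair#*=}
        actual=$(setting "$directive" "$1")
        if [ "$actual" = "$wanted" ]; then
            echo "ok    $directive $actual"
        else
            echo "FAIL  $directive ${actual:-<not set>} (guide wants $wanted)"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# --- constructed sample files -------------------------------------------
TMP=$(mktemp -d)
WEAK_CFG="$TMP/sshd_config.before"
HARD_CFG="$TMP/sshd_config.after"

# Constructed sample: a server before the guide, root login still allowed and
# password authentication left at whatever the default is.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding yes
EOF

# Constructed sample: the same server with the guide's four options applied.
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
EOF

audit_sshd "$WEAK_CFG" || echo "-> $? finding(s) in $WEAK_CFG"
audit_sshd "$HARD_CFG" && echo "-> $HARD_CFG follows the guide"
```

      On the OMV box itself, sudo sshd -T > /tmp/effective && audit_sshd /tmp/effective checks the values sshd actually loaded rather than the file on disk, which also catches a setting overridden by an Include or a typo sshd ignored.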
      Using a SOCKS PROXY

      The SSH daemon can create secure tunnels inside the SSH layer: it can bring remote ports on the server to localhost on the client so you can reach certain services (ports). SSH can also create tunnels dynamically, which a web browser can use as a SOCKS proxy to reach remote web resources.

      In this case we just change the connection command in the terminal to specify the dynamic port:

      ssh ssh-user-access@WAN_IP -i ~/.ssh/sshremote -D9000

      In PuTTY, in the Tunnels section:

      FNrpL.jpg

      The above case assumes you forwarded the WAN port to the internal OMV IP.

      Then in the web browser, in Firefox we can specify the SOCKS proxy in the network settings:

      Screenshot-6.png

      After this Firefox will pass all traffic through the SSH tunnel. If you access remotely from the WAN, you just type the OMV internal LAN IP address and it will display the webUI login. You can also reach all other LAN clients that have internal web services available in the LAN.

      This setup avoids opening a port in the router for the OMV webUI, limiting access to people who can establish a secure tunnel to the internal LAN resources.

      Using a SSH CONFIG

      The OpenSSH client on Linux and OS X reads the default ~/.ssh/config file, which can hold different client configurations for different servers. So you can create that file and add this content:

      Source Code

      Host omv
      Hostname 10.1.1.20
      User ssh-user-access
      Compression yes
      Port 22
      IdentityFile ~/.ssh/sshremote


      Then you access the server by just typing ssh omv in a terminal.
      You can add as many configurations as you want inside the file, just make sure they have different Host values.

      You can read about more directives by typing man ssh_config in a terminal.

      Note: the "~" character represents, on Linux (Unix) and OS X, the home folder of the current user in the terminal.
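      The config file approach also covers the SOCKS proxy from the previous section: DynamicForward is the config-file equivalent of -D9000, so a second Host block saves typing the long command. The following is an added example, not part of the original post: it writes such a two-block config to a scratch directory (not to ~/.ssh/config) and checks for the mistake warned about above, two blocks sharing a Host value. The address, user and key name are the guide's; the WAN host name and router port are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a ~/.ssh/config with the guide's
# "omv" entry plus a second Host block that opens the SOCKS proxy, and a check
# for duplicate Host aliases. nas.example.net and port 48222 are constructed
# placeholders for your WAN name and the high random port the router forwards.

# write_config FILE: write the sample client configuration.
write_config() {
    cat > "$1" <<'EOF'
Host omv
    Hostname 10.1.1.20
    User ssh-user-access
    Compression yes
    Port 22
    IdentityFile ~/.ssh/sshremote

# Same server reached from the WAN through the router's high random port,
# with the SOCKS proxy listening on localhost:9000 ("ssh omv-socks")
Host omv-socks
    Hostname nas.example.net
    Port 48222
    User ssh-user-access
    IdentityFile ~/.ssh/sshremote
    DynamicForward 9000
EOF
}

# list_hosts FILE: print every alias declared on a Host line (one line may
# declare several, and ssh_config keywords are case-insensitive).
list_hosts() {
    awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# duplicate_hosts FILE: print aliases declared more than once; returns 1 if
# there are any. ssh does not complain about this: it simply takes the first
# value it sees for each option, so the second block is partly ignored.
duplicate_hosts() {
    dups=$(list_hosts "$1" | sort | uniq -d)
    [ -z "$dups" ] && return 0
    echo "$dups"
    return 1
}

# --- demonstration on constructed files ---------------------------------
TMP=$(mktemp -d)
CFG="$TMP/config"
write_config "$CFG"
echo "aliases in $CFG:"; list_hosts "$CFG"
duplicate_hosts "$CFG" && echo "no duplicate Host values"

# The mistake: a second "Host omv" block pasted at the end of the file.
DUP_CFG="$TMP/config.dup"
{ cat "$CFG"; printf 'Host omv\n    Hostname 10.1.1.21\n'; } > "$DUP_CFG"
duplicate_hosts "$DUP_CFG" || echo "^ duplicate Host value(s) in $DUP_CFG"
```

      With the real file in place, ssh omv-socks then opens the tunnel and ssh -G omv-socks prints the options the client resolved for that alias, which is the quickest way to see which block won when aliases collide.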

      Questions / Problems / Discussions
      Click here to get to the discussions thread
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server

      The post was edited 40 times, last by subzero79.