[GUIDE] Enable SSH with Public Key Authentication (Securing remote webUI access to OMV)

    • Official post

    Intro


    This guide covers how to enable SSH access in OMV with public key authentication (PKA). Once set up, only the person holding the matching private key can log in to the OMV shell on the server; password guessing no longer works against the SSH service.


    Requirements

    • OMV 1.0 or higher
    • Linux desktop, Mac OS X, or Windows with PuTTY and PuTTYgen (or Windows with Cygwin)


    SSH Setup


    First we go to the OMV webUI. In the SSH section, enable the service and set the following options:
    - Disable root login (checked)
    - Disable interactive login, i.e. password authentication (checked)
    - Enable PKA, public key authentication (checked)
    - Enable forwarding (checked; this is needed for the SOCKS proxy and tunnelling described below)

    Caveat: disable interactive login only after the public key has been installed and a key login has been tested, otherwise you lock yourself out of SSH (the webUI itself is unaffected).


    Screenshot-2.png
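    As an added example that is not part of the original guide, the following Python script audits an sshd_config text for the settings those four checkboxes are meant to produce. It assumes (the guide does not say so) that the OMV options correspond to the PermitRootLogin, PasswordAuthentication, PubkeyAuthentication and AllowTcpForwarding directives; verify the effective values on the NAS with sshd -T. The parser also reproduces one sshd rule that causes confusion: for each keyword the first value in the file wins, and directives under a Match line are conditional rather than global. The three sample configs are constructed, not taken from an OMV install.

```python
import re
import sys

# Directives the OMV SSH checkboxes are assumed to write (assumption, not from
# the guide) and the values this guide wants.  Verify with `sshd -T` on the NAS.
WANTED = {
    "permitrootlogin": "no",          # "Disable root login"
    "passwordauthentication": "no",   # "Disable interactive login"
    "pubkeyauthentication": "yes",    # "Enable PKA"
    "allowtcpforwarding": "yes",      # "Enable forwarding" (SOCKS / tunnels)
}

# What sshd assumes when a directive is absent.  PermitRootLogin defaulted to
# "yes" before OpenSSH 7.0 and to "prohibit-password" since; both still allow
# root in some form, so a missing line counts as not hardened.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
}


def effective_settings(text):
    """Return the effective *global* settings of an sshd_config text.

    sshd keeps the FIRST value it sees for a keyword; later duplicates are
    ignored.  Keywords are case-insensitive and 'Key value' or 'Key=value'
    are both accepted.  Everything after the first 'Match' line applies only
    to matching connections, so parsing of global settings stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit(text):
    """Return a list of (directive, effective_value, wanted_value) mismatches."""
    eff = effective_settings(text)
    findings = []
    for key, want in WANTED.items():
        have = eff.get(key, DEFAULTS[key]).lower()
        if have != want:
            findings.append((key, have, want))
    return findings


# Constructed sample configs (not from a real OMV installation).
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
"""

# A common mistake: appending the "fix" at the bottom of the file.  sshd keeps
# the first value, so PasswordAuthentication is still "yes" here, and the
# line under Match only applies to user "backup".
TRAP = """\
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # audit a real file, e.g. /etc/ssh/sshd_config
        with open(sys.argv[1]) as fh:
            print(audit(fh.read()) or "OK")
    else:
        for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("trap", TRAP)):
            print(name, audit(cfg) or "OK")
```

    Run it against the live file with python3 audit_sshd.py /etc/ssh/sshd_config; an empty result means the four directives match the guide. Because OMV regenerates sshd_config from the webUI settings, fix mismatches there rather than by editing the file.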


    Next, open a terminal on a Linux or OS X desktop (or use PuTTYgen on Windows) to create the SSH key pair:


    ssh-keygen -t rsa


    It prompts for a location for the key; specify a path (the guide uses ~/.ssh/sshremote). The key can also be protected with a passphrase, which may be as long as you want and contain spaces, non-alphanumeric characters, etc. Two files are created: the one with the .pub extension is the public key, the one without is the private key.


    Screenshot-3.png


    /home/user/.ssh/sshremote      Private key (very important: do not lose it, and it never leaves the host where it was created)
    /home/user/.ssh/sshremote.pub  Public key



    EDIT: Since version 2.0, OpenMediaVault requires the public key to be entered in the RFC 4716 SSH public key file format. So after creating the key pair, export the public key with:


    ssh-keygen -e -f ~/.ssh/sshremote.pub

    and copy the output to the clipboard.


    PUTTYGEN
    Once the key pair is generated in PuTTYgen, select the public key from the text field in PuTTYgen and copy it to the clipboard. Press "Save private key" (.ppk extension) and store the file in a secure location on your Windows workstation. (PuTTYgen's "Save public key" button writes the public key directly in the RFC 4716 format that OMV 2.x expects, so the conversion step below can be skipped if you use that file instead.)


    puttygen.png


    Go to a *nix terminal (it can be your OpenMediaVault server), create a text file with nano sshremote.pub, paste the clipboard contents and save with CTRL+X.
    Then run the conversion to RFC 4716:


    ssh-keygen -e -f sshremote.pub

    Select the output and copy it to the clipboard.


    Now go to the Users section in OMV and create a dedicated user (an existing one works too), give it a password, put it in the ssh group and give it a restricted shell (rbash). On the Public keys tab, click Add, paste the RFC 4716 output made from sshremote.pub, and save.


    Screenshot-7.png


    EDIT: This is the panel in OMV 2.0 or higher with the RFC 4716 format requirement; a user can have multiple public keys.


    omv 2.x.png
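    Since the webUI rejects the one-line OpenSSH format, it helps to see what the RFC 4716 output actually is. As an added example (not from the guide and not OMV's own code), this Python script performs the same conversion as ssh-keygen -e and the reverse, and it rejects a pasted key whose type prefix does not match the encoded blob, a frequent copy/paste accident. The sample key is constructed from placeholder bytes, is not a real key, and cannot log in anywhere.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
WRAP = 70  # ssh-keygen -e wraps the base64 at 70 columns (RFC 4716 allows up to 72)


def ssh_string(data):
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line):
    """Split 'TYPE BASE64 [COMMENT]' and check that the blob really is of TYPE.

    The base64 blob begins with the key type as an SSH string, so a key whose
    prefix and blob disagree (e.g. half of one key pasted onto another) fails.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type inside blob does not match prefix %r" % keytype)
    return keytype, blob, comment


def is_valid_openssh_pubkey(line):
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def openssh_to_rfc4716(line):
    """Convert a one-line OpenSSH public key to RFC 4716 (what OMV 2.x wants)."""
    _, blob, comment = parse_openssh_pubkey(line)
    b64 = base64.b64encode(blob).decode("ascii")
    out = [BEGIN]
    if comment:                       # ssh-keygen writes its own Comment header; we keep the original
        out.append('Comment: "%s"' % comment)
    out.extend(b64[i:i + WRAP] for i in range(0, len(b64), WRAP))
    out.append(END)
    return "\n".join(out) + "\n"


def rfc4716_to_openssh(text):
    """Reverse conversion (like ssh-keygen -i -f), handling header continuation lines."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, body = {}, []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line:                       # header line; base64 never contains ':'
            while line.endswith("\\") and i < len(lines) - 2:
                i += 1                        # header continued on the next line
                line = line[:-1] + lines[i]
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + n].decode("ascii")
    result = "%s %s" % (keytype, base64.b64encode(blob).decode("ascii"))
    if headers.get("comment"):
        result += " " + headers["comment"]
    return result


# Constructed sample: a structurally valid ssh-rsa blob with placeholder numbers
# (e = 65537, n = 256 bytes of a fixed pattern).  NOT a real key; it is just long
# enough to show the 70-column wrapping.
_FAKE_RSA_BLOB = (ssh_string(b"ssh-rsa")
                  + ssh_string(b"\x01\x00\x01")
                  + ssh_string(bytes([0x00, 0xC3]) + bytes(range(254))))
SAMPLE_PUBKEY = "ssh-rsa %s user@desktop" % base64.b64encode(_FAKE_RSA_BLOB).decode("ascii")

if __name__ == "__main__":
    rfc = openssh_to_rfc4716(SAMPLE_PUBKEY)
    print(rfc)                                # this is what goes into the OMV "Public keys" tab
    print("round trip ok:", rfc4716_to_openssh(rfc) == SAMPLE_PUBKEY)
```

    To check a real key, put the contents of your .pub file in place of SAMPLE_PUBKEY. Only the markers and the base64 body matter to the parser; the Comment header is informational.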


    Now, from the same Linux desktop, type in a terminal:


    ssh ssh-user-access@IP_OF_NAS -i ~/.ssh/sshremote


    If the private key is passphrase protected, ssh asks for the passphrase.


    For PuTTY:


    Go to Connection -> SSH -> Auth, click Browse under "Private key for authentication" and select the .ppk file (private key) saved earlier.


    putty.png


    If root operations are required, type su in the console and enter the root password.


    Screenshot-Terminal.png


    This scheme provides three layers of protection for SSH access:

    • Brute-force SSH attempts almost always try the root user name; root login is disabled here, so a remote attacker also has to guess a valid user name.
    • Only the ssh-user-access user is authorised to log in, and only with the matching private key; sshd no longer accepts passwords at all.
    • If the private key is compromised and someone logs in, they land in the restricted shell and still have to guess the root password at su to escalate.

    Caveat: rbash is a thin barrier (many ordinary programs can spawn an unrestricted shell from it), so treat the root password as the real control and keep it strong.

    Security notes:

    • You can forward any port on your router to port 22 on the server. Do not forward port 22 itself; use a high, random port. This cuts most of the bot noise on the WAN line, since bots target standard ports. It is obscurity, not a control: the key requirement above is what actually keeps them out.
    • As a security policy the private key never leaves the client. That is why the key pair is generated on the client, never on the server. The public key can be sent through text messages, chats, clipboards, private messaging, mail, etc. without any security concern, so don't worry. If you want to give a friend access to your server, have them generate their own key pair on their PC and send you the public key by any transport, then paste it in place.
    • Don't use passphrase-protected keys in non-interactive mode, for example a cron job running rsync over ssh. Give such a job its own passphrase-less key and its own restricted user rather than reusing your interactive key.

    Using a SOCKS PROXY


    The ssh daemon can create secure tunnels inside the SSH session: it can bring ports on the remote machine to localhost on the client to reach specific services. ssh can also create dynamic tunnels, which a web browser can use as a SOCKS proxy to reach remote web resources.


    In this case we just add the dynamic port option to the connection command in the terminal:


    ssh ssh-user-access@WAN_IP -i ~/.ssh/sshremote -D9000


    In PuTTY, in the Tunnels section:


    FNrpL.jpg


    The above assumes the WAN port is forwarded to the internal OMV IP.


    Then in Firefox, specify the SOCKS proxy in the network settings (SOCKS host 127.0.0.1, port 9000 to match -D9000):


    Screenshot-6.png


    After this, Firefox sends all its traffic through the SSH tunnel. Accessing remotely from the WAN, you just type the OMV internal LAN IP address and the webUI login appears. Other LAN clients with internal web services are reachable the same way. If you use host names rather than IP addresses, also enable "Proxy DNS when using SOCKS v5" in the same dialog, so name lookups go through the tunnel instead of your local resolver.


    This setup avoids opening a port on the router for the OMV webUI; only people who can establish the SSH tunnel can reach internal LAN resources.
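    The -D option makes the ssh client speak the proxy side of SOCKS5 (and SOCKS4) to the browser. As an added example, not part of the original guide, this Python script builds and decodes the SOCKS5 messages that flow between Firefox and ssh on 127.0.0.1:9000, and shows the difference between a request carrying an IP literal (ATYP 1, as when you type the OMV LAN address) and one carrying a host name (ATYP 3, which ssh resolves on the NAS). The targets 10.1.1.20 and omv.lan are constructed placeholders.

```python
import ipaddress
import struct

VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def client_greeting():
    """Browser -> proxy: version 5, one method offered: no authentication.
    ssh -D accepts only this; the SSH session itself is the authentication."""
    return bytes([VER, 1, NO_AUTH])


def method_selection():
    """Proxy -> browser: version 5, chosen method 0x00 (no auth)."""
    return bytes([VER, NO_AUTH])


def connect_request(host, port):
    """Browser -> proxy CONNECT.  IP literals travel as ATYP 1/4; anything else
    is sent as a domain name (ATYP 3) and resolved by ssh on the NAS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_connect_request(data):
    """Proxy side: decode a CONNECT.  remote_dns is True when the browser sent a
    name for the proxy to resolve (nothing goes to the local resolver) and
    False when it sent an address, either typed as an IP or resolved locally."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return {
        "cmd": cmd,
        "atyp": atyp,
        "host": host,
        "port": struct.unpack(">H", rest)[0],
        "remote_dns": atyp == ATYP_DOMAIN,
    }


def connect_reply(rep=0x00):
    """Proxy -> browser reply.  REP 0x00 means success; the bound address is
    filled with 0.0.0.0:0, which the browser does not need for CONNECT."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)


def exchange(host, port):
    """Walk through the whole handshake and return what the proxy side saw."""
    greeting = client_greeting()
    chosen = method_selection()
    if chosen[1] not in greeting[2:]:
        raise RuntimeError("proxy chose a method the client did not offer")
    seen = parse_connect_request(connect_request(host, port))
    return seen, connect_reply()


if __name__ == "__main__":
    for target in (("10.1.1.20", 80), ("omv.lan", 443)):   # constructed placeholders
        seen, reply = exchange(*target)
        print(seen, "reply ok" if reply[1] == 0 else "reply failed")
```

    When Firefox's "Proxy DNS when using SOCKS v5" setting is off, it resolves names itself and sends ATYP 1 requests, so LAN host names are looked up by your local resolver and may not resolve at all from the road; with it on, the name travels inside the tunnel as ATYP 3 and the NAS resolves it.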


    Using a SSH CONFIG


    The OpenSSH client on Linux and OS X reads ~/.ssh/config by default, which can hold different client configurations for different servers. Create that file and add this content:


    Code
    Host omv
    Hostname 10.1.1.20
    User ssh-user-access
    Compression yes
    Port 22
    IdentityFile ~/.ssh/sshremote


    Then you connect to the server by just typing ssh omv in a terminal.
    You can add as many host entries as you want to the file; just make sure they have different Host values.


    More directives are described in man ssh_config.


    Note: on Linux (Unix) and OS X the "~" character stands for the home folder of the current terminal user.


