Enable SSH with Public Key Authentication (Securing remote webUI access to OMV)
This guide covers how to enable SSH access in OMV with PKA (public key authentication). This secures access to the text console so that only the holder of the private key can log in to the OMV secure shell on the server.
- OMV 1.0 or higher
- Linux desktop, Mac OS X, or Windows with PuTTY and PuTTYgen, or Windows with Cygwin
First we go to the OMV webUI. In the SSH section we enable the service and check or uncheck the following:
- Disable root login
- Disable interactive login (disable password)
- Enable PKA
- Enable forwarding (this is used for the SOCKS proxy and tunneling)
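The webUI writes these choices into the server's sshd configuration. The check below is an added example, not part of the guide, that reads an sshd_config and confirms the four settings took effect; the mapping of the checkboxes to OpenSSH directives is my assumption, not taken from OMV's code.

```shell
#!/bin/sh
# Assumed mapping of the OMV checkboxes to OpenSSH directives:
#   Disable root login        -> PermitRootLogin no
#   Disable interactive login -> PasswordAuthentication no
#   Enable PKA                -> PubkeyAuthentication yes
#   Enable forwarding         -> AllowTcpForwarding yes
sshd_value() {
    # $1: config file, $2: directive. OpenSSH honours the first occurrence of a
    # directive, so a later line (or a commented-out default) must not win.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }              # stop at conditional blocks
        tolower($1) == key     { print tolower($2); exit }' "$1"
}

check_sshd() {
    # $1: config file. Prints one line per directive, returns 1 on any mismatch.
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes AllowTcpForwarding=yes; do
        directive=${pair%%=*}; wanted=${pair#*=}
        got=$(sshd_value "$1" "$directive")
        if [ "$got" = "$wanted" ]; then
            echo "OK       $directive $got"
        else
            echo "MISMATCH $directive ${got:-unset} (wanted $wanted)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not from a real OMV host): PasswordAuthentication is left at
# its default, which is what you get if "Disable interactive login" was never ticked.
write_sample_sshd() {
    cat > "$1" <<'EOF'
# constructed sshd_config excerpt
Port 22
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
EOF
}

# On the server: check_sshd /etc/ssh/sshd_config
```

An unset PasswordAuthentication is reported as a mismatch because sshd defaults it to yes.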
Next we open a terminal on a Linux or OS X desktop (or use PuTTYgen on Windows) to create our SSH key pair:
ssh-keygen -t rsa
This will prompt for a location to store the key; specify a path. The key can also be protected with a passphrase, which can be as long as you want and contain spaces, non-alphanumeric characters, etc. Two files are created: the one with the .pub extension is the public key, the one without is the private key.
/home/user/.ssh/sshremote → Private key (very important: do not lose it, and it never leaves the host where it was created)
/home/user/.ssh/sshremote.pub → Public key
EDIT: Since version 2.0, OpenMediaVault requires the public key to be entered in RFC 4716 SSH public key file format. So after we create the key pair, we export the public key with:
ssh-keygen -e -f ~/.ssh/sshremote.pub
We copy the output to the clipboard.
Once we generate the key pair in PuTTYgen, select the public key from the text field in PuTTYgen and copy it to the clipboard. Press "Save private key" (.ppk extension) and place it in a secure location on your Windows workstation.
Go to a *nix terminal (it can be your OpenMediaVault server), create a text file with nano sshremote.pub, paste the contents inside and save with CTRL+X.
We then need to run the conversion to RFC 4716:
ssh-keygen -e -f sshremote.pub
Select the output and copy it to the clipboard.
Now we go to the Users section in OMV and create a dummy user (you can use an existing one if you wish), give him a password, put him in the SSH group and give him a limited bash (RBASH). We go to the Public keys tab, click Add and paste the contents of the sshremote.pub key converted to RFC 4716. Finally we save.
EDIT: This is the panel in OMV 2.0 or higher, with the RFC 4716 SSH format requirement; a user can have multiple public keys.
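The most common mistake with the OMV 2.0+ panel is pasting the one-line OpenSSH key (or a private key) instead of the RFC 4716 text. This added helper, not part of the guide, tells the formats apart before pasting and runs the same ssh-keygen -e conversion shown above when needed; the sample files it writes are constructed and contain no real key material.

```shell
#!/bin/sh
key_format() {
    # $1: path to a key file. Prints openssh, rfc4716 or unknown.
    first=$(head -n 1 "$1")
    case "$first" in
        "---- BEGIN SSH2 PUBLIC KEY ----") echo rfc4716 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*|ssh-dss\ *) echo openssh ;;
        *) echo unknown ;;   # e.g. a private key opened by mistake
    esac
}

to_rfc4716() {
    # $1: public key file. Prints the text to paste into the user's Public keys tab.
    case "$(key_format "$1")" in
        rfc4716) cat "$1" ;;
        openssh) ssh-keygen -e -f "$1" ;;   # the conversion used in the guide
        *) echo "$1 is not a public key; do not paste it anywhere" >&2; return 1 ;;
    esac
}

# Constructed samples for trying the functions out (fake base64, not real keys).
write_samples() {
    # $1: directory to write into
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedsample0000== user@desktop' \
        > "$1/openssh.pub"
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
        'Comment: "2048-bit RSA, converted by user@desktop"' \
        'AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedsample0000==' \
        '---- END SSH2 PUBLIC KEY ----' > "$1/rfc4716.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$1/sshremote"
}

# Real use: to_rfc4716 ~/.ssh/sshremote.pub
```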
Now on the same Linux desktop we can type in a terminal:
ssh ssh-user-access@IP_OF_NAS -i ~/.ssh/sshremote
If the private key is passphrase protected it will ask you to provide it.
In PuTTY, go to Connection->SSH->Auth, click Browse under "Private key for authentication" and select the .ppk file (private key) you saved before.
If we must perform root operations we type su in the console and enter the root password.
This scheme provides three layers of security to your SSH access:
- Brute-force SSH logins always attempt the root user name; here root login is disabled, so that is another variable a remote attacker has to take into consideration.
- Only the ssh-user-access user is authorised to log in, and only if he possesses the private key.
- If your private key is compromised and someone gains login, he still needs to bypass the restricted shell and guess the root password to become root.
- You can forward any port on your router to port 22 on your server. Do not forward port 22 itself; use a high random port. This brings the bots probing your WAN line almost to zero, since they always target standard ports.
- As a security policy the private key never leaves the client. That's why you create the key pair on the client machine. The public key can go through text messages, chats, clipboards, private messaging, mail, etc. without any security concern, so don't worry. If you want to give a friend access to your server, tell him/her to generate their own key pair on their PC and send the public key to you by any transport, then paste the key in place.
- Don't use passphrase-protected keys if you're going to use them in non-interactive mode, for example a cron task running rsync over SSH.
Using a SOCKS PROXY
The SSH daemon can create secure tunnels inside the SSH layer: it can bring remote ports on the server to localhost on the client to access certain services (ports). SSH can also create tunnels dynamically, which lets a web browser use the connection as a SOCKS proxy to access remote web resources.
In this case we just change the connection command in the terminal to specify the dynamic port:
ssh ssh-user-access@WAN_IP -i ~/.ssh/sshremote -D9000
In PuTTY this is set in the Tunnels section.
In the above case it is assumed you forwarded the WAN port to the internal OMV IP.
Then in Firefox we can specify the SOCKS proxy in the network settings section.
After this Firefox will pass all traffic through the SSH tunnel. If you access remotely from the WAN, you just type the OMV internal LAN IP address and it will display the webUI login. It can also reach all other LAN clients that have internal web services available.
This setup avoids opening a port in the router for the OMV webUI, limiting access to people who establish a secure tunnel to reach internal LAN resources.
Using an SSH CONFIG
The OpenSSH client on Linux and OS X reads the default ~/.ssh/config file, which can be used to have different SSH client configurations for different servers. So you can create that file and add this content:
Then you access the server by just typing ssh omv in a terminal.
You can add as many configs as you want inside the file, just make sure they have different Host values.
You can read about more directives by typing man ssh_config in a terminal.
Note: the "~" character represents the home folder of the current user in Linux (Unix) and OS X terminals.
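As an added example (not the guide's own config), here is a ~/.ssh/config using the names from this guide, together with a small reader that resolves an option the way ssh does: the first value found in a matching Host block wins, which is why a catch-all Host * must come last. WAN_IP, the port 2222 and the DynamicForward line are assumed placeholders; the reader only understands exact aliases and *, not ssh's full pattern syntax.

```shell
#!/bin/sh
write_ssh_config() {
    # $1: path to write (for real use: ~/.ssh/config, mode 600)
    cat > "$1" <<'EOF'
# NAS over the forwarded high port, with the SOCKS proxy on localhost:9000
Host omv
    HostName WAN_IP
    Port 2222
    User ssh-user-access
    IdentityFile ~/.ssh/sshremote
    DynamicForward 9000

# Defaults for every host; placed last because ssh keeps the first value it sees
Host *
    IdentitiesOnly yes
    ServerAliveInterval 60
EOF
}

ssh_config_value() {
    # $1: config file, $2: host alias, $3: option. Prints the value ssh would use,
    # or nothing when the option is left at its built-in default.
    awk -v host="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        BEGIN { active = 1 }                 # lines before any Host apply everywhere
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") active = 1
            next
        }
        active && tolower($1) == key { print $2; exit }' "$1"
}

# Example: f=$(mktemp); write_ssh_config "$f"; ssh_config_value "$f" omv Port   # 2222
```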