Quick and dirty SSH key for pfSense / OPNsense gateway

PSA: Stop using password login for root on your router! NOW!!!

OK, now that I got your attention, here’s how I did it in Git Bash (MINGW64) on Windows LTSC. I promise this is QUICK and EASY, so there’s NO EXCUSE not to do it.

Open your terminal and run ssh-keygen – you don’t need a passphrase unless you want one (just hit enter).

Navigate to ~/.ssh/ and display your id_rsa.pub file:

avery@winsalad MINGW64 /c/users/avery/.ssh
$ cat id_rsa.pub

Copy the redacted portion above from ssh-rsa to the username@computername portion (get all of it)

Log into your gateway via SSH, drop to shell and run ssh-keygen (if you haven’t already):

avery@winsalad MINGW64 /c/users/avery/.ssh
$ ssh root@gateway
Last login: Mon Dec 16 21:21:17 2019 from
|      Hello, this is OPNsense 19.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Lists:        https://lists.opnsense.org/  |        @@@@         @@@@
| Code:         https://github.com/opnsense  |         @@@@@@@@@@@@@@@
*** gateway.webtool.space: OPNsense 19.7.7 (amd64/OpenSSL) ***
 LAN (vmx0)      -> v4:
                    v6/t6: REDACTED ... REDACTED .../64
 WAN (em0)       -> v4/DHCP4: REDACTED ... /21
                    v6/DHCP6: REDACTED ... REDACTED .../128
               REDACTED ... REDACTED ...REDACTED ... REDACTED ...
 SSH:   SHA256 REDACTED ... REDACTED ...  (ED25519)
  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup
Enter an option: 8
root@gateway:~ # ssh-keygenCode language: CSS (css)

paste your id_rsa.pub to the end of ~/.ssh/authorized_keys :

root@gateway:~/.ssh # echo 'ssh-rsa  REDACTED ... REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ...REDACTED ... = avery@winsalad' >> authorized_keysCode language: PHP (php)

Navigate to your web UI and de-select “Permit password login” under SSH section (or similar – depending on your gateway of preference, I’m using OPNsense):

OPNsense gateway used as example

Note: You should probably create a new user and su to root once you’re connected via SSH, but this is the “quick and dirty” version, so we’ll save that for another day.

Open A NEW TERMINAL instance or tab (don’t log out of SSH yet!) and try logging into your gateway. I’ve found it good practice to always try things that effect SSH login in a new instance because you never know when your settings alterations will lock you out. It’s not such a big deal in this example, but it’s a good practice to be in the habit of.

If you’ve gone through these steps properly, you should be able to log into your gateway without a password now (unless you specified a passphrase using ssh-keygen).

Now you’ll be limited to connecting via SSH only with this one machine. For additional machines, there’s several things you could do:

  • Copy the contents of your ~/.ssh folder to other machines
  • repeat the ssh-keygen step for the next computer and copy the id_rsa.pub to the gateway’s authorized_keys again
  • My personal favorite, read this man page: https://www.ssh.com/ssh/copy-id

OK that’s all for now. Happy hashing!

Author: Avery Freeman

MBA / Audio Engineering alumnus enjoys taking adjunct courses in data sciences, management, and software development. Passionate about collaboratively improving humanity through open source information ecosystems. Tenaciously solves problems of near-universally intolerable tediousness. Proficient in SQL, Python, Javascript, has forgotten SAS, and misses OpenSolaris. Eminently effervescent about Unix-like operating systems and software defined networks, including an unmistakable urge to Berkeley packet filter all the things. Fanatically fond of zfs and linux volume manager. Has lived in Tokyo, SF, Oakland, and now Seattle. Can't forget cooking, hiking, gardening, and playing with your cat.

Leave a Reply

Your email address will not be published. Required fields are marked *