Introduction: Run Secure Shell (ssh) on FreeBSD

Bottom Line: connecting to other computers over the network can be a risky proposition. In the "days of yore," *NIX systems would use a program called telnet. One glaring security problem with this command was that the user's password was sent unencrypted over the network.

Secure Shell (ssh) was developed to overcome this deficiency.

This Instructable will show you how to get ssh and its corresponding daemon sshd running on your FreeBSD system.

Step 1: Configure the Secure Shell Daemon (sshd)

Your FreeBSD system should be using a version of OpenSSH, a group of network connectivity tools to connect securely to remote machines. OpenSSH encrypts all traffic across connections to minimize exploitation through eavesdropping, spoofing and man-in-the-middle attacks.

First step: See if you have SSH keys already installed:

Type in:

# ls /etc/ssh

If the output lists files ending in .pub or containing the word "key", then SSH host keys are most likely already installed. If your output does not contain these, you will not be able to start the SSH daemon properly until the keys are created.

Add the following line to /etc/rc.conf:

sshd_enable="YES"

Then restart your system:

# shutdown -r now

This will force the SSH daemon to start up when your system is rebooted, and generate the appropriate host keys.

Note: if this line is not in /etc/rc.conf, the SSH daemon will not start on reboot and will have to be started manually.

You should receive something like this:

*******************************************************************************

Starting final network daemons: creating ssh1 RSA host key
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
16:d9:3d:f3:95:96:0e:e7:6b:54:09:80:77:a0:3e:cf root@hostname
creating ssh2 RSA host key
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
4b:cf:7e:af:f1:a8:01:08:64:1b:c0:79:e3:a6:58:78 root@hostname
creating ssh2 DSA host key
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
66:69:d7:05:63:c6:db:d9:55:6a:60:a3:34:bd:f4:ef root@hostname

*******************************************************************************

Step 2: Verify SSH Daemon Is Running

Type in:

# service -e | grep "ssh"

You should see:

/etc/rc.d/sshd

If nothing is shown after the command, the SSH daemon is not running. Type:

# service sshd onestart

to attempt to "kick-start" it.
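Steps 1 and 2 can be scripted so they are safe to re-run. The following is an added example, not part of the original Instructable: it takes the rc.conf path and the key directory as arguments so it can be tried on scratch copies, and on a real FreeBSD system would be called with /etc/rc.conf and /etc/ssh.

```sh
#!/bin/sh
# Added example, not part of the original Instructable: scripts Steps 1 and 2
# against file/directory arguments so it can be tested on scratch copies.
# On a real FreeBSD system call these with /etc/rc.conf and /etc/ssh.

# ensure_sshd_enabled FILE
# Sets sshd_enable="YES" in the rc.conf FILE exactly once. An existing
# sshd_enable= line (for example "NO") is replaced rather than a duplicate
# appended: rc.conf is a shell script, the last assignment wins, and a
# stray duplicate makes the effective setting hard to audit.
ensure_sshd_enabled() {
    rcfile=$1
    if grep -q '^sshd_enable=' "$rcfile"; then
        # POSIX sed has no portable -i, so write a temp file and move it over
        sed 's/^sshd_enable=.*/sshd_enable="YES"/' "$rcfile" > "$rcfile.tmp" \
            && mv "$rcfile.tmp" "$rcfile"
    else
        printf 'sshd_enable="YES"\n' >> "$rcfile"
    fi
}

# count_host_keys DIR
# Prints how many private host keys (ssh_host_*_key) exist in DIR.
# Zero means sshd has no key to present and will not start until the
# rc script generates them on boot with sshd enabled.
count_host_keys() {
    n=0
    for f in "$1"/ssh_host_*_key; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# host_key_fingerprints DIR
# Prints the fingerprint of every public host key in DIR. Record these
# out-of-band so the "can't be established" prompt on first connection
# can be checked against them instead of answered blindly.
host_key_fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        if [ -f "$pub" ]; then ssh-keygen -lf "$pub"; fi
    done
}

# Usage on the server (uncomment on a real system):
# ensure_sshd_enabled /etc/rc.conf
# echo "host keys present: $(count_host_keys /etc/ssh)"
# host_key_fingerprints /etc/ssh
```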

Step 3: Use SSH to Connect to a Remote System

After the SSH daemon is (re)started, it will listen on port 22 for incoming connections.

To connect to another system, type in:

# ssh username@hostname

For example:

# ssh tdrss@titan.home.org

The first attempt at connecting to a remote system will produce a lot of text. This is the remote system's SSH host key "fingerprint" being recorded in your list of known hosts. This comes in handy later on: if the fingerprint changes, you'll know something is not quite right (e.g. a man-in-the-middle attack).

**********

ssh tdrss@titan.home.org
The authenticity of host 'titan.home.org (192.168.1.99)' can't be established.
DSA key fingerprint is 22:69:d7:05:23:c6:db:d9:55:2a:20:a3:34:bd:f4:ef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.99' (DSA) to the list of known hosts.

Step 4: If Problems Occur...

If problems occur (e.g. the SSH fingerprint keeps changing), check your configuration files and look on the web for a solution. Many other FreeBSD users have run into the same errors and misconfigurations; type the exact error message into your favorite search engine and a solution should appear.

Since SSH and its encryption are considered the foundation for secure computer connections, do NOT take any displayed SSH errors lightly!