This is a quick entry to explain how to use a low-privileged user only to create an SSH tunnel (port forwarding) so you can remotely reach an internal service in your infrastructure.
With that goal in mind, let's create the user from the command line on pfSense (which is based on FreeBSD):
```
[2.4.2-RELEASE][root@pf.acme.local]/root: adduser
Username: dude
Full name: Mr. Dude
Uid (Leave empty for default):
Login group [dude]:
Login group is dude. Invite dude into other groups? []:
Login class [default]:
Shell (sh csh tcsh ssh_tunnel_shell scponly scponlyc nologin) [sh]: ssh_tunnel_shell
Home directory [/home/dude]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username   : dude
Password   :
Full Name  : Mr. Dude
Uid        : 1004
Class      :
Groups     : dude
Home       : /home/dude
Home Mode  :
Shell      : /usr/local/sbin/ssh_tunnel_shell
Locked     : no
OK? (yes/no): OK? (yes/no): yes
adduser: INFO: Successfully added (dude) to the user database.
Add another user? (yes/no): no
Goodbye!
[2.4.2-RELEASE][root@pf.acme.local]/root: cp -rp /root/.ssh /home/dude/
[2.4.2-RELEASE][root@pf.acme.local]/home/dude: chown -R dude:dude .ssh
```
Now you can check that you are able to log in with this new account:
```
$ ssh -p NON_PRIVILEGED_PORT -l dude -L LOCAL_PORT:iLO_INTERNAL_IP_ADDRESS:443 DYNAMIC_HOSTNAME
...
Edit /etc/motd to change this login announcement.
This login only supports SSH tunneling.
You are logged in for 0 hours 0 minute(s)
```
If you don't want to type this long command every time, you can edit your shell profile file and add the following:
```
$ vim .profile
...
home() {
    ssh -p NON_PRIVILEGED_PORT -l dude -L LOCAL_PORT:iLO_INTERNAL_IP_ADDRESS:443 your.public.domain
}
$ . .profile
$ home
```
With this new user created and CHECKED, we can remove SSH key access for the root account if we want:
```
[2.4.2-RELEASE][root@pf.acme.local]/home/dude: mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys.OLD.`date +%Y%m%d`
```
You can check the new user's information in the passwd file:
```
$ grep dude /etc/passwd
dude:*:1004:1004:Mr. Dude:/home/dude:/usr/local/sbin/ssh_tunnel_shell
```
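As an added example (not code from the original post), here is a small POSIX sh audit of the properties the setup above relies on: every account whose login shell is ssh_tunnel_shell must have password login disabled and must own a private authorized_keys file (the one file it actually needs from root's .ssh). The PASSWD_FILE and HOME_ROOT arguments are my addition so it can run against constructed data; on the firewall you would point it at /etc/master.passwd and /.

```shell
#!/bin/sh
# Added example, not from the original post: audit a passwd-format file for
# tunnel-only accounts. For every user whose shell is ssh_tunnel_shell it
# checks that the password field is '*' (no password login, which is what
# answering "no" to "Use password-based authentication?" produces) and that
# authorized_keys exists and is not readable by group or others.
# Accepts 7-field passwd or 10-field FreeBSD master.passwd lines: user,
# password, home and shell are fields 1, 2, NF-1 and NF in both formats.
# On FreeBSD, /etc/passwd always shows '*', so audit /etc/master.passwd.
TUNNEL_SHELL=/usr/local/sbin/ssh_tunnel_shell

# perm_private FILE: succeeds when FILE has no group/other permission bits.
# Parses the mode column of ls -ld, which looks the same on FreeBSD and Linux.
perm_private() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    case $mode in
        ????------*) return 0 ;;   # type + 3 user bits, then 6 dashes
        *) return 1 ;;
    esac
}

# audit_tunnel_users PASSWD_FILE HOME_ROOT
# Prints "<user> OK" or "<user> FAIL: <reason>" per tunnel-only account and
# returns 0 only when every one of them passes.
audit_tunnel_users() {
    passwd_file=$1; home_root=$2; status=0
    while read -r user pass home shell; do
        [ "$shell" = "$TUNNEL_SHELL" ] || continue
        keys="$home_root$home/.ssh/authorized_keys"
        if [ "$pass" != "*" ]; then
            reason="password field is '$pass', not '*'"
        elif [ ! -f "$keys" ]; then
            reason="missing $keys"
        elif ! perm_private "$keys"; then
            reason="$keys is readable by group or others"
        else
            reason=""
        fi
        if [ -n "$reason" ]; then
            echo "$user FAIL: $reason"; status=1
        else
            echo "$user OK"
        fi
    done <<EOF
$(awk -F: 'NF >= 7 { print $1, $2, $(NF-1), $NF }' "$passwd_file")
EOF
    return $status
}
```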
I have to say that, as a GNU/Linux user, I've found this shell option very useful:
/usr/local/sbin/ssh_tunnel_shell
As a hint, you may want to change the default /etc/motd file to avoid exposing information about your system; here is an option taken from the forum thread in the reference links below:
/etc/motd
Reference links:
- https://www.digitalocean.com/community/tutorials/how-to-add-and-remove-users-on-freebsd
- https://forums.freebsd.org/threads/your-motd.20501/
That’s all Folks!
—
“The greatest mistake is to imagine that we never err.”
— Thomas Carlyle
Pretty! This has been an incredibly wonderful post. Many thanks for providing these details.
Thanks Brian!
I like the valuable info you supply on your articles. I will bookmark your weblog and check once more here frequently.
I am reasonably sure I'll be informed of many new things right here!
Best of luck for the following!
Thanks a lot for your comment!