FreeNAS is a powerful tools for archive data and other long-term storage requirements. Recently I have started backing up this and other off-site servers to one of my local FreeNAS boxes. Since these systems are only connected via the insecure internet (no VPN), I decided to transmit the backup files via SSH using SCP. In order to do this without having to enter my password in for each and every backup (most of which happen while I’m hopeful sleeping), I needed to implement SSH Key Authorization on the receiving FreeNAS box.
To do this first I needed to create a DSA key pair on a different system. On my Fedora 12 laptop I ran
ssh-keygen -t dsa
The trick here is to not create your new key pair in the default directory of “~/.ssh/” but in a temporary directory instead. So when it asks you.
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter a different file in witch to save the key in. Note this is asking for the name of a file, not the name of the directory, it will also create a .pub file, this is the public key for the above private key.
Now that you have a public/private key for the FreeNAS box, if you don’t already you need to create one for the user that you plan on sending the file from. Just follow the above command, but this time, you may just hit enter all the way threw leaving all options as default.
Next, go to your FreeNAS web-page control panel, If you don’t already have one, you will need to create a user on your FreeNAS box for you to connect to. You may do this via “Access -> User and Groups” from the black bar on the top of the page.
Now from the top (black) bar go to “Services -> SSH”
On your Services|SSH page, first make sure the service is enabled (top right hand corner). Once it is you will be able to change the below options.
- TCP Port: The default (port 22) is fine in most cases, but note if you change it, you must use the new port for all connections.
- Permit root login: My option is that the root account should never be allowed to log in via a remote process. You should set your system up correctly where this is not needed.
- Password authentication: For now this must be enabled (checked), once you have set “Key Authorization” up, you may disable this option.
- TCP forwarding: Disabled (unchecked)
- Compression: Enabled (checked)
- Private Key: This will be were we put the private key created above. All you need to do is copy and paste.
- Extra options: Blank
After you have made your changes, “Save and Restart” the service.
On your local system, you need to copy the content of the local users public (~/.ssh/username.pub) key file to a new file named “authorized_keys” (Note: this is not the file we created for FreeNAS but the file we created for your local account). This is the file that will need to be copied to your FreeNAS box.
Now that you have all the needed bits, we need to log into your FreeNAS server and create a “.ssh” directory to store the “authorized_keys” file. To log in to the FreeNAS box interactively run a command similar too.
Or if you changed the “TCP Port” above, your command will look like this:
ssh -P freenasport freenasuser@freenasaddress
Once your logged in, you need to create the directory, by doing.
After you have successfully created your directory, you may exit out of your FreeNAS box for the next step.
Back on your local system you need to copy the “authorized_keys” file created before to the FreeNAS box. Using SCP you can do this by running a command like:
scp -P freenasport authorized_keys freenasuser@freenasaddress:~/.ssh/
This will copy the file to the FreeNAS box. Next, reconnect to the FreeNAS box as you did before and run.
chmod 600 authorized_keys
Once your done, you should be able to connect to your FreeNAS box using the private key in the authorized_keys with out a password.