Last Updated on August 14, 2022 by Thiago Crepaldi
For future posts, we will need to have SSH enabled on the pfSense device, so let’s get this out of the way.
Configuring SSH user
I highly recommend not using the admin user to access pfSense through SSH. If you do, you will face several constraints that will probably cost you hours to work through.
Instead, create a new user through System >> User Manager >> Users and click Add. Make sure Disabled is unchecked, fill in the Username and Password fields, and in the Group membership box select admins, click the Move to “Member of” list button, and click Save to finalize.
You can add your SSH key through the user management page. Paste your SSH public key into the Authorized SSH Keys text box and click Save one more time. If you don’t have an SSH key, you can generate one.
Now that you have a viable user, you have to enable SSH on your device. Go to System >> Advanced >> Admin Access. Scroll down to the Secure Shell section, check Enable Secure Shell, select SSH Key Only, optionally set the SSH port, and finish by clicking Save.
From another machine, test your connection.
Installing private/public keys for your SSH user
After going through the steps from the previous section, you will be able to SSH into your pfSense. However, we will also need to SSH from your pfSense into other devices for automation.
To accomplish this, you have to either generate a new SSH key or copy your existing one to your pfSense. If you generated your keys after logging in to your pfSense, you are done. To copy your keys to your pfSense, use scp ~/.ssh/id_rsa* <pfsense_username>@<pfsense_ip>:~/.ssh. From now on, you can not only connect to your pfSense without a password, but also connect from your pfSense to other devices without typing passwords.
Sometimes scp does not preserve file permissions, and SSH’ing from pfSense might ask you for a password. To fix this, run chmod 644 ~/.ssh/id_rsa.pub and chmod 700 ~/.ssh/id_rsa.
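A small check for the permission problem described above, as an added example that is not part of the original post: it reports private keys in a directory that group or others can access and, when called with fix, applies the same modes as the chmod commands above. The function names are made up for this example, and it assumes the key files are named id_*, as in the scp command.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) key file modes in an SSH directory.
# Uses only ls, cut and chmod so it behaves the same on pfSense (FreeBSD) and Linux.
# Usage: audit_ssh_dir "$HOME/.ssh"        (report only)
#        audit_ssh_dir "$HOME/.ssh" fix    (report and tighten)

# Print the 9-character permission string (e.g. rw-------) of a path.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeed only if group and others have no access at all to the path.
is_private() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ssh_dir DIR [fix]
# Assumption: keys are named id_* and public halves end in .pub.
# With "fix", applies the modes used in this post: 700 for private keys,
# 644 for public keys. Returns the number of private keys still too open.
audit_ssh_dir() {
    dir=$1
    mode=${2:-report}
    bad=0
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in
            *.pub)
                if [ "$mode" = fix ]; then chmod 644 "$key"; fi
                continue ;;
        esac
        if ! is_private "$key"; then
            echo "too open: $key ($(perm_string "$key"))"
            if [ "$mode" = fix ]; then chmod 700 "$key"; fi
        fi
        if ! is_private "$key"; then bad=$((bad + 1)); fi
    done
    return "$bad"
}
```

A non-zero return value means the SSH client is likely to refuse the key and fall back to asking for a password.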