Setting Up SSH Key-Based Authentication on FreeBSD

How to set up SSH key-based authentication on FreeBSD.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  5 minute read  

SSH key-based authentication provides a more secure and convenient alternative to traditional password-based authentication when connecting to remote FreeBSD systems. This authentication method uses cryptographic key pairs to establish secure connections, eliminating the security vulnerabilities associated with passwords while streamlining the login process.

Benefits of SSH Key-Based Authentication

  • Enhanced Security: Eliminates password-based attacks like brute force and dictionary attacks
  • Convenience: No need to type passwords for each connection
  • Automation Support: Facilitates secure automated processes and scripts
  • Access Control: Fine-grained control over who can access your system

Prerequisites

Before setting up SSH key-based authentication on FreeBSD, ensure:

  • You have administrative access to the FreeBSD system
  • SSH server (OpenSSH) is installed and running
  • Basic familiarity with command-line operations
  • A terminal client that supports SSH (built into most operating systems)

Step 1: Check SSH Service Status

First, verify that the SSH service is running on your FreeBSD system:

service sshd status

If the service isn’t running, start it with:

service sshd start

To ensure SSH starts automatically at boot:

sysrc sshd_enable="YES"

Step 2: Generate SSH Key Pair

SSH key pairs consist of a private key (kept secret on your client machine) and a public key (placed on the FreeBSD server). You’ll generate these on your client machine (the computer you’ll use to connect to the FreeBSD server).

On Linux/macOS/FreeBSD Client

ssh-keygen -t ed25519 -C "your_email@example.com"

For legacy systems that don’t support Ed25519, use RSA:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

On Windows Client

If using Windows with OpenSSH:

  • Open PowerShell or Command Prompt
  • Run the same command as above

If using PuTTY:

  • Open PuTTYgen
  • Select key type (RSA or Ed25519) and set bits to 4096 for RSA
  • Click “Generate” and move your mouse to create randomness
  • Add a comment (typically your email)
  • Set a passphrase (optional but recommended)
  • Save both private and public keys

During Key Generation

You’ll be prompted to:

  1. Choose a location to save the key (default is fine for most users)
  2. Enter a passphrase (highly recommended for additional security)

The command creates two files:

  • ~/.ssh/id_ed25519 (or id_rsa): Your private key (never share this)
  • ~/.ssh/id_ed25519.pub (or id_rsa.pub): Your public key (to be placed on the server)

Step 3: Transfer Public Key to FreeBSD Server

There are several methods to transfer your public key to the FreeBSD server:

Method 1: Using ssh-copy-id (Easiest)

If your client system has the ssh-copy-id utility:

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@freebsd-server

Replace username with your user account and freebsd-server with your server’s hostname or IP address.

Method 2: Manual Transfer

If ssh-copy-id isn’t available:

cat ~/.ssh/id_ed25519.pub | ssh username@freebsd-server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Method 3: Manual Copy-Paste

  1. Display your public key:

    cat ~/.ssh/id_ed25519.pub

  2. Copy the output

  3. SSH into your FreeBSD server with password authentication

  4. Create or open the authorized_keys file:

    mkdir -p ~/.ssh
vi ~/.ssh/authorized_keys

  5. Paste your public key on a new line

  6. Save and exit

Step 4: Set Proper Permissions on the Server

SSH is security-sensitive and requires strict file permissions. On the FreeBSD server:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

These commands ensure:

  • Only you can access your .ssh directory
  • Only you can read or write to your authorized_keys file

Step 5: Configure SSH Server for Key Authentication

Edit the SSH server configuration on your FreeBSD system:

sudo ee /etc/ssh/sshd_config

Ensure these settings are correctly configured (uncomment if necessary):

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

To enhance security, once key-based authentication is working, consider disabling password authentication:

PasswordAuthentication no
ChallengeResponseAuthentication no

Advanced Security Settings

For improved security, consider these additional settings:

PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 30

These settings:

  • Allow root login only with key authentication (not passwords)
  • Limit authentication attempts to prevent brute force attacks
  • Reduce the login grace period

Step 6: Restart SSH Service

After making configuration changes, restart the SSH service:

sudo service sshd restart

Step 7: Test Key-Based Authentication

Test the connection from your client machine:

ssh username@freebsd-server

If you set a passphrase for your key, you’ll be prompted to enter it. This passphrase encrypts your private key on your local machine and isn’t transmitted to the server.

Step 8: Set Up an SSH Agent (Optional)

If you don’t want to enter your passphrase every time, use an SSH agent:

On Linux/macOS/FreeBSD

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

On Windows with OpenSSH

In PowerShell:

# Start the ssh-agent
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

# Add your key
ssh-add ~/.ssh/id_ed25519

Troubleshooting Common Issues

Connection Refused

If you receive “Connection refused” errors:

  • Verify the SSH service is running on the server
  • Check firewall settings (both system and network)
  • Confirm the correct port is being used (default is 22)

Permission Denied

If you see “Permission denied” messages:

  • Verify permissions on .ssh directory and authorized_keys file

  • Check SSH server logs: sudo tail -f /var/log/auth.log

  • Temporarily enable password authentication and verbose logging:

    ssh -v username@freebsd-server

Key Issues

If the server doesn’t accept your key:

  • Verify the public key was correctly added to authorized_keys
  • Check key format (no extra line breaks or truncation)
  • Ensure the SSH server configuration allows key authentication

Advanced Configuration

Multiple Keys for Different Servers

Create a configuration file on your client:

vi ~/.ssh/config

Add host-specific configurations:

Host freebsd-server1
    HostName 192.168.1.10
    User admin
    IdentityFile ~/.ssh/id_ed25519_server1

Host freebsd-server2
    HostName 192.168.1.11
    User operator
    IdentityFile ~/.ssh/id_rsa_server2
    Port 2222

Then connect using the short name:

ssh freebsd-server1

Agent Forwarding

To use your local SSH keys when connecting from the server to another host:

ssh -A username@freebsd-server

Or configure in ~/.ssh/config:

Host freebsd-server
    ForwardAgent yes

Note: Only enable agent forwarding with trusted servers.

Security Best Practices

  1. Use Strong Key Types: Ed25519 is preferred, or RSA with at least 4096 bits
  2. Always Use Passphrases: Protect your private keys with strong passphrases
  3. Disable Password Authentication: Once key authentication works reliably
  4. Regular Key Rotation: Generate new keys periodically (every 6-12 months)
  5. Limit Access: Use AllowUsers or AllowGroups in sshd_config
  6. Use Modern Ciphers: Configure strong ciphers and MAC algorithms

Conclusion

SSH key-based authentication provides significant security and convenience benefits over traditional password authentication on FreeBSD systems. By following this guide, you’ve established a more secure and efficient method for remote access to your FreeBSD servers.

Remember to maintain good security practices by protecting your private keys, using strong passphrases, regularly rotating keys, and keeping your SSH server configuration updated with current security recommendations.

For FreeBSD-specific SSH configuration options or more advanced setups, consult the FreeBSD Handbook and OpenSSH documentation.


< How to Bridge Two Network Interfaces on FreeBSDHow to Configure VLAN Tagging >