How to set up ssh public key password-less on FreeBSD

SSH is an essential tool for logging in to a FreeBSD Unix box. Without SSH, you cannot manage a remote server easily. SSH stands for secure shell, and it is a replacement for insecure protocols such as telnet. This page explains how to configure and set up ssh key-based password-less authentication on a FreeBSD server or workstation.

Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: FreeBSD
Category: Terminal/ssh
OS compatibility: FreeBSD, Jails, Linux, macOS, Unix, WSL
Est. reading time: 5 minutes

Setting up public key password-less ssh access

You need a private and public key pair on your macOS, Linux or Unix desktop. If you do not have one yet, you can generate the keys easily using the ssh-keygen command. When you create ssh keys, you have the option to protect them with a passphrase and a 2FA hardware token. I would strongly urge you to consider using at least a passphrase.

Type one of the following commands on your desktop client:

ssh-keygen 
ssh-keygen -t rsa
ssh-keygen -t rsa -b 4096 -f ~/.ssh/macbook-pro.key -C "macOS key for Linux and FreeBSD servers"

Your private key is saved in /home/vivek/.ssh/macbook-pro.key. Do not share this file with anyone; keep it secret. Your public key is saved in /home/vivek/.ssh/macbook-pro.key.pub.

The -t option specifies the type of key to create. Avoid using DSA keys. RSA is the most compatible with all sorts of devices. On the other hand, the ed25519 key type is intended to provide strong resistance to attack. The -b option specifies the number of bits in the key to create. For RSA keys, the default size is 3072 bits, which is generally considered sufficient, but you can use other values such as 4096 for RSA as per your needs. The -C option adds a comment to your SSH key. The -f option sets the filename of the key file as per project needs instead of the default.
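
To check existing keys against the guidance above, the following added example (not from the original article) reads `ssh-keygen -l` output and flags DSA keys and RSA keys shorter than 3072 bits. The function names, the labels and the sample listing with placeholder fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag keys that fall outside the -t / -b guidance above.
# Reads `ssh-keygen -l` lines on stdin: "<bits> <fingerprint> <comment> (<TYPE>)".
# Optional argument: minimum RSA size in bits (default 3072).
audit_key_listing() {
    awk -v min="${1:-3072}" '
        NF >= 3 {
            bits = $1 + 0
            type = $NF                 # last field is the key type in parentheses
            gsub(/[()]/, "", type)
            if (type == "DSA")
                printf "AVOID %s DSA %d bits\n", $2, bits
            else if (type == "RSA" && bits < min + 0)
                printf "SHORT %s RSA %d bits, below %d\n", $2, bits, min
            else
                printf "OK    %s %s %d bits\n", $2, type, bits
        }'
}

# Constructed sample listing; the fingerprints are placeholders, not real keys.
sample_listing() {
    cat <<'EOF'
1024 SHA256:PLACEHOLDER-FINGERPRINT-1 old laptop key (DSA)
2048 SHA256:PLACEHOLDER-FINGERPRINT-2 backup job (RSA)
4096 SHA256:PLACEHOLDER-FINGERPRINT-3 macOS key for Linux and FreeBSD servers (RSA)
256 SHA256:PLACEHOLDER-FINGERPRINT-4 vivek@nixcraft (ED25519)
256 SHA256:PLACEHOLDER-FINGERPRINT-5 macOS key for Linux and FreeBSD servers (ED25519-SK)
EOF
}

sample_listing | audit_key_listing
```

On a real system, feed it the actual listing, for example `ssh-keygen -l -f ~/.ssh/authorized_keys | audit_key_listing` on the server, which also shows whether only the keys you intended are installed.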

Creating an SSH key pair protected by Yubico

For higher security requirements, enable a 2FA hardware token such as Yubico. To create ssh keys that use the FIDO authenticator algorithms, first insert the 2FA USB key into a USB slot and then type the following on your client:

ssh-keygen -t ecdsa-sk # Older YubiKey firmware
#
# YubiKey firmware version 5.2.3+ needed for the following key type
#
ssh-keygen -t ed25519-sk 
ssh-keygen -t ed25519-sk -f ~/.ssh/2fa.macbook-pro.key -C "macOS key for Linux and FreeBSD servers"

The ecdsa-sk and ed25519-sk ssh keys only work when the user touches the authenticator USB key. The 2FA topic covered in detail here includes tips on logging in when Yubico is lost or damaged.
You will now have two files as follows in the ~/.ssh/ directory:

  • Private key: /home/vivek/.ssh/2fa.macbook-pro.key (DO NOT SHARE THIS FILE WITH ANYONE)
  • Public key: /home/vivek/.ssh/2fa.macbook-pro.key.pub

How to configure SSH key-based authentication on a FreeBSD Server

The procedure to set up password-less ssh key authentication for your FreeBSD server is as follows:

  1. Create an ssh key using the ssh-keygen command on your desktop (see above):
    $ ssh-keygen -t ed25519
  2. Note down the path to your public key file from the ssh-keygen output.
  3. Copy your public key to the FreeBSD server using the ssh-copy-id command:
    $ ssh-copy-id -i ~/.ssh/your.ssh.file.pub user@server-name-here
    $ ssh-copy-id -i ~/.ssh/your.ssh.file.pub user@server-IP
    $ ssh-copy-id \
    -i ~/.ssh/2fa.macbook-pro.key.pub \
    vivek@192.168.2.20
    $ ssh-copy-id \
    -i ~/.ssh/macbook-pro.key.pub \
    vivek@192.168.2.20

    When prompted, enter the password for your FreeBSD machine:

    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/vivek/.ssh/macbook-pro.key.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    Password for vivek@nixcraft-f13-nuc:
     
    Number of key(s) added: 1
     
    Now try logging into the machine, with:   "ssh 'vivek@192.168.2.20'"
    and check to make sure that only the key(s) you wanted were added.
  4. That is all. Now you can authenticate and log in to your FreeBSD server using the ssh key:
    $ ssh vivek@192.168.2.20
    # Set path to ssh private key using the `-i` option
    $ ssh -i ~/.ssh/macbook-pro.key vivek@192.168.2.20
    $ ssh -i ~/.ssh/2fa.macbook-pro.key vivek@192.168.2.20

  5. Please note that passphrase-protected keys will prompt for a passphrase as follows:
    Enter passphrase for /home/vivek/.ssh/id_ed25519: 
    Identity added: /home/vivek/.ssh/id_ed25519 (vivek@nixcraft)
  6. To avoid this prompt at each login, use ssh-agent for authentication on Linux / Unix as follows:
    $ eval $(ssh-agent)
    $ ssh-add
    # set path to private key
    $ ssh-add ~/.ssh/macbook-pro.key
    $ ssh-add ~/.ssh/2fa.macbook-pro.key
    # Now log in multiple times without a passphrase
    $ ssh -i ~/.ssh/macbook-pro.key vivek@192.168.2.20


  7. Finally, disable password-based login on the FreeBSD server. But please make sure you add yourself to the sudoers file first. Otherwise, you will not be able to log in as root later on. See “How To Add, Delete, and Grant Sudo Privileges to Users on a FreeBSD Server” for more info. Edit /etc/ssh/sshd_config on your FreeBSD server and set the following two directives:
    ChallengeResponseAuthentication no
    PermitRootLogin no

    Then restart the sshd service on FreeBSD:
    $ sudo service sshd restart
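
To confirm that step 7 took effect, the following added example (not part of the original article) audits the effective settings printed by `sshd -T`. The function names and the sample excerpts are constructed; it also checks PasswordAuthentication and PubkeyAuthentication, which the steps above do not list, because they decide whether password login is still possible and whether key login works at all.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings after step 7.
# Reads `sshd -T` output (lowercase "keyword value" lines) on stdin, prints
# one FAIL line per setting that still permits password or root login, and
# returns non-zero if any were found.
check_sshd_effective() {
    awk '
        function fail(why) { printf "FAIL %s %s (%s)\n", $1, $2, why; bad = 1 }
        { $1 = tolower($1); $2 = tolower($2) }
        $1 == "passwordauthentication" && $2 != "no" { fail("password login enabled") }
        # ChallengeResponseAuthentication is reported under either of these
        # names, depending on the OpenSSH version.
        ($1 == "kbdinteractiveauthentication" ||
         $1 == "challengeresponseauthentication") && $2 != "no" {
            fail("keyboard-interactive password prompts enabled")
        }
        $1 == "permitrootlogin" && $2 != "no" { fail("root may log in over ssh") }
        $1 == "pubkeyauthentication" && $2 != "yes" { fail("key login disabled") }
        END { exit bad + 0 }
    '
}

# Constructed sample: sshd -T excerpt before step 7 is applied.
sample_before() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
EOF
}

# Constructed sample: the same excerpt after step 7.
sample_after() {
    sample_before | sed 's/^kbdinteractiveauthentication yes$/kbdinteractiveauthentication no/'
}

sample_before | check_sshd_effective || echo "=> password-style login still possible"
sample_after | check_sshd_effective && echo "=> key-only login enforced"
```

On the server, run `sudo sshd -T | check_sshd_effective` before closing your current session, so that a mistake in sshd_config does not lock you out.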

Summing up

This page explained how to set up ssh keys for FreeBSD server authentication purposes. Read the following man pages using the man command:
$ man ssh
$ man ssh-agent
$ man ssh-keygen

And, there you have it, ssh set up with public key-based authentication for FreeBSD, including 2FA keys when you have one.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.
