Last Modified 2023-11-17 11:50 EST
Secure Socket Shell (SSH) is a network communication protocol. It provides encryption to secure data. Use the SSH services screen to configure SSH File Transfer Protocol (SFTP). SFTP is available by enabling SSH remote access to the TrueNAS system.
Allowing external connections to TrueNAS is a security vulnerability! Enable SSH only when there is a need for external connections. See Security Recommendations for more security considerations when using SSH.
| Setting | Description |
|---------|-------------|
| TCP Port | Open a port for SSH connection requests. Enter the port number. |
| Log in as Root with Password | Select to allow root logins. It is not recommended to allow root logins! A password must be set for the root user account. |
| Allow Password Authentication | Select to allow password authentication. Enabling allows SSH login authentication using a password. Warning: Determine if directory services are enabled. If so, this setting grants access to all users imported by directory service. When disabled, authentication requires keys for all users, which involves extra SSH client and server setup. |
| Allow Kerberos Authentication | Select to allow Kerberos authentication. Before enabling this option, valid entries must exist in Directory Services > Kerberos Realms and Directory Services > Kerberos Keytabs. The system must be able to communicate with the Kerberos domain controller. |
| Allow TCP Port Forwarding | Select to allow users to bypass firewall restrictions using SSH port forwarding. For best security, leave disabled and deny shell access to users. |
ADVANCED OPTIONS displays additional configuration fields to set up SSH for specific use cases.
| Setting | Description |
|---------|-------------|
| Bind Interfaces | Select interfaces on your system from the dropdown list for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces. |
| Compress Connections | Select to attempt to reduce latency over slow networks. |
| SFTP Log Level | Select the syslog(3) level of the SFTP server option from the dropdown list. Options are Quiet, Fatal, Error, Info, Verbose, Debug, Debug2 or Debug3. |
| SFTP Log Facility | Select the syslog(3) facility of the SFTP server option from the dropdown list. Options are Daemon, User, Auth and Local0 through Local7. |
| Weak Ciphers | Select a cipher from the dropdown list to allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). Options are None or AES128-CBC. Use None to allow unencrypted SSH connections. Use AES128-CBC to allow the 128-bit Advanced Encryption Standard. WARNING: these ciphers are security vulnerabilities. Only allow them in a secure network environment. |
| Auxiliary Parameters | Add any more sshd_config(5) options not covered in this screen. Enter one option per line. Options added are case-sensitive. Misspellings can prevent the SSH service from starting. |
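
To confirm that the cautions on this screen hold on a running system, the effective SSH daemon settings can be audited. The script below is an added example, not part of the TrueNAS documentation; it assumes the screen's settings correspond to the standard sshd_config(5) directives `PermitRootLogin`, `PasswordAuthentication`, `AllowTcpForwarding` and `Ciphers`, and it reads text in the `keyword value` format printed by `sshd -T`. The sample input is constructed.

```python
# Added example: flag the sshd settings this screen warns about.
# Assumption: the UI settings map to these standard sshd_config(5) directives.
RISKY = {
    "permitrootlogin": ("yes", "Log in as Root with Password is enabled"),
    "passwordauthentication": ("yes", "Allow Password Authentication is enabled"),
    "allowtcpforwarding": ("yes", "Allow TCP Port Forwarding is enabled"),
}
WEAK_CIPHERS = {"none", "aes128-cbc"}  # the two Weak Ciphers options on this screen


def parse_sshd_config(text):
    """Parse `sshd -T` style lines ("keyword value") into a dict.
    Keywords are case-insensitive; the first value seen for a keyword is kept."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return a list of findings for settings the screen advises against."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (bad, message) in RISKY.items():
        if cfg.get(key, "").lower() == bad:
            findings.append(message)
    enabled = {c.strip().lower() for c in cfg.get("ciphers", "").split(",")}
    for cipher in sorted(enabled & WEAK_CIPHERS):
        findings.append("Weak cipher allowed: " + cipher)
    return findings


# Constructed sample in the format printed by `sshd -T` (not from a real system).
SAMPLE = """\
port 22
permitrootlogin yes
passwordauthentication no
allowtcpforwarding yes
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```

An empty result means none of the flagged settings are active in the text that was checked.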