Merge pull request #2522 from truenas/PD-868-review-permissions-scenarios-for-ssh-public-keys

Pd 868 review permissions scenarios for ssh public keys
Mrt134 committed Mar 12, 2024
2 parents aa83d97 + e9a25b1 commit a1542f6
Showing 9 changed files with 71 additions and 33 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,18 @@ tags:
The **SSH Connections** and **SSH Keypairs** widgets on the **Backup Credentials** screen display a list of SSH connections and keypairs configured on the system.
Using these widgets, users can establish Secure Socket Shell (SSH) connections.

![BackupCredentialsAllCloudSSH](/images/SCALE/Credentials/BackupCredentialsAllCloudSSH.png "SSH Connections and Keypairs Widgets")

To begin setting up an SSH connection, go to **Credentials > Backup Credentials** and click the **Add** button on the **SSH Connections** widget.
You must also configure and activate the [SSH Service]({{< relref "sshservicescale.md" >}}) to allow SSH access.

## Creating an SSH Connection

To begin setting up an SSH connection, go to **Credentials > Backup Credentials**.

{{< trueimage src="/images/SCALE/Credentials/BackupCredentialsAllCloudSSH.png" alt="Backup Credentials Screen" id="Backup Credentials Screen" >}}

Click **Add** on the **SSH Connections** widget.

### Configuring a Semi-Automatic SSH Connection

This procedure uses the semi-automatic setup method for creating an SSH connection with other TrueNAS or FreeNAS systems.
{{< expand "Click here for more information" "v" >}}
**Semi-automatic** simplifies setting up an SSH connection with another FreeNAS or TrueNAS system without logging in to that system to transfer SSH keys.
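Review bot: the SSH Service link in this hunk points at `sshservicescale.md`, while the same "You must also configure and activate the SSH Service" sentence added to the reference page later in this commit points at `sshservicescreenscale.md`; confirm which page each should target (the how-to should link the service configuration article, the UI reference the screen reference) and that both relrefs resolve, since an unresolvable relref fails the Hugo build at the default refLinksErrorLevel.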
Expand All @@ -29,11 +36,11 @@ Using the **SSH Connections** configuration screen:
1. Enter a name and select the **Setup Method**. If establishing an SSH connection to another TrueNAS server use the default **Semi-automatic (TrueNAS only)** option.
If connecting to a non-TrueNAS server select **Manual** from the dropdown list.

![NewSSHConnectNameMethodAuto](/images/SCALE/Credentials/NewSSHConnectNameMethodAuto.png "SSH Connections Name and Method Settings")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectNameMethodAuto.png" alt="Name and Method Settings" id="Name and Method Settings" >}}

2. Enter the authentication settings.

![NewSSHConnectAuthentication](/images/SCALE/Credentials/NewSSHConnectAuthentication.png "SSH Connections Authentication Settings")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectAuthentication.png" alt="Authentication Settings" id="Authentication Settings" >}}

a. Enter a valid URL scheme for the remote TrueNAS URL in **TrueNAS URL**.
This is a required field.
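Review bot: the new trueimage `id` values ("Name and Method Settings", "Authentication Settings") repeat the alt text and contain spaces, and the same screenshots get different ids on the reference page in this commit ("Name and Method"); if the shortcode emits `id` as an HTML attribute, a slug-style id (for example `ssh-connection-name-method`) gives a stable, linkable anchor and avoids the two pages drifting apart.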
Expand All @@ -48,27 +55,30 @@ Using the **SSH Connections** configuration screen:
e. Enter or import the private key from a previously created SSH keypair, or create a new one using the **SSH Keypair** widget.

4. (Optional) Enter the number of seconds you want to have SCALE wait for the remote TrueNAS/FreeNAS system to connect in **Connect Timeout**.
![NewSSHConnectMoreOptions](/images/SCALE/Credentials/NewSSHConnectMoreOptions.png "SSH Connections More Options Settings")

{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectMoreOptions.png" alt="More Options Settings" id="More Options Settings" >}}

5. Click **Save**. Saving a new connection automatically opens a connection to the remote TrueNAS and exchanges SSH keys.
The new SSH connection displays on the **SSH Connection** widget.
To edit it, click on the name to open the **SSH Connections** configuration screen populated with the saved settings.
{{< /expand >}}
## Manually Configuring an SSH Connection

### Configuring a Manual SSH Connection

Follow these instructions to set up an SSH connection to a non-TrueNAS or non-FreeNAS system.
To manually set up an SSH connection, you must copy a public encryption key from the local system to the remote system.
A manual setup allows a secure connection without a password prompt.
{{< expand "Manual" "v" >}}
{{< expand "Click here for more information" "v" >}}

Using the **SSH Connections** configuration screen:

1. Enter a name and select **Manual** from the **Setup Method** dropdown list.

![NewSSHConnectNameMethodManual](/images/SCALE/Credentials/NewSSHConnectNameMethodManual.png "SSH Connections Manual Method")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectNameMethodManual.png" alt="Manual Name and Method" id="Manual Name and Method" >}}

2. Enter the authentication settings.

![NewSSHConnectAuthenticationManual](/images/SCALE/Credentials/NewSSHConnectAuthenticationManual.png "SSH Connections Manual Authentication Settings")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectAuthenticationManual.png" alt="Manual Authentication Settings" id="Manual Authentication Settings" >}}

a. Enter a host name or host IP address for the remote non-TrueNAS/FreeNAS system as a valid URL.
An IP address example is *https://10.231.3.76*.
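Review bot: the example for the manual method's host field, `*https://10.231.3.76*`, is a web URL rather than an SSH endpoint; unless the form strips the scheme, a reader who copies it gets a connection failure. Give the bare host name or address (`10.231.3.76`) and leave the port to the port field, and drop "as a valid URL" from the preceding sentence so it does not invite the scheme.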
Expand All @@ -83,14 +93,17 @@ Using the **SSH Connections** configuration screen:
d. Click **Discover Remote Host Key** after properly configuring all other fields to query the remote system and automatically populate thr **Remote Host Key** field.

4. (Optional) Enter the number of seconds you want SCALE wait for the remote TrueNAS/FreeNAS system to connect in **Connect Timeout**.
![NewSSHConnectMoreOptions](/images/SCALE/Credentials/NewSSHConnectMoreOptions.png "SSH Connections More Options Settings")

{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectMoreOptions.png" alt="Manual More Options" id="Manual More Options" >}}

5. Click **Save**. Saving a new connection automatically opens a connection to the remote TrueNAS and exchanges SSH keys.
The new SSH connection displays on the **SSH Connection** widget.
To edit it, click on the name to open the **SSH Connections** configuration screen populated with the saved settings.

{{< /expand >}}
### Adding a Public SSH Key to the TrueNAS Admin User Account

### Adding a Public SSH Key to an Admin User Account

This procedure covers adding a public SSH key to the admin account on the TrueNAS SCALE system and generating a new SSH Keypair to add to the remote system (TrueNAS or other).
{{< expand "Click here for more information" "v" >}}
1. Copy the SSH public key text or download it to a text file:
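Review bot: the Save step copied into the manual procedure says saving "automatically opens a connection to the remote TrueNAS and exchanges SSH keys", which contradicts the section's own premise that the remote is a non-TrueNAS host and that the user installs the public key there by hand; with the manual method there is no key exchange for Save to perform, so reword it to say Save stores the connection without promising an exchange. Also in this hunk: "populate thr **Remote Host Key**" should read "the", "you want SCALE wait" is missing "to", and the timeout sentence still says "remote TrueNAS/FreeNAS system" inside a procedure aimed at other hosts.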
Expand All @@ -108,15 +121,17 @@ This procedure covers adding a public SSH key to the admin account on the TrueNA
Edit the admin account.
Click on the <span class="material-icons">expand_more</span> icon and then click **Edit** to open the **Edit User** screen.

{{< trueimage src="/images/SCALE/Credentials/SSHEditUserAuthenticationSettings.png" alt="Add SSH Key" id="Add SSH Key" >}}

Paste the SSH public key text into the **Authorized Keys** field on the **Edit User** configuration screen in the **Authentication** settings.

{{< hint type=important >}}
Do not paste the SSH private key.
{{< /hint >}}
Alternately, click **Choose File** to select and upload the SSH key.

3. Click **Save**.
{{< hint type=important >}}
Do not paste the SSH private key.
{{< /hint >}}

![SSHEditUserAuthenticationSettings](/images/SCALE/Credentials/SSHEditUserAuthenticationSettings.png "Edit Root Users SSH Key")
3. Click **Save**.

If you need to generate a new SSH keypair:

Expand All @@ -127,6 +142,7 @@ If you need to generate a new SSH keypair:

If the remote NAS is not a TrueNAS system, refer to the documentation for that system, and find their instructions on adding a public SSH key.
{{< /expand >}}

## Generating SSH Keypairs

TrueNAS generates and stores [RSA-encrypted](https://tools.ietf.org/html/rfc8017) SSH public and private keypairs on the **SSH Keypairs** widget found on the **Credentials > Backup Credentials** screen.
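Review bot: "[RSA-encrypted](https://tools.ietf.org/html/rfc8017) SSH public and private keypairs" is inaccurate; an SSH keypair is an RSA key pair used for authentication, nothing about it is encrypted, and RFC 8017 is the PKCS #1 RSA specification, so "RSA SSH keypairs" is the right wording. Suggest: "TrueNAS generates and stores [RSA](https://tools.ietf.org/html/rfc8017) SSH keypairs on the **SSH Keypairs** widget ...".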
Expand All @@ -141,6 +157,6 @@ To manually create a new keypair:
3. Give the new keypair a unique name and click **Save**.
The keypair displays on the **SSH Keypairs** widget.

![BackupCredentialsSSHKeypairsAdd](/images/SCALE/Credentials/BackupCredentialsSSHKeypairsAdd.png "SSH Keypairs Form")
{{< trueimage src="/images/SCALE/Credentials/BackupCredentialsSSHKeypairsAdd.png" alt="SSH Keypairs Form" id="SSH Keypairs Form" >}}

Click the vertical ellipsis <span class="material-icons">more_vert</span> at the bottom of the **SSH Keypairs** configuration screen to download these strings as text files for later use.
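Review bot: "download these strings as text files" has no antecedent inside this hunk; say what is downloaded (the keypair's private and public key text from the form fields) and, if the download includes the private key, add that the resulting file is a credential and should be stored with restricted permissions rather than left in a downloads folder.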
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ See [Security Recommendations](https://www.truenas.com/docs/solutions/optimizati

To configure SSH go to **System Settings > Services**, find **SSH**, and click <i class="material-icons" aria-hidden="true" title="Configure">edit</i> to open the basic settings **General Options** configuration screen.

![ServicesSSHBasicSettingsGenOptionsSCALE](/images/SCALE/SystemSettings/ServicesSSHBasicSettingsGenOptionsSCALE.png "SSH Basic Settings General Options")
{{< trueimage src="/images/SCALE/SystemSettings/ServicesSSHBasicSettingsGenOptionsSCALE.png" alt="SSH General Options" id="SSH General Options" >}}

Use the **Password Login Groups** and **Allow Password Authentication** settings to allow specific TrueNAS account groups the ability to use password authentication for SSH logins.

Expand All @@ -33,15 +33,16 @@ If your configuration requires more advanced settings, click **Advanced Settings
The basic options continue to display above the **Advanced Settings** screen.
Configure the options as needed to match your network environment.

![SSHServicesAdvancedSettings](/images/SCALE/SystemSettings/SSHServicesAdvancedSettings.png "SSH Settings Advanced Options")
{{< trueimage src="/images/SCALE/SystemSettings/SSHServicesAdvancedSettings.png" alt="SSH Advanced Options" id="SSH Advanced Options" >}}

These **Auxiliary Parameters** can be useful when troubleshooting SSH connectivity issues:

* Increase the `ClientAliveInterval` if SSH connections tend to drop.
* Increase the `MaxStartups` value (**10** is default) when you need more concurrent SSH connections.

Remember to enable the SSH service in **System Settings > Services** after making changes.
To create and store specific [SSH connections and keypairs]({{< relref "AddSSHConnectionKeyPair.md" >}}), go to **Credentials > Backup Credentials**.

Create and store SSH connections and keypairs to allow SSH access in **Credentials > Backup Credentials** or by editing an administrative user account. See [Adding SSH Credentials]({{< relref "AddSSHConnectionKeyPair.md" >}}) for more information.

## Using SSH File Transfer Protocol (SFTP)

Expand All @@ -50,14 +51,24 @@ SFTP is more secure than standard FTP as it applies SSL encryption on all transf

Go to **System Settings > Services**, find the **SSH** entry, and click the <i class="material-icons" aria-hidden="true" title="Configure">edit</i> to open the **Services > SSH** basic settings configuration screen.

![ServicesSSHBasicSettingsGenOptionsSCALE](/images/SCALE/SystemSettings/ServicesSSHBasicSettingsGenOptionsSCALE.png "SSH Basic Settings General Options")
{{< trueimage src="/images/SCALE/SystemSettings/ServicesSSHBasicSettingsGenOptionsSCALE.png" alt="SSH General Options" id="SSH General Options" >}}

Select **Allow Password Authentication** and decide if you need **Log in as Root with Password** and **Log in as Admin with Password**.
{{< hint type=important >}}
Select **Allow Password Authentication**.

Go to **Credentials > Local Users**. Click anywhere on the row of the user you want to access SSH to expand the user entry, then click **Edit** to open the **Edit User** configuration screen. Make sure that **SSH password login enabled** is selected. See [Managing Users]({{< relref "managelocalusersscale.md" >}}) for more information.

{{< hint type=danger title="Security Concern" >}}
SSH with root is a security vulnerability. It allows users to fully control the NAS remotely with a terminal instead of providing SFTP transfer access.

Choose a non-root administrative user to allow SSH access.
{{< /hint >}}

Review the remaining options and configure them according to your environment or security needs.

Remember to enable the SSH service in **System Settings > Services** after making changes.

Create and store SSH connections and keypairs to allow SSH access in **Credentials > Backup Credentials** or by editing an administrative user account. See [Adding SSH Credentials]({{< relref "AddSSHConnectionKeyPair.md" >}}) for more information.

### Using SFTP Connections

Open an FTP client (like FileZilla) or command line.
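Review bot: the first context line of this hunk says SFTP "applies SSL encryption on all transfers"; SFTP runs over the SSH transport and involves no SSL/TLS (that is FTPS), and since this commit rewrites the wording around it, correct it here to say transfers are encrypted and authenticated by the SSH service configured on this page. In the added lines, "Remember to enable the SSH service ..." and "Create and store SSH connections and keypairs ..." now appear twice in this file (once after the advanced settings, once here), and "SSH with root is a security vulnerability" should say security risk, since it is a configuration choice rather than a flaw; the hint could also note that key-based authentication with a non-root user, which this page already documents, avoids enabling password authentication for SFTP at all.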
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,13 @@ tags:

The **Backup Credentials** screen displays the **SSH Connections** and **SSH Keypairs** widgets.

You must also configure and activate the [SSH Service]({{< relref "sshservicescreenscale.md" >}}) to allow SSH access.

## SSH Connection and Keypairs Widgets

The **SSH Connections** and **SSH Keypairs** widgets display a list of SSH connections and keypairs configured on the system.

![BackupCredentialsAllCloudSSH](/images/SCALE/Credentials/BackupCredentialsAllCloudSSH.png "SSH Connections and Keypairs Widgets")
{{< trueimage src="/images/SCALE/Credentials/BackupCredentialsAllCloudSSH.png" alt="Backup Credentials Screen" id="Backup Credentials Screen" >}}

The **SSH Connections** widget allows users to establish Secure Socket Shell (SSH) connections.
The **SSH Keypairs** widget allows users to generate SSH keypairs required to authenticate the identity of a user or process that wants to access the system using SSH protocol.
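Review bot: "Secure Socket Shell (SSH)" in the context line is a misexpansion; SSH is the Secure Shell protocol (RFC 4251), and the same wording appears in the first file of this commit. Both hunks touch the surrounding lines, so fix both here.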
Expand All @@ -22,11 +25,12 @@ The **SSH Keypairs** widget allows users to generate SSH keypairs required to au
The connection name on the widget is a link that opens the **SSH Connections** configuration screen already populated with the saved settings for the selected connection.

### SSH Connections Screens

The settings displayed on the **SSH Connections** configuration screens are the same whether you add a new connection or edit an existing connection.

#### Name and Method Settings

![NewSSHConnectNameMethodAuto](/images/SCALE/Credentials/NewSSHConnectNameMethodAuto.png "SSH Connections Name and Method Settings")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectNameMethodAuto.png" alt="Name and Method" id="Name and Method" >}}

{{< truetable >}}
| Name | Description |
Expand All @@ -36,9 +40,10 @@ The settings displayed on the **SSH Connections** configuration screens are the
{{< /truetable >}}

#### Authentication Settings - Semi-Automatic Method

These authentication settings display when **Setup Method** is **Semi-automatic (TrueNAS only)**.

![NewSSHConnectAuthentication](/images/SCALE/Credentials/NewSSHConnectAuthentication.png "SSH Connections Authentication Settings")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectAuthentication.png" alt="Authentication Settings" id="Authentication Settings" >}}

{{< truetable >}}
| Name | Description |
Expand All @@ -52,10 +57,11 @@ These authentication settings display when **Setup Method** is **Semi-automatic
{{< /truetable >}}

#### Authentication Settings - Manual Method

These authentication settings display when **Setup Method** is **Manual**. You must copy a public encryption key from the local system to the remote system.
A manual setup allows a secure connection without a password prompt.

![NewSSHConnectAuthenticationManual](/images/SCALE/Credentials/NewSSHConnectAuthenticationManual.png "SSH Connections Manual Authentication Settings")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectAuthenticationManual.png" alt="Manual Authentication Settings" id="Manual Authentication Settings" >}}

{{< truetable >}}
| Name | Description |
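Review bot: "You must copy a public encryption key from the local system to the remote system" mislabels the key; the SSH public key installed in the remote account's authorized keys is an authentication key and does not encrypt the session, so say "the local system's SSH public key". The manual-connection procedure in the first file carries the same sentence.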
Expand All @@ -70,7 +76,7 @@ A manual setup allows a secure connection without a password prompt.

#### More Options Settings

![NewSSHConnectMoreOptions](/images/SCALE/Credentials/NewSSHConnectMoreOptions.png "SSH Connections More Options Settings")
{{< trueimage src="/images/SCALE/Credentials/NewSSHConnectMoreOptions.png" alt="More Options Settings" id="More Options Settings" >}}

{{< truetable >}}
| Name | Description |
Expand All @@ -81,9 +87,10 @@ A manual setup allows a secure connection without a password prompt.
**Save** automatically opens a connection to the remote TrueNAS and exchanges SSH keys.

### SSH Keypairs Widget

The **SSH Keypairs** widget on the **Backup Credentials** screen lists SSH keypairs added to the TrueNAS SCALE system.

![BackupCredentialsSSHKeypairsWidget](/images/SCALE/Credentials/BackupCredentialsSSHKeypairsWidget.png "SSH Keypairs Widget")
{{< trueimage src="/images/SCALE/Credentials/BackupCredentialsSSHKeypairsWidget.png" alt="SSH Keypairs Widgit" id="SSH Keypairs Widgit" >}}

The name of the keypair listed on the widget is a link that opens the **[SSH Keypairs](#ssh-keypairs-screen)** configuration screen.

Expand All @@ -92,9 +99,10 @@ The <iconify-icon icon="icon-park-outline:download"></iconify-icon> download ico
The <span class="material-icons">delete</span> delete icon opens the a delete dialog. Click **Confirm** and then **Delete** to remove the stored keypairs from the system.

#### SSH Keypairs Screen

The **SSH Keypairs** configuration screen displays the same settings for both add and edit options. Click **Add** to open a new configuration form, or click on an existing keypair to open the configuration screen populated with the settings for the selected keypair.

![BackupCredentialsSSHKeypairsAdd](/images/SCALE/Credentials/BackupCredentialsSSHKeypairsAdd.png "SSH Keypairs Settings")
{{< trueimage src="/images/SCALE/Credentials/BackupCredentialsSSHKeypairsAdd.png" alt="SSH Keypairs Settings" id="SSH Keypairs Settings" >}}

{{< truetable >}}
| Name | Description |
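Review bot: "opens the a delete dialog" in the context line has a stray article; "opens a delete dialog".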

0 comments on commit a1542f6