
Sophos UTM 9.6 settings - shell access
Secure Shell (SSH) is a network protocol that can be used to log on to the UTM via an encrypted network connection. It is typically used for maintenance work and troubleshooting. For access, you need an SSH client, which is included in most Linux distributions. For Windows, you can download a free SSH client, for example PuTTY or DameWare.
Shell user passwords
Enter passwords for the default accounts root and loginuser. To change the password for only one of these two accounts, simply leave the two input fields for the other account blank.
Note - To enable SSH shell access, the passwords must first be set. In addition, you can only assign passwords that match the security settings you have configured on the Definitions & Users > Authentication Services > Advanced tab. In other words, if you have selected the use of complex passwords, you can only enter passwords here that meet these security requirements.
Accessing UTM via SSH
To access the UTM via SSH, connect to the SSH port (TCP 22 by default) using your usual SSH client (e.g. PuTTY).
You can log in as
- loginuser by entering loginuser and the corresponding password (as set above) in SSH or
- root after logging in as loginuser by entering su - and the associated password (as set above).
Note - Any changes made as root will void your support; use WebAdmin for configuration changes instead. Even users who are not logged in as root have access to a lot of information on the UTM, so these accounts should be treated as worth protecting. We therefore strongly advise granting SSH access only to WebAdmin administrators.
Allowed Networks
Use the Allowed Networks field to restrict SSH access to specific networks. Only networks listed here can log on to the SSH service.
Authentication
In this section, you can specify an authentication method for SSH access and the corresponding security level. The following authentication methods are available:
- Password (default)
- Public key
- Password and Public Key
To use these options, select the appropriate check boxes. To use the Allow Public Key Authentication feature, you must upload the corresponding public key to the Authorised Keys for loginuser field for each user who is allowed to authenticate using their public key.
Allow Root Login: You can allow SSH access for the root user. This option is disabled by default as it leads to an increased security risk. If this option is enabled, the root user can log in using their public key. Upload the public key(s) for the root user to the Authorised Keys for Root field.
Click Apply to save your settings.
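Before pasting keys into the Authorised Keys for loginuser or Authorised Keys for Root field, it helps to check each key and record its fingerprint. The following Python code is an added example, not Sophos code: it parses OpenSSH public key lines, rejects malformed or weak keys and returns the SHA256 fingerprint. The allowed key types, the 2048-bit RSA minimum and the sample() helper with its dummy key material are assumptions made for this example.

```python
import base64, hashlib

MIN_RSA_BITS = 2048                   # assumed local policy, not from the Sophos page
ALLOWED = {"ssh-ed25519", "ssh-rsa"}  # assumed local policy

def _pack(*fields):
    """Encode fields as SSH wire-format strings (4-byte length + data)."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def _unpack(blob):
    """Split a key blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        if i + 4 + n > len(blob):  # also catches a cut-off length prefix
            raise ValueError("truncated field")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def check_key(line):
    """Return (ok, detail); detail is the SHA256 fingerprint when ok."""
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    ktype, b64 = parts[0], parts[1]
    if ktype not in ALLOWED:
        return False, f"key type {ktype!r} not allowed"
    try:
        blob = base64.b64decode(b64, validate=True)
        fields = _unpack(blob)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"malformed key data: {exc}"
    if not fields or fields[0] != ktype.encode():
        return False, "declared type does not match key blob"
    if ktype == "ssh-rsa":  # blob fields: type, exponent e, modulus n
        bits = int.from_bytes(fields[2], "big").bit_length() if len(fields) == 3 else 0
        if bits < MIN_RSA_BITS:
            return False, f"RSA modulus is {bits} bits, need {MIN_RSA_BITS}"
    elif ktype == "ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
        return False, "ed25519 public key must be 32 bytes"
    return True, "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def sample(ktype, *fields):
    """Build a constructed key line from dummy material (not a real key)."""
    return f"{ktype} {base64.b64encode(_pack(ktype.encode(), *fields)).decode()} constructed@example"

if __name__ == "__main__":
    print(check_key(sample("ssh-ed25519", bytes(range(32)))))
    print(check_key(sample("ssh-rsa", b"\x01\x00\x01", b"\x00\xc1" + b"\x11" * 127)))
```

The fingerprint has the same form as the one printed by ssh-keygen -lf, so it can be compared with the value the key owner reports before the key is uploaded.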
Listen Port for SSH Daemon
This option allows you to change the TCP port for the SSH protocol. The default SSH port is 22. To change the port, enter a suitable value between 1024 and 65535 in the Port number field and click Apply.

Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer gained experience on numerous projects. His interest in IT security was sparked in particular by his service in command support. Even after his service, he remains an active reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then, his interest in IT security has grown steadily. In the course of time, various security and infrastructure topics have come into his focus. His most interesting projects included, for example, WLAN coverage in an explosion-proof area, as well as a multi-site WLAN solution for a large