#120 FreeBSD, KeyBox: Web-Based Bastion Host and SSH Key Management

In this post I’ll describe how to use a web-based SSH client that you can access from the Internet. For example, you want to access your SSH server from anywhere without installing any plug-ins or SSH clients (putty). Mind that if the access to port 22 (SSH) is blocked from your Internet/home/work provider, you won’t be able to access the SSH terminal. The official web site for this solution is here. It was developed under Linux, but it works under FreeBSD as well.


I used a fresh install of FreeBSD 11.1. KeyBox uses Java (OpenJDK) and Apache Maven.
Let’s install wget, bash, OpenJDK and Apache

pkg install wget openjdk8 bash maven33

Go to /usr/local/bin where the program will reside, download the archive and unzip it.

cd /usr/local/bin
wget --no-check-certificate

bash requires some configuration.

mount -t fdescfs fdesc /dev/fd
mount -t procfs proc /proc
echo "fdesc   /dev/fd         fdescfs         rw      0       0" >> /etc/fstab
echo "proc    /proc           procfs          rw      0       0" >> /etc/fstab

Let’s create the user that will run KeyBox. Specify the password for the user when asked.

pw useradd -n keybox -s /usr/local/bin/bash -c "KeyBox User"
passwd keybox
mkdir /home/keybox
chown keybox:keybox /home/keybox
chown keybox:keybox /usr/local/bin/KeyBox-master

Once the user has been created, log as that user.

su - keybox

Adjust the profile for the user so it knows where to find Java.

echo "export JAVA_HOME=/usr/local/openjdk8" >> .bash_profile
echo "export M2_HOME=/usr/local/share/java/maven33" >> .bash_profile
echo "export PATH=$JAVA_HOME/bin:$M2_HOME/bin:$PATH" >> .bash_profile

Execute the profile so you don’t have to log off, log back on.

source ~/.bash_profile

Go to the program folder and start it.

cd /usr/local/bin/KeyBox-master
mvn package jetty:run

The first run will take some time and you’ll be asked to provide a password for the database.
Once you see this, you are ok.

[INFO] Started ServerConnector@6b88af71{SSL,[ssl, http/1.1]}{}
[INFO] Started @52127ms
[INFO] Started Jetty Server

As you can see from the above lines, KeyBox listens on port 8443. Go to https://your_ip:8443 and log as user admin and password changeme.


It would be nice if we can access KeyBox on 443, so the easiest way is to redirect 443 to 8443 using pf firewall. Let’s enable pf.

echo 'pf_enable="YES"' >> /etc/rc.conf
echo 'pflog_enable="YES"' >> /etc/rc.conf

Do ifconfig | grep flags and see what’s the name of your NIC. In my case it’s xn0, lo0 is the loopback interface.

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

Create a file called /etc/pf.conf and paste this.

ext_if = "xn0"
set loginterface $ext_if
set skip on lo
tcp_pass = "{ 22 443 8443}"
udp_pass = "{ 53 }"
rdr on $ext_if proto tcp from any to any port 443 -> port 8443
block all
pass log on $ext_if proto tcp to any port $tcp_pass keep state
pass out on $ext_if proto udp to any port $udp_pass keep state
pass inet proto icmp from any to any

You’ll have to reboot. Once the server comes back, log as keybox user and start KeyBox.

cd /usr/local/bin/KeyBox-master
mvn package jetty:run

Now, you can go to https://your_ip.

SSL certificates (optional)

If you have SSL certificates you can provide them to Java cert store. KeyBox comes with self-signed certificates and Java cert store is password protected, so the easiest way without changing any config is just to replace the keystore, but we need the password for that. The config file for Keybox is /usr/local/bin/KeyBox-master/src/test/resources/jetty-ssl.xml and the keystore is located under /usr/local/bin/KeyBox-master/src/test/resources. Open up the jetty-ssl.xml file and search for OBF string. This is your obfuscated password. OBF:1ini1l4t1mfb1x8616dq20zj16cw1x8o1mbb1l8h1ikw. You can decrypt the password with the following line.

cd /usr/home/keybox/.m2
java -cp ./repository/org/eclipse/jetty/jetty-util/9.4.8.v20171121/jetty-util-9.4.8.v20171121.jar "OBF:1ini1l4t1mfb1x8616dq20zj16cw1x8o1mbb1l8h1ikw"

The output should be like this.

2018-01-19 23:40:55.148:INFO::main: Logging initialized @140ms to org.eclipse.jetty.util.log.StdErrLog

Look at line 2. That’s your password. b0xk3y$t0r3.
Delete the keystore or better rename it.

cd /usr/local/bin/KeyBox-master/src/test/resources
mv keystore keystore.BAK

Go to /tmp directory and put your private key and the certificate there. Usually, .key and .crt extensions. If you have the certificate in PKCS12, you can skip this step and go to Step 2. In my case, the private key is and the certificate is Make sure you have them under /tmp.
Step 1. Convert the cert in PKCS12 format.

cd /tmp
openssl pkcs12 -export -in /tmp/ -inkey /tmp/ -name -out /tmp/

This will create a file called You’ll be asked for a password. Use b0xk3y$t0r3 otherwise you’ll have to modify jetty-ssl.xml.
Step 2. Import the certificate in the keystore.

cd /usr/local/bin/KeyBox-master/src/test/resources
keytool -importkeystore -deststorepass 'b0xk3y$t0r3' -destkeystore keystore -srckeystore /tmp/ -srcstoretype PKCS12

If you are prompted for a password, enter b0xk3y$t0r3 again.
At this point, stop KeyBox and start it again. You’ll see the correct certificate in the output (line #1).

[INFO] x509=X509@52ca0ad4(,h=[],w=[]) for SslContextFactory@4536a715[provider=null,keyStore=file:///usr/local/bin/KeyBox-master/src/test/resources/keystore,trustStore=null]
[INFO] Started ServerConnector@6496894{SSL,[ssl, http/1.1]}{}
[INFO] Started @21102ms
[INFO] Started Jetty Server
#106 FreeBSD: Install BitBucket
#61 FreeBSD 10: icecast & ices
#93 FreeBSD: Setup Samba as an AD Domain Member
There are currently no comments.

This site uses Akismet to reduce spam. Learn how your comment data is processed.