Secure your SSH connection to OpenHAB

Keeping the SSH connection to your openHAB secure is very important to protect it against cyber risks. This how-to shares one option for securing SSH on your OpenHAB.


Background

For administrative access to your OpenHAB you want to use SSH. There are different layers of security you can apply to the connection between your computer and OpenHAB. This how-to uses so-called "key based SSH login" and disables remote login by password. SSH key based login relies on a cryptographic key pair, which cyber security experts, for a number of good reasons, consider far more secure than allowing login by password.

Additionally, if you log in by SSH key, the user experience is in my opinion far better.

Finally, you want to use a strong cryptographic standard. This Hardening of OpenHAB Guide uses Ed25519.

How To Secure your SSH connection to OpenHAB

Step 1, generate a key pair on OpenHABian:

ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"

The input/output should look similar to the below. Please note that not setting a passphrase makes logging in easier, but is also riskier, as it potentially allows anyone who is able to steal your private key to log in.

openhabian@openHAB:~$ ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/openhabian/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/openhabian/.ssh/id_ed25519
Your public key has been saved in /home/openhabian/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:iic0RyBXlhKNmvr7OxS8z95dcdRi8EmQRpsXG1J3zeE OpenHAB3
The key's randomart image is:
+--[ED25519 256]--+
|  . +=o.   .=+=o=|
|   oooo     oB.B+|
|   + ..    .o OE.|
|  o o.       + . |
| .  oo. S   . .  |
|.  .o+ .     o   |
| . .ooo     .    |
|  . .oo. . .     |
|  .oo+. . .      |
+----[SHA256]-----+

Step 2, generate a key pair on your computer

In this Hardening of OpenHAB Guide we use a Mac and the Mac's command line. If you run a Windows system, use your favourite SSH software.

Mike@Mac-Mini ~ % ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/Mike/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /users/Mike/id_ed25519
Your public key has been saved in /users/Mike/id_ed25519.pub
The key fingerprint is:
SHA256:D38BRm81OT5jE5AtD+eCHXG77tNNQUhnC1jGk7Bsw3g test
The key's randomart image is:
+--[ED25519 256]--+
|          ..OX*+ |
|         .+oBBX+.|
|         .oEoO++ |
|         .+o+ Oo |
|        S   .o.+.|
|         +   o  .|
|          o . .o.|
|           . .. o|
|              .. |
+----[SHA256]-----+

Step 3, copy your public key to the OpenHAB (OpenHABian) system

This step is a simple copy-and-paste activity: copy the content of the id_ed25519.pub file generated in step 2 into the authorized_keys file on OpenHAB.

nano /home/openhabian/.ssh/authorized_keys

Try to log in using SSH. For example, if your OpenHAB IP address is 192.168.1.100, type the below:

ssh openhabian@192.168.1.100

If all runs well, you should be able to log in without typing a password, as SSH will use your keys.
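The copy-and-paste of step 3 done as a script, as an added example that is not part of the original how-to: the function name install_authorized_key is my own, the key line is passed in as a string, and the home directory is a parameter (defaulting to $HOME) so the function can be tried on a scratch directory first. It refuses anything that is not a single ssh-ed25519 public key line, skips keys already present, and sets the file modes sshd requires.

```shell
#!/bin/sh
# Added example (not from the original how-to): install a client public key into
# authorized_keys the way step 3 does by hand, but idempotently and with the file
# modes sshd's StrictModes (default "yes") requires.
# Usage: install_authorized_key "$(cat ~/.ssh/id_ed25519.pub)" [home_dir]

install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept exactly one Ed25519 public key line, as written by ssh-keygen in step 2.
    # Every ssh-ed25519 public key blob starts with this fixed base64 prefix.
    case "$key" in
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI"*) ;;
        *) echo "refusing: not an ssh-ed25519 public key line" >&2; return 1 ;;
    esac
    if [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "refusing: key must be a single line" >&2; return 1
    fi

    # ~/.ssh must be 0700 and authorized_keys 0600; with StrictModes sshd ignores a
    # group- or world-writable file and you silently fall back to password login.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"

    # Compare on key type and blob only, so the same key with a different
    # comment is not added twice.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$authfile"; then
        echo "already present: $blob"
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
    echo "installed: $blob"
}
```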

Step 4, Hardening of sshd_config

An important step in this hardening process is to ensure the right configuration of SSH. The SSH server stores its configuration in sshd_config. In this step 4 we update sshd_config so that your OpenHAB allows login by SSH key only, and no longer by password. With this you mitigate the high risks related to passwords (password guessing, brute-force attacks, etc.).

sudo vi /etc/ssh/sshd_config

Allow Only ed25519 Key Login

To activate login by the ed25519 key created above only, change the following lines from

#HostKey /etc/ssh/ssh_host_ed25519_key
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

to

HostKey /etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile     .ssh/authorized_keys 

Allow Only Key Login (no password login anymore)

To activate login by key only (no password any more), set PasswordAuthentication to no. Additionally, disallow login with empty passwords. Therefore, change the following lines from

#PasswordAuthentication yes 
#PermitEmptyPasswords no

to

PasswordAuthentication no
PermitEmptyPasswords no

Disable Root Login

You do not want anyone to log into your OpenHAB remotely as root. Therefore, disallow root login by changing the below line from:

#PermitRootLogin prohibit-password

to:

PermitRootLogin no

Only Allow The More Secure Protocol 2

There are two protocol versions of SSH, Protocol 1 and Protocol 2. Protocol 1 is legacy and Protocol 2 is more secure. Most likely, your sshd_config does not contain a Protocol setting. You can simply add the below line at the end of your sshd_config file:

Protocol 2

Protect Against Unattended Sessions

Leaving your OpenHAB session unattended for a long period carries security risks. Therefore you want to set a limit for keeping a session open when it is not used. In this example we set the limit to 180 seconds. SSH will close the session once idle for 180 seconds. Change from:

#ClientAliveInterval 6

to:

ClientAliveInterval 180

Allow Only Selected Users To Login By SSH

Allow only users you know to log in to your OpenHAB system. By default the user is openhabian. In this example we allow only the "openhabian" user to log in via SSH. Add the below line to the end of your sshd_config:

AllowUsers openhabian

Maximum Number Of Password Attempts

Even though we have allowed login by key only in the above, we still want to limit the number of password attempts to 3. Change from:

#MaxAuthTries 6

to:

MaxAuthTries 3
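All of the step 4 edits applied by script rather than by hand in vi, as an added example that is not part of the original how-to. The function names set_sshd_option, harden_sshd_config and sshd_option_value are my own; the file path is a parameter, so you can harden a copy first, check it with "sudo sshd -t -f <copy>", and only then replace /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original how-to): apply all step 4 settings to a
# sshd_config file non-interactively and read back what will take effect. The file
# path is a parameter, so harden a copy first and verify it with
# "sudo sshd -t -f <copy>" before replacing /etc/ssh/sshd_config and restarting.
# Usage: harden_sshd_config /path/to/sshd_config

# Set "key value": the first active or commented "key ..." line is replaced, later
# active duplicates are commented out (HostKey and AllowUsers would otherwise
# accumulate), and a missing key is appended before any "Match" block, because
# anything after "Match" applies only inside that block.
set_sshd_option() {   # file key value
    f="$1"; k="$2"; v="$3"
    awk -v k="$k" -v v="$v" '
        { c = ($0 ~ /^[ \t]*#/); line = $0
          sub(/^[ \t]*#?[ \t]*/, "", line); split(line, w, /[ \t]+/) }
        !c && tolower(w[1]) == "match" && !done { print k " " v; done = 1 }
        tolower(w[1]) == tolower(k) {
            if (!done) { print k " " v; done = 1 }
            else if (!c) { print "#" $0 }
            else { print }
            next
        }
        { print }
        END { if (!done) print k " " v }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

harden_sshd_config() {   # file
    f="$1"
    set_sshd_option "$f" HostKey /etc/ssh/ssh_host_ed25519_key
    set_sshd_option "$f" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" PermitRootLogin no
    # Harmless on current OpenSSH, which only speaks protocol 2 and accepts the keyword.
    set_sshd_option "$f" Protocol 2
    # sshd sends a keepalive probe every 180 s and disconnects only after
    # ClientAliveCountMax (default 3) unanswered probes: this catches dead
    # clients; an idle but still connected shell is not closed by it.
    set_sshd_option "$f" ClientAliveInterval 180
    set_sshd_option "$f" AllowUsers openhabian
    set_sshd_option "$f" MaxAuthTries 3
}

# Effective value of one keyword: the first active occurrence, as sshd reads it.
sshd_option_value() {   # file key
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
```

On the live system, "sudo sshd -T" prints the configuration sshd actually runs with, which is the quickest way to confirm PasswordAuthentication and PermitRootLogin after the restart.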

Make The New Configuration Effective And Test It

The last step is to test your updated configuration. To do so, keep your existing terminal open. Do not close it, because you will need it if your configuration does not work. We try the configuration in two steps. First, in the existing window, type and execute:

sudo systemctl restart sshd

Second, in a new, additional terminal window (open a new terminal window and keep the existing one open) type:

ssh openhabian@"IP ADDRESS OF YOUR OPENHAB"

If you are able to log in, great: your configuration works. If not, double-check your configuration for mistakes in the other terminal window, which you have not closed.

Finally, you can test whether some of your settings work properly. Open a terminal window and test whether login with Protocol 1 is possible (it should not be); it should look like this:

testuser@Mac-mini ~ % ssh -1 openhabian@"IP ADDRESS OF YOUR OPENHAB"
SSH protocol v.1 is no longer supported
testuser@Mac-mini ~ %

Test whether you can log in as root. Since the root user is not allowed to log in as configured above, it should look like this:

testuser@Mac-mini ~ %  ssh root@"IP ADDRESS OF YOUR OPENHAB"
root@"IP ADDRESS OF YOUR OPENHAB": Permission denied (publickey).
testuser@Mac-mini ~ % 
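One more check from your computer, as an added example that is not part of the original how-to: ask the server which authentication methods it still offers, so you can see that password login really is gone and not just unused because your key worked. The function names are my own; the address 192.168.1.100 is the how-to's example address.

```shell
#!/bin/sh
# Added example (not from the original how-to): after "systemctl restart sshd",
# confirm from your computer that the server offers public-key authentication
# only. Offering no credentials makes the server answer with its allowed methods,
# e.g. "openhabian@192.168.1.100: Permission denied (publickey)."
# Usage: check_key_only_login openhabian@192.168.1.100

# Pull the method list out of an ssh "Permission denied (...)" line read from stdin.
denied_methods() {
    sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# True when the server advertises exactly "publickey" (no password, no
# keyboard-interactive).
is_key_only() {   # method-list
    [ "$1" = "publickey" ]
}

check_key_only_login() {   # user@host
    # PreferredAuthentications=none: offer no key and no password, just ask what is allowed.
    out=$(ssh -o BatchMode=yes -o PreferredAuthentications=none "$1" true 2>&1 >/dev/null)
    methods=$(printf '%s\n' "$out" | denied_methods)
    if [ -z "$methods" ]; then
        echo "no 'Permission denied' reply from $1; raw output: $out" >&2
        return 2
    fi
    if is_key_only "$methods"; then
        echo "OK: $1 offers only: $methods"
    else
        echo "WARNING: $1 still offers: $methods" >&2
        return 1
    fi
}
# Note: "Permission denied (publickey)" for root@host only shows that no key was
# accepted for root; whether PermitRootLogin is really "no" is best confirmed on
# the server with "sudo sshd -T | grep -i permitrootlogin".
```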

Additional Information

Some additional information that might help you or be of interest to you.

It is highly appreciated if you have feedback on this how-to or if you share this link. Furthermore, I would love to see you link to this how-to from another website.