This How To SSH Key Authentication for OpenHAB helps you to increase security for OpenHAB and also to have an easier life with login. The how to further consists of additional system hardening options for your consideration.
Index of How To SSH Key Authentication for OpenHAB
- How To SSH Key Authentication for OpenHAB
- Additional Information
If you would like to leverage on SSH for remote access to your OpenHAB, then I think this is a good option. There are different layers of security that can achieve a secure connection. The so called “key based SSH login”, whilst disabling remote login by password, is something that many cybersecurity experts recommend.
SSH key based login is leveraging on certificates which is for a number of good reasons seen by cybersecurity experts as far more secure than allowing login by password. It certainly avoids attacks based on password guessing. Additionally, if you leverage on login by SSH key, the user experience is far better.
There is one more point, you like to leverage on a strong cryptographic standard. Therefore, this How To leverages on Ed25519.
Step 1: Generate Ed25519 Certificates
On your OpenHAB “openhabian” run
ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
This will generate a new set of keys (private and public key). The output would look like the below. During the process, decide whether you like to set a passphrase for your private key.
ssh-keygen -t ed25519 -C "Your@E-MailAddress.com" Generating public/private ed25519 key pair. Enter file in which to save the key (/home/openhabian/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/openhabian/.ssh/id_ed25519 Your public key has been saved in /home/openhabian/.ssh/id_ed25519.pub The key fingerprint is: SHA256:iic0RyBXlhKNmvr7OxS8z95dcdRi8EmQRpsXG1J3zeE OpenHAB3 The key's randomart image is: +--[ED25519 256]--+ | . +=o. .=+=o=| | oooo oB.B+| | + .. .o OE.| | o o. + . | | . oo. S . . | |. .o+ . o | | . .ooo . | | . .oo. . . | | .oo+. . . | +----[SHA256]-----+
Step 2, generate certificates on your computer
If you have on your computer (not OpenHAB for which you created the certificates by the above) already a set of Ed25519 keys, then you can skip step 2. If you don’t have keys, please run step 2.
To create the keys on your “home” computer, run
ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
This will generate a new set of keys (private and public key). The output would look like the below. During the process, decide whether you like to set a passphrase for your private key. Since the private key in this case is the key that is required to login remotely, but also the key that you might like to use for login into other systems, it is recommended to set a passphrase to increase security.
ssh-keygen -t ed25519 -C "Your@E-MailAddress.com" Generating public/private ed25519 key pair. Enter file in which to save the key (/Users/Mike/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /users/Mike/id_ed25519 Your public key has been saved in /users/Mike/id_ed25519.pub The key fingerprint is: SHA256:D38BRm81OT5jE5AtD+eCHXG77tNNQUhnC1jGk7Bsw3g test The key's randomart image is: +--[ED25519 256]--+ | ..OX*+ | | .+oBBX+.| | .oEoO++ | | .+o+ Oo | | S .o.+.| | + o .| | o . .o.| | . .. o| | .. | +----[SHA256]-----+
Step 3, Copy Your Public Certificate To OpenHAB
You have now on your let’s call it “home” PC as well as on your OpenHAB a new set of Ed25519 keys. Each set consists of a public and a private key. The public key typically ends with “.pub”. In order to allow key based login, you need to let OpenHAB know what is your public key. For this reason we copy now the public key of your “home” system to the OpenHAB.
Therefore, run on OpenHAB the below command (if the file does not exist, than you create it):
Into this file you copy the public key of your home system (which most likely is stored in the file called “id_ed25519.pub”).
Step 4, Test
Let’s test this now. Open on the home system another terminal window and run:
ssh -i .ssh/id_ed25519 openhabian@OpenHABIPAddress
- openhabian: should be the user name of the OpenHAB system. In a standard OpenHAB installation it is for example “openhabian”. In many Linux installations it is for example “root” or on a Raspberry Pi standard installation its often “pi”
- OpenHABIPAddress: should be the IP Address of your OpenHAB
- .ssh/id_ed25519 -> Should be the directory on your home computer in which you have the private key file (which in this case ist simply called id_ed25519)
If you have run Step 1-3 well, then the login after execution of the command in step 4 should look like this:
.ssh % ssh -i id_ed25519 openhabian@OpenHABIPAddress Linux raspberrypi 5.15.76-v7+ #1597 SMP Fri Nov 4 12:13:17 GMT 2022 armv7l The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue Jan 3 17:25:19 2023 from YOUR IP ADDRESS
Done & Enjoy!
I however recommend to consider a couple of Hardening steps that you can find in the next chapter, Additional System Hardening.
An important step in the system hardening process is to ensure the right configuration of SSH. SSH stores its configuration typically in a file called ssh.conf. Since we leverage on key based authentication, we would like to allow login by SSH key only, but not anymore by passwords. With this you mitigate the high risks related to passwords (Password guessing, brute force attacks, etc.).
Lets run on the OpenHAB system:
sudo nano /etc/ssh/sshd_config
- /etc/ssh/sshd_config is where in this system the sshd configuration is stored. If this configuration is stored in a different directory in your system, then you need to adjust the path
Within this file we activate ed25519 login only, whilst we deactivate password login. To do so, search for the below lines and adjust them as of the below:
HostKey /etc/ssh/ssh_host_ed25519_key AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no PermitEmptyPasswords no
It’s further a good idea to disable root login. However, ensure you have created another user first and you did run steps 1-4 with this other user first and before changing the below setting like the below:
Finally, its a good idea to disable protocol 1 (that is not considered secure anymore) and also to
- Protect Against Unattended Sessions (ClientAliveInterval)
- Allow Only Selected Users To Login By SSH (in this example its the user “pi”)
- Maximum Number Of Trying The Password (MaxAuthTries)
ClientAliveInterval 180 MaxAuthTries 3 AllowUsers pi Protocol 2
Now we make the new configuration effective. Note: Keep one terminal window connected to your remote system open. This will ensure access if the configuration does not work.
Run a Test
Open a new terminal window and login into the OpenHAB, whilst keeping one logged in connection to OpenHAB open. You now should have in a minimum 2 terminal windows which both are logged into OpenHAB. This is good and you keep both of them open. In one of them you run:
sudo systemctl restart sshd
Once done, you open a 3rd terminal window and you try to login as described in step 4. If this works, you are fine and you can close the terminal windows. If it does not work, you should still have 1-2 terminal windows open that allow you to review the configuration and fix potential issues.
It would be amazing if you follow myHowTo.blog. To follow leverage on
- Click to follow me on Twitter
- Bookmark this page and comeback from time to time
I am really looking forward for you to contact me if for example you found a better option or other idea then in this how to. Also, please touch base if you found an error or anything not working or if you have something that you would love to be added to this how to. Simply click this link to touch base with me.
I would love to see you are recommending this how to or link it to your website. Also, I would love if you link or recommend the whole myhowto.blog. Please feel free to do so! In case you like to touch base regarding this topic with me, then simply click this link. I look forward!