
Connecting via SSH

This short tutorial covers connecting to the board via SSH, which is primarily used to obtain command-line access over a network.

Prerequisites:

  • openssh-server package on the server (this package is already installed on your Buildroot file system; if you are running Ubuntu, you need to install it)
  • openssh-client package installed on the client (check the install instructions for your Linux distribution)

Creating a new user


Connect to the ESPRESSObin via serial connection. We will first create a new user (we will name it "espresso" in this tutorial):

root@localhost:~# adduser espresso
# Answer the prompted questions and enter a strong password


and then we will grant root privileges by adding the user to the sudo group:

root@localhost:~# usermod -aG sudo espresso
# and lastly switch to the newly created user
root@localhost:~# su espresso

 

Installing OpenSSH server on ESPRESSObin


For Ubuntu, the openssh-server package is installed with:

espresso@localhost:~# sudo apt-get install openssh-server


SSH server configuration is located in /etc/ssh/sshd_config file, and there you can change numerous settings to better secure your SSH connection. You can find out more here.

Public key authentication


Key-based authentication is the most secure of several modes of authentication usable with OpenSSH. It uses two keys: a public key that anyone is allowed to see, and a private key that only the owner is allowed to see. To communicate securely with this method, one needs to create a key pair, securely store the private key on the computer one wants to log in from, and store the public key on the computer one wants to log in to. Additionally, SSH keys allow authentication between two hosts without the need for a password.

The next step in securing the connection is to generate and configure public key authentication for the newly created user. So, generate the SSH key pair on your local machine using the ssh-keygen command:

$ ssh-keygen -t ed25519 -C espresso -f /home/localuser/.ssh/espresso


In the command above we specify the file name (espresso) and path (/home/localuser/.ssh) in which to save the key. When prompted for a passphrase, you can either enter a passphrase or leave it blank. Note that entering a passphrase is a more secure method and will require both the private key and the passphrase to log in.

This command will generate a private key (espresso) and a public key (espresso.pub) in the /home/localuser/.ssh directory.

To copy the generated public key to the ESPRESSObin server, we can manually install the key by copying it to the server and concatenating it onto the ~/.ssh/authorized_keys file:

$ cat ~/.ssh/espresso.pub | ssh espresso@espressobin_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"


Now your public key should be installed on the ESPRESSObin board.

To further secure your connection, you can disable password-only authentication to restrict SSH access to public key authentication only. To do so, on the ESPRESSObin console open the OpenSSH server configuration file:

espresso@localhost:~# sudo vim /etc/ssh/sshd_config


and there uncomment the PasswordAuthentication option and change its value to "no":

PasswordAuthentication no


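Also check that the AuthorizedKeysFile option is uncommented and that the path to the authorized_keys file is correct. Note that AuthorizedKeysFile is a global option: the OpenSSH default, .ssh/authorized_keys, is resolved relative to each user's home directory, whereas an absolute path such as the one below is used for every account: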

AuthorizedKeysFile      /home/espresso/.ssh/authorized_keys


Save and exit the file, and restart the SSH daemon for the configuration changes to take effect:

espresso@localhost:~# sudo service ssh restart


Finally, you can test the connection from a terminal on your local machine:

# substitute the username and IP address with those of your setup
$ ssh espresso@espressobin_ip
# you can also use ssh -v (or -vv) for more verbosity
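
Before closing the serial console, it is worth confirming that the two sshd_config edits above are the ones sshd will actually use. The script below is an added example, not part of the original tutorial: it reads a config file the way sshd does for global options (first uncommented occurrence wins) and reports on PasswordAuthentication and AuthorizedKeysFile. The function names and the sample config are constructed for illustration, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the two sshd_config edits above.
# Assumptions: Include files are not followed and parsing stops at the first
# Match block; on the board, `sudo sshd -T` prints the authoritative settings.

# effective_value FILE KEYWORD: print the global value sshd would use.
# Keywords are case-insensitive, commented lines do not count, first one wins.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }              # comment or blank line
        tolower($1) == "match" { exit }      # conditional section starts
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_sshd_config FILE: return 0 only if password logins are disabled.
audit_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication)
    keys=$(effective_value "$1" AuthorizedKeysFile)
    rc=0
    case "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" in
        no) echo "OK   PasswordAuthentication no" ;;
        "") echo "FAIL PasswordAuthentication unset (sshd default: yes)"; rc=1 ;;
        *)  echo "FAIL PasswordAuthentication $pw"; rc=1 ;;
    esac
    case "$keys" in
        "")        echo "INFO AuthorizedKeysFile unset (per-user default)" ;;
        *%h*|*%u*) echo "OK   AuthorizedKeysFile $keys (per-user token)" ;;
        /*)        echo "WARN AuthorizedKeysFile $keys is shared by all accounts" ;;
        *)         echo "OK   AuthorizedKeysFile $keys (relative to home)" ;;
    esac
    return $rc
}

# Constructed sample: a stock commented line plus the tutorial's two edits.
sample_config() {
    cat <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile      /home/espresso/.ssh/authorized_keys
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd_config "$tmp"
rm -f "$tmp"
```

On the board, point audit_sshd_config at /etc/ssh/sshd_config, and keep the serial session open until a key-based login from the local machine has succeeded.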