[Ovmsdev] Real authentication for SSH server
Stephen Casner
casner at acm.org
Tue Nov 28 11:09:33 HKT 2017
I have updated the SSH server code in OVMS to remove temporary
built-in passwords for jack and jill and public keys for hansel and
gretel. Instead there is now real authentication code that fetches
passwords and public keys from the config:
- We keep the host key for the server in ssh.server:key. If none
exists when the server is started then a background task is forked
to create one, using the key generator in WolfSSL with entropy from
esp_random(), and install it into the config.
- The key generation also calculates the SHA256 fingerprint of the
host key and stores it in ssh.info:fingerprint so that users can
verify the key when connecting from a new client. The fingerprint
is displayed when the generation is complete and can be viewed any
time with "config list ssh.info".
- Passwords may be stored under param password with the instance being
the associated username. Alternatively, if there is no password
configured for a username then the password stored under instance
"module" is used.
- RSA public keys may be stored under param ssh.keys with the instance
being the associated username. The key format is as generated on a
Linux or Mac system by the command "ssh-keygen -b 2048 -t rsa".
This could be a key you already have or a new one made for this
purpose. Only the one long string of the base64-encoded key should
be stored, not including the "ssh-rsa" at the beginning or the user
ID at the end. The key is stored with a command like this:
config set ssh.keys casner AAAAB3NzaC1yc2EAAAADAQAB...C6p5jcbf4NCnX
Public key authentication is really convenient because most client
systems allow authenticating the private key once per login on the
client and storing the decrypted private key in a key server. Then
each session to the OVMS is authenticated automatically without
requiring a password to be entered.
WARNING: If the config does not contain any passwords (including for
"module") nor any public keys, then authentication is considered
disabled and any user can log in with no password or a random
password.
-- Steve
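The lookup rules described in the message (per-user password, fallback to the "module" instance, per-user RSA key blob under ssh.keys, and the warning that an empty config leaves the server open), as an added C++ example that is not OVMS or wolfSSH code. It assumes an in-memory stand-in for the OVMS config store, a constructed placeholder key blob, and that the SSH library has already proved the client holds the matching private key; only the match decisions are shown.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Stand-in for the OVMS config store (assumption): param -> instance -> value,
// e.g. cfg["password"]["module"] or cfg["ssh.keys"]["casner"].
using ConfigStore = std::map<std::string, std::map<std::string, std::string>>;

// Return the value stored for param/instance, or "" if it is absent.
std::string configGet(const ConfigStore& cfg, const std::string& param,
                      const std::string& instance) {
  auto p = cfg.find(param);
  if (p == cfg.end()) return "";
  auto i = p->second.find(instance);
  if (i == p->second.end()) return "";
  return i->second;
}

// True if any instance under `param` carries a non-empty value.
bool hasAnyValue(const ConfigStore& cfg, const std::string& param) {
  auto p = cfg.find(param);
  if (p == cfg.end()) return false;
  for (const auto& kv : p->second)
    if (!kv.second.empty()) return true;
  return false;
}

// The warning from the message: with no passwords (including "module") and
// no public keys, authentication is treated as disabled and any login passes.
bool authDisabled(const ConfigStore& cfg) {
  return !hasAnyValue(cfg, "password") && !hasAnyValue(cfg, "ssh.keys");
}

// Compare two secrets without an early exit on the first differing byte
// (the length is still revealed, which is acceptable for a password check).
bool constantTimeEquals(const std::string& a, const std::string& b) {
  if (a.size() != b.size()) return false;
  unsigned char diff = 0;
  for (std::size_t i = 0; i < a.size(); ++i)
    diff |= static_cast<unsigned char>(a[i] ^ b[i]);
  return diff == 0;
}

// Reduce an authorized_keys-style line ("ssh-rsa <base64> comment") to the
// base64 blob, which is the only part the message says to store. A bare
// blob is passed through unchanged.
std::string extractKeyBlob(const std::string& line) {
  std::istringstream ss(line);
  std::string first, second;
  ss >> first;
  if (first == "ssh-rsa") {
    ss >> second;
    return second;
  }
  return first;
}

// Password rule: per-user password first, then the "module" instance.
bool checkPassword(const ConfigStore& cfg, const std::string& user,
                   const std::string& presented) {
  if (authDisabled(cfg)) return true;
  std::string expected = configGet(cfg, "password", user);
  if (expected.empty()) expected = configGet(cfg, "password", "module");
  if (expected.empty()) return false;
  return constantTimeEquals(expected, presented);
}

// Public-key rule: the blob stored under ssh.keys/<user> must equal the key
// the client offered. Proof of possession of the private key is assumed to
// have been done by the SSH library before this is consulted.
bool checkPublicKey(const ConfigStore& cfg, const std::string& user,
                    const std::string& offeredKeyLine) {
  if (authDisabled(cfg)) return true;
  std::string stored = configGet(cfg, "ssh.keys", user);
  if (stored.empty()) return false;
  return stored == extractKeyBlob(offeredKeyLine);
}

// Constructed sample config; the key blob is a placeholder, not a real key.
const char* const kSampleKey = "AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDPLACEHOLDER";

ConfigStore sampleConfig() {
  ConfigStore cfg;
  cfg["password"]["module"] = "module-secret";
  cfg["password"]["jack"] = "jack-secret";
  cfg["ssh.keys"]["casner"] = kSampleKey;
  return cfg;
}

int main() {
  ConfigStore cfg = sampleConfig();
  std::cout << "jack, own password:    " << checkPassword(cfg, "jack", "jack-secret") << "\n";
  std::cout << "jill, module fallback: " << checkPassword(cfg, "jill", "module-secret") << "\n";
  std::cout << "casner, key line:      "
            << checkPublicKey(cfg, "casner", std::string("ssh-rsa ") + kSampleKey + " casner@laptop") << "\n";
  std::cout << "empty config is open:  " << checkPassword(ConfigStore{}, "anyone", "") << "\n";
  return 0;
}
```

Note that a user with their own password entry does not also get the "module" password, and that an entry whose value is empty counts as absent, so a config holding only an empty "module" password still leaves the server open. extractKeyBlob is the same trimming the message asks for before running config set ssh.keys.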