[Ovmsdev] Real authentication for SSH server

Stephen Casner casner at acm.org
Tue Nov 28 11:09:33 HKT 2017

I have updated the SSH server code in OVMS to remove temporary
built-in passwords for jack and jill and public keys for hansel and
gretel.  Instead there is now real authentication code that fetches
passwords and public keys from the config:

- We keep the host key for the server in ssh.server:key.  If none
  exists when the server is started then a background task is forked
  to create one, using the key generator in WolfSSL with entropy from
  esp_random(), and install it into the config.

- The key generation also calculates the SHA256 fingerprint of the
  host key and stores it in ssh.info:fingerprint so that users can
  verify the key when connecting from a new client.  The fingerprint
  is displayed when the generation is complete and can be viewed any
  time with "config list ssh.info".

- Passwords may be stored under param password with the instance being
  the associated username.  Alternatively, if there is no password
  configured for a username then the password stored under instance
  "module" is used.

- RSA public keys may be stored under param ssh.keys with the instance
  being the associated username.  The key format is as generated on a
  Linux or Mac system by the command "ssh-keygen -b 2048 -t rsa".
  This could be a key you already have or a new one made for this
  purpose.  Only the one long string of the base64-encoded key should
  be stored, not including the "ssh-rsa" at the beginning or the user
  ID at the end.  The key is stored with a command like this:

  config set ssh.keys casner AAAAB3NzaC1yc2EAAAADAQAB...C6p5jcbf4NCnX

  Public key authentication is really convenient because most client
  systems allow authenticating the private key once per login on the
  client and storing the decrypted private key in a key server.  Then
  each session to the OVMS is authenticated automatically without
  requiring a password to be entered.

WARNING: If the config does not contain any passwords (including for
"module") nor any public keys, then authentication is considered
disabled and any user can log in with no password or a random

                                                        -- Steve

More information about the OvmsDev mailing list