Tuesday, 5 March 2013

RPi Remote Access Using SSH

Secure Shell (SSH) is a remote communication tool that uses cryptographic methods to create a secure connection between two computers. Your local computer needs to have a client which supports the SSH protocol and the remote host, the computer you want to control needs to have a server that also supports the protocol. This security protocol uses a public and private key pair in order to encrypt information before sending it between the client and the server.

From now on I will refer to the local host (my desktop) as the client, and the remote host (the RPi) as the server. The pair of encryption keys is composed of a public key and a private key; the client keeps copies of both and exposes only the public key, which is sent to the server. Some further authentication is used when the client and server devices first communicate through the use of a hash code. You can also protect the keys on your client through the use of a password that is set when the keys are first created; but this would be overkill in my case.

The client I am using for all of my secure connection needs is called Bitvise, it works very well and is free to use; you can obtain a copy here. The Raspberry Pi (RPi) 'Wheezy' OS comes with an SSH server installed.

We need to generate a key-pair for our use, and this can be done directly within Bitvise using the key-pair manager. On the Login tab click on the User keypair manager link and hit the Generate new button. I created a key-pair using the ssh-rsa format with a 2048 bit length and no pass-phrase.

We are also going to need the IP address of the server, this can be accomplished by using the command ifconfig at the command prompt. This same command provides a number of functions for the ethernet adapter settings, if you ever want additional instructions for a particular command you can often use the --help parameter (for example ifconfig --help).

Now we can connect to the server by setting up the Bitvise login tab with these parameters:

host: <serversipaddress>
port: 22
Username: pi
Initial method: password
Password: <yourpassword>

The server will then provide a key in order to verify that you are communicating with the correct server, since I highly doubt someone has hacked through my firewall this morning I'll just Accept for this session without checking the signature (hash). When the connection is established it opens both a terminal window and a secure file transfer protocol (SFTP) window .

Now we can remove the default ssh keys that came with the OS and then regenerate them (this improves our security). In order to remove all the keys at once we run the rm command using a partial file name (using the elements that the file names have in common) and a 'wild card' as seen in the image below. To regenerate the servers keys we then run dpkg-reconfigure on the openssh-server.

Note: all of these commands must be run as a super user (using the sudo command), it's equivalent in windows is to Run as administrator.

Next we need to add our public key to a file containing our user's authorized keys (in this case the user is pi and the home directory is  /home/pi). There are a number of steps involved in doing this:
  1. hit the Export button within the key-pair manager and save the file locally in OpenSSH format.
  2. copy the public key over to the users home folder using SFTP
  3. make a directory to house the ssh keys for user pi as shown below (mkdir).
  4. modify the file permissions (chmod) so that the owner has read/write and execute permissions (700)
  5. add the text from the key file to the end of the authorized_keys file (cat).
  6. modify permissions of the authorized_keys file so that only the owner can read and write to the file (600).
  7. and finally move (mv) the new key into the .ssh folder. 
Note: the ~ symbol denotes the current users home directory so ~/ can be taken as /home/pi/

This procedure can be repeated as the root user. For both safety and security reasons, it is best to always install and modify things using a non-root account. However, sometimes a program or service will need to be installed and configured while logged in as root.

Now that everything is configured correctly we can log out of our session on Bitvise and log back in by selecting Initial method publickey and choosing the slot where your key resides. You can also re-save your profile in Bitvise and from now on all you need to do is load that profile and hit the login button.

I find security a fascinating topic and I'm interested in learning more about this type of security in the future, but for now I'm satisfied with learning how to use it.
If you would like to learn more about it, in the guise of pure entertainment, there is a great teen novel by Cory Doctorow called Little Brother. In the novel he offers a simplified explanation of some authentication and encryption techniques, and weaves it into the story.

Here is a great Wikipedia article on the topic http://en.wikipedia.org/wiki/Public-key_cryptography

There are a number of simple configuration changes we can make to improve security, but we'll save those for a follow up post.

No comments:

Post a Comment