Maintaining a secure SSH connection to your openHAB is an important part of protecting it against cyber risks. This guide, Secure your SSH connection to OpenHAB, describes one option for securing SSH on your OpenHAB.
Background
For administrative access to your OpenHAB you will want to use SSH. There are several layers of security you can apply to the connection between your computer and OpenHAB. This how-to uses so-called key-based SSH login and disables remote login by password. Key-based SSH login relies on a public/private key pair, which security practitioners consider, for a number of good reasons, far more secure than allowing login by password.
Additionally, if you log in with an SSH key, the user experience is in my opinion far better.
Finally, you want to use a strong cryptographic algorithm. This Hardening of OpenHAB Guide uses Ed25519.
How To Secure your SSH connection to OpenHAB
Step 1, generate a key pair on OpenHABian:
ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
The input/output should look similar to the below. Note that not setting a passphrase makes logging in easier, but it is also riskier: anyone who manages to steal your private key can then log in with it.
openhabian@openHAB:~$ ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/openhabian/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/openhabian/.ssh/id_ed25519
Your public key has been saved in /home/openhabian/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:iic0RyBXlhKNmvr7OxS8z95dcdRi8EmQRpsXG1J3zeE OpenHAB3
The key's randomart image is:
+--[ED25519 256]--+
| . +=o. .=+=o=|
| oooo oB.B+|
| + .. .o OE.|
| o o. + . |
| . oo. S . . |
|. .o+ . o |
| . .ooo . |
| . .oo. . . |
| .oo+. . . |
+----[SHA256]-----+
Step 2, generate a key pair on your computer
In this Hardening of OpenHAB Guide we use a Mac and the Mac's command line. If you run Windows, use the key generation tool of your preferred SSH client.
Mike@Mac-Mini ~ % ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/Mike/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/Mike/id_ed25519
Your public key has been saved in /users/Mike/id_ed25519.pub
The key fingerprint is:
SHA256:D38BRm81OT5jE5AtD+eCHXG77tNNQUhnC1jGk7Bsw3g test
The key's randomart image is:
+--[ED25519 256]--+
| ..OX*+ |
| .+oBBX+.|
| .oEoO++ |
| .+o+ Oo |
| S .o.+.|
| + o .|
| o . .o.|
| . .. o|
| .. |
+----[SHA256]-----+
Step 3, copy your public key to the OpenHABian system
This step is a simple copy-and-paste activity: copy the content of the id_ed25519.pub file generated in Step 2 into the authorized_keys file on OpenHAB. Copy only the public key (the .pub file); the private key stays on your computer. Note that sshd ignores authorized_keys if the file or the .ssh directory is writable by anyone other than the user, so the directory should have mode 700 and the file mode 600.
nano /home/openhabian/.ssh/authorized_keys
Then try to log in over SSH. For example, if your OpenHAB IP address is 192.168.1.100, type:
ssh openhabian@192.168.1.100
If all goes well, you can log in without typing a password, because SSH now authenticates you with your key.
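As an added example, not part of the original guide, the following POSIX shell script does what Step 3 describes without the usual copy-and-paste mistakes: it creates the .ssh directory and authorized_keys with the permissions sshd requires, appends the key only if its key material is not already present, and refuses anything that is not an ssh-ed25519 key line. The key line and the function names are assumptions made for this example; SAMPLE_PUBKEY is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original guide: install a public key into
# authorized_keys the way Step 3 describes. sshd (with StrictModes, on by
# default) ignores authorized_keys when the file or directory is group- or
# world-writable, so the permissions are set explicitly.

# Constructed placeholder key line; NOT a real key. On a real host use the
# content of the id_ed25519.pub file generated in Step 2.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000000 Your@E-MailAddress.com'

# has_key KEYLINE SSH_DIR
# Returns 0 if the key type and key material of KEYLINE (the comment is
# ignored) are already in SSH_DIR/authorized_keys.
has_key() {
    want=$(printf '%s\n' "$1" | awk '{ print $1 " " $2 }')
    awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }' \
        "$2/authorized_keys" 2>/dev/null
}

# install_authorized_key KEYLINE SSH_DIR
# SSH_DIR is the target user's .ssh directory, e.g. /home/openhabian/.ssh.
# Returns 0 once the key is present, 1 if KEYLINE is not an ssh-ed25519 key line.
install_authorized_key() {
    keyline=$1
    sshdir=$2
    keyfile="$sshdir/authorized_keys"

    # Accept only the key type this guide uses: "ssh-ed25519 <base64> [comment]".
    case $keyline in
        'ssh-ed25519 '[A-Za-z0-9+/]*) ;;
        *) echo "refusing: not an ssh-ed25519 key line" >&2; return 1 ;;
    esac

    # Permissions sshd expects: 700 on ~/.ssh, 600 on authorized_keys.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"

    # Idempotent append: a second run with the same key changes nothing.
    if has_key "$keyline" "$sshdir"; then
        echo "key already present in $keyfile"
    else
        printf '%s\n' "$keyline" >> "$keyfile"
        echo "key added to $keyfile"
    fi
}

# count_keys SSH_DIR: number of key lines in authorized_keys, for checking.
count_keys() {
    grep -c '^ssh-' "$1/authorized_keys" || true
}

# Demo against a temporary directory; run as: sh install_key.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    install_authorized_key "$SAMPLE_PUBKEY" "$demo/.ssh"
    install_authorized_key "$SAMPLE_PUBKEY" "$demo/.ssh"
    echo "keys installed: $(count_keys "$demo/.ssh")"
    rm -rf "$demo"
fi
```

On the real host you would call install_authorized_key with the content of your id_ed25519.pub and /home/openhabian/.ssh as the directory; the function is written so that pasting the same key twice, or pasting a private key or a non-Ed25519 key by mistake, does not silently corrupt the file.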
Step 4, Hardening of sshd_config
An important step in this hardening process is the correct configuration of the SSH server. The server stores its configuration in /etc/ssh/sshd_config. In this step we update sshd_config so that your OpenHAB allows login by SSH key only and no longer by password. This mitigates the high risks associated with passwords (password guessing, brute-force attacks, etc.). Complete Step 3 and confirm that key login works before you continue, otherwise you can lock yourself out.
sudo vi /etc/ssh/sshd_config
Allow Only ed25519 Key Login
The HostKey lines control which host key the server presents to clients (the system generated /etc/ssh/ssh_host_ed25519_key at install time; it is separate from the key pair from Step 1), and AuthorizedKeysFile controls where the server looks for client keys. To have the server use only its Ed25519 host key and read client keys from a single authorized_keys file, change the following lines from
#HostKey /etc/ssh/ssh_host_ed25519_key
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
to
HostKey /etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile .ssh/authorized_keys
Allow Only Key Login (no password login anymore)
To allow login by key only (no passwords any more), set PasswordAuthentication to no. Additionally, disallow login with empty passwords. Change the following lines from
#PasswordAuthentication yes
#PermitEmptyPasswords no
to
PasswordAuthentication no
PermitEmptyPasswords no
Also check that ChallengeResponseAuthentication (called KbdInteractiveAuthentication in newer OpenSSH versions) is set to no, otherwise PAM can still prompt for a password.
Disable Root Login
You do not want anyone logging in to your OpenHAB remotely as root. Therefore, disallow root login by changing the line below from:
#PermitRootLogin prohibit-password
to:
PermitRootLogin no
Only Allow The More Secure Protocol 2
There are two protocol versions of SSH, Protocol 1 and Protocol 2. Protocol 1 is legacy and Protocol 2 is more secure. Most likely your sshd_config does not contain a Protocol setting. You can simply add the line below at the end of your sshd_config file. Note that OpenSSH removed server support for protocol 1 in version 7.4, so on a current system this line is only a safeguard; sshd accepts it but no longer needs it.
Protocol 2
Protect Against Unattended Sessions
Leaving an SSH session to your OpenHAB open and unattended for a long time carries security risks. Therefore you want to limit how long an unused session stays open. In this example we set the limit to 180 seconds, so that SSH closes the session once it has been idle for 180 seconds. Note that ClientAliveInterval works by sending a keepalive probe to the client every 180 seconds; together with ClientAliveCountMax (default 3) it disconnects clients that stop responding, so a client that is still connected but merely idle is not logged out by this setting alone. Change from:
#ClientAliveInterval 6
to:
ClientAliveInterval 180
Allow Only Selected Users To Login By SSH
Allow only users you know to log in to your OpenHAB system. By default the user is openhabian. In this example we allow only the "openhabian" user to log in via SSH. Add the line below to the end of your sshd_config:
AllowUsers openhabian
Maximum Number Of Authentication Attempts
Even though we only allow login by key, we still limit the number of authentication attempts per connection to 3. Note that every key your client offers counts as one attempt, so if your SSH agent holds many keys you may need to tell the client which key to use. Change from:
#MaxAuthTries 6
to:
MaxAuthTries 3
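As an added example, not part of the original guide, the following POSIX shell script applies all of the Step 4 directives to a copy of sshd_config idempotently and then verifies the result, which is safer than editing the live file by hand. The directive names and values are exactly the ones from Step 4; the function names, and the sample configuration written by make_sample_config, are constructed for this example and are not a copy of any real system's file.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the Step 4 directives to
# a sshd_config file and check them. Commented-out defaults such as
# "#PasswordAuthentication yes" are rewritten in place; directives that do
# not exist yet are appended, as the guide does for Protocol and AllowUsers.

# set_directive FILE KEY VALUE
# Rewrites the first line for KEY (commented out or not) as "KEY VALUE", drops
# any further copies, and appends the directive if KEY is absent. Everything
# from the first "Match" block onwards is left untouched, because a directive
# placed after a Match line would only apply inside that block.
set_directive() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        /^[ \t]*Match([ \t]|$)/ { if (!done) { print key " " value; done = 1 }; in_match = 1 }
        in_match { print; next }
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY: value of the first active (uncommented) KEY line.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE: apply every Step 4 setting from the guide.
harden_sshd_config() {
    f=$1
    set_directive "$f" HostKey /etc/ssh/ssh_host_ed25519_key
    set_directive "$f" AuthorizedKeysFile .ssh/authorized_keys
    set_directive "$f" PasswordAuthentication no
    set_directive "$f" PermitEmptyPasswords no
    set_directive "$f" PermitRootLogin no
    set_directive "$f" Protocol 2
    set_directive "$f" ClientAliveInterval 180
    set_directive "$f" AllowUsers openhabian
    set_directive "$f" MaxAuthTries 3
}

# check_sshd_config FILE: returns 0 if every Step 4 directive has the expected
# value, otherwise prints each mismatch to stderr and returns 1.
check_sshd_config() {
    f=$1 rc=0
    for pair in HostKey=/etc/ssh/ssh_host_ed25519_key AuthorizedKeysFile=.ssh/authorized_keys \
                PasswordAuthentication=no PermitEmptyPasswords=no PermitRootLogin=no \
                Protocol=2 ClientAliveInterval=180 AllowUsers=openhabian MaxAuthTries=3; do
        key=${pair%%=*} want=${pair#*=}
        got=$(get_directive "$f" "$key")
        [ "$got" = "$want" ] || { echo "MISMATCH: $key is '${got:-unset}', expected '$want'" >&2; rc=1; }
    done
    return "$rc"
}

# make_sample_config FILE: constructed stand-in resembling the stock
# Debian/openHABian file with its commented-out defaults; not real data.
make_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample resembling a stock sshd_config; not a real file
#Port 22
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
#PermitRootLogin prohibit-password
#MaxAuthTries 6
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#PasswordAuthentication yes
#PermitEmptyPasswords no
#ClientAliveInterval 0
UsePAM yes
EOF
}

# Demo on a temporary copy; run as: sh harden_sshd.sh --demo
if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    make_sample_config "$cfg"
    harden_sshd_config "$cfg"
    check_sshd_config "$cfg" && echo "all Step 4 directives set:" && cat "$cfg"
    rm -f "$cfg"
fi
```

To use this on the real host, run harden_sshd_config on a copy of /etc/ssh/sshd_config, then validate the copy with sudo sshd -t -f COPY before replacing the live file. Two caveats: newer Debian-based images start sshd_config with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd uses the first value it reads for each directive, a file in that directory can override what you set here; sudo sshd -T prints the configuration sshd actually applies, which is the value worth checking after the restart.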
Make The New Configuration Effective And Test It
The last step is to test your updated configuration. Keep your existing terminal open; do not close it, because you will need it if the new configuration does not work. We test the configuration in two steps. First, in the existing window, execute:
sudo systemctl restart sshd
Second, in a new, additional terminal window (keep the existing one open) type:
ssh openhabian@"IP ADDRESS OF YOUR OPENHAB"
If you are able to log in, great: your configuration works. If not, use the other terminal window, the one you kept open, to check your configuration for mistakes.
Finally, you can test whether some of your settings work. Open a terminal window and test whether login with Protocol 1 is possible (it should not be). It should look like this:
testuser@Mac-mini ~ % ssh -1 openhabian@"IP ADDRESS OF YOUR OPENHAB"
SSH protocol v.1 is no longer supported
testuser@Mac-mini ~ %
Note that on a current macOS or OpenSSH client this message comes from the client itself, which no longer supports protocol 1, so it does not tell you anything about the server's configuration.
Test whether you can log in as root; if root login is disallowed as configured above, it should look like this:
testuser@Mac-mini ~ % ssh root@"IP ADDRESS OF YOUR OPENHAB"
root@"IP ADDRESS OF YOUR OPENHAB": Permission denied (publickey).
testuser@Mac-mini ~ %
Additional Information
Some additional information that may help you or be of interest:
- SSH: OpenSSH Man Pages
- Ed25519: Wikipedia about Ed25519
- How to Setup a New OpenHAB
- Start, Restart & Stop OpenHAB (openhabian)
- Hardening of OpenHAB Guide
It's highly appreciated if you have feedback on this how-to or if you share this link. Furthermore, I would love to see you link to this how-to from another website.