Last Updated on 09/10/2024 by Kevin Agar
When logging in to MaxAir by SSH, you need to remember the username, password and IP address. This can be a pain, and it is also a fairly insecure method of access, especially if you’ve allowed internet access to the MaxAir controller.
An easier and safer method is to use authorized_keys. This uses a public and a private key to access the system: no key, no access. Once password authentication is disabled (step 4), you can only log into MaxAir with ssh from a computer that has the private key. Here are the steps to achieve this, first for a Windows desktop, then for a phone using JuiceSSH as the ssh terminal.
1. Create a public and private rsa key pair
On a Windows system, open Windows PowerShell (or a console window) and enter
ssh-keygen -t rsa
It asks in which file (or where) to save the key; go with the default option
C:\Users\<username>/.ssh/id_rsa
Note: you need to enter the complete location, e.g. C:\Users\<username>/.ssh/id_rsa, otherwise the files are generated in the directory the Windows PowerShell or console window is currently in, e.g. C:\WINDOWS\system32>
Press Enter.
It then asks you to enter a passphrase. This is an optional step. The passphrase encrypts the private key file, so the file on its own is not enough to log in. If multiple users access the computer, it’s nice to do this, but if only one is accessing it, there’s no need. For only one user, hit the Enter key twice.
This generates 2 files in the folder C:\Users\<username>\.ssh
id_rsa – the private file
and
id_rsa.pub – the public file
2. Copy the public file to the MaxAir Controller
Using Windows PowerShell (Command Prompt doesn’t work), copy the public file to the MaxAir controller with the following command
cat ~/.ssh/id_rsa.pub | ssh user@REMOTE-IP-ADDRESS-OR-FQDN "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
for example
cat ~/.ssh/id_rsa.pub | ssh maxair@192.168.0.100 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
After executing the above command it asks for the user password for maxair. Enter the password and it copies the public key into the MaxAir controller.
Now, when you want to access MaxAir by ssh, all you need to do is open a console window or Windows PowerShell and enter
ssh maxair@<ip address>
eg ssh maxair@192.168.0.100
and it logs you in automatically without the need for a password
BUT
It still requires you to remember the username and IP address. To get around this, create a config file in C:\Users\<Your username>\.ssh
eg C:\Users\Kevin\.ssh
3. Configure SSH for MaxAir Controller for easy access (optional)
Using Notepad++ (or your preferred editor) open a new file and enter the following, in this format
Host pi pi-ip-address
HostName pi-ip-address
# Port isn't required if using the default port, but can be used if the port has been changed
Port 22
IdentityFile ~/.ssh/raspberrypi_rsa
User pi-username
eg
Host maxair 192.168.0.100
HostName 192.168.0.100
Port 22
IdentityFile ~/.ssh/id_rsa
User maxair
Save the file as config without any extension
C:\Users\<Your username>\.ssh\config
eg C:\Users\Kevin\.ssh\config
Now you can open a console window or Windows PowerShell and enter
ssh maxair
and it will automatically log you in
4. Disable the SSH password-based authentication
All of the above is great, but it does nothing to improve security if password authentication isn’t disabled. To disable it, edit the file /etc/ssh/sshd_config on the MaxAir Controller
sudo nano /etc/ssh/sshd_config
Find the following lines and change them as follows:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
If those lines are commented, uncomment them and set the above values. If they don’t exist, add them at the end of the file.
Finally, reload the SSH daemon so changes can take effect.
sudo systemctl reload sshd
5. Ensure password-based authentication is disabled
To do this try to access the MaxAir Controller via password-based ssh.
ssh pi-username@pi-ip-address -o PubKeyAuthentication=no
You should get the error Permission denied (publickey)
Also check Root ssh is disabled
ssh root@pi-ip-address
You should also get the error Permission denied (publickey)
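Step 4 allows adding the four lines at the end of the file, but sshd uses the first value it finds for each keyword, so an earlier uncommented line still wins. The check below is an added example, not part of the original post; the function names and the sample file are constructed, and it reads a single file only (no Include files, nothing after a Match line).

```shell
#!/bin/sh
# Added example, not from the original post. sshd takes the FIRST uncommented
# value of each keyword, so a line appended at the end of sshd_config loses to
# an earlier "PasswordAuthentication yes".
# Assumptions: "Keyword value" lines in one file; Include files are not
# followed and reading stops at the first Match line.

effective_value() {  # usage: effective_value <file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }                    # blank or comment
        tolower($1) == "match" { exit }                  # end of global part
        tolower($1) == want { print tolower($2); exit }  # first one wins
    ' "$1"
}

check_hardening() {  # usage: check_hardening <file>; returns 1 on a finding
    rc=0
    for key in PermitRootLogin PasswordAuthentication \
               ChallengeResponseAuthentication UsePAM; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "ok    $key no"
        else
            echo "FAIL  $key is '${val:-not set}'"
            rc=1
        fi
    done
    return $rc
}

write_sample() {  # constructed sample: step 4 lines appended, old lines kept
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_hardening "$sample" || echo "=> edit the earlier lines, then check again"
rm -f "$sample"
```

On the controller, run check_hardening /etc/ssh/sshd_config before the reload; sudo sshd -T prints the settings sshd actually uses.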
The next steps are to enable logins from a phone using JuiceSSH
In JuiceSSH create a new Identity and call it MaxAir with username maxair
Then select Private Key: SET (OPTIONAL)
From here select GENERATE, Key Format: ed25519, Key Strength: 256bit, and OK (set the Optional Passphrase if so desired)
Having done that click the Tick in the top right corner of the screen to save it and go back to the list of Identities
Long press the MaxAir Identity and select Export Private Key and Export Public Key, then send them to your email address or somewhere else accessible
(you can also store these on your pc as a backup and for future reference)
You then have to add the public key to the ~/.ssh/authorized_keys file on the MaxAir Controller
To do this log into the MaxAir Controller with
ssh maxair
Then edit the file using nano, pasting the text from the JuiceSSH: Public Key email as a new line of the /home/maxair/.ssh/authorized_keys file, and save the file.
Note: If you go to /home/maxair and do ls to see the files and directories, .ssh doesn’t show up, as it’s a hidden directory.
sudo nano /home/maxair/.ssh/authorized_keys
Set up a new connection to MaxAir using the Identity MaxAir and check it works OK
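Step 2's cat >> command and the manual paste from the JuiceSSH email both append to authorized_keys. The helper below is an added example, not part of the original post: it rejects a pasted private key or a key wrapped over several lines, and skips a key that is already present. The function name add_key, its return codes and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): add one public key to an
# authorized_keys file. Return codes: 0 added, 1 rejected, 2 already present.
# Assumption: entries have no options prefix, i.e. "type base64 [comment]".

add_key() {  # usage: add_key <authorized_keys path> <key text>
    file=$1
    key=$(printf '%s' "$2" | tr -d '\r')   # strip CRs from Windows/email text
    case $key in
        *PRIVATE*) echo "rejected: that is the private key" >&2; return 1 ;;
    esac
    # A key wrapped over several lines by a mail client will not work.
    if [ "$(printf '%s\n' "$key" | wc -l)" -ne 1 ]; then
        echo "rejected: key must be a single line" >&2; return 1
    fi
    case $key in
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*) ;;   # the two types used above
        *) echo "rejected: not an ssh-ed25519/ssh-rsa public key" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$file")" && chmod 700 "$(dirname "$file")"
    touch "$file" && chmod 600 "$file"
    # Match on type + key data only, so a different comment is not a new key.
    id=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v id="$id" '($1 " " $2) == id { hit = 1 } END { exit !hit }' "$file"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$file"
}

# Constructed sample key (not a real key) and a throwaway directory.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSampleKeyDataNotARealKey000000000 JuiceSSH'
demo_dir=$(mktemp -d)
add_key "$demo_dir/.ssh/authorized_keys" "$SAMPLE_KEY" && echo "added"
add_key "$demo_dir/.ssh/authorized_keys" "$SAMPLE_KEY" || echo "second attempt: return code $?"
rm -rf "$demo_dir"
```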