
MaxAir – Configure Key-Based Authentication SSH

Last Updated on 30/12/2022 by Kevin Agar

When trying to log in to MaxAir by SSH, you need to remember the username, password and IP address. This can be a pain, and password login is also a fairly insecure method of access, especially if you’ve allowed internet access to the MaxAir controller.

An easier and safer method is to use authorized_keys, where a public and private key pair controls access to the system. No key, then no access. This means that you can only log into MaxAir with ssh from a computer that has the private key. Here are the steps that I used to achieve this, first for my Windows desktop, then for my phone, using JuiceSSH as my ssh terminal.

1. Create a public and private rsa key pair

On my Windows system, I opened Windows PowerShell (I could have used a console window) and entered

ssh-keygen -t rsa

It asked in which file (or where) to save the key. I went with the default option

C:\Users\<username>/.ssh/id_rsa

and pressed enter

It then asks for a passphrase. This is an optional step; if multiple users accessed my computer then it’s a nice thing to do, but I’m the only one accessing it, so there’s no need. As I’m the only user I just hit the Enter key twice.

This generated 2 files in the folder C:\Users\Kevin\.ssh

id_rsa – the private file

and

id_rsa.pub – the public file

2. Copy the public file to the MaxAir Controller

Using Windows PowerShell (Command Prompt didn’t work), copy the public file to the MaxAir controller with the following command

cat ~/.ssh/id_rsa.pub | ssh user@REMOTE-IP-ADDRESS-OR-FQDN "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"

Which, in my case was

cat ~/.ssh/id_rsa.pub | ssh maxair@192.168.0.100 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"

After executing the above command, it asks for the user password for maxair. Enter the password and it copies the public key into the MaxAir controller.

Now, when you want to access MaxAir by ssh, all you need to do is open a console window or Windows PowerShell and enter

ssh maxair@<ip address>

in my case it was ssh maxair@192.168.0.100

and it logs you in automatically without the need for a password

BUT

It still requires you to remember the username and IP address. To get around this, create a config file in C:\Users\<Your username>\.ssh

in my case it was C:\Users\Kevin\.ssh

3. Configure SSH for MaxAir Controller for easy access (optional)

Using Notepad++ (or your preferred editor) open a new file and enter the following, in this format

Host pi pi-ip-address
    HostName pi-ip-address
    IdentityFile ~/.ssh/raspberrypi_rsa
    User pi-username

Which, in my case was

Host maxair 192.168.0.100
    HostName 192.168.0.100
    IdentityFile ~/.ssh/id_rsa
    User maxair

Save the file as config without any extension

C:\Users\<Your username>\.ssh\config

in my case it was C:\Users\Kevin\.ssh\config

Now, you can open a console window or Windows PowerShell and enter

ssh maxair

and it will automatically log you in

4. Disable the SSH password-based authentication

All of the above is great, but it does nothing to improve security unless password authentication is disabled. To do this, edit the file /etc/ssh/sshd_config on the MaxAir Controller

sudo nano /etc/ssh/sshd_config

Find the following lines and change them as follows:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

If those lines are commented out, uncomment them and set the above values. If they don’t exist, add them at the end of the file.

Finally, reload the SSH daemon so the changes take effect.

sudo systemctl reload sshd

5. Ensure password-based authentication is disabled

To do this, try to access the MaxAir Controller via password-based ssh.

ssh pi-username@pi-ip-address -o PubKeyAuthentication=no

You should get the Permission denied (publickey) error.

Also check that root login over ssh is disabled

ssh root@pi-ip-address

You should also get the Permission denied (publickey) error.
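The login tests in step 5 show the outcome; the check below shows which of the step 4 settings sshd actually resolved. It is an added example, not part of the original post. sshd uses the first value it obtains for each keyword, so a line appended at the end of sshd_config has no effect if the same keyword is already set earlier. The function name and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the step 4 settings as sshd
# resolved them. Input is the text printed by `sshd -T`, which lists one
# lower-case "keyword value" pair per line.

# check_effective <sshd -T text>: prints a FAIL line per problem, returns 1 if any.
check_effective() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = split("permitrootlogin passwordauthentication usepam", required, " ") }
        $1 == "permitrootlogin" || $1 == "passwordauthentication" || $1 == "usepam" ||
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" {
            seen[$1] = 1
            if ($2 != "no") { printf "FAIL: %s is \"%s\", expected \"no\"\n", $1, $2; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(required[i] in seen)) { print "FAIL: " required[i] " not reported"; bad = 1 }
            # Newer OpenSSH reports ChallengeResponseAuthentication under the
            # name kbdinteractiveauthentication, so either name is accepted.
            if (!("kbdinteractiveauthentication" in seen) && !("challengeresponseauthentication" in seen)) {
                print "FAIL: keyboard-interactive setting not reported"; bad = 1
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed `sshd -T` excerpts (not captured from a real controller).
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam no'

# The new lines were appended at the end of the file, but an earlier
# "PasswordAuthentication yes" was left in place, so that value won.
SAMPLE_OVERRIDDEN='permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
usepam no'

check_effective "$SAMPLE_HARDENED" && echo "hardened sample: OK"
check_effective "$SAMPLE_OVERRIDDEN" || echo "overridden sample: not hardened"
# On the controller itself: check_effective "$(sudo sshd -T)"
```

Keep the existing ssh session open while testing, so a mistake in sshd_config can still be corrected.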

My next steps were to enable logins from my phone using JuiceSSH

In JuiceSSH create a new Identity and call it MaxAir with username maxair

Then select Private Key: SET (OPTIONAL)

From here select GENERATE, Key Format: ed25519, Key Strength: 256bit, and OK (I didn’t set the Optional Passphrase, but you could, if so desired)

Having done that click the Tick in the top right corner of the screen to save it and go back to the list of Identities

Long press the MaxAir Identity and select Export Private Key and Export Public Key, then send them to your email address or somewhere else accessible

(I stored these on my pc as a backup and for future reference)

You then have to copy the public key into the ~/.ssh/authorized_keys file on the MaxAir Controller.

To do this, log into the MaxAir Controller with

ssh maxair

Then edit the file using nano, by copying the text from the JuiceSSH: Public Key email into a new line of the /home/maxair/.ssh/authorized_keys file and saving the file.

Note: If you go to /home/maxair and do ls to see the files and directories, .ssh doesn’t show up, as it’s a hidden directory.

sudo nano /home/maxair/.ssh/authorized_keys

Set up a new connection to MaxAir using the Identity MaxAir and check it works OK
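If the new connection is refused, a common cause is a key that was split over two lines when pasted from the email. The lint below is an added example, not part of the original post. It checks authorized_keys text for the two key types used in this guide (ssh-rsa from step 1, ssh-ed25519 from JuiceSSH) and flags broken or duplicated lines. The function name, key comments and key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint authorized_keys text for the
# two key types this guide installs (ssh-rsa and ssh-ed25519).

# lint_authorized_keys: reads the file on stdin, prints one line per problem,
# returns 1 if any problem was found.
lint_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        {
            type = ""
            for (i = 1; i < NF; i++)                 # key type may follow an options field
                if ($i == "ssh-rsa" || $i == "ssh-ed25519") { type = $i; blob = $(i + 1); break }
            if (type == "") { print "line " NR ": no key type, possibly a wrapped paste"; bad = 1; next }
            # The base64 blob encodes the key type again, so its start is fixed.
            prefix = (type == "ssh-rsa") ? "AAAAB3NzaC1yc2E" : "AAAAC3NzaC1lZDI1NTE5"
            if (index(blob, prefix) != 1) { print "line " NR ": blob does not match " type; bad = 1 }
            else if (type == "ssh-ed25519" && length(blob) != 68) {
                print "line " NR ": ed25519 blob is " length(blob) " chars, expected 68"; bad = 1
            }
            else if (seen[blob]++) { print "line " NR ": duplicate key"; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed blobs: a correct type header followed by filler. Not usable keys.
ED="AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%043d' 0 | tr 0 A)"
RSA="AAAAB3NzaC1yc2EAAAADAQABAAAB$(printf '%040d' 0 | tr 0 A)"

# Constructed file contents; the comments after each key are made up.
GOOD="ssh-rsa $RSA kevin@desktop
ssh-ed25519 $ED JuiceSSH"

# The phone key pasted with a line break in the middle of the blob.
WRAPPED="ssh-rsa $RSA kevin@desktop
ssh-ed25519 $(printf '%s' "$ED" | cut -c1-40)
$(printf '%s' "$ED" | cut -c41-) JuiceSSH"

printf '%s\n' "$GOOD" | lint_authorized_keys && echo "good sample: OK"
printf '%s\n' "$WRAPPED" | lint_authorized_keys || echo "wrapped sample: needs fixing"
# On the controller: lint_authorized_keys < /home/maxair/.ssh/authorized_keys
```

RSA blobs vary in length, so a truncated ssh-rsa line is only caught through the leftover fragment on the following line.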
