Last Updated on 30/12/2022 by Kevin Agar
When trying to log in to MaxAir by SSH, you need to remember the Username, Password and IP address. This can be a pain as well as a fairly insecure method of access, especially if you’ve allowed internet access to the MaxAir controller.
An easier and safer method is to use authorized_keys. This is key-based authentication, where a public key is stored on the MaxAir controller and the matching private key stays on your computer. No key, then no access. This means that you can only log into MaxAir with ssh from a computer that has the private key. Here are the steps that I used to achieve this, first for my Windows desktop, then for my phone, using JuiceSSH as my ssh terminal.
1. Create a public and private RSA key pair
On my Windows system, I opened Windows PowerShell (I could have used a console window) and entered
ssh-keygen -t rsa
It asked, in which file (or where) to save the key. I went with the default option
C:\Users\<username>/.ssh/id_rsa
and pressed enter
It then asks to enter a passphrase. This is an optional step; if multiple users accessed my computer then it’s a nice thing to do, but I’m the only one accessing it, so there’s no need. As I’m the only user, I just hit the Enter key twice.
This generated 2 files in the folder C:\Users\Kevin\.ssh
id_rsa – the private file
and
id_rsa.pub – the public file
2. Copy the public file to the MaxAir Controller
Using Windows PowerShell (Command Prompt didn’t work), copy the public file to the MaxAir controller with the following command
cat ~/.ssh/id_rsa.pub | ssh user@REMOTE-IP-ADDRESS-OR-FQDN "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
Which, in my case was
cat ~/.ssh/id_rsa.pub | ssh maxair@192.168.0.100 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
After executing the above command it asks for the user password for maxair. Enter the password and it copies the public key into the MaxAir controller.
Now, when you want to access MaxAir by ssh, all you need to do is open a console window or Windows PowerShell and enter
ssh maxair@<ip address>
in my case it was ssh maxair@192.168.0.100
and it logs you in automatically without the need for a password
BUT
It still requires you to remember the Username and IP address. To get around this, create a config file in C:\Users\<Your username>\.ssh
in my case it was C:\Users\Kevin\.ssh
3. Configure SSH for MaxAir Controller for easy access (optional)
Using Notepad++ (or your preferred editor) open a new file and enter the following, in this format
Host pi pi-ip-address
    HostName pi-ip-address
    IdentityFile ~/.ssh/raspberrypi_rsa
    User pi-username
Which, in my case was
Host maxair 192.168.0.100
    HostName 192.168.0.100
    IdentityFile ~/.ssh/id_rsa
    User maxair
Save the file as config without any extension
C:\Users\<Your username>\.ssh\config
in my case it was C:\Users\Kevin\.ssh\config
Now, you can open a console window or Windows PowerShell and enter
ssh maxair
and it will automatically log you in
4. Disable the SSH password-based authentication
All of the above is great, but useless as improved security if password authentication isn’t disabled. To disable it, edit the file /etc/ssh/sshd_config on the MaxAir Controller
sudo nano /etc/ssh/sshd_config
Find the following lines and change them as follows:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
If those lines are commented, uncomment them and set the above values. If they don’t exist, add them at the end of the file.
Finally, reload the SSH daemon so changes can take effect.
sudo systemctl reload sshd
5. Ensure password-based authentication is disabled
To do this try to access the MaxAir Controller via password-based ssh.
ssh pi-username@pi-ip-address -o PubKeyAuthentication=no
You should get the Permission denied (publickey) error
Also check that root ssh login is disabled
ssh root@pi-ip-address
You should also get the Permission denied (publickey) error
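A complementary check for steps 4 and 5, as an added example that is not part of the original post: a small shell audit, run on the controller, that reports the value sshd will use for each of the four settings. The function names and the sample file are constructed for illustration; the point it shows is that sshd keeps the first value it reads for a keyword, so a stale "yes" higher up the file overrides a "no" added at the end.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config-style file
# for the four settings from step 4. sshd keeps the FIRST value it reads for a
# keyword, so an earlier "yes" beats a "no" appended at the end of the file.
# Limits: Include files are not followed; Match blocks are ignored.

# effective_value FILE KEYWORD -> first uncommented global value, lowercased
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE -> one line per setting; returns 0 only if all four are "no"
audit_sshd() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication \
               ChallengeResponseAuthentication UsePAM; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK    $key no"
        else
            echo "FAIL  $key ${val:-(not set, sshd default applies)}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a stale "yes" sits above the "no" lines added at the end.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
#UsePAM yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "not hardened: fix the FAIL lines, then reload sshd"
rm -f "$sample"
```

On the controller itself, sudo sshd -T prints the configuration sshd actually uses, including any Include files, and is the authoritative check.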
My next steps were to enable logins from my phone using JuiceSSH
In JuiceSSH create a new Identity and call it MaxAir with username maxair
Then select Private Key: SET (OPTIONAL)
From here select GENERATE, Key Format: ed25519, Key Strength: 256bit, and OK (I didn’t set the Optional Passphrase, but you could, if so desired)
Having done that click the Tick in the top right corner of the screen to save it and go back to the list of Identities
Long press the MaxAir Identity and select Export Private Key and Export Public Key, then send them to your email address or somewhere else accessible
(I stored these on my pc as a backup and for future reference)
You then have to copy the public key into the ~/.ssh/authorized_keys file on the MaxAir Controller
To do this log into the MaxAir Controller with
ssh maxair
Then edit the file using nano, by copying the text from the JuiceSSH: Public Key email into a new line of the /home/maxair/.ssh/authorized_keys file and saving the file.
Note: If you go to /home/maxair and do ls to see the files and directories, .ssh doesn’t show up, as it’s a hidden directory.
sudo nano /home/maxair/.ssh/authorized_keys
Set up a new connection to MaxAir using the Identity MaxAir and check it works OK
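The key installation from step 2 and from the JuiceSSH step above, as an added example that is not part of the original post: a shell function to run on the controller that appends one public key line to authorized_keys, refuses a pasted private key or a line wrapped by an email client, skips duplicates, and sets the same directory permissions as step 2. The function name and the key data are constructed placeholders, and lines that begin with authorized_keys options are rejected by this simple check.

```shell
#!/bin/sh
# Added example (not from the original post): append ONE public key line to an
# authorized_keys file on the controller, safely and without duplicates.
# Usage: add_authorized_key "KEY LINE" [FILE]  (default ~/.ssh/authorized_keys)
add_authorized_key() {
    key=$1
    file=${2:-$HOME/.ssh/authorized_keys}
    nl='
'
    case $key in
        *"PRIVATE KEY"*) echo "refusing: this is a private key" >&2; return 2 ;;
        *"$nl"*) echo "refusing: key must be a single line" >&2; return 2 ;;
    esac
    # A public key line is "<type> <base64 blob> [comment]".
    type=$(printf '%s\n' "$key" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing: unexpected key type '$type'" >&2; return 2 ;;
    esac
    [ -n "$blob" ] || { echo "refusing: key data missing" >&2; return 2; }
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"      # same permissions as step 2
    touch "$file" && chmod 600 "$file"       # only the owner may read or write
    # Same type and blob already listed? Then do nothing (comments may differ).
    if grep -qF -- "$type $blob" "$file"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "added"
}

# Constructed demo: placeholder key data, written to a throwaway directory.
demo=$(mktemp -d)
pub='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey JuiceSSH'
add_authorized_key "$pub" "$demo/.ssh/authorized_keys"     # prints "added"
add_authorized_key "$pub" "$demo/.ssh/authorized_keys"     # prints "already present"
add_authorized_key '-----BEGIN OPENSSH PRIVATE KEY-----' \
    "$demo/.ssh/authorized_keys" || echo "private key rejected"
rm -rf "$demo"
```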