Device Access Control

For Octave edge devices running firmware 3.4.0 or higher, you can control their SSH access via Octave's security Resource. This is known as Octave's Device Access Control feature.

This topic describes how to set up Device Access Control.

Configuring Security

  1. Open the Octave Dashboard and ensure your device is selected.
  2. Navigate to Build > Device > Resources and expand the security Resource.
  3. Enable the security/config Resource and edit its value.
  4. Enter the following for the Resource's JSON. Replace the value for pubKey with your public key, adjust the security settings as required (see below for descriptions), and click Set.
{
    "login": {
        "root": {
            "pwdEnabled": false,
            "pubKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDR+Yw4yreiWDpX/JMYXBSywiCOdMCABLfI+bt8V5ywbyDR7YoWFx1QVw+RO/pNZ9CjU1thKBvVWvjPK8TQZd8gqui/296cMe/l0GuLFAvWkM1ab4Hah7gYQKLZ2T1iGa8bUTZ5XvIy/nYGIQdwndgCGrmy7XflB1s+QHCJzS9fkefJrOw57bq/sfkbt5Z7QW9pkD2zXPB3LaQ+jqeXgPmpZM2webVykY4fdQ4VhSSnlHTaAvwaEJaPzH+8XF/Wnd4dCHzWEB5Yopsd9EbUPJcbveSkiX0kXEZns3+9jiDXCrHZIsy9nXMAtH6LeQjXfH2/aeEIo9iz [email protected]"
        }
    },
    "ssh": {
        "usb": true,
        "eth": false
    }
}

Security Configuration Settings

The following table describes the security configuration settings for the security/config Resource:

| Field | Type | Description |
| --- | --- | --- |
| login/root/pwdEnabled | Boolean | Set to true to enable password authentication access for the root user, or false to disable it. |
| login/root/pubKey | String | The public SSH key for your device. An empty string is equivalent to disabling key authentication access. |
| ssh/usb | Boolean | Set to true to enable SSH access over USB or false to disable it. |
| ssh/eth | Boolean | Applicable to FX30 only. Set to true to enable SSH access over Ethernet or false to disable it. |
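
A pre-flight check for the security/config JSON, to run before clicking Set. This is an added example, not Octave's own code. It verifies that pubKey is a well-formed OpenSSH public key line and flags settings that leave root with no SSH login method or that widen SSH exposure. The function names and finding messages are assumptions of this example, and the sample key is constructed.

```python
import base64
import json
import struct


def check_pubkey(line):
    """Return an error string for a malformed OpenSSH public key line, else None."""
    parts = line.split()
    if len(parts) < 2:
        return "pubKey must look like '<type> <base64> [comment]'"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "pubKey base64 is corrupt (truncated or line-wrapped when pasted?)"
    # An OpenSSH key blob begins with a length-prefixed copy of the key type.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if blob[4:4 + n] != parts[0].encode():
        return "pubKey type prefix does not match the key blob"
    return None


def audit_config(text):
    """Return a list of findings for a security/config JSON document."""
    cfg = json.loads(text)
    root = cfg.get("login", {}).get("root", {})
    ssh = cfg.get("ssh", {})
    findings = []
    for name, val in (("login/root/pwdEnabled", root.get("pwdEnabled")),
                      ("ssh/usb", ssh.get("usb")), ("ssh/eth", ssh.get("eth"))):
        if val is not None and not isinstance(val, bool):
            findings.append(f"ERROR: {name} must be a Boolean")
    key = root.get("pubKey", "")
    key_err = check_pubkey(key) if key else None
    if key_err:
        findings.append("ERROR: " + key_err)
    if root.get("pwdEnabled") is True:
        findings.append("WARN: root password authentication is enabled")
    elif root.get("pwdEnabled") is False and (not key or key_err):
        # Inference from the table: an empty pubKey disables key login too.
        findings.append("ERROR: password login is off and no usable pubKey is set")
    if ssh.get("eth") is True:
        findings.append("WARN: SSH over Ethernet is enabled (FX30 only)")
    return findings


def sample_key():
    """Constructed, well-formed but meaningless key line for offline testing."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + bytes(32)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"
```

Pass the exact JSON text you intend to paste into the dashboard to audit_config(); an empty list means none of these checks fired.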

SSH Key Authentication

Password authentication is the default method most SSH clients use to authenticate with devices, but it is exposed to attacks such as brute-force login attempts. An alternative to password authentication is to use public key authentication with SSH, in which you generate a pair of cryptographic keys, store them on your computer, and then configure the device to recognize and accept your keys. Using key-based authentication offers a range of benefits:

  • Key-based login is not a major target for brute-force hacking attacks.
  • If a device that uses SSH keys is compromised by a hacker, no authorization credentials are at risk of being exposed, because the device holds only the public key.
  • Because a password isn’t required at login, you can log into devices from within scripts or automation tools that you need to run unattended.

Generate an SSH Key Pair on Linux and macOS

Create a new key pair using ssh-keygen with the following syntax:

ssh-keygen -f ~/.ssh/id_rsa_octave_device

When creating the key pair, you are given the option to encrypt the private key with a passphrase. This means that the key pair cannot be used without entering the passphrase.

We suggest that you use the key pair with a passphrase, but you can leave this field blank if you don’t want to use one.

Finally, copy the content of ~/.ssh/id_rsa_octave_device.pub into login/root/pubKey.

Generate an SSH Key Pair on Windows

One convenient solution is to use PuTTYgen and to follow this online Guide.

Finally, copy the content of the public key into login/root/pubKey.