Securing Device Local Access

Configuring the SSH password

It is fundamental to lock local access to your devices. The first key action in that regard is to define and set the SSH password (and/or enable or disable SSH access).

Before Firmware 3.4.0

The root password can be set:

  • The first time you connect to the device via SSH ([email protected]). You are then prompted to change your Linux root password.
  • Anytime later with the usual Linux built-in passwd command.

From Firmware 3.4.0

The root password can be set:

  • The first time you connect to the device via SSH ([email protected]). You are then prompted to change your Linux root password.
  • Anytime later with the following commands (FX30/FX30S only):
[email protected]:~# passwd -p /mnt/flash/rootfs
[email protected]:~# umount /etc/shadow ; mount --bind /mnt/flash/rootfs/etc/shadow /etc/shadow
  • For other Device types (mangOH boards and modules), use the Linux built-in passwd command.

Using the Device Access Control feature (Octave 3.4.0 and above)

For Octave edge devices running firmware 3.4.0 or higher, you can control their SSH access via Octave's security Resource. This is known as Octave's Device Access Control feature.

This allows locking SSH access to all devices without having to run through the local password/SSH configuration on each device.

Configuring Security

  1. Open the Octave Dashboard and ensure your device is selected.
  2. Navigate to Build > Device > Resources and expand the security Resource.
  3. Enable the security/config Resource and edit its value.
  4. Enter the following for the Resource's JSON. Replace the value for pubKey with your public key, adjust the security settings as required (see below for descriptions), and click Set.
{
    "login": {
        "root": {
            "pwdEnabled": false,
            "pubKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDR+Yw4yreiWDpX/JMYXBSywiCOdMCABLfI+bt8V5ywbyDR7YoWFx1QVw+RO/pNZ9CjU1thKBvVWvjPK8TQZd8gqui/296cMe/l0GuLFAvWkM1ab4Hah7gYQKLZ2T1iGa8bUTZ5XvIy/nYGIQdwndgCGrmy7XflB1s+QHCJzS9fkefJrOw57bq/sfkbt5Z7QW9pkD2zXPB3LaQ+jqeXgPmpZM2webVykY4fdQ4VhSSnlHTaAvwaEJaPzH+8XF/Wnd4dCHzWEB5Yopsd9EbUPJcbveSkiX0kXEZns3+9jiDXCrHZIsy9nXMAtH6LeQjXfH2/aeEIo9iz [email protected]"
        }
    },
    "ssh": {
        "usb": true,
        "eth": false
    }
}

Security Configuration Settings

The following table describes the security configuration settings for the security/config Resource:

| Field | Type | Description |
| --- | --- | --- |
| login/root/pwdEnabled | Boolean | Set to true to enable password authentication access for the root user, or false to disable it. |
| login/root/pubKey | String | The public SSH key for your device. An empty string is equivalent to disabling key authentication access. |
| ssh/usb | Boolean | Set to true to enable SSH access over USB or false to disable it. |
| ssh/eth | Boolean | Applicable to FX30 only. Set to true to enable SSH access over Ethernet or false to disable it. |
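
The field rules above can be checked before a security/config value is set on a fleet of devices. The following Python is an added example, not part of Octave or of the original page: the function names, the wording of the findings and the sample key (constructed filler bytes, not a real key) are assumptions made for illustration.

```python
import base64
import json

def check_pubkey(line):
    """Return None if line is shaped like an OpenSSH public key, else a reason."""
    if not isinstance(line, str) or len(line.split()) < 2:
        return "expected '<type> <base64> [comment]'"
    key_type, body = line.split()[:2]
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:
        return "key body is not valid base64"
    # The decoded blob starts with a 4-byte big-endian length, then the key type name.
    if len(blob) < 4 or blob[4:4 + int.from_bytes(blob[:4], "big")] != key_type.encode():
        return "key body does not start with the key type named in the prefix"
    return None

def audit_security_config(raw):
    """Return a list of findings for a security/config JSON string."""
    cfg = json.loads(raw)
    root = cfg.get("login", {}).get("root", {})
    ssh = cfg.get("ssh", {})
    findings = []
    pwd, key = root.get("pwdEnabled"), root.get("pubKey", "")
    for name, value in (("login/root/pwdEnabled", pwd), ("ssh/usb", ssh.get("usb")),
                        ("ssh/eth", ssh.get("eth"))):
        if value is not None and not isinstance(value, bool):
            findings.append(f"{name}: must be a Boolean")
    if pwd is True:
        findings.append("login/root/pwdEnabled: root password login is enabled")
    key_ok = False
    if key:  # an empty string disables key authentication, per the table
        reason = check_pubkey(key)
        key_ok = reason is None
        if reason:
            findings.append(f"login/root/pubKey: {reason}")
    ssh_on = ssh.get("usb") is True or ssh.get("eth") is True
    if ssh_on and pwd is not True and not key_ok:
        findings.append("ssh: enabled, but root has no working password or key login")
    return findings

# Constructed sample: a well-formed key header followed by filler bytes, not a real key.
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(
    (7).to_bytes(4, "big") + b"ssh-rsa" + bytes(32)).decode() + " user@example"
SAMPLE_CONFIG = json.dumps({"login": {"root": {"pwdEnabled": False, "pubKey": SAMPLE_KEY}},
                            "ssh": {"usb": True, "eth": False}})

if __name__ == "__main__":
    print(audit_security_config(SAMPLE_CONFIG) or "no findings")
```

An empty list means the value disables password login, carries a well-formed key and leaves root a usable login method on every enabled SSH interface.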

SSH Key Authentication

Password authentication is the default method most SSH clients use to authenticate with devices, but it suffers from potential security vulnerabilities like brute-force login attempts. An alternative to password authentication is public key authentication, in which you generate a pair of cryptographic keys, store them on your computer, and then configure the device to recognize and accept your keys. Using key-based authentication offers a range of benefits:

  • Key-based login is not a major target for brute-force hacking attacks.
  • If a device that uses SSH keys is compromised by a hacker, no authorization credentials are at risk of being exposed, because the device holds only the public key and the private key stays on your computer.
  • Because a password isn’t required at login, you can log into devices from within scripts or automation tools that you need to run unattended.

Generate an SSH Key Pair on Linux and macOS

Create a new key pair using ssh-keygen with the following syntax:

ssh-keygen -f ~/.ssh/id_rsa_octave_device

When creating the key pair, you are given the option to encrypt the private key with a passphrase. This means that the key pair cannot be used without entering the passphrase.

We suggest that you use the key pair with a passphrase, but you can leave this field blank if you don’t want to use one.

Finally, copy the content of ~/.ssh/id_rsa_octave_device.pub into login/root/pubKey.

Generate an SSH Key Pair on Windows

One convenient solution is to use PuTTYgen and follow this online guide.

Finally, copy the content of the public key into login/root/pubKey.