Key based automated Secure Shell Calls with Key Pairs
A drawback of the explained method is that a password is needed for authentication and it must be entered in order to log in to the remote system.
ssh user@remote ./LucidIoCtrl -d/dev/ttyACM0 -i
This SSH command runs on the client and executes the LucidIoCtrl command on the remote computer. For authentication the password must be entered, so the user's attention is needed every time the command is executed, which prevents automation of SSH calls.
Automated calls to remote systems can be achieved by using a key pair. It consists of a public key, which can be published to any remote system the computer needs to connect to, and a private key, which remains securely stored on the client computer.
A key pair can be created on the client system by:
ssh-keygen -t rsa -C user@remote
The command asks for a directory and a passphrase, which are both optional. The passphrase is a password that protects access to the private key. The explained method is also secure if the passphrase is skipped, as long as the private key file can be read only by its owner: without a passphrase, the file alone is enough to log in. The generated key pair is stored in ~/.ssh where id_rsa and id_rsa.pub can be found.
Note: When a passphrase was entered, it protects access to the private key, which makes it necessary to enter the passphrase at least once when the private key is accessed the first time. Using the ssh-agent can do this for you. The ssh-agent service sends the passphrase to the SSH on request.
Once the public key (id_rsa.pub) and the private key (id_rsa) have been generated, the public key can be distributed to the remote system.
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote
The program ssh-copy-id copies the key to a remote system. The distribution of the key needs the password of the user before the key can be copied to the remote system.
SSH connection with automated login
In this example the LucidIoCtrl application is executed on the remote computer RPI-AZ-1. The LucidIoCtrl command queries the device information from the USB IO module connected to /dev/ttyACM0 and returns that a USB analog input module with the voltage range 0-10V is connected to the port.
Using SSH with a Windows Client Computer
Linux provides SSH as a set of standard tools which are not available on Windows computers. PuTTY is an open source tool that extends Windows with several useful programs in order to interact with Linux systems. A download can be found here.
PuTTY Configuration Window
The screenshot shows the main window of the PuTTY application. PuTTY is a client application for several protocols such as Telnet, Rlogin and SSH. In the main window of PuTTY the settings for a connection can be made and saved under a session name. A session name identifies the remote computer connection and makes it easier for the user to recognize. The session names are also used by the command line tool plink.
Clicking on the open button connects to the remote system and asks for a user password.
The procedure shown here is the same as we saw earlier with the Linux SSH client. After entering the password for the specified user name, access is granted by the SSH server and e.g. applications can be started on the remote server system.
As you can see, we have now opened an SSH connection to RPI-AZ-1 with PuTTY and queried the device information of the USB analog input module.
In the next steps I will explain how to automate SSH calls with the PuTTY client. The principle is the same as we did earlier with the Linux SSH client and is based on a public and private key pair.
Note: During the first SSH connection a security breach message appears. The reason for this is that the client does not know the host key of the server. This message can be confirmed the very first time but if it appears again it is possible that a security breach occurred.
PuTTY comes with the PuTTY Key Generator which is able to create SSH key pairs. The keys generated by ssh-keygen cannot be used with PuTTY or at least I found no easy way to reuse the previously generated key pair with PuTTY.
PuTTY Key Generator
It is useful to specify a comment related to the key as well as a passphrase protecting the private key, but both are optional and can be skipped for a test. Especially when automated calls without user interaction are what you want to do, keys without passphrase should be considered. Otherwise, the system will ask for the passphrase at least once in order to give access to the private key.
In our case we work with the default settings and generate an SSH-2 RSA 2048 bit key. It is up to you to decide if this is sufficient for your application.
Clicking the Generate button starts the creation of the key pair. During the generation of the keys it is necessary to move the mouse, which creates some kind of randomness.
The generated keys are stored in separate files by the save key buttons. You should save both keys securely. Especially the private key should not be made accessible to others and must not be distributed to any other system.
The stored public key must now be appended to the authorized_keys file of the SSH server. On a Linux client, ssh-copy-id takes care of this and distributes the public key to the remote system. For Windows such a tool is not available and it must be done manually.
Log in with PuTTY to your SSH server using the account for which you intend to copy the public key.
Check if the ~/.ssh directory is present in your home directory. If not, create it and grant read/write access to the user.
chmod 700 .ssh
Change into the ~/.ssh directory and create the file authorized_keys by opening it with e.g. nano.
Select the public key in the edit control of the PuTTY Key Generator window and copy it to the clipboard. Select the PuTTY window with the authorized_keys file opened and insert the public key into the file with a right mouse click. Save the authorized_keys file when leaving nano with CTRL+X.
Finally, the permissions of the authorized_keys file must be set.
chmod 600 authorized_keys
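The manual steps above can be collected into one script to run on the server, which helps when the same key has to be installed on several systems. This is an added example and not part of the original article; the function name install_pubkey and the SSH_HOME variable are assumptions made for it.

```shell
#!/bin/sh
# Added example, not from the original article. install_pubkey and SSH_HOME
# are hypothetical names; SSH_HOME only exists so the function can be tried
# against a scratch directory instead of the real home directory.

install_pubkey() (
    key_line=$1
    ssh_dir=${SSH_HOME:-$HOME}/.ssh
    auth_file=$ssh_dir/authorized_keys

    # Expect one line "<type> <base64> [comment]", as shown in the
    # PuTTYgen edit control or in id_rsa.pub.
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $key_type" >&2; exit 1 ;;
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; exit 1 ;;
    esac
    case $key_line in
        *'
'*) echo "key must be a single line" >&2; exit 1 ;;
    esac

    # Same permissions as the manual steps: 700 on .ssh, 600 on the file.
    umask 077
    mkdir -p "$ssh_dir" || exit 1
    chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" || exit 1
    chmod 600 "$auth_file" || exit 1

    # Already authorised? Compare type and key data, ignore the comment.
    if awk -v t="$key_type" -v b="$key_blob" \
        '$1 == t && $2 == b { f = 1 } END { exit !f }' "$auth_file"; then
        exit 0
    fi
    # Do not glue the new key onto an unterminated last line.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
)
```

Call it as install_pubkey 'ssh-rsa AAAA... comment' with the line copied from the key generator; running it twice with the same key leaves a single entry.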
PuTTY SSH Private Key Configuration
In the last step the private key must be linked to the PuTTY session and the changes have to be saved for the current session name.
SSH Login with PuTTY using Key Pairs
When you connect to the remote server the next time you will get a command prompt immediately without the need of a password.
Now we want to realize automated calls. PuTTY comes with the Plink application, which is the actual replacement for the SSH command under Linux. For automatic calls it is not necessary to start the graphical user interface; Plink is run on the command line instead.
Executing LucidIoCtrl on a remote System with plink
In the example above we connected to RPI-AZ-1 and executed the LucidIoCtrl command, which requests device information from the analog input module connected to /dev/ttyACM0.