Creating an SSH Key Pair for the openHAB exec Binding

The exec binding in openHAB is a brilliant way of controlling and running scripts on other computers; however, it is unable to send a username and password to log in to the remote computer. SSH therefore has to be able to connect without a password, which can be achieved with key-based authentication.

SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.

The private key is retained by the client and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase.

The associated public key can be shared freely without any negative consequences. The public key can be used to encrypt messages that only the private key can decrypt. This property is employed as a way of authenticating using the key pair.

The public key is uploaded to a remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into called ~/.ssh/authorized_keys.

When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.

Source: How To Configure SSH Key-Based Authentication on a Linux Server | DigitalOcean


Generate Key Pair

SSH into the account that openHAB normally runs as.

Note: by default the user created for openHAB has no login shell, so you may need to log into another account with root privileges and change this:

Type in the following to edit the file containing user account information:

sudo nano /etc/passwd

Find the line that starts with openhab; it should look similar to this:

openhab:x:112:119:openHAB runtime user,,,:/var/lib/openhab:/usr/sbin/nologin 

Now change the final part of the line, which is the shell the account has access to, from /usr/sbin/nologin to /bin/bash and save the file.

Use the following to create a new public/private key pair:

ssh-keygen -t rsa

It will prompt for the file in which to save the key; press Enter to use the default location. It will then ask for a passphrase; press Enter to leave it empty, and press Enter a third time to confirm.

Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/openhab/.ssh/id_rsa):
Created directory '/var/lib/openhab/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/openhab/.ssh/id_rsa.
Your public key has been saved in /var/lib/openhab/.ssh/id_rsa.pub.
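The same key generation done non-interactively, as an added example that is not part of the original post (handy when the openhab account is being set up from a script): the key location mirrors the session above, while the 4096-bit size, the key comment and the helper names are assumptions. Because the passphrase is empty, the private key file's mode is its only protection, so the script checks it rather than trusting ssh-keygen's defaults.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the openHAB SSH key
# pair non-interactively, as the interactive ssh-keygen session above does,
# and check that the resulting files have safe permissions.
#
# Usage: gen_openhab_key [key_dir]   (key_dir defaults to $HOME/.ssh)

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

gen_openhab_key() {
    key_dir="${1:-$HOME/.ssh}"
    key_file="$key_dir/id_rsa"

    # Refuse to overwrite an existing key: losing the old private key would
    # silently break every remote box that trusts its public half.
    if [ -e "$key_file" ]; then
        echo "key already exists: $key_file" >&2
        return 1
    fi

    mkdir -p "$key_dir"
    chmod 700 "$key_dir"          # ssh refuses to use a ~/.ssh others can read

    # -N "" is the empty passphrase the post chooses (the exec binding runs
    # unattended, so nobody is there to type one). -C labels the key so it can
    # be recognised later in authorized_keys; the comment text is an assumption.
    ssh-keygen -t rsa -b 4096 -N "" -f "$key_file" \
        -C "openhab-exec@$(hostname 2>/dev/null || echo localhost)" >/dev/null

    # An unencrypted private key is only as safe as its file mode.
    chmod 600 "$key_file"
    chmod 644 "$key_file.pub"

    [ "$(perm_of "$key_file")" = "600" ] || return 1
    echo "$key_file.pub"          # path of the public half, ready to copy over
}
```

Run it as the openhab user once the shell change above has been made; it prints the path of the public key to copy to the remote box and fails rather than replacing a key that already exists.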


Send Public Key to Remote Box

We now need to send this public key to the remote box that openHAB will connect to through the exec binding. This can easily be done using scp; substitute your details as appropriate:

openhab@raspberrypi:~$ scp -P 22 ~/.ssh/id_rsa.pub root@192.168.1.79:~/.ssh/id_rsa_openhab.pub
The authenticity of host '192.168.1.79 (192.168.1.79)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.79' (ECDSA) to the list of known hosts.
root@192.168.1.79's password:
id_rsa.pub                                                                       100%  401     0.4KB/s   00:00


Add Key to Authorized Keys File

On the remote box, move to the .ssh folder and check that the key for openHAB has arrived.

Now append the key to the authorized keys file and, once finished, delete the key file.

LibreELEC:~ # cd .ssh
LibreELEC:~/.ssh # cat id_rsa_openhab.pub >> authorized_keys
LibreELEC:~/.ssh # rm id_rsa_openhab.pub
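A more careful version of the append step, as an added example that is not part of the original post: a bare "cat >> authorized_keys" happily appends a private key pasted by mistake and adds a duplicate every time the setup is re-run. The function below validates the key line, skips keys already present, sets the permissions sshd insists on, and can prefix the entry with authorized_keys options (the from= and no-pty options are standard OpenSSH features; the function and helper names are assumptions).

```shell
#!/bin/sh
# Added example (not part of the original post): append a public key to
# authorized_keys the careful way. Validates the line, refuses duplicates,
# fixes permissions, and optionally restricts what the key may do.
#
# Usage: add_authorized_key <pubkey_file> <authorized_keys_file> [options]
#   e.g. add_authorized_key id_rsa_openhab.pub ~/.ssh/authorized_keys \
#            'from="192.168.1.0/24",no-pty'

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

add_authorized_key() {
    pub="$1"
    auth="$2"
    opts="$3"

    # A public key line is "<type> <base64 blob> [comment]". Anything else
    # (a private key pasted by mistake, an empty file) is rejected.
    line=$(head -n 1 "$pub")
    key_type=$(printf '%s\n' "$line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$line" | awk '{print $2}')
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key line: $pub" >&2; return 1 ;;
    esac
    [ -n "$key_blob" ] || { echo "missing key material in $pub" >&2; return 1; }

    auth_dir=$(dirname "$auth")
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth"
    chmod 600 "$auth"   # with StrictModes, sshd ignores a group/world-writable file

    # Same key material already present (whatever its options or comment): done.
    if grep -qF -- "$key_blob" "$auth"; then
        echo "key already authorized" >&2
        return 0
    fi

    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$line" >> "$auth"
    else
        printf '%s\n' "$line" >> "$auth"
    fi
    echo "key added" >&2
}

# Count how many authorized_keys entries carry the key material from a key file.
count_authorized() {
    grep -cF -- "$(awk '{print $2}' "$1")" "$2"
}
```

Restricting the entry with from= (only the openHAB box's address) and no-pty is worth considering: the private key on the openHAB box has no passphrase, so limiting where it may be used from and what it may do bounds the damage if that box is ever compromised.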


Testing It All Works

Back on the openHAB box you should now be able to SSH into the remote box without being prompted for a password.

openhab@raspberrypi:~$ ssh root@192.168.1.79
##############################################
# LibreELEC                                  #
# http://libreelec.tv                        #
##############################################

LibreELEC (official) Version: 7.0.2
LibreELEC:~ #
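An interactive login proves the key works for a person; the exec binding will have no terminal, so the check that matters is whether ssh succeeds when it is not allowed to prompt at all. The script below, an added example that is not part of the original post, makes ssh fail instead of asking for anything (BatchMode=yes) and disables the password fallback (PasswordAuthentication=no) so a broken key cannot be masked by a password you happen to know. The host is the post's 192.168.1.79; the root user is taken from the LibreELEC prompt above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): confirm key-based login works
# the way the exec binding will use it, i.e. with nothing able to answer a
# password or host-key prompt.
#
# Usage: key_auth_works <user@host> [identity_file]

key_auth_works() {
    target="$1"
    identity="${2:-$HOME/.ssh/id_rsa}"
    # BatchMode=yes: never prompt (fails on an unknown host key too, which is
    # exactly what an unattended openHAB would hit).
    # PasswordAuthentication=no: a working password must not hide a dead key.
    ssh -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o ConnectTimeout=5 \
        -i "$identity" \
        "$target" true >/dev/null 2>&1
}

# Turn ssh's exit status into the three cases worth telling apart:
# 0 is success, 255 is ssh itself failing, anything else came from the remote command.
explain_ssh_status() {
    case "$1" in
        0)   echo "ok: key accepted, remote command ran" ;;
        255) echo "ssh failed: key rejected, host unreachable, or host key unknown" ;;
        *)   echo "connected, but the remote command exited with status $1" ;;
    esac
}

# Run stand-alone as:  sh check_key_auth.sh root@192.168.1.79
if [ "$#" -gt 0 ]; then
    key_auth_works "$1" "$2"
    explain_ssh_status "$?"
fi
```

Run it as the openhab user, since that is the account whose ~/.ssh/id_rsa and known_hosts the exec binding will use; a check that passes as root but fails as openhab is the classic reason the binding "works from the terminal but not from openHAB".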
