Skip to content

Security Recommendations

It is important for better security to avoid typing passwords when login to the eManager console. Preferably, only a small list of PC's should be authorized to access the eManager via SSH without the use of passwords. This can be achieved via asymmetric keys.

In this tutorial we explain how to generate and use asymmetric keys by means of standard OpenSSH tools. This should work on any GNU/Linux operating system.

Step 1. Install OpenSSH client

Install openssh-client package. This step may vary depending on your package manager. The following commands should work on any Debian-based distros such as Ubuntu, MX Linux or Deepin. 

sudo apt update && sudo apt install openssh-client

Step 2. Generate a SSH key pair

Generate your first key pair with the command 

ssh-keygen -t ed25519 -f ~/.ssh/my_first_key
You will be asked to fill out a form. For the purpose of our tutorial, it's okay to press Enter on every field: a new key pair my_first_key my_first_key.pub will we placed in the default directory ~/.ssh with no passphrase.

Check the content of ~/.ssh

Run 

ls ~/.ssh
to check the key pair has been created.

Step 3. Copy the public key to the server

Now boot the eManager and transfer the public key my_first_key.pub to the eManager with 

ssh-copy-id -i my_first_key.pub root@10.1.10.10

Step 4. Use the SSH key to log in

Now log in as usual. 

ssh root@10.1.10.10

No password was asked.

If everything worked well, you will be able to log in without a password. From now on this PC will be able to access the eManager without need of password.

A password was asked.

OpenSSH version 8.4p1 introduced a bug that makes ssh-copy-id place public keys into an non-standard path /etc/dropbear/authorized_keys. If 

ssh root@10.1.10.10 cat /etc/dropbear/authorized_keys
raises no error you are probably experiencing the bug.

This is a working snippet of the official ssh-copy-id tool. Just copy and paste it in your PC terminal. 

SSH_COMMAND="exec sh -c 'cd; umask 077; mkdir -p ".ssh" && { [ -z `tail -1c .ssh/authorized_keys 2>/dev/null` ] || echo >> ".ssh/authorized_keys" || exit 1; } && cat >> ".ssh/authorized_keys" || exit 1;'"
PUB_KEY=$(cat ~/.ssh/my_first_key.pub)
printf '%s\n' "${PUB_KEY}" | { ssh -a -x root@10.1.10.10 "${SSH_COMMAND}"; } || echo "Ups! Something went wrong."
Then, repeat Step 4.

Step 5. Disable eManager password-based authentication

Before you continue make sure that no password is asked when login the eManager via ssh.

Repeat Steps 1 to 4 for every PC you want to give free password connection. Once you are done, we can disable password authentication. This will prevent other computers to connect the eManager console. In order to disable password authentication edit the /etc/default/dropbear file on the eManager with 

nano /etc/default/dropbear

Then replace its content with 

DROPBEAR_EXTRA_ARGS=" -s -b /etc/issue.net"

The -s flag will disable password logins.