@@ -813,6 +813,87 @@ The default values can then be overridden at
813813 "wlan0_password" : " room_23pwd!321654"
814814 }
815815
816+ How to configure push updates
817+ -----------------------------
818+
819+ Follow the procedure described below to enable secure SSH access from OpenWISP to your
820+ devices, this is required to enable push updates (whenever the configuration is changed,
821+ OpenWISP will trigger the update in the background) and/or
822+ `firmware upgrades (via the additional module openwisp-firmware-upgrader)
823+ <https://github.com/openwisp/openwisp-firmware-upgrader> `_.
824+
825+ 1. Generate SSH key
826+ ~~~~~~~~~~~~~~~~~~~
827+
828+ First of all, we need to generate the SSH key which will be
829+ used by OpenWISP to access the devices, to do so, you can use the following command:
830+
831+ .. code-block :: shell
832+
833+ echo ' ./sshkey' | ssh-keygen -t rsa -b 4096 -C " openwisp"
834+
835+ This will create two files in the current directory, one called ``sshkey `` (the private key) and one called
836+ ``sshkey.pub `` (the public key).
837+
838+ Store the content of these files in a secure location.
839+
840+ 2. Save SSH private key in OpenWISP (access credentials)
841+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
842+
843+ .. image :: https://raw.githubusercontent.com/openwisp/openwisp-controller/master/docs/add-ssh-credentials-private-key.png
844+ :alt: add SSH private key as access credential in OpenWISP
845+
846+ From the first page of OpenWISP click on "Access credentials", then click
847+ on the **"ADD ACCESS CREDENTIALS" ** button in the upper right corner
848+ (alternatively, go to the following URL: ``/admin/connection/credentials/add/ ``).
849+
850+ Select SSH as ``type ``, enable the **Auto add ** checkbox, then at the field
851+ "Credentials type" select "SSH (private key)", now type "root" in the ``username `` field,
852+ while in the ``key `` field you have to paste the contents of the private key just created.
853+
854+ Now hit save.
855+
856+ The credentials just created will be automatically enabled for all the devices in the system
857+ (both existing devices and devices which will be added in the future).
858+
859+ 3. Add the public key to your devices
860+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
861+
862+ .. image :: https://raw.githubusercontent.com/openwisp/openwisp-controller/master/docs/add-authorized-ssh-keys-template.png
863+ :alt: Add authorized SSH public keys template to OpenWISP (OpenWRT)
864+
865+ Now we need to instruct your devices to allow OpenWISP accessing via SSH,
866+ in order to do this we need to add the contents of the public key file created in step 1
867+ (``sshkey.pub ``) in the file ``/etc/dropbear/authorized_keys `` on the devices, the
868+ recommended way to do this is to create a configuration template in OpenWISP:
869+ from the first page of OpenWISP, click on "Templates", then and click on the
870+ **"ADD TEMPLATE" ** button in the upper right corner (alternatively, go to the following URL:
871+ ``/admin/config/template/add/ ``).
872+
873+ Check **enabled by default **, then scroll down the configuration section,
874+ click on "Configuration Menu", scroll down, click on "Files" then close the menu
875+ by clicking again on "Configuration Menu". Now type ``/etc/dropbear/authorized_keys ``
876+ in the ``path `` field of the file, then paste the contents of ``sshkey.pub `` in ``contents ``.
877+
878+ Now hit save.
879+
880+ **There's a catch **: you will need to assign the template to any existing device.
881+
882+ 4. Test it
883+ ~~~~~~~~~~
884+
885+ Once you have performed the 3 steps above, you can test it as follows:
886+
887+ 1. Ensure there's at least one device turned on and connected to OpenWISP, ensure
888+ this device has the "SSH Authorized Keys" assigned to it.
889+ 2. Ensure the celery worker of OpenWISP Controller is running (eg: ``ps aux | grep celery ``)
890+ 3. SSH into the device and wait (maximum 2 minutes) until ``/etc/dropbear/authorized_keys ``
891+ appears as specified in the template.
892+ 4. While connected via SSH to the device run the following command in the console:
893+ ``logread -f ``, now try changing the device name in OpenWISP
894+ 5. Shortly after you change the name in OpenWISP, you should see some output in the
895+ SSH console indicating another SSH access and the configuration update being performed.
896+
816897Signals
817898-------
818899
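Review bot: In step 1, the key path is fed to ssh-keygen's interactive prompt through `echo './sshkey' |` rather than passed as an argument, which depends on how the prompts are read and leaves the passphrase choice undocumented. Suggest `ssh-keygen -t rsa -b 4096 -C "openwisp" -f ./sshkey`, plus a sentence stating whether the key is expected to have a passphrase. Step 2 pastes this private key as a "root" credential with Auto add enabled for all devices, so "Store the content of these files in a secure location" could say plainly that the private key grants root SSH access to every device. Step 4.1 refers to a template called "SSH Authorized Keys", but step 3 never tells the reader to give the template that name, and step 3 does not say what happens to keys already present in `/etc/dropbear/authorized_keys` on a device. Minor: "then and click on" in step 3 has a stray "and".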