IoT remote SSH access is key to monitoring, controlling and debugging industrial machinery, vehicle fleets and home automation devices from far-away locations when nobody can reach the device in person at that moment.
What you’ll learn from this article:
- A brief introduction to IoT devices
- Why the traditional methods of IoT remote SSH access are insecure and error-prone.
- What the SocketXP solution to IoT remote SSH access is
- How to install, configure and run the SocketXP IoT agent to remote SSH into your IoT device.
- How to install an SSH server on your IoT device
- How to generate SSH public/private keys, install them and use them for secure remote SSH login
What is IoT
IoT means Internet of Things. The term refers to devices that are connected to the internet. Today, almost all electrical and electronic gadgets at home, such as your air conditioner, refrigerator, washing machine, light bulbs, fans and security video cameras, can be connected to the internet through home automation devices or IoT devices.
Vehicles such as cars, trucks, trains, aeroplanes and ships are connected to the internet through IoT devices that track their movement and operation.
Even heavy industrial machinery is connected to the internet via IoT devices. Sensors are attached to the machinery or placed at various locations in a plant to monitor its performance and operation.
A simple Raspberry Pi based IoT device can be used to monitor, control and operate smart electronic gadgets and electrical appliances in your home or factory.
What is the need for remote SSH access to IoT devices
When you want to monitor, control, and operate your industrial IoT device or home IoT device away from the location at which the IoT device is installed, you need remote access to your IoT device through SSH.
The primary reason you deployed the IoT device and connected it to the internet was to monitor, track and operate it while you are away from the location where it is installed.
Sometimes you need a way to reach those IoT devices for troubleshooting, configuration updates and other operational tasks. For example, a sensor device deployed at a factory hundreds of miles away is having trouble measuring the factory temperature. You can use secure remote access tunnels to open a session to that sensor device within minutes. After you have identified the problem (for example, a misconfiguration or a full disk), you can reset the configuration, delete unwanted files or log history and restart the sensor device through the same session.
With the traditional approach to troubleshooting you would typically wait until the next day to send a technician to the factory to investigate the sensor device. Remote access through secure tunneling (using SocketXP) shortens incident response and recovery time and lowers operational costs.
But gaining remote access to IoT devices is no simple task.
Why remote SSH into an IoT device is difficult
IoT devices in industries, factories, offices and homes sit behind a firewall and NAT (a Wi-Fi router or gateway router). IoT devices are assigned a local IP address by mechanisms such as DHCP, usually in the 10.X.X.X or 192.X.X.X range, and do not have publicly reachable IP addresses.
The IoT devices behind the firewall can talk to servers on the internet (via the gateway router), but not the other way around, because you want to prevent your IoT devices from being reached from the internet by unwanted people or hackers.
So gaining remote access from the internet to IoT devices in your home or factory is neither easy nor straightforward.
Many people open up ports (SSH port 22 or HTTP/HTTPS ports 80/443) in their firewall settings (ACL rules) or in the gateway router's NAT configuration to let particular traffic into the local network. They then use Dynamic DNS (DDNS) solutions to track the non-static public IP address of the gateway router. This method is error-prone and creates a security risk for your IoT installation: online attackers can scan for such open ports and try to get into your local network and servers.
What is the solution for IoT device remote SSH access
Secure reverse proxy tunneling to your remote IoT devices is the best solution for IoT remote access. Secure tunneling establishes bidirectional communication channels to remote IoT devices over the internet. It does not require changes to your existing inbound firewall rules or gateway router, so you keep the same level of security that the firewall rules provide at the remote site.
What is SocketXP
SocketXP is a cloud-based secure reverse proxy tunneling service that provides remote SSH to your IoT devices through secure TCP tunnels. The SocketXP solution does not require any changes to your firewall or gateway router configuration. SocketXP creates a secure tunnel through your firewall and NAT and over the internet for remote SSH access.
How SocketXP IoT Remote SSH solution works
Install the simple, secure and lightweight SocketXP IoT agent on your IoT device (or Raspberry Pi). The SocketXP agent securely connects (through an SSL/TLS tunnel) to the SocketXP IoT Cloud Gateway using an authentication token. The SocketXP IoT Cloud Gateway then creates a unique public TCP endpoint (e.g. tunnel.socketxp.com:22002) for remote SSH access to the IoT device. SocketXP is highly scalable: a single user account can connect more than 10K devices.
Step 1: Download and Install
Download and install the SocketXP IoT agent on your IoT device or Raspberry Pi device from here
Step 2: Get your Authentication Token
Sign up at https://portal.socketxp.com and get your authentication token.
Use the following command to log in to the SocketXP IoT Cloud Gateway with the auth token.
$ socketxp login <your-auth-token-goes-here>
Step 3: Create SocketXP Public Endpoint for Remote SSH
Use the following command to create a public endpoint at the SocketXP IoT Cloud Gateway.
$ socketxp connect tcp://localhost:22
Public Tunnel Endpoint -> tunnel.socketxp.com:23224
Where localhost is the local (loopback) address of your IoT device and 22 is the TCP port on which the SSH server installed on your IoT device listens for incoming SSH connections.
Step 4: Accessing the Public Endpoint
Now use the SocketXP public endpoint (server name tunnel.socketxp.com, TCP port 23224), uniquely assigned to your IoT device, for remote SSH access. Use the following command to SSH into your IoT device remotely.
$ ssh john@tunnel.socketxp.com -p 23224
Where john is a valid login user account that exists on your IoT device's SSH server.
If you have set up an SSH public/private key pair on your SSH server, use the following command to log in to your remote IoT device's SSH server.
$ ssh -i /home/john/.ssh/john-ssh-private.key john@tunnel.socketxp.com -p 23224
It is highly recommended that you set up an SSH public/private key pair for remote SSH access to your IoT device, as it is the most secure method of remote access. Nobody who does not hold your private key can gain access to your IoT device from the internet. Do not use passwords for remote SSH login.
To learn more about how to configure and set up SocketXP TCP tunnels, refer to our documentation here
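As an added example (not code from the SocketXP article or from the socketxp CLI), the following POSIX shell script turns the endpoint line printed in Step 3 into the client-side ssh invocation for Step 4, with the key-only settings the recommendation above calls for: only the named key is offered, password and keyboard-interactive fallback are refused, and the device's host key must already be known. The sample endpoint line is constructed from the article's output; the device alias factory-sensor-01 and the key path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SocketXP article or of the socketxp CLI: turn the
# "Public Tunnel Endpoint -> host:port" line that `socketxp connect` prints into a
# key-only ssh invocation. The device alias "factory-sensor-01" is a made-up name.
set -eu

# Constructed sample of the endpoint line shown in the article (Step 3).
SAMPLE_CONNECT_OUTPUT='Public Tunnel Endpoint -> tunnel.socketxp.com:23224'

# parse_endpoint <line>: print "host port" taken from the endpoint line, or fail
# (non-zero exit, message on stderr) when the line carries no host:port.
parse_endpoint() {
  line="$1"
  endpoint=${line##*-> }                 # keep what follows the arrow
  endpoint=${endpoint%%[[:space:]]*}     # drop any trailing text
  host=${endpoint%:*}
  port=${endpoint##*:}
  case "$port" in
    ''|*[!0-9]*) echo "no numeric port in: $line" >&2; return 1 ;;
  esac
  if [ -z "$host" ] || [ "$host" = "$endpoint" ]; then
    echo "no host:port in: $line" >&2; return 1
  fi
  printf '%s %s\n' "$host" "$port"
}

# known_hosts_name <host> <port>: the name under which ssh records a host key
# for a non-standard port, so you can pre-seed ~/.ssh/known_hosts.
known_hosts_name() {
  printf '[%s]:%s\n' "$1" "$2"
}

# build_ssh_command <user> <host> <port> <private-key> <alias>: print an ssh
# command that offers only the named key, refuses password/keyboard-interactive
# fallback, and requires a known host key stored under <alias>. The alias matters
# because every device behind SocketXP shares the hostname tunnel.socketxp.com
# and differs only by port, and the port can change between `socketxp connect` runs.
build_ssh_command() {
  user="$1"; host="$2"; port="$3"; key="$4"; alias="$5"
  printf 'ssh -p %s -i %s -o IdentitiesOnly=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o StrictHostKeyChecking=yes -o HostKeyAlias=%s %s@%s\n' \
    "$port" "$key" "$alias" "$user" "$host"
}

# Demonstration on the constructed sample line.
set -- $(parse_endpoint "$SAMPLE_CONNECT_OUTPUT")
echo "known_hosts entry name: $(known_hosts_name "$1" "$2")"
build_ssh_command john "$1" "$2" "${HOME:-/home/john}/.ssh/id_rsa" factory-sensor-01
```

Before the first connection, read the device's host-key fingerprint on the device itself (ssh-keygen -l -f on its /etc/ssh/ssh_host_*_key.pub files) and add that key to ~/.ssh/known_hosts under the alias; because the hostname is shared by every tunneled device, pinning the key by alias rather than by host:port is what lets you notice if a different machine ever answers on that port.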
How to install OpenSSH server on your IoT device
OpenSSH is free, open-source software that uses the SSH protocol to create secure, encrypted communication channels over computer networks. OpenSSH is developed by the OpenBSD community and released under a Simplified BSD License.
OpenSSH also includes SFTP and SCP for secure file transfer and secure copy over a computer network.
To install and run an SSH server on your IoT device, execute the following commands.
On apt-based systems (for example Debian or Ubuntu), first update your Linux packages and then install the OpenSSH server:
$ sudo apt-get update
$ sudo apt-get install openssh-server
The following commands enable the SSH server and run it as a daemon in the background:
$ sudo systemctl enable ssh
$ sudo systemctl start ssh
On yum-based systems (for example CentOS or RHEL), update and install the OpenSSH server:
$ sudo yum update
$ sudo yum -y install openssh-server
Then enable the SSH server and start it:
$ sudo chkconfig sshd on
$ sudo service sshd start
SSH uses TCP port 22 for communication. If it is not already open, execute the following commands to open the SSH port in the firewall of your Linux system:
$ sudo /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
$ sudo service iptables save
How to install an SSH client on your client machines
Use the following commands to install an SSH client on the laptop or other device from which you will remote SSH into your IoT device.
On apt-based systems:
$ sudo apt-get update
$ sudo apt-get install openssh-client
On yum-based systems:
$ sudo yum update
$ sudo yum -y install openssh-client
How to create and set up SSH keys
SSH uses public/private key pairs to authenticate the client and to set up the encrypted communication channel. Use the ssh-keygen command to generate SSH keys for each client that needs to SSH into your IoT devices.
Go to your client machine (a laptop, for example), open a terminal and execute the following command. Follow the instructions on the screen to create a public/private key pair.
$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/your_home/.ssh/id_rsa):
The keys are usually saved in your home directory under the “.ssh” folder. Leave the private key on your client machine. Copy just the contents of the /home/your_home/.ssh/id_rsa.pub file and append it to the “~/.ssh/authorized_keys” file on the IoT device where the SSH server runs.
From now on, you can log in to your IoT device remotely with the SSH private key on your client machine using the following command:
$ ssh -i ~/.ssh/id_rsa john@tunnel.socketxp.com -p 23224
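The server-side half of the procedure above, as an added example that is not code from the SocketXP article: it covers the "append it to authorized_keys" step of this section and the OpenSSH server installed in the previous section, installing a client's public key without duplicates and with the permissions sshd requires, and rewriting sshd_config so that "do not use passwords" becomes enforced policy rather than advice. The public key line and the sshd_config contents are constructed samples; all paths are parameters, so the functions run against temporary files here, and on a real device you would run them as root against the login user's home directory and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the SocketXP article: the server-side half of key-only
# SSH login on the IoT device. It installs a client's public key into
# ~/.ssh/authorized_keys without duplicates and with the permissions sshd insists
# on, and it rewrites sshd_config so that password logins are refused.
set -eu

# Constructed sample public key (the key material is not real); in practice this is
# the one line in the client's ~/.ssh/id_rsa.pub.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyMaterialNotReal john@laptop'

# install_authorized_key <home-dir> <pubkey-line>: append the key to
# <home-dir>/.ssh/authorized_keys unless it is already there. sshd ignores the
# file (StrictModes) if the directory or file is group/world writable, so the
# permissions are set on every call.
install_authorized_key() {
  home="$1"; key="$2"
  ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth"
  chmod 600 "$auth"
  if ! grep -qxF -- "$key" "$auth"; then
    printf '%s\n' "$key" >> "$auth"
  fi
}

# count_authorized_keys <home-dir>: number of key lines (blank and comment lines excluded).
count_authorized_keys() {
  auth="$1/.ssh/authorized_keys"
  [ -f "$auth" ] || { echo 0; return 0; }
  grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$auth" || true
}

# set_sshd_option <sshd_config> <Keyword> <value>: remove every existing
# definition of Keyword (active or commented out) and put "Keyword value" at the
# top of the file. sshd honours the first occurrence of a keyword, and the top is
# also before any Match block, so the new value wins unconditionally.
set_sshd_option() {
  cfg="$1"; key="$2"; value="$3"; tmp="$cfg.tmp"
  {
    printf '%s %s\n' "$key" "$value"
    grep -viE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=)" "$cfg" || true
  } > "$tmp"
  mv "$tmp" "$cfg"
}

# sshd_option <sshd_config> <Keyword>: print the value sshd would use, i.e. the
# first active "Keyword value" line (keywords are case-insensitive).
sshd_option() {
  grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd <sshd_config>: key-only logins and no root login.
# ChallengeResponseAuthentication is the legacy spelling of
# KbdInteractiveAuthentication; both are set so an old line cannot re-enable it.
harden_sshd() {
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" KbdInteractiveAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PermitRootLogin no
}

# write_sample_sshd_config <path>: a constructed, deliberately permissive config to demonstrate on.
write_sample_sshd_config() {
  cat > "$1" <<'EOF'
# constructed sample sshd_config, not copied from any device
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
EOF
}

# Demonstration on a temporary directory standing in for the login user's home.
demo=$(mktemp -d)
install_authorized_key "$demo" "$SAMPLE_PUBKEY"
install_authorized_key "$demo" "$SAMPLE_PUBKEY"      # second call is a no-op
echo "authorized keys installed: $(count_authorized_keys "$demo")"
write_sample_sshd_config "$demo/sshd_config"
harden_sshd "$demo/sshd_config"
echo "PasswordAuthentication is now: $(sshd_option "$demo/sshd_config" PasswordAuthentication)"
# On the device: run `sshd -t` to syntax-check the rewritten file, then restart the
# service (systemctl restart ssh, or service sshd restart) while keeping your current
# session open until a fresh key-based login has been confirmed.
```

Note that set_sshd_option deliberately removes a keyword from every part of the file, including any Match block, because a per-user Match override is exactly how a password login creeps back in after hardening; if you do need such an exception, add it back by hand below the global setting.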
The solution discussed in this article is a secure way to remote SSH into your home or office computer, because the SSH session is encrypted end-to-end and is carried inside the SocketXP SSL/TLS tunnel.
SSH uses the same cryptography technology used by banks and governments to exchange highly confidential data over the internet.
The data transferred gets encrypted end-to-end between the SSH client and the SSH server.
SocketXP has no way to decrypt or eavesdrop on your encrypted data without your SSH private keys. SocketXP merely acts as an online TCP reverse proxy for the encrypted traffic of your SSH connection.