FanPico Using SSH Server - tjko/fanpico GitHub Wiki
FanPico includes an SSH server starting from firmware version v1.7.6 (earlier versions only had a Telnet server available).
Currently the SSH server only supports ECC (elliptic curve cryptography) algorithms, as RSA uses a lot of memory and runs rather slowly on the Pico. A relatively recent SSH client is therefore needed to connect to FanPico using SSH.
Enabling SSH Server
To use the SSH server, it must be enabled to start during boot, and the server (private) key(s) must also be generated.
First enable the server (to start during the next boot):
SYS:SSH:SERVER ON
Next, generate private keys for the server:
SYS:SSH:KEY:CREATE all
Generating ecdsa private key...OK
Generating ed25519 private key...OK
(To create only one key, specify its type, for example SYS:SSH:KEY:CREATE ed25519)
Optionally, you can check the server keys (along with SHA256 checksums of the keys):
SYS:SSH:KEY?
ecdsa 121 SHA256:8yFIKIddbl8MzrPmpq14EmL/pbLElM9Bb8Pfq3wI8PA
ed25519 82 SHA256:Kg+S0vUReNKuzIWUihW+X+4bs48U55evVG2PGY05Onw
NOTE: private keys are stored separately from the configuration on the built-in flash memory and are not part of the configuration. To erase private keys, the command SYS:SSH:KEY:DEL can be used.
Configure Password and/or Public Key Authentication
FanPico supports both password and public key authentication. For password authentication, one user (login & password) can be defined, while for public key authentication up to 4 public keys can be added.
Configure Password Authentication
To enable password-based authentication, a username and password must be set:
SYS:SSH:USER jack
SYS:SSH:PASS jackspassword
(The password is hashed using the Linux SHA-512-Crypt algorithm and the resulting hash is stored in the system configuration.)
Configure Publickey Authentication
To use public key authentication, first generate an (ED25519 or ECDSA) key-pair.
Probably the easiest way is to use the ssh-keygen command included with OpenSSH.
Generate secret and public key pair
Generating ED25519 key-pair
To generate an ED25519 key-pair, pass "ed25519" to the -t parameter when invoking the ssh-keygen command:
$ ssh-keygen -t ed25519
Generating ECDSA key-pair
To generate an ECDSA key-pair, pass "ecdsa" to the -t parameter when invoking the ssh-keygen command:
$ ssh-keygen -t ecdsa
Add public key to FanPico
To configure public-key authentication, a username and an (SSH) public key must be added to the FanPico configuration.
The public key must be in "OpenSSH" format and can be found in the .pub file that the ssh-keygen command generates. Typically the ED25519 public key is found in the id_ed25519.pub file and the ECDSA key in the id_ecdsa.pub file.
Here is an example of what an ED25519 public key looks like:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2ahc7wk+D85nvKoeIWxMzU0pfNlerHiF0Ri04smvwZ bilbo@shire
To enable user "bilbo" to log in with the private key that matches the above public key, the following command could be used:
SYS:SSH:PUBKEY:ADD bilbo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2ahc7wk+D85nvKoeIWxMzU0pfNlerHiF0Ri04smvwZ tjko@pidesk
CONF:SAVE
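A check that can be run on the workstation before pasting a key into SYS:SSH:PUBKEY:ADD, as an added example that is not part of the FanPico project: it parses the OpenSSH public key line, rejects non-ECC or mislabelled keys, and returns the key's SHA256 fingerprint and the command to enter. The function names and the list of accepted ECDSA curves are assumptions; the sample key is the one shown above.

```python
import base64
import hashlib

# Assumption: accepted types follow the page (ED25519 or ECDSA, no RSA); curve list assumed.
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Sample input: the example public key shown on this page.
SAMPLE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2ahc7wk+D85nvKoeIWxMzU0pfNlerHiF0Ri04smvwZ bilbo@shire"


def read_string(blob, offset):
    """Read one SSH wire string (4-byte big-endian length, then data)."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if len(blob) < offset + 4 or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_pubkey(line):
    """Validate an OpenSSH public key line; return (type, base64, comment, fingerprint)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64, comment = parts[0], parts[1], " ".join(parts[2:])
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unsupported key type: " + key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key data is not valid base64") from exc
    # The blob repeats the algorithm name; it must agree with the text label.
    inner, offset = read_string(blob, 0)
    if inner != key_type.encode():
        raise ValueError("declared type does not match key blob")
    if key_type == "ssh-ed25519":
        key, offset = read_string(blob, offset)
        if len(key) != 32 or offset != len(blob):
            raise ValueError("malformed ed25519 key")
    # Same SHA256 form that `ssh-keygen -l` prints for this key.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, b64, comment, fingerprint


def pubkey_add_command(user, line):
    """Build the SYS:SSH:PUBKEY:ADD command (syntax as shown on this page)."""
    key_type, b64, comment, _ = check_pubkey(line)
    return " ".join(p for p in ("SYS:SSH:PUBKEY:ADD", user, key_type, b64, comment) if p)

if __name__ == "__main__":
    print(check_pubkey(SAMPLE)[3])
    print(pubkey_add_command("bilbo", SAMPLE))
```

Comparing the returned fingerprint with the output of ssh-keygen -lf on the same .pub file confirms that the key about to be authorized is the intended one.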
Viewing Configured Public-Keys
To view the currently configured "users" and their public keys, the following command can be used:
SYS:SSH:PUBKEY?
1: admin, ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+E8WDRmrU2fKizKDyQXdLj3YGh7w5Wl7F2clpzHvGWIoBAJ/nsyUpMCqujzG7eD0EOKukBcb6vqyf2IQ96GLU= bofh
2: bilbo, ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2ahc7wk+D85nvKoeIWxMzU0pfNlerHiF0Ri04smvwZ bilbo@shire
(To remove public keys, the SYS:SSH:PUBKEY:DEL command can be used.)
Save Configuration
After the SSH server is configured, don't forget to save the new configuration before rebooting the unit to enable the SSH server.
To save the configuration and reboot the unit:
CONF:SAVE
*RST