diff --git a/README.md b/README.md index c64fffc..73981d3 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,24 @@ # NervesSSH -[![CircleCI](https://circleci.com/gh/nerves-project/nerves_ssh.svg?style=svg)](https://circleci.com/gh/nerves-project/nerves_ssh) +[![CircleCI](https://circleci.com/gh/nerves-project/nerves_ssh/tree/main.svg?style=svg)](https://circleci.com/gh/nerves-project/nerves_ssh/tree/main) [![Hex version](https://img.shields.io/hexpm/v/nerves_ssh.svg "Hex version")](https://hex.pm/packages/nerves_ssh) -Manage a SSH daemon and subsystems on Nerves devices. +Manage an SSH daemon and its subsystems on Nerves devices -## Installation +## Usage + +This library wraps Erlang/OTP's [SSH +daemon](http://erlang.org/doc/man/ssh.html#daemon-1) to make it easier to use +reliably with Nerves devices. + +Most importantly, it makes it possible to segment failures in other OTP +applications from terminating the daemon and it recovers from rare scenarios +where the daemon terminates without automatically restarting. -To use, add the dependency to your `mix.exs`: +If you're using [`:nerves_pack`](https://hex.pm/packages/nerves_pack) v0.4.0 or +later, you don't need to do anything except, perhaps, modify the `:nerves_ssh`'s +configuration in your `config.exs`. If you are not using `:nerves_pack`, add +`:nerves_ssh` to your `mix` dependency list: ```elixir def deps do @@ -17,30 +28,17 @@ def deps do end ``` -## Goals - -* [X] Support public key authentication -* [X] Support username/password authentication -* [ ] Device generated Server certificate and key -* [ ] Device generated username/password - -## Usage - -A wrapper around SSH daemon focused purely on the context of Nerves devices. - -It keeps `sshd` under supervision and monitored so that daemon failures can be -recovered. - -While this will be started with your application, it is generally a good idea to -separate connection level processes from your main application via `shoehorn`. -Then the event of your application failure, the separated `nerves_ssh` -application will continue to work instead of crashing with your app: +And then include it in `:shoehorn`'s `:init` list: ```elixir config :shoehorn, init: [:nerves_runtime, :vintage_net, :nerves_ssh] ``` +`:nerves_ssh` will work if you do not add it to the `:init` list. However, if +your main OTP application stops, OTP may stop `:nerves_ssh`, and that would make +your device inaccessible via SSH. + ## Configuration NervesSSH supports a few pieces of configuration via the application config: @@ -58,7 +56,42 @@ NervesSSH supports a few pieces of configuration via the application config: ## Authentication -FILL IN... +It's possible to set up a number of authentication strategies with the Erlang +SSH daemon. Currently, only simple public key and username/password +authentication setups are supported by `:nerves_ssh`. Both of them work fine for +getting started. As needs become more sophisticated, you can pass options to +`:daemon_option_overrides`. + +### Public key authentication + +Public ssh keys can be included in the `config.exs` so that matching clients can +connect. These come from files like your `~/.ssh/id_rsa.pub` or +`~/.ssh/id_ecdsa.pub` that were created when you created your `ssh` keys. If you +haven't done this, the following +[article](https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/) +may be helpful. Here's an example: + +```elixir +config :nerves_ssh, + authorized_keys: [ + "ssh-rsa +AAAAB3NzaC1yc2EAAAADAQABAAAAgQDBCdMwNo0xOE86il0DB2Tq4RCv07XvnV7W1uQBlOOE0ZZVjxmTIOiu8XcSLy0mHj11qX5pQH3Th6Jmyqdj", + "ssh-rsa +AAAAB3NzaC1yc2EAAAADAQABAAACAQCaf37TM8GfNKcoDjoewa6021zln4GvmOiXqW6SRpF61uNWZXurPte1u8frrJX1P/hGxCL7YN3cV6eZqRiF" + ] +``` + +Here's another way that may work well for you that avoids needing to commit your +keys: + +```elixir +config :nerves_ssh, + authorized_keys: [ + File.read!(Path.join(System.user_home!, ".ssh/id_rsa.pub")) + ] +``` + +### Username/password authentication The SSH console uses public key authentication by default, but it can be configured for usernames and passwords via the `:user_passwords` key. This @@ -72,3 +105,9 @@ config :nerves_ssh, ] ``` +## Goals + +* [X] Support public key authentication +* [X] Support username/password authentication +* [ ] Device generated server certificate and key +* [ ] Device generated username/password