TL;DR
This guide shows you how to check a device is who it says it is before letting it send data to your system. We’ll cover using SSH keys, API tokens and mutual TLS (mTLS) for secure authentication.
1. Understanding the Problem
Without checking a device’s identity, anyone could pretend to be a legitimate source and send malicious or incorrect data. Authentication verifies that devices are authorised before they can access your system.
2. Method 1: SSH Key Authentication (for command-line devices)
- Generate a key pair on the device: Use the ssh-keygen command.
    ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N "your_passphrase"
  This creates a private key (~/.ssh/id_rsa) and a public key (~/.ssh/id_rsa.pub). Keep the private key secret on the device.
- Copy the public key to your server: Use ssh-copy-id or manually append the contents of ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys file on your server for the relevant user.
    ssh-copy-id user@yourserver
- Configure your server to require key authentication: Edit the /etc/ssh/sshd_config file. Set these options:
    PubkeyAuthentication yes
    PasswordAuthentication no          (strongly recommended)
    ChallengeResponseAuthentication no
- Restart the SSH service:
    sudo systemctl restart sshd
Now, only devices with the correct private key can connect.
3. Method 2: API Tokens (for applications)
- Generate unique tokens: Create a system to generate long, random strings for each device.
    openssl rand -base64 32
  Store these tokens securely in your database.
- Distribute tokens to devices: Provide the token to the application on each device during setup or registration.
- Require tokens with every API request: The device must include the token in the Authorization header of its requests.
    Authorization: Bearer YOUR_API_TOKEN
- Validate tokens on your server: Before processing any request, check if the provided token exists and is valid.
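The token lifecycle the steps above describe (generate, store, require in the Authorization header, validate), together with the expiration and revocation points from the Important Considerations section, as an added Python example. This is not code from the original guide; the in-memory store, the record layout and the function names are assumptions standing in for your database. Tokens are stored only as SHA-256 digests, so a leaked table does not yield usable credentials.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TokenRecord:
    device_id: str
    expires_at: float      # Unix time after which the token is rejected
    revoked: bool = False


@dataclass
class TokenStore:
    """Stand-in for the server's database (assumption). Keys are SHA-256 hex digests
    of tokens, never the tokens themselves."""
    records: Dict[str, TokenRecord] = field(default_factory=dict)


def _digest(token: str) -> str:
    # Tokens carry 256 bits of randomness, so an unsalted SHA-256 is sufficient:
    # nobody can enumerate the input space the way they could with passwords.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(store: TokenStore, device_id: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Generate a token for a device and store its digest plus expiry. Returns the
    plaintext token exactly once, for delivery to the device during registration."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes, like `openssl rand -base64 32`
    store.records[_digest(token)] = TokenRecord(device_id, now + ttl_seconds)
    return token


def revoke_device(store: TokenStore, device_id: str) -> int:
    """Revoke every token belonging to a lost or compromised device. Returns the count."""
    count = 0
    for rec in store.records.values():
        if rec.device_id == device_id and not rec.revoked:
            rec.revoked = True
            count += 1
    return count


def parse_bearer(auth_header: Optional[str]) -> Optional[str]:
    """Extract the token from an `Authorization: Bearer <token>` header value."""
    if not auth_header:
        return None
    parts = auth_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token or None


def authenticate(store: TokenStore, auth_header: Optional[str],
                 now: Optional[float] = None) -> Optional[str]:
    """Return the device_id for a valid, unexpired, unrevoked token, else None.
    Call this before processing any request."""
    now = time.time() if now is None else now
    token = parse_bearer(auth_header)
    if token is None:
        return None
    rec = store.records.get(_digest(token))
    if rec is None or rec.revoked or now >= rec.expires_at:
        return None
    return rec.device_id


if __name__ == "__main__":
    store = TokenStore()
    tok = issue_token(store, "sensor-01", ttl_seconds=3600)
    print("issued:", tok)
    print("authenticated as:", authenticate(store, "Bearer " + tok))
    revoke_device(store, "sensor-01")
    print("after revocation:", authenticate(store, "Bearer " + tok))
```

The same digest-on-write, digest-on-lookup pattern carries over to a real database table; the only plaintext copy of the token is the one handed to the device. Returning None for every failure (missing header, wrong scheme, unknown digest, expired, revoked) keeps the caller's logic to a single check and gives an attacker no hint about which condition failed.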
4. Method 3: Mutual TLS (mTLS) (for high security)
- Create a Certificate Authority (CA): This acts as a trusted root for your device certificates.
    openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365
- Generate Device Certificates: Create a certificate for each device, signed by your CA. (The -days option applies when signing the certificate, not when creating the request.)
    openssl req -newkey rsa:4096 -nodes -keyout device1.key -out device1.csr
    openssl x509 -req -in device1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out device1.crt -days 365 -sha256
- Install CA Certificate on your Server: Configure your web server (e.g., Nginx, Apache) to trust the CA certificate.
- Configure Devices with Certificates: Install the device certificate and private key on each device.
- Enable mTLS on your Server: Configure your server to require client certificates for all connections.
mTLS provides strong authentication because both the server and client verify each other’s identities using certificates.
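The server side of the "Enable mTLS" step, as an added Python example rather than code from the guide: a TLS server context that refuses any client without a certificate chaining to your CA, and a function that turns the verified client certificate into a device identity your application can authorise on. The file names server.crt and server.key and the function names are assumptions; the guide's openssl commands cover the CA and device certificates but not the server's own certificate, which you issue the same way.

```python
import ssl
from typing import Optional

# Assumed file names: ca.crt comes from the CA step above; the server's own
# certificate and key are hypothetical here (issue them from the same CA).
CA_CERT = "ca.crt"
SERVER_CERT = "server.crt"
SERVER_KEY = "server.key"


def new_mtls_server_context() -> ssl.SSLContext:
    """Server-side TLS context configured to require a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED is what turns one-way TLS into mutual TLS: the handshake
    # fails unless the client presents a certificate that verifies against
    # the CAs loaded with load_verify_locations().
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def load_server_identity(ctx: ssl.SSLContext, ca_path: str = CA_CERT,
                         cert_path: str = SERVER_CERT,
                         key_path: str = SERVER_KEY) -> ssl.SSLContext:
    """Trust only our device CA (not the system store) and load the server's cert."""
    ctx.load_verify_locations(cafile=ca_path)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def _common_name(name) -> Optional[str]:
    # getpeercert() encodes a distinguished name as a tuple of RDNs, each a
    # tuple of (attribute_type, value) pairs.
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def device_id_from_peercert(peercert: Optional[dict],
                            expected_issuer_cn: str) -> Optional[str]:
    """Map the result of ssl.SSLSocket.getpeercert() to a device identity.

    Returns None unless a certificate was presented, was verified by the TLS
    layer, and was issued by the expected CA. getpeercert() returns None when
    the client sent no certificate and {} when one was sent but not verified,
    so both fall through the `not peercert` check."""
    if not peercert:
        return None
    if _common_name(peercert.get("issuer", ())) != expected_issuer_cn:
        return None
    return _common_name(peercert.get("subject", ()))


if __name__ == "__main__":
    import socket
    # Minimal accept loop: every connection that reaches getpeercert() has
    # already passed certificate verification, so the subject CN can be
    # treated as the authenticated device identity.
    ctx = load_server_identity(new_mtls_server_context())
    with socket.create_server(("0.0.0.0", 8443)) as raw:
        with ctx.wrap_socket(raw, server_side=True) as tls:
            conn, _ = tls.accept()
            with conn:
                device = device_id_from_peercert(conn.getpeercert(), "Device CA")
                print("authenticated device:", device)
```

With verify_mode left at its default (CERT_NONE) the server would complete the handshake for any client and getpeercert() would return an empty dict, which is why device_id_from_peercert() treats an empty dict the same as no certificate. The issuer check matters when the CA file later grows to hold more than one CA: only certificates from the device CA should map to device identities.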
5. Important Considerations
- Secure Storage: Always store private keys, tokens, and certificates securely.
- Token Expiration: Implement token expiration to limit the impact of compromised credentials.
- Revocation: Have a mechanism to revoke access for devices if they are lost or compromised.
- Regular Audits: Regularly review your authentication system and security practices.

