Securely accessing your Internet of Things (IoT) device

You can create a secure connection from your Internet of Things (IoT) board to the Intel® XDK using ssh. This secure connection encrypts the communication between your development system and the IoT board. Furthermore, you can prevent anyone who does not have ssh access to your IoT board from gaining access to the app daemon. For steps to update your app daemon software and take advantage of this security feature, see Updating the daemon. The updated daemon supports only secure connections.

The Intel XDK is distributed with the Intel® IoT Developer Kit. It provides a complete solution to create and test applications for Intel IoT platforms, like the Intel® Galileo board and Intel® Edison board. This page assumes you are already familiar with the setup instructions in Getting started with the Intel® XDK.

Connecting to your IoT device securely with a user name and password

  1. In the bottom-left corner of the Intel XDK, click the IoT Device drop-down list and select Add Manual Connection. The "Connect to IoT Device" dialog box opens.
  2. Type your board's IP address and port in the Address and Port fields.
  3. Type your user name and password in the User Name and Password fields.

    Note: You can set up your own user name on the IoT board, or use root as the user name. If you do set up your own user name (using the adduser command on the board, for example), you can use that name to log in to the board, but your applications will still run as root.
  4. Click Connect to log in to the board with ssh and start a connection to the daemon using ssh tunneling.

Connecting to your IoT device securely using a user name and secure keys

Rather than typing your password when logging in to your board, you can log in using a private/public ssh key pair. To generate new keys, see Generating the ssh keys.

  1. In the bottom-left corner of the Intel XDK, click the IoT Device drop-down list and choose Add Manual Connection. The "Connect to IoT Device" dialog box opens.
  2. Type your board's IP address and port in the Address and Port fields.
  3. Select the Use ssh keys check box.
  4. Type your user name in the User Name field.
  5. Type or browse to the Private Key Path.
  6. Type your pass phrase in the Pass Phrase field.
  7. Click Connect to log in to the board with ssh and start a connection to the daemon using ssh tunneling.

Intel XDK will remember your user name and the path to your private key file, but it will not store your password or your pass phrase. As a result, you always have to enter one of these to connect securely. While it is possible to connect using ssh keys with an empty pass phrase, this is only as secure as your private key. For this reason, using a pass phrase as well as a private key is strongly recommended.

Reconnecting to your device

Intel XDK remembers the attributes of a connection while it is running. It will retain the user name, the path to the private key file, and the method used for connection. It will never retain your password or your pass phrase.

When started, the Intel XDK may find a device and place it on the list of known devices in the device list, but the Intel XDK will not show devices that need a password or pass phrase. You must connect to this type of device manually.

If you change devices without restarting the Intel XDK, the application remembers the settings from your previous device. If your device did not need a password or pass phrase previously, but now requires them, from the IoT Device drop-down list, select Add Manual Connection and select the appropriate options to create a manual connection.

Updating the daemon

You can now update the Intel XDK daemon automatically from the application itself, without having to do any system administration tasks on the board.

First, connect to the board using a secure connection. This feature only works over a secure (ssh) connection.

If your daemon is not up-to-date, a dialog box notifies you that you have an old daemon. You can follow the onscreen instructions to update the daemon immediately. If the update fails, or if you suspect that your daemon has become corrupted and wish to refresh it manually, click the IoT Settings icon in the bottom-right corner of the screen, then select Upgrade xdk-daemon on IoT device. This updates the daemon even if the Intel XDK believes the daemon is already up-to-date.

The update process starts by downloading the appropriate daemon package from or to the home directory of the account with which you are logged in to the board (for example, /home/root). The version number changes from release to release.

The file is uncompressed and untarred, and the script included with the tarball is executed. If the update is successful, the connection to your board drops and you are asked whether to reconnect. Click Yes.

Examining the update log

The update process is logged to your terminal window. The information scrolls by rather quickly, but you can also examine the process information in the log file for the Intel XDK.

If the update fails, the most likely problem is running out of disk space during the update. If this happens, one location where you can often save some disk space is /var/log/journal.

The updater does not currently remove the files from the home directory because, if the automatic process fails, you may find it convenient to retry the script by hand. If you do this, make certain you run the script as ./ and not . ./ You can, of course, remove the files by hand by logging into the board and entering the command rm -rf xdk-daemon* in your home directory. This will not affect the running of the daemon.

Generating the ssh keys

The software used to generate the ssh keys is available on the board. If you already have a pair of keys, you can use the old ones instead of generating new ones. To generate new ssh keys:

  1. Log into the board using ssh. For example, enter the command:

    ssh -l root <board-IP-address>

  2. Enter the following command to run ssh-keygen and generate the keys:

    ssh-keygen -t rsa

  3. Answer the prompts. You will typically generate the keys into /home/root/.ssh/id_rsa.
  4. Add the contents of the file into the authorized_keys file in /home/root/.ssh.
  5. Check the permissions of the files in the .ssh directory. They should be listed as -rw-------. If they are not, change them by entering the command:

    chmod 600 *

    Only the .ssh directory itself and your private key files need to have these special permissions. Your public keys can be freely distributed.
  6. Exit from the board and use the scp command to copy the private key file to your development computer:

    scp root@<board-IP-address>:<path-to-private-key> ~/.ssh/iot_rsa

You may already have an id_rsa file on your host machine. If so, you will probably not want to overwrite it. There is nothing special about the name iot_rsa; you can call the file anything you like, since you will specify the name in the connection dialog. However, it is a good idea to keep it in the .ssh directory, since that directory is the usual place for ssh keys.

It is worth making sure that nobody else can read this file or directory. Some implementations of ssh will refuse to use keys that have loose permissions. You can use the chmod command as described above to modify permissions.
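
The permission checks from step 5 and the paragraph above, as an added example that is not part of the original Intel documentation: a POSIX shell audit that flags a key directory, private key or authorized_keys file with loose permissions, and a fix that tightens only those files instead of running chmod 600 on everything. The function names and the demo files are assumptions constructed for illustration, and the checks assume OpenSSH-style permission rules; the directory gets mode 700 rather than 600 because a directory needs the execute bit to be entered.

```sh
#!/bin/sh
# Added example, not Intel's code; the demo files at the end are constructed.

mode_of() { ls -ld "$1" | cut -c2-10; }          # e.g. "rw-------"
is_private_key() {                               # PEM private-key header?
    head -n 1 "$1" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'
}
finding() { echo "$1"; findings=$((findings + 1)); }

# audit_ssh_dir DIR: print one line per finding; status 0 only if clean.
audit_ssh_dir() {
    findings=0
    case $(mode_of "$1") in ???------) ;; *) finding "LOOSE directory: $1" ;; esac
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_private_key "$f"; then        # no group/other access at all
            case $(mode_of "$f") in ???------) ;; *) finding "LOOSE private key: $f" ;; esac
        elif [ "${f##*/}" = authorized_keys ]; then   # no group/other write
            case $(mode_of "$f") in ????-??-?) ;; *) finding "WRITABLE: $f" ;; esac
        fi
    done
    [ "$findings" -eq 0 ]
}

# harden_ssh_dir DIR: 700 on the directory (it needs the execute bit to be
# entered), 600 on private keys and authorized_keys; public keys untouched.
harden_ssh_dir() {
    chmod 700 "$1"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_private_key "$f" || [ "${f##*/}" = authorized_keys ]; then
            chmod 600 "$f"
        fi
    done
}

# Demo on a throwaway directory with constructed files (not real keys).
d=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$d/iot_rsa"
echo 'ssh-rsa AAAA-constructed root@board' > "$d/iot_rsa.pub"
cp "$d/iot_rsa.pub" "$d/authorized_keys"
chmod 755 "$d"; chmod 644 "$d/iot_rsa"; chmod 666 "$d/authorized_keys"
audit_ssh_dir "$d" || echo "-> $findings finding(s) before hardening"
harden_ssh_dir "$d"
audit_ssh_dir "$d" && echo "-> clean after hardening"
rm -rf "$d"
```

Run the two functions against ~/.ssh on the development computer and against /home/root/.ssh on the board; the audit only reads permissions and never opens key contents beyond the first line.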
