EMCSSH - PKI on the Emercoin blockchain

It is possible to create a bridge between OpenSSH and the Emercoin cryptocurrency's blockchain. The result is a comfortable, safe and very flexible way to log in to multiple servers using the SSH protocol. More information about the benefits of EMCSSH can be found here in the developers' blog. Below are instructions for installing and configuring Emercoin SSH on an example VPS running Debian 7.

We assume that your server is already running the Emercoin wallet. If not, instructions for installing it can be found here.

Installing the necessary packages

First upgrade the existing software:

apt-get update
apt-get dist-upgrade

Now install curl and jansson:

apt-get install libcurl4-openssl-dev libjansson-dev

Next, you need to download and install emcssh:

wget http://emercoin.com/content/emcssh/emcssh-0.0.2.tar.gz
tar xfz emcssh-0.0.2.tar.gz
cd emcssh-0.0.2
make install

Setting up EMCSSH

Now you need to edit the config file /usr/local/etc/emcssh_config and change the setting for emcurl. Settings need to match those in emercoin.conf, which can be found in /home/emc/.emercoin/emercoin.conf

nano /usr/local/etc/emcssh_config

Change the value for emcurl

emcurl http://emccoinrpc:[email protected]:8775/

emccoinrpc and rpcpassword should be taken from emercoin.conf, other parameters can be left as is.

Important: the emcssh_config file should be readable and writable only by root. Do not change the permissions on this file, as it contains the rpcpassword.
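A check for both conditions, as an added example that is not part of emcssh: it compares the credentials in the emcurl line with emercoin.conf without printing them, and verifies that the file is private to its owner. It assumes emercoin.conf uses Bitcoin-style rpcuser= and rpcpassword= lines; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of emcssh. Assumption: emercoin.conf holds
# Bitcoin-style "rpcuser=..." and "rpcpassword=..." lines.
# Function names are hypothetical.

# Print the value of KEY from a key=value FILE (last occurrence wins).
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Print "user:password" from the emcurl line: everything between "://"
# and the last "@" of the URL.
emcurl_creds() {
    sed -n 's|^[[:space:]]*emcurl[[:space:]]\{1,\}[a-z]*://\(.*\)@[^@]*$|\1|p' "$1" |
        tail -n 1
}

# Return 0 if CFG matches WALLET_CONF and is accessible by its owner only.
# OWNER is the expected numeric uid (default 0, i.e. root).
# Secrets are compared but never printed.
check_emcssh_config() {
    cfg=$1 wallet_conf=$2 owner=${3:-0} status=0
    want="$(conf_get rpcuser "$wallet_conf"):$(conf_get rpcpassword "$wallet_conf")"
    [ "$(emcurl_creds "$cfg")" = "$want" ] ||
        { echo "emcurl credentials differ from $wallet_conf" >&2; status=1; }
    set -- $(ls -ldn "$cfg")    # $1 = mode string, $3 = numeric owner uid
    [ "$3" = "$owner" ] ||
        { echo "$cfg: owner uid is ${3:-unknown}, expected $owner" >&2; status=1; }
    case $1 in
        ?rw-------*|?r--------*) ;;
        *) echo "$cfg: mode ${1:-unknown} exposes rpcpassword" >&2; status=1 ;;
    esac
    return $status
}

# Usage: sh check.sh /usr/local/etc/emcssh_config /home/emc/.emercoin/emercoin.conf
[ $# -eq 0 ] || check_emcssh_config "$@"
```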

Next, you need to edit the sshd config file, but Debian has a small problem in that the sshd version may be too old and first needs to be updated. Users of other operating systems can skip the next step.

Update OpenSSH on Debian

First, find out what version of OpenSSH is installed:

sshd -v

In response, we get the following message:

unknown option -- v
OpenSSH_6.1p1 Debian

If the version is 6.2 or above, the next step can be skipped. Otherwise, update:

nano /etc/apt/sources.list

Add the following line to the end of the file and save it:

deb http://ftp.debian.org/debian/ wheezy-backports main non-free contrib

Update the system:

apt-get update

Then install sshd:

apt-get -t wheezy-backports install openssh-server

The installation script asks whether to disable password authentication. The best response is to disable it, so that it is no longer possible to log in the traditional way.

In addition, Debian users will need to move the emcssh binary to a different location:

mv /usr/local/sbin/emcssh /usr/sbin/emcssh

Configure OpenSSH

Now we need to edit the configuration file sshd_config:

nano /etc/ssh/sshd_config

Add the following lines:

For Debian:

AuthorizedKeysCommand /usr/sbin/emcssh
AuthorizedKeysCommandUser root

For other operating systems:

AuthorizedKeysCommand /usr/local/sbin/emcssh
AuthorizedKeysCommandUser root
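sshd only runs an AuthorizedKeysCommand that is given as an absolute path, owned by root and not writable by group or others. The following check of those conditions against a config file is an added example, not part of emcssh or OpenSSH; the helper names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of emcssh or OpenSSH; helper names are hypothetical.

# First value of KEYWORD in an sshd_config-style FILE. sshd treats keywords
# case-insensitively and uses the first value it finds.
sshd_conf_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { print $2; exit }' "$2"
}

# Return 0 if the AuthorizedKeysCommand in FILE is an absolute path to a
# file owned by uid OWNER (default 0), executable, and not writable by
# group or others, and AuthorizedKeysCommandUser is set.
check_keys_command() {
    conf=$1 owner=${2:-0}
    cmd=$(sshd_conf_get AuthorizedKeysCommand "$conf")
    [ -n "$(sshd_conf_get AuthorizedKeysCommandUser "$conf")" ] ||
        { echo "AuthorizedKeysCommandUser is not set" >&2; return 1; }
    case $cmd in
        /*) ;;
        *) echo "AuthorizedKeysCommand must be an absolute path" >&2; return 1 ;;
    esac
    [ -f "$cmd" ] || { echo "$cmd does not exist" >&2; return 1; }
    set -- $(ls -ldn "$cmd")    # $1 = mode string, $3 = numeric owner uid
    [ "$3" = "$owner" ] || { echo "$cmd is not owned by uid $owner" >&2; return 1; }
    case $1 in
        ?????w*|????????w*) echo "$cmd is group/other-writable" >&2; return 1 ;;
        ???[!xs]*) echo "$cmd is not executable" >&2; return 1 ;;
    esac
}

# Usage: sh check.sh /etc/ssh/sshd_config
[ $# -eq 0 ] || check_keys_command "$@"
```

Running `sshd -t` afterwards validates the syntax of the whole configuration file before the daemon is told to reload it.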

Restart sshd with the new configuration:

kill -HUP `cat /var/run/sshd.pid`

Generating a key pair

Now we need to come up with a user name and generate a key pair for them. If you are running Windows, I recommend using PuTTYgen. Download it here.

Run PuTTYgen, change the number of bits to 4096 and click Generate.


Move the mouse cursor around the screen during key generation. Afterwards you should see something like this:


Click Save Private Key and store the key on your computer. Password protection is not needed, so you can agree to save without a password.

Next, we need to add the public key (highlighted in the picture above) to the Emercoin blockchain. Do this in your Emercoin wallet on your PC. In the name field, specify:


In the value field paste your public key from PuTTYgen. The new address field can be left blank. Specify the number of days, and click Submit.

Emercoin Wallet

Now we need to wait for confirmation of our transaction. To save time while waiting for confirmation, you can now go back to your server, and add a new user to the file emcssh_keys:

cd $HOME/.ssh/
nano emcssh_keys

In the document, simply add your user via @. In my case it is:


Save and close the document.

It should be noted that Emercoin's EMCSSH technology allows you to authorize not only individual users, but also entire groups. Let's say I want to give three other people access to my servers. I could add each user individually to the emcssh_keys file, but that is inconvenient, because every time a user is added or removed the file has to be edited on all servers. There is a more versatile and easier way: simply create an entry in the Emercoin blockchain, for example kamilloFriends, and list all your friends in it. The fields for such an entry are as follows:

Name: ssh:kamilloFriends
Value: @[email protected][email protected][email protected]

If you need to add or remove someone from the group, it will be enough to make a Name_Update on this entry in the Emercoin wallet.
Thus, if in the file emcssh_keys I specify the group @kamilloFriends, the system can authorize any of my friends.

Operability test

To make sure that everything works as expected, run the following command:

emcssh username

On my test server I work from the root user, so the command for my username would be:

emcssh root

In response, we get the following message:

#INFO: verbose=2; maxkeys=4096 recursion=30 emcssh_keys=/root/.ssh/emcssh_keys; [email protected]:8775/

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAgmzL............

Perfectly as expected. Everything works.
Now try to log in. Without closing the current session, set up PuTTY to log in without a password. To do this, open a new PuTTY window, enter the IP address of your server and go to SSH -> Auth:


Click Browse ... and specify the path to your private key.

On the tab Connection -> Data we can specify the user under which we want to connect. If not specified, don't worry - in this case the server will ask for the user name when you connect.


Click Open and connect to the server. If it connects then you have succeeded! If the connection fails for some reason, open the window of the previous session and enter the following command:

cat /var/log/auth.log

Look carefully for any error messages there and seek solutions to the problem. And if you can't fix it, please ask for help.

Finally, here's another useful command, which shows when visitors log in:

grep "Accepted publickey" /var/log/auth.log
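Because the accepted keys come from the blockchain rather than from a local authorized_keys file, the log is the place to see which user, source address and key were actually accepted. The summary below is an added example, not part of emcssh; the log lines in it are constructed sample data, and it matches on field position rather than on a substring so that the phrase appearing inside another message is not counted.

```sh
#!/bin/sh
# Added example: count accepted public-key logins per user, source and key.
# The log lines below are constructed sample data, not real output.

sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:02 vps sshd[1201]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2: RSA SHA256:CONSTRUCTEDfingerprintAAAA
Mar  3 10:20:41 vps sshd[1222]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Mar  3 11:02:17 vps sshd[1290]: Accepted publickey for alice from 198.51.100.7 port 50111 ssh2
Mar  3 12:44:30 vps sshd[1345]: Accepted publickey for root from 203.0.113.5 port 51310 ssh2: RSA SHA256:CONSTRUCTEDfingerprintAAAA
EOF
}

# Reads auth.log text on stdin and prints "count user source-ip fingerprint",
# busiest first. "-" means sshd did not log a key fingerprint on that line.
summarize_publickey_logins() {
    awk '
    # Field 5 is the syslog tag; fields 6-7 must start the sshd message.
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $7 == "publickey" {
        fp = ($NF ~ /:/) ? $NF : "-"
        seen[$9 " " $11 " " fp]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2,2
}

# Usage: sh summary.sh /var/log/auth.log
[ $# -eq 0 ] || summarize_publickey_logins < "$1"
```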

Supplement: Authorization key for MacOS X

To be able to log in to an EMCSSH-enabled server via the terminal in OS X, you first need to convert your private key to the desired format. I did the conversion in Windows with PuTTYgen. It is better to set a password for your key, since otherwise OS X will complain (in the future you will need to enter your password only once).

Run PuTTYgen, click Load and choose your *.ppk key. Next, set a password in Key passphrase and Confirm passphrase. Go to the Conversions tab and export the key in OpenSSH format:


Now we want to add the key to the OS X system.
Open a terminal and navigate to the folder where you exported the key. I have a folder named Keys:

cd Keys

Set the key as read-only, otherwise the system will complain:

chmod 0400 your_key_file

Add the key:

ssh-add your_key_file

In response, we receive a message that an identifier was added. Check the connection with the command:

ssh [email protected]_server_ip

If the server does not ask for a password, then all is well.

That's all. If you have questions, be sure to ask.