For machines with newer Heidenhain controllers (from TNC 320 up to TNC 7) Heidenhain supports, and may require, secure shell (SSH) communication between remote PCs and the device. Enabling SSH has the benefit that data travels encrypted between your PC and the machine. In addition, you can get rid of the ‘None-secure connection detected’ messages at the control. This document describes the setup of password-based and public/private key-based SSH communication for CNCnetPDM and TNC Remo.
Access the HEROS menu by pressing the left DIADUR key (1).
FIG 1: DIADUR key location (Heidenhain TNC 640)
ENABLE SSH PASSWORD AUTHENTICATION
To allow authentication by username and password, navigate to Settings -> Current User and click [CERTIFICATE AND KEYS]. Next click [ALLOW SSH PASSWORD LOGIN] (2), followed by [STORE AND RESTART SERVER NOW] (3) and [END] (4).
If your controller is set to ‘legacy config’, which should be the default in most cases, username and password are both set to ‘user’.
ENABLE SSH KEY AUTHENTICATION
To enable secure communication by private/public key authentication with CNCnetPDM you have to import the public key file user@cncnetpdm.pub at the controller. The file is located either in subfolder \cert of CNCnetPDM (device driver heidenhain.dll) or in subfolder \.ssh of one of the GUI programs.
Connect to the controller with TNC Remo, navigate (upper window) to the directory where user@cncnetpdm.pub is located and transmit it to a folder at the controller. If the controller only allows secure communication, perform the steps for TNC Remo SSH setup first.
At the controller, again access the HEROS menu, select Settings -> Current User and click [CERTIFICATE AND KEYS]. Next click [IMPORT SSH KEY] (5), select the TNC: drive, navigate to the folder with user@cncnetpdm.pub, select it (6) and click [Open] (7). The imported public key then shows up in the parent dialog (8).
FIG 3: Certificate and keys dialog (Heidenhain TNC 640)
FIG 4: Import public key file (Heidenhain TNC 640)
Your controller now supports secure SSH key authentication from CNCnetPDM.
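Before trusting the key shown in the controller's dialog (8), it is worth confirming that the file you transferred is the one CNCnetPDM will actually use. The following PowerShell function is an added example, not part of the CNCnetPDM documentation or software: it reads an OpenSSH public key file such as user@cncnetpdm.pub, checks that the key type in the header matches the one embedded in the key blob, and prints the SHA256 fingerprint in the same format the OpenSSH tools use. The file path is an assumption; adjust it to where your copy of CNCnetPDM keeps the \cert folder.

```powershell
# Added example (not part of the CNCnetPDM documentation).
# Computes the OpenSSH-style SHA256 fingerprint of a public key file so the key
# imported at the controller can be compared with the file on the PC.
function Get-SshPublicKeyFingerprint {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # An OpenSSH public key is one line: "<type> <base64 blob> [comment]".
    $line  = (Get-Content -Path $Path -TotalCount 1).Trim()
    $parts = $line -split '\s+', 3
    if ($parts.Count -lt 2) {
        throw "Not an OpenSSH public key line: $Path"
    }
    $keyType = $parts[0]
    $blob    = [Convert]::FromBase64String($parts[1])
    $comment = if ($parts.Count -ge 3) { $parts[2] } else { "" }

    # The blob begins with a big-endian uint32 length followed by the key type
    # string; if it disagrees with the header, the file has been tampered with
    # or damaged in transfer.
    $len = ([int]$blob[0] -shl 24) -bor ([int]$blob[1] -shl 16) -bor
           ([int]$blob[2] -shl 8)  -bor  [int]$blob[3]
    $embedded = [System.Text.Encoding]::ASCII.GetString($blob, 4, $len)
    if ($embedded -ne $keyType) {
        throw "Key type mismatch: header '$keyType' vs. blob '$embedded'"
    }

    # OpenSSH fingerprint = base64(SHA256(blob)) without '=' padding.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha.ComputeHash($blob)
    $fp     = [Convert]::ToBase64String($digest).TrimEnd('=')

    [PSCustomObject]@{
        Type        = $keyType
        Comment     = $comment
        Fingerprint = "SHA256:$fp"
    }
}

# Assumed location of the CNCnetPDM public key; adjust to your installation.
Get-SshPublicKeyFingerprint -Path "C:\CNCnetPDM\cert\user@cncnetpdm.pub"
```

Where the Windows OpenSSH client is installed, `ssh-keygen -l -f <file>` produces the same fingerprint and can be used as a cross-check. Keep the corresponding private key in the \cert or \.ssh folder readable only by the account that runs CNCnetPDM; the public key is the only file that needs to be copied to the controller.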
TNC REMO SSH SETUP
Newer Heidenhain controllers, and even programming stations, can only be accessed by TNC Remo through secure SSH communication. To enable SSH access, first make sure that password authentication is enabled at the controller.
In TNC Remo select Connection -> New configuration. In the field Save as enter a name for the connection, e.g. Test_SSH (9). In section Connection select Network connection to control (TCP/IP Secure) (10).
FIG 5: TNC Remo SSH setup (TCP/IP secure)
In section Settings enter the IP Address/Host of your control (11) and the User name (default: user) (12), followed by [Apply] (13).
FIG 6: TNC Remo SSH setup (user name)
On connect, TNC Remo now automatically opens a command line window where you have to type in the password (default: user) twice.
You should now be able to access your controller by secure communication with TNC Remo.
TECHNICAL NOTES (TNC REMO)
TNC Remo itself is not able to perform secure communication. To do so, it uses a set of hidden helper programs.
During SSH setup these programs create a private/public key pair in subfolder \.ssh of your user profile and transmit the public key to the controller. These keys must not be used by programs other than TNC Remo.
If you establish a secure connection with TNC Remo, it does not communicate directly with your controller. Instead it starts a hidden program that creates a new random(!) IP address on your PC.
Using this random address, the helper program connects to your controller on TCP port 22. TNC Remo then only communicates with the helper program.
If you use a firewall, you have to add an exception that allows connections from any program and any IP address of your PC to TCP port 22 of your controller in order to use TNC Remo secure communication!
For CNCnetPDM you only have to allow communication from the program itself to TCP port 22 of the controller.
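The two firewall requirements above differ in how tightly they can be scoped, and that difference is worth preserving in the rules you create. The following PowerShell snippet is an added example, not part of the CNCnetPDM documentation: it creates one outbound Windows Firewall rule for CNCnetPDM restricted to the program, the controller's address and TCP port 22, and a second rule for the TNC Remo helper that cannot be tied to a program or local address (because of the random IP) but is still limited to the controller's address and port 22 rather than open to any destination. The controller IP and the CNCnetPDM executable path are placeholders.

```powershell
# Added example (not part of the CNCnetPDM documentation). Run from an
# elevated PowerShell session on the PC that runs CNCnetPDM / TNC Remo.
$ControllerIp = "192.0.2.10"                    # placeholder: IP address of the TNC control
$CncNetPdmExe = "C:\CNCnetPDM\cncnetpdm.exe"    # placeholder: path of the CNCnetPDM executable

# Rule 1: least privilege for CNCnetPDM. Only this program, only to the
# controller, only TCP/22, as the text above states is sufficient.
New-NetFirewallRule -DisplayName "CNCnetPDM to TNC SSH" `
    -Direction Outbound -Action Allow -Protocol TCP `
    -Program $CncNetPdmExe -RemoteAddress $ControllerIp -RemotePort 22

# Rule 2: TNC Remo's hidden helper connects from a random local IP address, so
# the rule cannot be scoped to a program or a local address. It can still be
# scoped to the controller's address and port instead of "any destination".
New-NetFirewallRule -DisplayName "TNC Remo helper to TNC SSH" `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress $ControllerIp -RemotePort 22

# Show both rules with their direction, action and state for review.
Get-NetFirewallRule -DisplayName "*to TNC SSH" |
    Format-Table DisplayName, Direction, Action, Enabled
```

These rules only matter if the firewall's outbound default for the active profile is Block; with the Windows default of Allow they are harmless but redundant. If several controllers are in use, pass a list of addresses to -RemoteAddress rather than widening the rule to a whole subnet.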