www.safezone-fpv.com


Full Agent AI + SSH Sandbox (VS Code ↔ Raspberry Pi)

Operational recap (medium level): non-interactive SSH setup, VS Code “Full Access” agent execution, and applied security guardrails.

1 Summary

  • Network: validated that the remote host is reachable (ping OK).
  • SSH: stable SSH access to a Raspberry Pi.
  • Dedicated automation key: ed25519 key without passphrase for non-interactive execution.
  • SSH alias: raspoutine defined in ~/.ssh/config to stabilize commands.
  • VS Code: shell tool inside an extension allowing the agent to execute ssh raspoutine "..." with user confirmation.
  • Security: reduced attack surface via dedicated key, aliasing, identity pinning, and confirmation dialogs. Recommended: Pi-side dispatcher (obbctl).

Note

All commands use placeholders. No private keys, no secrets, no proprietary code.

Figure: screenshot of the Visual Studio Code Extension Generator (Yeoman).

2 Architecture Diagrams

Execution Chain

```mermaid
flowchart LR
  A["VS Code Agent (Full Access)"] -->|Tool call| B["Shell Tool (VS Code Extension)"]
  B -->|Local exec| C[Windows Shell]
  C -->|ssh <alias> <cmd>| D["Raspberry Pi (sshd)"]
  D -->|stdout / stderr| C --> B --> A
```

Minimum Viable Steps

```mermaid
sequenceDiagram
  participant W as Windows
  participant P as Raspberry Pi
  W->>P: ping <PI_IP>
  W->>P: ssh <USER>@<PI_IP> "uname -a"
  W->>W: ssh-keygen (dedicated key, no passphrase)
  W->>P: append public key to authorized_keys
  W->>P: ssh <ALIAS> "uname -a" (non-interactive)
```

3 SSH Setup (Windows ↔ Raspberry Pi)

3.1 Prerequisites

  • Windows with OpenSSH client enabled.
  • Raspberry Pi reachable on the LAN: <PI_IP>.
  • Remote user: <PI_USER>.

3.2 Network check

```bat
ping <PI_IP>
```

3.3 SSH sanity check

```bat
ssh <PI_USER>@<PI_IP> "uname -a"
```

3.4 Create a dedicated automation key (no passphrase)

```bat
ssh-keygen -t ed25519 -f "%USERPROFILE%\.ssh\<PROJECT_KEY>" -N ""
```

3.5 Install the public key on the Pi

```bat
type "%USERPROFILE%\.ssh\<PROJECT_KEY>.pub" | ssh <PI_USER>@<PI_IP> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```

3.6 Permissions (mandatory)

```sh
# Run on the Pi, as <PI_USER>
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```

3.7 Non-interactive test

```bat
ssh -i "%USERPROFILE%\.ssh\<PROJECT_KEY>" <PI_USER>@<PI_IP> "uname -a"
```

3.8 SSH alias

```
# ~/.ssh/config on the Windows side
Host raspoutine
  HostName <PI_IP>
  User <PI_USER>
  IdentityFile C:\Users\<WIN_USER>\.ssh\<PROJECT_KEY>
  IdentitiesOnly yes
```

```bat
ssh raspoutine "uname -a"
```

4 VS Code Agent – Full Access via Shell Tool

Principle

  • The agent cannot execute OS commands by default.
  • A dedicated shell tool is registered by the extension.
  • User confirmation is required before execution.
  • The tool executes local commands such as ssh raspoutine ....

End-to-end validation

```bat
ssh raspoutine "uname -a"
```

Validated

The agent receives the SSH output inside the tool response.

5 Security & Applied Restrictions

Applied safeguards

  • Dedicated automation SSH key (ed25519, no passphrase).
  • SSH alias with pinned identity (IdentitiesOnly yes).
  • User confirmation in VS Code before execution.

Strong recommendation: Pi-side dispatcher (obbctl)

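```sh
# On the Pi: install a dispatcher that exposes only fixed subcommands
sudo tee /usr/local/bin/obbctl >/dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
# Map each allowed subcommand to one fixed command; refuse anything else
case "${1:-}" in
  info) uname -a ;;
  uptime) uptime ;;
  *) echo "Usage: obbctl {info|uptime}" ; exit 2 ;;
esac
EOF
sudo chmod +x /usr/local/bin/obbctl
```

```bat
ssh raspoutine obbctl info
```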

Optional hardening

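```js
// Shell tool guard (hypothetical helper name): refuse any command that does
// not start with the obbctl prefix.
function assertAllowedCommand(cmd) {
  if (!cmd.startsWith("ssh raspoutine obbctl ")) {
    throw new Error("Rejected: only ssh raspoutine obbctl commands are allowed.");
  }
}
```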
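
A prefix test like the one under "Optional hardening" also accepts any string that merely begins with the allowed text, including ones with extra arguments or shell operators appended. The following is an added example, not the extension's own code: it accepts only the exact four-token form and hands the result to execFile as an argv array, so no local shell parses the string. The function names are hypothetical, and the allowed subcommands are assumed to be the two defined in the obbctl script on this page.

```javascript
// Added example, not the extension's own code. Function names are hypothetical;
// the alias and subcommands (info, uptime) come from the obbctl script on this page.
const ALLOWED_SUBCOMMANDS = new Set(["info", "uptime"]);

// Validate the agent's requested command line and return it as an argv array.
// Only the exact form "ssh raspoutine obbctl <subcommand>" is accepted.
function parseAllowedCommand(cmd) {
  if (typeof cmd !== "string") {
    throw new Error("Rejected: command must be a string.");
  }
  // Split on single spaces only: extra whitespace, quotes, newlines or shell
  // operators end up inside a token and fail the exact comparisons below.
  const tokens = cmd.split(" ");
  if (tokens.length !== 4) {
    throw new Error("Rejected: expected exactly four tokens.");
  }
  const [bin, host, dispatcher, sub] = tokens;
  if (bin !== "ssh" || host !== "raspoutine" || dispatcher !== "obbctl") {
    throw new Error("Rejected: only ssh raspoutine obbctl commands are allowed.");
  }
  if (!ALLOWED_SUBCOMMANDS.has(sub)) {
    throw new Error("Rejected: unknown obbctl subcommand.");
  }
  return [bin, host, dispatcher, sub];
}

// Run a validated command with execFile, which starts ssh directly instead of
// handing a string to cmd.exe or PowerShell.
function runAllowed(cmd) {
  const { execFile } = require("node:child_process");
  const [file, ...args] = parseAllowedCommand(cmd);
  return new Promise((resolve, reject) => {
    execFile(file, args, { timeout: 15000, windowsHide: true },
      (err, stdout, stderr) => (err ? reject(err) : resolve({ stdout, stderr })));
  });
}
```

Keep the subcommand set in step with the `case` arms of obbctl on the Pi, so both sides refuse the same things.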

Key hygiene

Never publish private keys. Rotate immediately if a private key is exposed.

6 Operational Checklist

```bat
ping <PI_IP>
ssh <PI_USER>@<PI_IP> "uname -a"
ssh-keygen -t ed25519 -f "%USERPROFILE%\.ssh\<PROJECT_KEY>" -N ""
ssh raspoutine "uname -a"
ssh raspoutine obbctl info
```