This article deals with making SSH access more secure on your SFOS phone, after initial SSH setup.
Please read the chapter SSH on SFOS first.
Using an SSH key instead of a password is the standard recommendation for protecting an SSH server against password-guessing attacks. The procedure is exactly the same as on any other GNU/Linux system; see e.g. here for a tutorial.
Remember to restrict access to ~/.ssh/ and the files in it, otherwise ssh won’t let you use the keys and you might lock yourself out!
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
Password login and root login should also be disabled completely. Since a system update may overwrite our edits to /etc/ssh/sshd_config, we use this roundabout way of adding the settings to the configuration:
As root (devel-su), create the new file /etc/ssh/sshd_my_config with these lines:
## Override some values
## This is necessary because the SFOS config file
## sets AllowUsers, which is cumulative, and can't
## be unset. From man sshd_config:
## Unless noted otherwise, for each keyword,
## the first obtained value will be used...
DenyGroups !defaultuser
DenyUsers !defaultuser
PermitRootLogin no
# Port XXX  ## uncomment and set a port of your choice
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
AllowUsers defaultuser
## ...therefore the Include is at the end
Include /etc/ssh/sshd_config
Now, create the new file /etc/ssh/ssh-env.conf with this line:
SSHD_PARAMETERS="-f /etc/ssh/sshd_my_config"
To understand what is happening here, take a look at sshd@.service:
$ systemctl cat sshd@.service
# /usr/lib/systemd/system/sshd@.service
[Unit]
Description=OpenSSH per-connection server daemon
Wants=sshd-keys.service
After=sshd-keys.service
[Service]
EnvironmentFile=-/etc/ssh/ssh-env.conf
ExecStart=-/usr/sbin/sshd -i $SSHD_PARAMETERS
ExecReload=/bin/kill -HUP $MAINPID
StandardInput=socket
StandardOutput=socket
Since sshd is socket-activated on SFOS, a fresh sshd process is started for every incoming connection and reads the configuration anew, so there is no daemon to restart: it is enough to log out of all ssh sessions.
Now try to ssh in again; you will no longer be allowed to use your password, but you should of course still be able to connect with your key file.
Consider changing the default port 22 to something else by uncommenting the Port line in sshd_my_config, and also adding an identical Port line to the Host stanza for your alias in your local (i.e. not the phone) ~/.ssh/config. Note that with socket activation the listening port is actually determined by sshd.socket, see below.
The phone’s shell and the URxvt terminal emulator have difficulties communicating. I installed xterm on my computer and use that to connect to the phone; it works perfectly.
Adding SetEnv TERM=linux to the top of the local (non-phone) ~/.ssh/config might also help.
Of course one can always use the terminal app directly on the phone. It gives full access to the system just like SSH.
To allow login only for a specific user from a specific IP range (e.g. when your phone is connected to the local network via WLAN),
add something like this at the end of /etc/ssh/sshd_my_config, after the Include line (everything following a Match line belongs to that block until the next Match line or the end of the file, so an Include placed below it would itself become conditional):
Match Address 10.0.0.*
PubkeyAuthentication yes
AllowUsers defaultuser
The line Match Address 10.0.0.* is the crucial bit which you’ll likely have to adapt to your specific situation (e.g. router address). It’s possible to specify more than one pattern, see man sshd_config.
No reboot or unit restart is required for testing the changed configuration, just try a new ssh login.
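Before logging out of the last session you can also check which settings sshd will actually apply for a given client. The following POSIX shell script is an added example, not part of the original article: it runs sshd -T against the override file (the same -f argument SSHD_PARAMETERS passes) with -C to simulate one connection, so both the global overrides above and the Match Address block are evaluated, and compares the dump against the values set in this article. The names check_sshd_settings, audit_live_sshd and EXPECTED, and the sample client address 10.0.0.5, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit the settings sshd will
# actually apply before you log out of your last session. "sshd -T" dumps the
# effective configuration, "-f" points it at the override file exactly as
# SSHD_PARAMETERS does, and "-C" simulates one connection so Match blocks are
# evaluated for that client address/user. Assumed: EXPECTED holds the values
# this article sets; 10.0.0.5 is a constructed sample address in 10.0.0.*.

# Expected effective values as "keyword value" (sshd -T prints keywords in lowercase).
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowusers defaultuser'

# check_sshd_settings: read sshd -T output on stdin, print one line on stderr
# per expected setting that is missing or differs; return 0 only if all match.
check_sshd_settings() {
    dump=$(cat)
    failures=$( {
        printf '%s\n' "$EXPECTED" | while read -r key want; do
            got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
            [ "$got" = "$want" ] ||
                printf '%s: want %s, got %s\n' "$key" "$want" "${got:-<missing>}"
        done
        # allowusers is printed once per entry and is cumulative with the
        # included SFOS file, so every entry must be defaultuser, not just one.
        printf '%s\n' "$dump" |
            awk '$1 == "allowusers" && $2 != "defaultuser" { print "allowusers: unexpected entry " $2 }'
    } )
    if [ -z "$failures" ]; then
        return 0
    fi
    printf '%s\n' "$failures" >&2
    return 1
}

# audit_live_sshd: run as root (devel-su) on the phone; evaluates the Match
# blocks as a client at $1 (default 10.0.0.5) logging in as defaultuser.
audit_live_sshd() {
    /usr/sbin/sshd -T -f /etc/ssh/sshd_my_config \
        -C "addr=${1:-10.0.0.5},user=defaultuser" | check_sshd_settings
}

# Only talk to the real sshd when an address is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_live_sshd "$1"
fi
```

Run it a second time with a constructed address outside the range (e.g. audit_live_sshd 192.168.1.9) to see what sshd would apply to a client that does not hit the Match block.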
The systemd socket’s port is hardcoded to 22, but it’s easy to change it:
devel-su
mkdir /etc/systemd/system/sshd.socket.d
nano /etc/systemd/system/sshd.socket.d/override_port.conf
Add this (the first, empty ListenStream= line clears the inherited port 22; without it, systemd would keep listening on 22 in addition to the new port, since list settings in drop-ins are additive):
[Socket]
ListenStream=
ListenStream=<your_new_preferred_port>
And then
systemctl daemon-reload && systemctl restart sshd.socket
Log out of all ssh sessions, make sure to also change the Port in the Host stanza of your local ~/.ssh/config, and log back in => success!