dt.iki.fi

Making sshd more secure on Sailfish OS

This assumes that Remote connection is enabled in Settings -> Developer tools and that it works.

Recent versions of Sailfish OS (currently 4.4.0.58) use a socket that listens on port 22, and start sshd (to be precise, a per-connection sshd@.service) whenever someone knocks.

Pretty neat, probably saves some resources when you don't need an ssh connection.

But safer it is not. I recommend making some changes to /etc/ssh/sshd_config to disallow most connection attempts.

First of all, you should use ssh keys instead of passwords. The process is the same as on any other GNU/Linux system and well explained e.g. here.

Then:

  • disallow root login
  • disallow password login
  • allow login only for a specific user from a specific IP range (e.g. when your phone is connected to the local network via WLAN)

Your /etc/ssh/sshd_config now might look like this (comments removed):

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms -diffie-hellman-group14-sha1
MACs -hmac-sha1,hmac-sha1-etm@openssh.com
PermitRootLogin no
PubkeyAuthentication no
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
SetEnv ENV=/usr/libexec/openssh/load_developer_profile
Subsystem   sftp    /usr/libexec/openssh/sftp-server
Match Address 10.0.0.*
    PubkeyAuthentication yes
    AllowUsers nemo
    UsePAM yes

The user is always nemo. The line Match Address 10.0.0.* is the crucial bit which you'll likely have to adapt to your specific situation (e.g. router address). It's possible to specify more than one pattern, see man sshd_config.

No reboot or unit restart is required for testing the changed configuration, just try a new ssh login.
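
To see what the Match Address block does for a given connection, the following added example (not part of the original post) resolves the settings that apply to a client address and lists the authentication methods left open. It assumes the precedence described in man sshd_config, where a matching Match block overrides the global section; the function names, sample text and addresses are constructed for illustration, and it also handles CIDR and negated patterns, which goes beyond the single wildcard used above.

```python
import fnmatch
import ipaddress

# Constructed sample: the authentication-related lines of the config above.
SAMPLE = """\
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.*
    PubkeyAuthentication yes
    AllowUsers nemo
"""
METHODS = ("pubkey", "password", "challengeresponse")  # <name>Authentication, default yes

def addr_matches(patterns, addr):
    """Comma-separated wildcard or CIDR patterns; a leading '!' negates."""
    hit = False
    for pat in patterns.split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        ok = (ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
              if "/" in pat else fnmatch.fnmatchcase(addr, pat))
        if ok and negated:
            return False  # a negated match rejects the whole list
        hit = hit or ok
    return hit

def effective(config, addr):
    """Global section overlaid by the 'Match Address' blocks that apply to addr."""
    glob, over = {}, {}
    target = glob
    for line in config.splitlines():
        words = line.split("#")[0].split() or [""]
        key, args = words[0].lower(), words[1:]
        if key == "match":  # assumption: other Match criteria are not modelled
            applies = len(args) == 2 and args[0].lower() == "address"
            target = over if applies and addr_matches(args[1], addr) else None
        elif key and target is not None:
            target.setdefault(key, " ".join(args))  # first value wins
    return {**glob, **over}

def open_methods(config, addr, user):
    """Authentication methods offered to `user` connecting from `addr`."""
    eff = effective(config, addr)
    user_ok = any(fnmatch.fnmatchcase(user, p) for p in eff.get("allowusers", "*").split())
    root_blocked = user == "root" and eff.get("permitrootlogin") == "no"
    if not user_ok or root_blocked:
        return []
    return [m for m in METHODS if eff.get(m + "authentication", "yes") == "yes"]
```

This only models the documented precedence; on the phone, sshd's extended test mode (sshd -T with a -C connection specification) reports what the daemon itself resolves.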

UsePAM

This is a different authentication method that happens on the phone afaiu, e.g. allowing login through fingerprint or unlock code. I have no use for this; my /etc/ssh/sshd_config is missing the last line (UsePAM yes).

Use a different port

Unfortunately the systemd socket's port is hardcoded to 22, and I like to further harden my /etc/ssh/sshd_config by using a non-standard port.

This is easy to fix. Assuming you want port 12345:

> devel-su
> grep ^Port /etc/ssh/sshd_config
Port 12345
> cd /etc/systemd/system/
> cp /usr/lib/systemd/system/sshd.socket .
> sed -i 's/ListenStream=22$/ListenStream=12345/' sshd.socket
> systemctl daemon-reload
> systemctl restart sshd.socket