Making sshd more secure on Sailfish OS
Assuming Remote connection is enabled in Settings -> Developer tools, and works.
Recent versions of Sailfish OS (currently 126.96.36.199) use a socket that listens on port 22, and start sshd (to be precise, a per-connection sshd@.service) whenever someone knocks. Pretty neat, probably saves some resources when you don't need an
But safer it is not. I recommend making some changes to /etc/ssh/sshd_config to disallow most connection attempts.
First of all, you should use ssh keys instead of passwords. The process is the same as on any other GNU/Linux system and is well explained e.g. here. The changes to sshd_config are:
- disallow root login
- disallow password login
- allow login only for a specific user from a specific IP range (e.g. when your phone is connected to the local network via WLAN)
/etc/ssh/sshd_config now might look like this (comments removed):
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    KexAlgorithms -diffie-hellman-group14-sha1
    MACs -hmac-sha1,firstname.lastname@example.org
    PermitRootLogin no
    PubkeyAuthentication no
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    SetEnv ENV=/usr/libexec/openssh/load_developer_profile
    Subsystem sftp /usr/libexec/openssh/sftp-server
    Match Address 10.0.0.*
        PubkeyAuthentication yes
        AllowUsers nemo
        UsePAM yes
The user is always nemo. The line Match Address 10.0.0.* is the crucial bit, which you'll likely have to adapt to your specific situation (e.g. router address). Everything outside the Match block applies to every client, so with PubkeyAuthentication no and PasswordAuthentication no at the top level, a connection from any other address has no way to authenticate at all. It's possible to specify more than one pattern, see
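To see exactly which directives end up applying to a given client, here is a small evaluator for the Match Address semantics the configuration above relies on. It is an added example, not code from the original post or from OpenSSH: it models the wildcard form used in the post (10.0.0.*) plus the CIDR and '!'-negation forms that Match Address also accepts, and reports the effective settings for a client address. The embedded sample config is a trimmed copy of the one above (HostKey, KexAlgorithms/MACs and SetEnv lines left out, and without the UsePAM line inside the Match block, because OpenSSH accepts UsePAM only globally and sshd -t rejects it inside a block). The function names are the example's own. On the device itself, sshd -T -C addr=<ip>,user=<name> gives the authoritative answer.

```python
"""Which sshd_config directives apply to a given client address?

Added example, not code from the original post or from OpenSSH: a small
model of the Match Address semantics used above. It handles the wildcard
form from the post (10.0.0.*), CIDR notation (10.0.0.0/24) and the '!'
negation prefix. It is an offline reading aid, not a replacement for
`sshd -T -C addr=<ip>,user=<name>` run on the phone.
"""
import fnmatch
import ipaddress

# Constructed sample: the post's configuration with the HostKey,
# KexAlgorithms/MACs and SetEnv lines trimmed, and without UsePAM inside
# the Match block (OpenSSH only accepts UsePAM at the global level).
SAMPLE_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Subsystem sftp /usr/libexec/openssh/sftp-server
Match Address 10.0.0.*
    PubkeyAuthentication yes
    AllowUsers nemo
"""


def parse_config(text):
    """Split sshd_config text into global directives and Match blocks.

    Returns (globals, blocks): globals maps lowercased directive -> value,
    blocks is a list of (address_patterns, directives) in file order.
    A directive repeated within one section keeps its first value, which
    is what sshd does for single-valued directives.
    """
    globals_ = {}
    blocks = []
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit_type, _, crit_value = value.partition(" ")
            if crit_type.lower() != "address":
                raise ValueError("only 'Match Address' is modelled here")
            current = {}
            blocks.append((crit_value.strip().split(","), current))
            continue
        current.setdefault(key, value)
    return globals_, blocks


def address_matches(patterns, client_ip):
    """Evaluate a Match Address pattern list the way sshd does.

    Patterns are tried in order; a '!' prefix negates, and a negated hit
    rejects the whole list at once, while a positive hit is remembered.
    """
    ip = ipaddress.ip_address(client_ip)
    matched = False
    for pattern in patterns:
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if "/" in pattern:
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        else:
            hit = fnmatch.fnmatchcase(client_ip, pattern)
        if hit and negate:
            return False
        matched = matched or hit
    return matched


def effective_config(text, client_ip):
    """Global directives overridden by every Match block the client
    satisfies; the first matching block to set a directive wins over
    later ones, as in sshd."""
    globals_, blocks = parse_config(text)
    effective = dict(globals_)
    set_by_match = set()
    for patterns, directives in blocks:
        if not address_matches(patterns, client_ip):
            continue
        for key, value in directives.items():
            if key not in set_by_match:
                effective[key] = value
                set_by_match.add(key)
    return effective


def pubkey_login_possible(text, client_ip, user):
    """True when `user` could authenticate with a public key from
    client_ip under the effective configuration (passwords ignored)."""
    cfg = effective_config(text, client_ip)
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        return False
    allowed = cfg.get("allowusers")
    if allowed is not None and user not in allowed.split():
        return False
    if user == "root" and cfg.get("permitrootlogin", "prohibit-password") == "no":
        return False
    return True


if __name__ == "__main__":
    for ip, user in [("10.0.0.5", "nemo"), ("10.0.0.5", "root"), ("203.0.113.9", "nemo")]:
        ok = pubkey_login_possible(SAMPLE_CONFIG, ip, user)
        print(f"{user}@{ip}: public-key login possible = {ok}")
```

Running it shows nemo from 10.0.0.5 as the only combination that can authenticate: root is excluded by AllowUsers and PermitRootLogin, and a client outside 10.0.0.* inherits the global PubkeyAuthentication no with no password fallback.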
No reboot or unit restart is required for testing the changed configuration, just try a new ssh login.
UsePAM
This is a different authentication method that happens on the phone, as far as I understand, e.g. allowing login through fingerprint or unlock code. I have no use for this; my /etc/ssh/sshd_config is missing the last line (UsePAM yes).
Use a different port
Unfortunately the systemd socket's port is hardcoded to 22, and I like to further harden my /etc/ssh/sshd_config by using a non-standard port. This is easy to fix. Assuming you want port 12345:
    > devel-su
    > grep ^Port /etc/ssh/sshd_config
    Port 12345
    > cd /etc/systemd/system/
    > cp /usr/lib/systemd/system/sshd.socket .
    > sed -i 's/ListenStream=22$/ListenStream=12345/' sshd.socket
    > systemctl daemon-reload
    > systemctl restart sshd.socket
Keep the existing ssh session open until a login on the new port has been confirmed, so a typo in the unit file doesn't lock you out of the device.