We have moved to a new Sailfish OS Forum. Please start new discussions there.
36

Disable SSH daemon when remote connections are disabled

asked 2013-12-26 15:17:27 +0200

Plnt gravatar image

updated 2014-11-30 17:56:14 +0200

ralooyar gravatar image

Current implementation of disabling Remote connection in developer mode just disables login of nemo user but it doesn't completely disable the SSH daemon. I don't mind about the SSH listening on USB connection but I don't like the idea of having SSH daemon listening on the WiFi connection when connected to untrusted WiFi. Not that it's high-risk but it's another way how the security in the phone could be possibly exploited.

How to reproduce:

  1. Go to Settings -> System settings -> Developer mode and enable it.
  2. Disable Remote connection (if enabled).
  3. Reboot the phone.
  4. SSH is still listening on port 22 and is open not just via USB networking but completely open via WiFi connection.
edit retag flag offensive close delete

Comments

2

With update 2 / Sailfish OS 1.0.2.5 disabling "Remote connection" still only disables password-based logins of user nemo. Key-based logins (authorized_keys) still work. Please stop the SSH daemon alltogether when the "Remote connection" setting is disabled.

Nirkus ( 2013-12-27 23:42:39 +0200 )edit

2 Answers

Sort by » oldest newest most voted
2

answered 2015-01-11 00:58:57 +0200

ralooyar gravatar image

updated 2015-01-11 01:10:55 +0200

This seems to be fixed with 1.1.1.27 (Vaarainjärvi).

I just did

ssh nemo@jolla

as I always did with 1.0.8.21 (Tahkalampi). But this time, I got:

ssh: connect to host jolla port 22: Connection refused

instead of being logged in via my pre-shared key.

Can someone confirm this?

Update: I have to object myself: This bug is not fixed, yet. I disabled remote connection and rebooted my phone and then I could connect via ssh. I don't know why I encountered the "connection refused" in the first place.

edit flag offensive delete publish link more

Comments

1

I can confirm this behavior. If I reboot Jolla with remote connections disabled SSH is listening on port 22. But if I turn the option on and off again (just "Remote connection", not "Developer mode") it behaves correctly - it doesn't listen on port 22. It also isn't listed in netstat.

Plnt ( 2015-01-11 10:50:05 +0200 )edit
0

answered 2013-12-26 15:31:00 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2013-12-26 15:32:31 +0200

TNZ gravatar image

(first post) Not specially an answer, but a reflexion about SSH on sailfish : Is RSA keying availble ? I mean, authorizing connection with idrsa/authorizedkeys mechanism.

In this case, in order to have an acceptable security level, could Sailfish lock SSH connection thru password and let RSA Keys work ?

edit flag offensive delete publish link more

Comments

3

yes that works fine, it's always my first step to install the keys for nemo and root:

ssh-copy-id nemo@192.168.2.15
ssh nemo@192.168.2.15
devel-su
cd ~
cp -vr /home/nemo/.ssh

But I agree disabling password logins and shutdown sshd should be doable from UI.

Kontio ( 2013-12-26 15:45:29 +0200 )edit
2

I guess you don't want the kiddies trying your phone over SSH with a dictionary of passwords, hence draining your battery.

gabriel ( 2014-02-07 17:15:57 +0200 )edit
2

Thanks for testing this out. I always asked me this question, but didn't manage to test this out. ;)

So, to sum this up in very few words:

Although "Remote connection" is disabled, you can still connect remotely via SSH over WiFi! (with public key authentication)

This is definitely a bug, that should be fixed. (I am kind of a person, who likes to have as much "security walls" behind each other, as one could get. ;) )

This bug is still valid for 1.0.8.21 (Tahkalampi).

ralooyar ( 2014-11-30 18:07:17 +0200 )edit
1

Another interesting fact in this topic: SSH-Login seems to be blocked, as long as your jolla phone is in sleep mode (display off).

Reproduce:

  1. wait untill your jolla turns its display off
  2. start a ssh nemo@jolla on your PC => Connection-request does not finish. It just waits.
  3. now double tab on your jolla screen to wake it up => connection is instantly enabled.

I guess this is a nice security feature. Since it gives the user a little bit more control about the time, a ssh connection can be established.

ralooyar ( 2014-11-30 18:34:54 +0200 )edit
Login/Signup to Answer

Question tools

Follow
13 followers

subscribe to rss feed

Stats

Asked: 2013-12-26 15:17:27 +0200

Seen: 929 times

Last updated: Jan 11 '15

Related questions

VPN client [released]

Word prediction should be always turned off when entering passwords in Android apps [released]

Bug: [3.0.0.8] E-mail can't read forward as attachment [released]

Password manager for Sailfish [answered]

Android VKB saves and suggests passwords in plaintext

Media player trough carkit (handsfree)not working

PBAP bluetooth profile support is requested [released]

My Jolla does not recognise any micro sd card. What I can do? [answered]

Add skype integration to sailfish os

Add DBus interface to stock music player [released]

Copyright © Jolla Ltd. 2013-2019. All rights reserved.
about | faq | help | privacy policy | terms of service | give feedback
Powered by Askbot version 0.7.49