TUTORIAL: Using ssh and scp

I wrote this simple tutorial in case there are some Librem5 owners who are unaware of this capability (as I was), or who would like to see some practical examples of how to log in remotely to the L5 and/or copy files and folders over WiFi or shared ethernet. If anyone spots an error or wants to elaborate, please feel free to let me know. I’ll make corrections to the original post if necessary.

SECURE SHELL
Logging in remotely to the L5’s terminal

  1. On your computer (the client):

sudo apt update && sudo apt upgrade
sudo apt install openssh-client

  2. On the Librem 5 (the remote device):

sudo apt update && sudo apt upgrade
sudo apt install openssh-server

Confirm that it worked (i.e. the service shows “active (running)”):

sudo systemctl status ssh

If not active, enable it so that it starts now and on every boot:

sudo systemctl enable --now ssh

If a firewall (ufw) on the remote device blocks ssh:

sudo ufw allow ssh

Other ufw commands you may need:

sudo ufw status

sudo ufw enable

sudo ufw disable

Note that “allow ssh” opens port 22 on every network the phone joins (home WiFi, public WiFi, USB sharing). ufw rules can also be limited to a source address or subnet; see man ufw.

  3. Determine the IP address of the remote device (L5):

You can find it in the What IP app, in the L5’s terminal with

ip address

(or ifconfig, if the net-tools package is installed), or by logging in to your router and looking for the L5.

  4. To log in over WiFi to the remote device (L5) from your computer:

ssh username@REMOTE.IP.ADDRESS.HERE

Example: ssh purism@192.168.1.xxx

On the first connection, ssh prints the L5’s host key fingerprint and asks whether you want to continue connecting. That fingerprint is how you know you are talking to your phone and not to some other machine answering on the network, so compare it with the fingerprint of the phone’s own host key (ssh-keygen can print it from the key files under /etc/ssh/) before typing the word “yes”. Then provide the password to your L5. The following prompt will appear:

purism@pureos:~$

You are now logged into your L5 from your computer’s terminal, and can execute any terminal command remotely. This also makes it easy to copy terminal output and paste it here in the forum or elsewhere.

You can also connect your L5 to your computer over USB and use ssh without WiFi. You will need to use your computer’s network settings to create a Shared Connection over ethernet (not described here).

In the settings panel of the L5, under Sharing, you should now see that Remote Login is On. At the top of this panel, you can use the toggle to disable or enable remote sharing as you wish.

  5. To exit ssh, use the command exit in the terminal.
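When ssh asks whether you want to continue connecting on the first login, the fingerprint it prints is the SHA-256 of the phone’s host public key. The following Python script is an added example, not part of the original tutorial or of OpenSSH: it recomputes that fingerprint from a public-key line in the format of /etc/ssh/ssh_host_ed25519_key.pub and compares it with what the client displayed. The key it builds is a constructed all-zero ed25519 key, not any real device’s key; on the L5 itself the same value is printed by ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub.

```python
import base64
import hashlib
import re


def _ssh_string(data: bytes) -> bytes:
    """OpenSSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str = "") -> str:
    """Build a line in the format of /etc/ssh/ssh_host_ed25519_key.pub:
    '<type> <base64 blob> [comment]'. Used here only to construct sample
    input; a real device's key file is read, not generated."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def _key_blob(pubkey_line: str) -> bytes:
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    return base64.b64decode(fields[1], validate=True)


def fingerprint_sha256(pubkey_line: str) -> str:
    """What ssh-keygen -lf prints: 'SHA256:' + unpadded base64 of the SHA-256
    of the key blob. The trailing comment field is not part of the hash."""
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy form (ssh-keygen -E md5 -lf): 'MD5:' + colon-separated hex."""
    digest = hashlib.md5(_key_blob(pubkey_line)).digest()
    return "MD5:" + ":".join("%02x" % b for b in digest)


_FP = re.compile(r"(SHA256:[A-Za-z0-9+/]{43}|MD5:(?:[0-9a-f]{2}:){15}[0-9a-f]{2})")


def fingerprints_match(client_prompt: str, from_phone: str) -> bool:
    """Compare the fingerprint inside the client's prompt (e.g. 'ED25519 key
    fingerprint is SHA256:....') with one read off the phone. The fingerprint
    is extracted from surrounding text so copy/paste slop does not matter;
    returns False if either side has no recognisable fingerprint."""
    a, b = _FP.search(client_prompt), _FP.search(from_phone)
    return a is not None and b is not None and a.group(1) == b.group(1)


if __name__ == "__main__":
    # Constructed sample: an all-zero ed25519 key, not any real device's key.
    sample = make_ed25519_pubkey_line(bytes(32), "root@pureos")
    print(fingerprint_sha256(sample))
    print(fingerprint_md5(sample))
```

Read the fingerprint off the phone’s own screen and pass both strings to fingerprints_match(). If they differ, answer “no”: something else on the network is answering at the phone’s IP address. The same comparison applies when the client later warns that the host key has changed, which is expected only after something that regenerates the phone’s host keys, such as reflashing it.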

SECURE COPY

  1. Now that ssh is enabled, you can use the Secure Copy command (scp) to copy files or entire folders from the L5 to your computer, and vice versa. scp runs over ssh and uses the same username and password, but you run it from your computer’s own terminal: you do not log in to the L5 via ssh first.

The syntax is:

scp remote_username@REMOTE.IP.ADDRESS.HERE:/remote/file.txt /local/directory

Examples:

scp purism@192.168.1.xxx:/home/purism/example.txt /home/yourusername/Desktop would copy the file example.txt located in the L5’s Home folder to the desktop of your computer.

scp purism@192.168.1.xxx:/home/purism/Pictures/2021-04-12-example.png /home/yourusername/Desktop would copy the image 2021-04-12-example.png located in the L5’s Pictures folder to the desktop of your computer.

  2. To copy an entire folder from the L5 to your computer:

scp -r purism@192.168.1.xxx:/home/purism/Pictures /home/yourusername/Desktop will copy the folder “Pictures” from the L5 to your computer. (More convenient than copying individual images or files one at a time, in case there are many to copy.) The -r after scp stands for “recursive”: scp descends into the folder and copies every file and subfolder inside it. Without -r, scp refuses to copy a folder.

  3. To copy a file from your computer to the L5, the syntax is:

scp file.txt remote_username@REMOTE.IP.ADDRESS.HERE:/remote/directory

If the file is not located in your computer’s Home directory (the folder a new terminal starts in), either give its full path, for example /home/yourusername/Desktop/file.txt, or first change directory to its location with the command cd, for example cd Desktop if the file is on your desktop, and so on.

Example, from your home directory:

scp example.txt purism@192.168.1.xxx: (Use the actual ip address of your L5. This places the file in the L5’s home directory.)

scp example.txt purism@192.168.1.xxx:/home/purism/Documents (This goes to the L5’s Documents folder.)

  4. TIP: Although you perform scp without logging in to the other device with ssh, it may be helpful to use ssh first in order to list (ls) the contents of a folder so that it will be easy to copy and paste the name of a file or files for scp. Just be sure to exit ssh before you use scp: the scp commands above are written for your computer’s terminal, and typed inside the ssh session they would run on the L5 instead and fail.

===================
I hope this helps other members here, especially those less experienced with the terminal.

EDIT: See important security considerations and recommendations in the comments below.

24 Likes

Once you have installed openssh-server, a graphical option is available to activate / deactivate the SSH server:
Settings > Sharing > Remote Login

For security, you should deactivate it when you don’t use it.
Another security measure would be to set up the SSH connection to accept keys and refuse passwords, but maybe that’s the next tutorial :stuck_out_tongue:

12 Likes

Nice; it’s good to keep things simple for beginners. But maybe add very brief mentions (with links for further reading) on things folks might like to do at some point. These rabbit holes come to mind:

5 Likes

Using preshared keys allows ssh, scp, and rsync over ssh without a password. Keys should be protected with a passphrase. (Passphrases can be stored in an agent, so it is generally only necessary to enter a passphrase once per login.)

https://wiki.debian.org/SSH

3 Likes

While not guaranteed to be wrong, pureos probably ought to be purism in the above command.

Also, at this stage I have serious security reservations about allowing ssh into the purism account. On the one hand, I think purism must have a numeric password right now (right?) and you don’t want a PIN that is ridiculously long, but on the other hand that isn’t really strong security for remote access. (Keeping it simple and not getting into certificates i.e. public/private key pairs.)

I have chosen to configure my SSH server to allow access only via a supplementary account (not via purism) and I have also chosen to configure my SSH server to limit access to only from a suitable local IP address (rather than from any IP address). (The latter is not real security but it helps to thwart an attacker.)

I have also chosen to move the SSH server to a non-default port. This 100% is not security. It is just obscurity, but it helps to reduce the number of attacks.


Also, immediately after boot, sshing in to the phone does not work at all (No route to host). I think this is an ARP problem. In any case, it is a known problem (and has always been a problem for me). The guessed workaround that I am using is to ping the host computer from the Librem 5 after booting and before attempting to ssh in. (I imagine that this is only a problem when attempting to access via WiFi, not if attempting to access via the mobile network.)

Is anyone else experiencing this? Is everyone else experiencing this?

On my computer (running Ubuntu), that worked out-of-the-box i.e. operating system saw the new network device, created a new network interface, automatically was assigned an appropriate IP address, and connecting through to the phone’s IP address (for that connection) worked.

sshfs too - but maybe that’s the third tutorial. :wink:

6 Likes

I think this tutorial should go in the Community Wiki once you are happy with its contents.

5 Likes

Oops! Thanks…fixed.

Could you write this up as an addendum here?

I’ve never seen this behavior myself.

Interesting. I’m pretty sure I had to create it myself on my Mint machine. But then, I didn’t really know what I was doing anyway. :hushed:

1 Like

Sure.

Edit /etc/ssh/sshd_config

Change or add lines like the following:

Port 9999
AllowUsers irvine@192.168.1.0/24

but you would first have to create that additional user, irvine, from the shell, as I don’t think a GUI exists for this (yet).

adduser irvine
adduser irvine sudo

and obviously the second command is only if you want to allow this supplementary user to have sudo access

and you’ll need to set a password for the new account (with the passwd irvine command).

Edit: In case it’s not obvious, all of the above has to be done as root.

3 Likes

(Lucky for you.) I looked into this a bit more. I think it’s: https://source.puri.sm/Librem5/linux-next/-/issues/69 and I had managed to stumble upon the workaround given there by Todd.

I couldn’t understand from the ensuing information in that issue as to whether it should or should not be fixed by now, but it definitely isn’t fixed for me.

1 Like

Something else you may want to consider is the possibility X11 forwarding. This would allow a user to run a graphical application on the phone, but display that graphical window on the client computer. Might help with capturing screen output or sizing issues due to the small phone screen size.

2 Likes

Instead of using allowusers to allow a specific ip and a different port, I suggest using the firewall. I don’t know how to use ufw (I’m a redhat guy), but you can do it in iptables with this:
iptables -A INPUT -m tcp -p tcp --dport 22 -s 192.168.1.xxx -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j REJECT

This way things can’t even poke the ssh daemon unless they are from that ip address. Thus even if there is some sshd vulnerability:
a. It’s hard to hit the ssh daemon, as you need to have a very specific ip address.
b. It hides that you even have sshd running, thus making it invisible to all but a targeted attack.

With the special port, all I need to do is a port scan on your host, and connect to that port, and it’ll tell me it’s an ssh server.
(note that you need a mechanism to maintain the iptables rules, on red hat systems it’s /etc/sysconfig/iptables, not sure about pureos)

3 Likes

Fun fact: there is tab completion for remote paths. This is very useful when using scp and rsync because without it you need to type the paths yourself, perhaps from memory.

I had remote tab completion enabled by default (between two Ubuntu systems IIRC) when using key authentication instead of passwords.

Maybe an L5 owner can try so that we see if this works out of the box or if further configuration is needed.

Definitely a valid point.

I could suggest defence in depth - and ask for both!

(For example, iptables may not stop a relay attack via localhost. Of course I would have to have other software installed on my Librem 5 for that even to be possible and I don’t think I have installed anything that offers that opportunity to the hacker at the current time.)

At this stage, with things still very much in flux and messing around with lots of things on my Librem 5, I am trying not to activate the firewall.

(While I am at home, the Librem 5 is protected by the gateway firewall anyway. While on the mobile network, I don’t have a public IP address at all i.e. carrier grade NAT - so it would be difficult for a random internet user to probe for sshd. So I am comfortable with the level of risk. Wind the clock forward a year, things have settled down, configuration and software stable and locked down, I would definitely review the firewall situation.)

For me, it doesn’t seem to work when using password authentication. (This isn’t surprising in the sense that at the time of pressing Tab it hasn’t prompted for the password - and it doesn’t then prompt for a password.)

As a workaround, if you want Tab to work then use sshfs. I can confirm that that works - and that is more convenient anyway for shuffling a number of files in either direction.

I thought about linking this thread to the Community Wiki (rather than recreating it there). Which of the existing subheadings do you think this fits under? Or should we start a new subheading for, say, Miscellaneous Tutorials?

Regarding ssh configuration, generally leaving password access enabled is considered insecure. Passwords can be intercepted MITM if you’re inattentive, etc.

I would suggest disabling password access and leaving only the option to authenticate via public key. That should be more secure than changing ports, adding a separate user and limiting IP addresses all together, while taking about as much effort to set up.

10 Likes
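The sshd_config edits in the earlier reply (Port, AllowUsers) and the recommendation just above to disable password authentication are all settings in /etc/ssh/sshd_config, and two things trip people up there: sshd uses the first occurrence of a keyword and ignores later ones, and anything not set keeps sshd’s built-in default, which for PasswordAuthentication is yes. The following Python script is an added example, not code from this thread or from Purism: it parses a config text with those rules and flags the settings discussed in the thread that are still at an insecure value. The two configs embedded in it are constructed samples. It reads a single text and does not follow Include lines (Debian-based systems put one at the top of sshd_config, and files under /etc/ssh/sshd_config.d/ therefore win), so the authoritative check on the phone remains sudo sshd -T, which prints the effective configuration.

```python
import re

# Constructed sample configs (not copied from a real device).
# WEAK_CONFIG is what a stock install effectively runs: the security-relevant
# lines are commented out, so sshd's built-in defaults apply.
WEAK_CONFIG = """
# PureOS/Debian ship most lines commented out, like this:
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
Port 22
"""

# HARDENED_CONFIG applies the thread's recommendations. The second
# PasswordAuthentication line is deliberate: sshd keeps the FIRST value.
HARDENED_CONFIG = """
Port 9999
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers irvine@192.168.1.0/24
PasswordAuthentication yes
"""

# sshd's own defaults for the keywords audited here (see sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# 'Keyword value' or 'Keyword=value'; keyword is letters only.
_LINE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings as {lowercased keyword: value}.

    Rules applied: blank lines and lines starting with '#' are comments,
    keywords are case-insensitive, and only the FIRST occurrence of a
    keyword counts. Parsing stops at the first Match block, whose settings
    are conditional; its presence is recorded under the pseudo-key
    '_has_match'.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        keyword, value = (m.group(1), m.group(2)) if m else (line, "")
        keyword = keyword.lower()
        if keyword == "match":
            settings["_has_match"] = "yes"
            break
        settings.setdefault(keyword, value.strip())
    return settings


def audit_sshd_config(text: str) -> list:
    """Return human-readable findings for settings still at an insecure value."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is effectively '%s'; set it to 'no' "
                        "once key login is confirmed working"
                        % effective("passwordauthentication"))
    if effective("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is effectively '%s'; PAM can "
                        "still prompt for the account password through it"
                        % effective("kbdinteractiveauthentication"))
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is '%s'; key login would be refused"
                        % effective("pubkeyauthentication"))
    if effective("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin is '%s'; use 'no'" % effective("permitrootlogin"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups line: every local account, "
                        "including 'purism', may log in over ssh")
    if cfg.get("_has_match") == "yes":
        findings.append("Match block present: its conditional settings were not "
                        "audited; check the effective values with 'sshd -T'")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK_CONFIG", WEAK_CONFIG), ("HARDENED_CONFIG", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print(name + ":", "no findings" if not findings else "")
        for f in findings:
            print("  -", f)
```

Order of operations matters when switching to keys: generate a key on the computer (ssh-keygen -t ed25519), install it on the phone (ssh-copy-id purism@192.168.1.xxx), confirm that a key login works, and only then set PasswordAuthentication no. After editing, sudo sshd -t checks the file for syntax errors and sudo systemctl reload ssh applies it without dropping the session you are in.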

Why do just one when you can do all of them? The more locked down the better.

but this is true, publickey auth only is very good.

1 Like

Because you can spend your efforts on actually improving your security instead.

and how do those things not improve security? None of them are very time consuming…