It never gets to the nice point of connecting to the remote L5 device over WIFI.
Environment:
ssh server up and running on L5
ports open in ufw L5 firewall and accept incoming connections on (port 22)
public L5 IP used to connect on the client using client SSH (installed)
router firewall checked and does not block IP, public L5 IP can be pinged from client, client can be pinged using client public IP from L5 with no connectivity issues
Gnome sharing settings show “Remote Login=on” and “File Sharing=Enabled”
Error stated as above. (and i am just interested in getting the instructions to work as laid out here, no fancy keys other than the L5 user password that has to be entered on remote connection attempt)
From all of that, what is the secret to configuring (configuration file settings?) SSH on the L5 to work?
Besides my issues above isn’t it much safer to just use the USB cable and connect locally only over ethernet IP where no security precautions are needed since you can be assumed to be operating from a secure environment already?
I take it you’re trying to connect over the internet, as opposed to within your home wifi network?
Here’s what I based my tutorial on: https://www.makeuseof.com/tag/beginners-guide-setting-ssh-linux-testing-setup/
It lists some troubleshooting steps that may help.
Excerpt:
“The IP address you use should be the one suitable for the connection. So, if the device is on the same network as the client, use the local IP address. For connections across the internet, use the public IP address. If the computer is located on a different network, make sure that port 22 is forwarded to the computer.”
Not necessarily whatever works. It appears that port forwarding needs to be enabled to make it work. On the server side that is enabled by default but not on the client side. I will give that a try.
I assume you have used it successfully? My question would be how?
I had no problems enabling ssh exactly as outlined here, although initially I failed to allow it in the firewall, then corrected it.
I use ssh all the time, mainly to enter the L5’s terminal from my computer, execute commands, and copy terminal output to this forum (for example).
I used scp a lot in the beginning to copy files and pictures over, but then I switched to sftp, which allows me to save devices on my network as bookmarks in the files navigator on my computer. So I can just click on “Librem 5” or “Raspberry Pi” directly on my computer, enter the password, and open up the directories from those devices. Very convenient for transferring files.
By the way, I also changed the default port to something other than 22. I’ll probably switch from password to authentication keys soon.
I would use a non-default port on the internet gateway in this case. You can use port forwarding to change the external port number (preferably not 22) to the internal port number (can be 22 if you want) - so the non-default port number can be transparent to the Librem 5.
There are a bunch of different network configurations that might be involved here and I didn’t get a clear understanding from @Captain_Morgan regarding which applies. For example:
Librem 5 is at home on the local WLAN, client is outside the home and wants to connect in to the Librem 5.
Librem 5 is at home on the local WLAN, client is inside the home and wants to connect in to the Librem 5.
Librem 5 is at home but not on the local WLAN and is instead using the cellular modem to be on the internet and client is somewhere and wants to connect in to the Librem 5. Warning: With most cellular providers this will most likely be impossible because the Librem 5 will not have a public IP address and will be relying on CGNAT.
Only for IPv4 of course. For IPv6 it should just work. So that would be a point of clarification.
If this is an IPv4 address in a NAT scenario then the above statement isn’t all that relevant. You are pinging the internet gateway, not the Librem 5 itself. (Well, OK, it establishes something about basic connectivity.)
One thing to check is your Librem 5’s SSH server config. It can be configured to filter by username and/or IP address. Any such filtering by IP address is over and above the firewall.
grep -v ^# /etc/ssh/sshd_config
I would confirm working ssh-in to the Librem 5 from the local LAN before worrying about any public scenarios.
Thats my case: one complication laptop and L5 connected on same wifi, however both use VPN and the IP is routed through different VPN servers. Since i dont think it would be secure to expose either one IP directly to the network provider.
So what i really would like to do is not using SSH at all, instead plug in my phone with a USB to USB cable and use that hardwired cable to connect to the L5 - 100% airgapped. Is there a way to set that up, and in theory shouldnt that be much easier than the relatively insecure port forwarding method or opening listening ports to the internet?
Then they aren’t really in the situation that you describe, unless you override the VPN for select cases.
The basic scenario that I was describing in that bullet point is e.g. Librem 5 is 192.168.1.4 and client is 192.168.1.5 and the two devices may directly communicate over the local LAN (presumed to be 192.168.1.0/24 in this example).
If the VPN still allows LAN communication then you should be able to ignore the VPN.
So you would need to examine the output from route -n but this is rapidly becoming something that a rando on the internet without access to your network can’t troubleshoot.
Of course. Plug it in.
But since that just creates an additional network interface, you will still need to contend with VPN and routing. (Or, to put that another way, if you pull both devices off the WiFi, and disable the VPN on both devices, and then make the USB-to-USB connection then the pair will be able to network over USB but will be airgapped from the rest of the world.)
And in my experience out-of-the-box the client operating system may not assign an IP address and bring the interface up. So the Librem 5 end will be all good but you will have to work within whatever distro is running on the client to configure and bring up the interface. That will obviously depend on what distro you are using and its current configuration. (So you would start on the Librem 5 and use ifconfig to see what its state is and then do the same on the client.)
And once you have the networking up and running, you might still choose to use SSH (sftp) to transfer files but you can use whatever application protocol works for you.
Solved my use case and feel free to add it to your tutorial:
Use case computer and phone are accessible in the same room.
follow all your instructions,
setup wired connection on phone device usb0
setup wired connection on computer (using ubuntu it tries to setup a LAN over usb connection when plugging in the phone, use that connection to edit parameters because it chooses correct usb device)
IPv4 parameters manual(turn off IPv6)
IP 192.168.0.15 computer
IP 192.168.0.16 phone
SubnetMask 255.255.255.0
Gateway 192.168.0.1
connect usb cable between phone and computer
ping computer from phone, ping phone from computer, if packets are received launch SSH connection on computer follow screen prompts, SSH purism@yourname192.168.0.16
Benefits:
Airgapped, worked and moving files can be done without any security.
Cool…
Sounds like it should be a separate tutorial for use-cases such as yours. You can register to edit the Tips & Tricks wiki and create it if you want.
Am I correct in thinking that the ssh password is the same as the one I use to unlock my phone? And, if so, why is it not working? It replies with “Permision denied”.
And anther thing that might be related, is that the ufw command is not recognized on the L5.
Ah. When I check the ssh status, it tells me that I am an “invalid user”.