Reverse SSH to be reached also on Mobile

Need: I need to SSH into my Sailfishos smartphone when it’s connected to mobile only (no wifi)
Base requirements: connection shall be private, protected and owned only by me

I found a free ssh provider that I can use to connect my Smartphone to when I’m on Mobile.

I send from SFOS mobile: ssh -R 4422:localhost:22 user@freesshproviderIjustfound.com

Having done this, I can ssh to the freesshprovider with the same user and then ssh to localhost into SFOS.

1 Like

Generally I have a similar need, and have thought much about it but couldn’t find a working solution until now. I would like to have ssh and sftp access to a phone not connected to my own WLAN but out in the field and only connected by mobile data - in the same way as I can do this in the WLAN.
My idea was to have some service or daemon running on my own private homepage (which has a static IP address and is also reachable by some URL, not only by a numeric IP address); the phone and the other communication partner (home computer or another Sailfish phone on the way) both connect to this service or daemon, so that all network traffic from one side is forwarded to the other side.
This would avoid the need for freesshproviders, who (in theory) are able to listen to your data and access your devices.

A tor hidden service can handle the backtunnel instead of ssh. Therefore there is no need for a proxy host under your control. Unfortunately the tor packages on Openrepos are outdated since they depend on an ancient openssl version. Recompiling the Fedora 39 Source RPM isn’t rocket science (works out-of-the-box after removing two %pre checks) but proper packaging will take some time.

On the phone you need the hidden service, i.e. configuration options HiddenServiceDir pointing to some persistent directory writable by the tor daemon and HiddenServicePort 22 127.0.0.1:22 for ssh access. Make sure to properly secure ssh on the phone, e.g. disable password authentication.

At first start tor will register the hidden service and dump its hostname in the configured HiddenServiceDir.

On a client you need a tor daemon with socks proxy enabled (default port 9050) and some ssh configuration (~/.ssh/config), e.g.

Host my_jolla
    hostname "HERE IS THE HOSTNAME OF YOUR HIDDEN SERVICE.onion"
    user nemo
    proxyCommand socat - socks4a:127.0.0.1:%h:%p,socksport=9050

Now ssh my_jolla will try to login as user nemo to your phone’s hidden service on port 22, i.e. ssh.

1 Like

If you find any way to have a private homepage on a server please pm to me because I cannot find any VPS to ssh into (or have a VPN running on).

What about tailscale? There is SfOS app for that:
https://openrepos.net/node/11720

Sorry, I don’t understand you. What do you mean with your question?

On the topic of reverse ssh tunnels, there are some guides out there (non SFOS-specific) on how to do this with systemd.

I have such a setup running right now, using a template service ~/.config/systemd/user/revssh@.service like this:

[Unit]
Description=Reverse tunnel to %I
After=network.target

[Service]
Type=simple
EnvironmentFile=%h/.config/systemd/user/reverse-ssh-tunnel@%i.env
ExecStart=/usr/bin/ssh -g -N -T -o Compression=yes -o VerifyHostKeyDNS=no  -o ServerAliveInterval=120 -o ServerAliveCountMax=4 -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -R ${REMOTE_PORT}:localhost:${LOCAL_PORT} ${REMOTE_USER}@${REMOTE_HOST} -i ${PATH_TO_KEY}
RestartSec=20
#Restart=always
Restart=on-success
KillMode=mixed

# pointlessly harden this:
#NoNewPrivileges=true
PrivateTmp=true

ProtectHome=read-only
ProtectKernelTunables=true
ProtectSystem=strict

#[Install]
#WantedBy=multi-user.target

With corresponding .env files like

PATH_TO_KEY=/home/nemo/.ssh/id_phonehome
REMOTE_USER=rnemo
REMOTE_HOST=ssh.example.org
REMOTE_PORT=2222
LOCAL_PORT=22

The ssh server has in /etc/ssh/sshd.conf:

Match User rnemo
ChrootDirectory /home/rnemo
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
#       PermitTTY no
X11Forwarding no
AllowTcpForwarding yes
AllowAgentForwarding no
PermitTunnel no

and a passwd entry like

rnemo:x:1006:1020:for SFOS phones to phone home:/home/rnemo:/bin/rbash

Using rbash is not strictly necessary and may complicate things, but I’d recommend keeping privileges of that user to an absolute minimum.

5 Likes
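A complementary server-side check for the setup above, added here as an example and not part of the post or the project: it assumes the server's sshd keeps the default GatewayPorts no (so a plain -R forward binds to loopback) and runs OpenSSH 7.8 or newer (for permitlisten); the ss output is constructed. The two functions verify that the forwarded port 2222 is bound to loopback only, and build the authorized_keys line that confines the phone's key to opening just that one forward, alongside the Match block above.

```shell
#!/bin/sh
# Added example, not from the forum post: server-side checks for the reverse
# tunnel opened by the systemd unit above.  Assumes sshd keeps the default
# GatewayPorts no and is OpenSSH 7.8+ (permitlisten).

# Constructed sample of "ss -Hltn" output on the server: one healthy tunnel
# bound on loopback plus the normal sshd listener.
SAMPLE_LISTING='LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# tunnel_bind_state PORT LISTING
# Exit status: 0 = PORT listens on loopback only (the expected state),
#              1 = PORT is bound on a wildcard/public address (exposed),
#              2 = PORT is not listening at all (tunnel down).
# Field 4 of each ss line is "addr:port"; the port is its last component.
tunnel_bind_state() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            n = split($4, a, ":")
            if (a[n] != p) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") { if (r == "") r = 0 }
            else r = 1
        }
        END { if (r == "") r = 2; exit r }'
}

# phone_authorized_key PORT PUBKEY
# authorized_keys line for the phone's key: "restrict" turns off pty, agent
# and X11 forwarding and user rc; "port-forwarding" re-enables forwarding
# only; "permitlisten" limits remote (-R) forwards to the single port the
# unit requests, whatever bind address is asked for.
phone_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Live usage on the server would be: tunnel_bind_state 2222 "$(ss -Hltn)"
if tunnel_bind_state 2222 "$SAMPLE_LISTING"; then
    echo "port 2222: loopback only, tunnel up"
fi
```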

Let me explain better: you wrote "to have some service or daemon running on own private homepage".
I agree this is a good solution for the implementation.
I tried many Virtual Private Servers, but the cost of this solution is high (the cheapest is 20€ per month).
My home provider does not allow port forwarding, and the mobile provider also does not allow the phone to be reachable via ssh.

But please if you find a way for creating a private homepage for free or low cost please keep me posted because I’m interested.

Thank you!

@philter But please if you find a way for creating a private homepage for free or low cost please keep me posted because I’m interested.

It’s simple: I have an ordinary contract with an internet provider, including the connection at home, a domain, 3 mail addresses and 1 GB of webspace. With an upgrade of the contract I can also have a virtual server.

You can use ZeroTierOne (available on openrepos) to have free ssh to your phone, but of course this goes through their servers, so it is not exactly an ‘owned by yourself’ solution.

People struggling with ISPs blocking access to port 22 might want to look into the sslh tool for their home server.

It can listen on port 443 (https) and detect what connects, and then forward to the appropriate service locally.

Works great for running sshd, openvpn and a web server all over one port.

4 Likes

Small instances on Digital Ocean, Linode, or any other cloud hosting provider will allow you to SSH in. Also, if you pay your ISP for a fixed IP, or make sure they don’t put you on a CG-NAT, while also using some dyndns service/script, you should be able to SSH home.

As an aside, if you create a systemd service for reverse tunnels, autossh is a very good wrapper, though as far as a quick search from my phone shows it is probably not available on SFOS at this time.