iPhone and Linux

Saturday, December 5, 2009

ssh tricks and security

If you have a jailbroken iPhone with ssh installed, you've probably heard about the handful of worms going around that exploit the fact that people don't change their default iPhone passwords.

Of course, the fix is simple. Change your damn password! As an added bit of security, if you have SBSettings, you can get an ssh toggle to turn off ssh access when you're not using it. That should be good enough, but why not go a little further?

First, set up ssh keys using this how-to. It may seem confusing the first time, but it's really very simple. I've done it twice. The first time took a few minutes and the second time took about 30 seconds. I set up keys to log in to my computer from my iPhone, and also keys to log in to my phone from my computer.

(As a side note: if you have ssh keys set up on a phone or computer that gets lost, you will need to remove its entry in authorized_keys on the other computer and delete the key.)

Simply setting up ssh keys doesn't help with security yet. We'll get to that, but right now let's look at the tricks you can do with ssh keys, mainly the convenience of being able to log in without a password. Instead, the computers are authenticated with the keys. You can log in with slogin:

    slogin -i ~/.ssh/SSH_FILENAME user@IP

You can also put that in a script and simply run the script to log in.

Another command that works with ssh keys is scp, which is ssh's copy command that copies files between computers:

    scp -i ~/.ssh/SSH_FILENAME FILE_TO_COPY user@IP:/PATH/TO/COPY/TO

You can also modify that a little to put it in a script and run the script with the file you want to copy as an argument (the quotes keep filenames with spaces intact):

    scp -i ~/.ssh/SSH_FILENAME "$1" user@IP:/PATH/TO/COPY/TO

Another script to transfer directories:

    scp -r -i ~/.ssh/SSH_FILENAME "$1" user@IP:/PATH/TO/COPY/TO

You can put all of these on your iPhone and computer and perhaps name the ssh scripts "sshcomp" and "sshphone", the scp scripts "tocomp" and "tophone", and the "scp -r" scripts to recursively copy a directory "tocompr" and "tophoner" and never have to worry about typing in long ssh or scp commands again.

Now, let's get back to ssh security. Once the keys are working, let's look at the ssh setup. The file we want to have a look at should be located at /etc/ssh/sshd_config.

There are a few lines that can greatly enhance our security. They are probably commented out and look like "# Something", so you will need to remove the "#" in order for the option to take effect. These are the options we want to look at:

Port 22 - The default port for ssh is 22 and everyone knows it. Anyone port scanning your computer or phone will probably probe ports for common services like email, web server and ssh, and it may only take one or two seconds to scan the common ports. Well, computers have 65535 ports, so why run ssh on the ssh port? Pick a random port!

(EDIT: I found that editing /etc/ssh/sshd_config didn't change the port on the iPhone. After a little Google work, I found that launchd overrides the port configuration, but you can change the phone's ssh listening port by editing /etc/services. You will see two lines "ssh 22/udp" and "ssh 22/tcp". Change both "22"s to whatever port you want to use.)

Don't forget to allow that port in firewalls and routers and specify it when using scp or ssh. To specify ports for those programs, use -P for scp and -p for slogin. Examples using port 5555:

    scp -i ~/.ssh/SSH_FILENAME -P 5555 "$1" user@IP:/PATH/TO/COPY/TO
    slogin -i ~/.ssh/SSH_FILENAME -p 5555 user@IP

PermitRootLogin no - Set this to no, log in as a regular user, and use "su" instead.

PubkeyAuthentication yes - These are the ssh keys I've been talking about. We want to use those.

PasswordAuthentication no - This is how you normally log in through ssh. You can turn this off so the only way to log in is with the ssh keys. Even if someone knows your password, they can't get in without the keys.
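To check that the edits took hold before restarting sshd, here is an added example (not from the original post) that reads a config file the way sshd does and reports any of the four options above that are still commented out or set differently. The helper names sshd_opt and audit_sshd are made up for this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit the four sshd_config options discussed in this post.

# Print the effective value of KEYWORD ($2) in FILE ($1): the first
# uncommented occurrence wins (sshd keeps the first value it reads), keywords
# are case-insensitive, and anything after a Match line is not a global setting.
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^match[ \t]/ { exit }       # per-user section starts
        {
            split(line, f, /[ \t=]+/)                # "Key value" or "Key=value"
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# Print one line per option that does not match the advice above and return
# the number of findings. An option left commented out is reported as unset,
# because its value then depends on the default of the installed sshd.
audit_sshd() {
    cfg=$1 bad=0
    port=$(sshd_opt "$cfg" Port)
    if [ "${port:-22}" = 22 ]; then
        echo "Port: still the default 22"; bad=$((bad + 1))
    fi
    for want in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${want%%=*} val=$(sshd_opt "$cfg" "${want%%=*}")
        if [ "$val" != "${want#*=}" ]; then
            echo "$key: '${val:-unset}', want ${want#*=}"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: mostly commented out, one duplicated option, and a
# Match block whose PermitRootLogin must not be mistaken for the global one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes
Match User mobile
    PermitRootLogin no
EOF
audit_sshd "$sample" || echo "$? setting(s) to fix"
```

On a real system, point audit_sshd at /etc/ssh/sshd_config; on the iPhone the Port result does not apply, since the listening port comes from /etc/services as noted in the EDIT above.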

Once you're finished editing the config file on your computer, restart the ssh daemon by running:

    /etc/rc.d/rc.sshd stop
    /etc/rc.d/rc.sshd start

I'm not certain how to do this on the iPhone. sshd is launched on demand by launchd and I'm not sure when the config file is read. I would assume it's read at launch and that you can turn ssh off and back on in SBSettings, but I'm not familiar enough with launchd and ssh on the phone to say for sure, so you may have to reboot the phone.

(EDIT: I found that flipping the SBSettings ssh toggle off and back on will load the new preferences.)

Once you're all finished, enjoy being more secure!
