[APP][INFO|SUPPORT] SSHelper (The free Android SSH Server Application)


E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
SSHelper (The free Android SSH Server Application)

Date: 2014-06-02
Difficulty: Easy

This is the XDA SSHelper support thread for the only completely open
source, transparent, free and ad-less SSH daemon/server Application for
Android. Sure, there are plenty of other Android SSH server apps out there, but
you can try to find one that is both free, without any ads, where all
the sources are clearly available and documented, where their developer
can be reached and contacted, and that has its own website.

To make things even better, I decided to start this thread in honor of,
and with permission by the main developer and scientist, Paul Lutus.
He's been developing software for NASA since the 80's and wrote one of
the first word processors for Apple-I. You can read all about it on his
website.

Another important reason for this thread is that SSHelper was developed
under CyanogenMod which is an AOSP ROM. This may cause many unexpected
side effects since those devices behave very differently from stock
(out-of-the-box) firmwares. While AOSP ROM often adds many new features,
they also remove many other OEM features that are mostly unknown or not
understood by the ROM builders/developers. So basing your app
development on a custom ROM is really begging for support trouble. This
will become even more apparent with the recent moves by Godzilla to make
AOS SELinux Enforced by default.

If you just need an SSH server right away, you can download the APK
directly from his website HERE or indirectly from Google Play.

The minimum required AOS is Honeycomb 3.2 / API 13, and the
current version is: 6.3 (04.28.2014).


SSHelper Features

SSHelper is much more than just an SSH server, it also offers:

  • full Rsync support
  • full sshd_config file support
  • full shell profile support
  • HTTP server
  • SCP server
  • SFTP server
  • Detailed Debug info (via App and web server)
  • Detailed Logcat view
  • Terminal Shell with OTG keyboard
  • and a full Busybox implementation




The Support

However, as you can imagine, the more supported features, the more
potential for problems. As the developer is a wild-life adventurer, he's
not constantly sitting in front of his computer waiting to solve other
people's problems, but often extremely isolated in the Alaskan wilderness
or in a small boat in the middle of the Pacific.

That's why we need this thread. Other users may be able to help you if
they have had similar or previous problems. And if those problems aren't
solvable here, hopefully Paul will be able to have an occasional look,
insight and update.

However, since this application is based on OpenSSL / OpenSSH and so on,
the best place to find solutions and ask general SSH related questions
is on any of the 5 StackExchange related Q&A sites:

http://stackoverflow.com/
http://android.stackexchange.com/
http://unix.stackexchange.com/
http://serverfault.com/
http://superuser.com/

You should also have a good read at the SSHelper main support site.

So before posting here, search there first!


Required Android Permissions
( in: ../SSHelper/AndroidManifest.xml )
Code:
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_SUPERUSER
android.permission.ACCESS_WIFI_STATE
android.permission.BLUETOOTH
android.permission.CHANGE_WIFI_MULTICAST_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.INTERNET
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.WRITE_EXTERNAL_STORAGE

These will probably need to be updated in order to solve some issues
when used on devices running SEAndroid in Enforced mode.


Application File Locations

All the SSHelper related files are located in and below the base directory at:
/data/data/com.arachnoid.sshelper

Code:
bin             Here are all the binary assets, such as busybox and sshd etc.
cache
databases
dev
etc
files
home            Your home directory when using SSH
lib             Symlinked to:  /data/app-lib/com.arachnoid.sshelper-1
tmp
var

The APK Assets

Code:
busybox_gz
rsync_gz
scp_gz
sftp_gz
ssh_gz
ssh_keygen_gz
ssh_keyscan_gz
sshd_gz
favicon.ico
profile
server_page.html
sshd_config

Installed Binaries

From Busybox we have:
Code:
BusyBox v1.21.0 (2014-04-01 22:29:02 PDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, ar, arp, ash, awk, base64, basename, bbconfig, beep, blkid,
        blockdev, bootchartd, bunzip2, bzcat, bzip2, cal, cat, catv, chat,
        chattr, chgrp, chmod, chown, chpst, chroot, chrt, chvt, cksum, clear,
        cmp, comm, cp, cpio, crond, crontab, cttyhack, cut, dc, dd, deallocvt,
        depmod, devmem, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix,
        dpkg, dpkg-deb, du, dumpkmap, echo, ed, egrep, env, envdir, envuidgid,
        expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
        fdisk, fgconsole, fgrep, find, findfs, flash_lock, flash_unlock,
        flashcp, flock, fold, free, freeramdisk, fsync, ftpd, ftpget, ftpput,
        fuser, getopt, grep, gunzip, gzip, halt, hd, hdparm, head, hexdump,
        hostname, httpd, hwclock, ifconfig, ifdown, ifup, init, inotifyd,
        insmod, install, iostat, ip, ipaddr, ipcalc, iplink, iproute, iprule,
        iptunnel, klogd, less, linuxrc, ln, loadkmap, losetup, lpd, lpq, lpr,
        ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,
        makedevs, makemime, man, md5sum, mdev, mesg, mkdir, mkfifo, mknod,
        mkswap, mktemp, modinfo, modprobe, more, mpstat, mv, nbd-client, nc,
        netstat, nice, nmeter, nohup, od, openvt, patch, pidof, ping,
        pipe_progress, pmap, popmaildir, poweroff, powertop, printenv, printf,
        ps, pscan, pstree, pwd, pwdx, raidautorun, rdev, readlink, readprofile,
        realpath, reboot, reformime, renice, reset, resize, rev, rm, rmdir,
        rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runsv, runsvdir, rx,
        script, scriptreplay, sed, sendmail, seq, setconsole, setkeycodes,
        setlogcons, setserial, setsid, setuidgid, sha1sum, sha256sum, sha3sum,
        sha512sum, showkey, sleep, smemcap, softlimit, sort, split,
        start-stop-daemon, strings, stty, sum, sv, svlogd, switch_root, sync,
        sysctl, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,
        tftpd, time, timeout, top, touch, tr, traceroute, true, ttysize,
        tunctl, tune2fs, udpsvd, uname, uncompress, unexpand, uniq, unix2dos,
        unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode, uuencode,
        vconfig, vi, volname, watch, wc, wget, which, whoami, whois, xargs, xz,
        xzcat, yes, zcat

In addition to that, in the $SSHELPER/bin we find:

Code:
rsync
scp
sftp
ssh
ssh-keygen
ssh-keyscan
sshelper_sshd

References and Resources:

<WIP>

 

E:V:A

Some Application Options

When you start the application you will see a list of different
configuration settings. The detailed description of each one is found
HERE. The most important being:

Code:
SSH Server Port Number  (Default: 2222)
Server Password         (Default: admin)

Some Environment Variables

When you use SSHelper to login via SSH, you end up in the temporary
mksh shell at the home location set by the environment variable $ENV
which is set to be:

/data/data/com.arachnoid.sshelper/home


This behavior is contrary to what is normally used on Linux machines
where you end up in the $HOME directory. A few other important shell
variables are:

Code:
ENV=/data/data/com.arachnoid.sshelper/home
HOME=/
LD_LIBRARY_PATH=/vendor/lib:/system/lib
LOGNAME=u0_a202
LOOP_MOUNTPOINT=/mnt/obb
PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/data/data/com.arachnoid.sshelper/bin
SHELL=/tmp-mksh/tmp-mksh
SSHELPER=/data/data/com.arachnoid.sshelper
USER=u0_a202

And to get the whole set, use the command "set":

Code:
ANDROID_ASSETS=/system/app
ANDROID_BOOTLOGO=1
ANDROID_DATA=/data
ANDROID_PROPERTY_WORKSPACE=8,66560
ANDROID_ROOT=/system
ANDROID_SOCKET_zygote=10
ANDROID_STORAGE=/storage
ASEC_MOUNTPOINT=/mnt/asec
BOARD=MSM8960
BOOTCLASSPATH=/system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/framework2.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar:/system/framework/sec_edm.jar:/system/framework/seccamera.jar:/system/framework/scrollpause.jar:/system/framework/stayrotation.jar:/system/framework/smartfaceservice.jar:/system/framework/secocsp.jar:/system/framework/abt-persistence.jar:/system/framework/sc.jar
COLUMNS=80
EMULATED_STORAGE_SOURCE=/mnt/shell/emulated
EMULATED_STORAGE_TARGET=/storage/emulated
ENV=/data/data/com.arachnoid.sshelper/home
EXTERNAL_STORAGE=/storage/emulated/legacy
HOME=/
IFS='
'
KSHEGID=0
KSHGID=0
KSHUID=0
KSH_VERSION='@(#)MIRBSD KSH R40 2011/10/07'
LD_LIBRARY_PATH=/vendor/lib:/system/lib
LINES=24
LOGNAME=u0_a202
LOOP_MOUNTPOINT=/mnt/obb
MAIL=/var/mail/u0_a202
OPTIND=1
PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/data/data/com.arachnoid.sshelper/bin
PGRP=333
PIPESTATUS[0]=0
PIPESTATUS[1]=0
PPID=21382
PS1='$USER@$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '
PS2='> '
PS3='#? '
PS4='+ '
PWD=/data/data/com.arachnoid.sshelper/home
RANDOM=20853
SECONDARY_STORAGE=/storage/extSdCard:/storage/UsbDriveA:/storage/UsbDriveB:/storage/UsbDriveC:/storage/UsbDriveD:/storage/UsbDriveE:/storage/UsbDriveF
SECONDS=20
SHELL=/tmp-mksh/tmp-mksh
SSHELPER=/data/data/com.arachnoid.sshelper
SSH_CLIENT='192.168.xx.xx 14115 2222'
SSH_CONNECTION='192.168.xx.xx 14115 192.168.yy.yy 2222'
TMOUT=0
TZ=GMT-3
USER=u0_a202
USER_ID=0
VIBE_PIPE_PATH=/dev/pipes
_=set

(These may vary somewhat, depending on your device.)


The default profile and sshd_config

profile:

Code:
# place user customizations here
uname -s -r -m
alias ls="$SSHELPER/bin/ls"
export PS1='$USER@$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '

If you are rooted and already have Busybox installed, it is highly
recommended to edit this file.

sshd_config:
Code:
#       $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_rsa
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_dsa
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_ecdsa

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys

# AuthorizedKeysFile (path)

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
# HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# PasswordAuthentication no
# PermitEmptyPasswords yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# UsePAM no

# AllowAgentForwarding yes # default
# AllowTcpForwarding yes # default
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
PermitUserEnvironment yes # allow ~/.ssh/environment to contain useful path and envs for logins
Compression yes
ClientAliveInterval 300 # 300 seconds of idle time
ClientAliveCountMax 5 # after five queries, disconnect
UseDNS no
# PidFile
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp internal-sftp

# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

#Match LocalAddress 127.0.0.1
#  X11Forwarding yes
#  AllowTcpForwarding yes
#  AllowUsers sshelper
 
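A way to review the defaults listed in the post above, as an added example that is not part of the original post or of SSHelper: it computes the effective global options of the quoted sshd_config (first value wins, `-o` options read before the file) and flags the settings that widen exposure. The function names, the checks chosen and the DSA filename heuristic are assumptions of this example.

```python
import re

# Excerpt of the sshd_config quoted in the post (active lines plus the
# commented-out password setting). Everything else here is added.
PAGE_SSHD_CONFIG = """\
#Port 22
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_rsa
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_dsa
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_ecdsa
# PasswordAuthentication no
PrintLastLog no
UsePrivilegeSeparation no
PermitUserEnvironment yes # allow ~/.ssh/environment to contain useful path and envs for logins
Compression yes
ClientAliveInterval 300 # 300 seconds of idle time
ClientAliveCountMax 5 # after five queries, disconnect
UseDNS no
Subsystem       sftp internal-sftp
#Match LocalAddress 127.0.0.1
#  AllowUsers sshelper
"""

# Keywords that may appear several times; every other keyword is first-wins.
MULTI_VALUED = {"hostkey", "port", "listenaddress", "acceptenv", "subsystem"}

# Values sshd falls back to when a keyword is absent (per sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "permituserenvironment": "no"}

LINE_RE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")
DSA_NAME_RE = re.compile(r"(?:^|[_.-])dsa(?:[_.-]|$)")


def effective_options(config_text, cli_options=()):
    """Return {keyword: [values]} for the global (pre-Match) section.

    cli_options are the strings given after -o; they are read before the
    file, so under the first-value-wins rule they override it.
    """
    effective = {}
    for raw in list(cli_options) + config_text.splitlines():
        # Assumption: '#' starts a comment anywhere on the line.
        line = raw.split("#", 1)[0].strip()
        match = LINE_RE.match(line)
        if not match:
            continue
        keyword, value = match.group(1).lower(), match.group(2).strip()
        if keyword == "match":      # conditional blocks are out of scope here
            break
        if keyword in MULTI_VALUED:
            effective.setdefault(keyword, []).append(value)
        else:
            effective.setdefault(keyword, [value])
    return effective


def audit(config_text, cli_options=()):
    """Return a list of (keyword, reason) findings for the effective config."""
    eff = effective_options(config_text, cli_options)

    def value_of(keyword):
        return eff.get(keyword, [DEFAULTS.get(keyword, "")])[0].lower()

    findings = []
    if value_of("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication",
                         "password logins accepted; the post lists 'admin' as "
                         "the default server password"))
    if value_of("permituserenvironment") != "no":
        findings.append(("PermitUserEnvironment",
                         "~/.ssh/environment is honoured; sshd_config(5) warns "
                         "this can bypass restrictions, e.g. via LD_PRELOAD"))
    if value_of("useprivilegeseparation") == "no":
        findings.append(("UsePrivilegeSeparation",
                         "pre-authentication code runs with the full "
                         "privileges of the sshd process"))
    for path in eff.get("hostkey", []):
        # Heuristic: judge the key type by file name only.
        if DSA_NAME_RE.search(path.rsplit("/", 1)[-1]):
            findings.append(("HostKey", "DSA host key offered: " + path))
    return findings


if __name__ == "__main__":
    for keyword, reason in audit(PAGE_SSHD_CONFIG):
        print(f"{keyword}: {reason}")
```

Passing `cli_options=["PasswordAuthentication no"]` models the app's "disable passwords" switch and removes the first finding.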

E:V:A

Some SELinux / SEAndroid related issues

< WIP: may contain inaccuracies! >

So you're rooted and you hope to use SSH to get a root shell,
like in the good old days (yesterday), and now you've got trouble!

Thanks to Godzilla and Samsung, we now have to deal with something called
SEAndroid which stands for "Security Enhanced Linux (SEL) for Android".
This would not have been so bad, if it wasn't because these companies now
want to enable the very strict Enforcing mode, by default.
That means that nothing you're once used to, when you have root access,
works and behaves as expected. In fact SEL restricts root user, just like
any other, so you have to spend some weeks trying to understand how that
is dealt with and managed from a Super-User's perspective.

So trying to get a root shell from an SSH session, is now likely to fail
because:


  • You have a Samsung KNOX enabled device. Samsung KNOX is deeply intertwined with SEL.
    ==> Remove all KNOX garbage.
  • Your SEL policy is not allowing SSHelper to allocate a pseudo-terminal (/dev/ptmx) because the /dev/pts directory is mounted as RO as type /devpts.
    ==> remount /dev/pts to enable RW: mount -o remount,rw -t devpts /dev/pts
  • Your SEL policy is still not allowing you to su from outside SE context "init_shell".
    ==> Temporarily set SEL to Permissive mode with: su 0 setenforce 0
  • Your SEL policy is not allowing you to ... period.
    ==> Unless you have a locked bootloader, disable SEL by flashing an insecure kernel/ROM that either doesn't have SEL, or at least not in Enforcing mode.
  • su is not working because:
    a) your AOS version is not handling SEL policies right.
    b) your su version is not handling SEL contexts right.
  • You got fooled into buying a locked Verizon or ATT phone with locked boot loader, and no way of rooting, and no one can help you. You cannot do any development with such a phone.
    ==> Return phone and cancel your contract.

< TBA >


The mksh Shell

< WIP >

The MirBSD™ Korn Shell, is better known as mksh and is now the default
shell on Androids since JB 4.1, instead of ash. I don't know why this
change was made, but I suspect it has something to do with having much
better documentation, better linux community support and therefore more
features and better compatibility.

The current available mksh version is:
R49 (11 Jan 2014)

NOTE: This is the sources version and is not necessarily available as
an Android binary, unless you compile your own. (Please share it here!)

You can check your own Android mksh version with:

Code:
u0_a202@MSM8960:home $ echo $KSH_VERSION
@(#)MIRBSD KSH R40 2011/10/07

The complete online man pages for mksh are found HERE.

The mksh ChangeLog is HERE.

The latest mksh sources are available HERE.

The latest statically linked ARM Android binary can be downloaded HERE.
 

E:V:A

The (app) Terminal

SSHelper contains its own terminal that can be better used with an external keyboard. However, the code that runs this terminal is hard-coded in the Java file ShellTerminal.java, like this:

Code:
String[] com = new String[] { app.binDir + "/ssh", "-q", "-t", "-t", "-o UserKnownHostsFile /dev/null", "-o StrictHostKeyChecking no", host, "-p", port };

With the effect that the local loopback IP is set to 127.0.0.1 and port as chosen in the UI.

Code:
ssh -q -t -t -o UserKnownHostsFile /dev/null -o StrictHostKeyChecking no 127.0.0.1 -p <port>

Unfortunately this command will fail if there is no controlling tty allocated, or if <port> is used by, or IP 127.0.0.1 is blocked by other applications, such as firewall or SEAndroid/KNOX permissions and settings.


The sshelper_sshd binary

The binary as compiled has the following options enabled:
Code:
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]
            [-u len]

However, the built-in app command line is:
Code:
sshelper_sshd -D -p <port> -h <key_file> -o PidFile <pid_file> -f <sshd_config_file> <debug_level> -e [UI_options] -o StrictModes <yes/no> -o Banner <banner_text_file>
where:
Code:
<debug_level>           = -d, -dd, -ddd, -dddd
<banner_text_file>      = banner1.txt (with password) or  banner2.txt (no password)

if (prefix.disablePasswords) { app.addToList(coms, "-o PasswordAuthentication no"); }
if (prefix.allowForwarding)  { app.addToList(coms, "-o PermitTunnel yes"); }

This way, if you need more special features, you can run the server from a local shell command line.

The full details can be found HERE, but the most important are shown below.
From the sshd manual pages:
Code:
     -D      When this option is specified, sshd will not detach and does not
             become a daemon.  This allows easy monitoring of sshd.

     -d      Debug mode.  The server sends verbose debug output to standard
             error, and does not put itself in the background.  The server
             also will not fork and will only process one connection.  This
             option is only intended for debugging for the server.  Multiple
             -d options increase the debugging level.  Maximum is 3.

     -e      Write debug logs to standard error instead of the system log.

     -f config_file
             Specifies the name of the configuration file.  The default is
             /etc/ssh/sshd_config.  sshd refuses to start if there is no
             configuration file.

     -h host_key_file
             Specifies a file from which a host key is read.  This option must
             be given if sshd is not run as root (as the normal host key files
             are normally not readable by anyone but root).  The default is
             /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
             protocol version 2.  It is possible to have multiple host key
             files for the different protocol versions and host key
             algorithms.

     -o option
             Can be used to give options in the format used in the
             configuration file.  This is useful for specifying options for
             which there is no separate command-line flag.  For full details
             of the options, and their values, see sshd_config(5).

     -p port
             Specifies the port on which the server listens for connections
             (default 22).  Multiple port options are permitted.  Ports
             specified in the configuration file with the Port option are
             ignored when a command-line port is specified.  Ports specified
             using the ListenAddress option override command-line ports.

     -q      Quiet mode.  Nothing is sent to the system log.  Normally the
             beginning, authentication, and termination of each connection is
             logged.

     -t      Test mode.  Only check the validity of the configuration file and
             sanity of the keys.  This is useful for updating sshd reliably as
             configuration options may change.
 

E:V:A

So after having updated SuperSU from 1.94 to 2.00, I've suddenly got some different SELinux errors in the AVC log, but did not resolve the issue. This partially confirms that this is a combined App + SELinux issue, due to several factors:

1) App is not performing the SU operation according to current (latest AOSP) standards. For example, from THIS issue on Stackoverflow, apparently AOS >4.3 (or more likely those using SELinux 4.2.2) are no longer using setuid(), and if you still wanna use it, it is suggested to do a fork() before. In addition su has to be made in the right context.

2) According to THIS article, SU is no longer allowed to execute files on the /data partition, although there are some workarounds. Please read Chainfire's blog about how to SU, for latest developments, and workarounds.

3) The current SELinux policy is restricting the use of /dev/pts|ptm|pty and the mounted devpts FS. Most likely some of the policy/behavior is wrong.


Useful links:
http://su.chainfire.eu/
http://www.xda-developers.com/andro...ak-compatibility-with-many-current-root-apps/
http://www.xda-developers.com/andro...he-android-l-developer-preview-the-right-way/
 

E:V:A

Another possible reason for this issue, could be that since AOS 4.3 (and possibly some 4.2.2 in Enforcing) versions, the WRITE_EXTERNAL_STORAGE permissions in /system/etc/permissions/platform.xml have been changed to a much more restrictive setting, where Apps can ONLY write to their own directory. For a good description of the problem and solution:

[APP][4.4][ROOT] SDFix: Modify device permissions to allow apps to write to MicroSD
http://xdaforums.com/showthread.php?t=2684188
https://plus.google.com/+TodLiebeck/posts/gjnmuaDM8sn

This needs to be checked.

=========================== EDIT =====================


On 4.2.2 Enforcing, we have:
Code:
...
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
    <group gid="sdcard_r" />
</permission>

<permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
    <group gid="sdcard_rw" />
    <group gid="media_rw" />
</permission>
...

This seems OK, but perhaps SSHelper also needs to set its GID to "sdcard_rw"?
Because on KK 4.4.2b4 we have:
Code:
    <permission name="android.permission.READ_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="media_rw" />
    </permission>

    <permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="sdcard_rw" />
        <group gid="media_rw" />
    </permission>

    <permission name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="sdcard_rw" />
        <group gid="sdcard_all" />
    </permission>

    <permission name="android.permission.WRITE_MEDIA_STORAGE" >
        <group gid="media_rw" />
    </permission>

Looking at the permissions in our AndroidManifest.xml file, and compare that to issue#315 in Android-Terminal-Emulator, it could be that we also need to add the READ_EXTERNAL_STORAGE permission, which is not present in our manifest, and contrary to what Google said about WRITE_EXTERNAL_STORAGE as automatically including READ_ access.


To help troubleshoot permission problems when running on an AOS with enabled SELinux (>4.2.2), please provide the output of the following commands:
Code:
getprop |grep "ro.build.*"
getenforce
cat /data/misc/audit/audit.log
 
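One way to triage the audit.log requested in the post above, as an added example that is not part of the original post: it groups AVC denials by source domain, target type and object class, so a policy discussion can focus on the specific accesses being blocked. The log lines are constructed for illustration (not captured from a device) and the function names are hypothetical.

```python
import re

# Constructed sample in the kernel AVC record format; not from a real device.
SAMPLE_AUDIT_LOG = """\
type=1400 audit(1416700000.101:11): avc:  denied  { read write } for  pid=4321 comm="sshelper_sshd" name="ptmx" dev="tmpfs" ino=1201 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file
type=1400 audit(1416700000.205:12): avc:  denied  { open } for  pid=4321 comm="sshelper_sshd" name="ptmx" dev="tmpfs" ino=1201 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file
type=1400 audit(1416700003.412:13): avc:  denied  { setattr } for  pid=4321 comm="sshelper_sshd" name="0" dev="devpts" ino=3 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
type=1400 audit(1416700009.000:14): avc:  denied  { execute } for  pid=4400 comm="su" name="sh" dev="mmcblk0p23" ino=77 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=1300 audit(1416700009.000:14): arch=40000028 syscall=11 success=no exit=-13
this line is not an audit record
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Extract the type from a 'user:role:type:level' security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record; return None for anything else."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(3))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "result": match.group(1),
        "perms": match.group(2).split(),
        "comm": fields.get("comm", "?"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(log_text):
    """Group denials by (source domain, target type, class)."""
    summary = {}
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None or record["result"] != "denied":
            continue
        key = (record["source"], record["target"], record["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "comms": set(), "count": 0})
        entry["perms"].update(record["perms"])
        entry["comms"].add(record["comm"])
        entry["count"] += 1
    return summary


def format_report(summary):
    """One line per group, most frequent first."""
    lines = []
    for key, entry in sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        source, target, tclass = key
        lines.append("{}x {} -> {}:{} {{ {} }} comm={}".format(
            entry["count"], source, target, tclass,
            " ".join(sorted(entry["perms"])), ",".join(sorted(entry["comms"]))))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize_denials(SAMPLE_AUDIT_LOG))))
```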

E:V:A

I have now found a work-around for the lost terminal job-control.
It's originally described in detail HERE.

---

EDIT: (Added 2014-11-23)

I've finally found a work-around for the crippled /dev/pts job-control and su combination. There are two small problems that combine into this issue.

1. The SELinux policy is screwed up by Samsung. And others?
2. The /dev/pts is mounted wrong by default.


The work-around:

Make sure your device is already in Enforcing mode, so that you get the proper su prompt (#).

1. Open terminal session 1.
Code:
## On Terminal 1
ssh -2 dummy@192.168... -p 2222
$ su -c /system/bin/sh -i
# su 0 setenforce 0
# umount /dev/pts
# su -cn u:r:init:s0 -c "busybox mount -t devpts -o rw,seclabel,relatime,mode=620,gid=5 devpts /dev/pts"

2. Now go to Terminal 2 and login:
Code:
## On terminal 2
ssh -2 dummy@192.168... -p 2222
$

(You now have job-control but no su possibility.)

3. Now go back to Terminal 1 and enable Enforcing mode:
Code:
## On Terminal 1
# su 0 setenforce 1

4. Now go back to Terminal 2 and escalate to su:
Code:
## On terminal 2
$ su -c /system/bin/sh -i
#

Unfortunately if you exit the su (#) shell, you'll have to repeat steps 2-4 of the procedure.
 

zelch

Member
Nov 14, 2010
40
2
Any progress on a pty for lollipop users?

So now that Lollipop has landed, is there any progress on getting a pty for Lollipop users?

Ideally something that can work with something not too far from stock.
 

E:V:A

zelch said:
> So now that Lollipop has landed, is there any progress on getting a pty for Lollipop users? Ideally something that can work with something not too far from stock.

Are you actually having any issues? Please post what. I've used this on a KK 4.4.4 MTK device, using SuperSU 2.16, and there are no problems with this on that device.
 

zelch

E:V:A said:
> Are you actually having any issues? Please post what. I've used this on a KK 4.4.4 MTK device, using SuperSU 2.16, and there are no problems with this on that device.

In short, yes.

Currently on stock (unrooted) Lollipop on a Nexus 7 (2013), and while the ssh server works it cannot allocate a pty, resulting in the shell not being all that usable.

While I expect that rooting will be a requirement to adjust things, I would rather avoid the option of completely disabling selinux enforcement.
(Yes, it's a quick and easy way to solve the problem. But the selinux enforcement buys quite a lot in the way of security, so I'd rather limit things to say, a tweaked selinux policy.)
 
Deleted member 230392

Guest
Okay noob question .... My rooted Nexus 5, with sshelper installed, changed listening port to 3333, set a new password

Logon from Windows server with putty gives ...

login as: admin
SSHelper Version 6.8 Copyright 2014, P. Lutus
admin@192.168.2.205's password:
Server refused to allocate pty
sh: /data/data/com.arachnoid.sshelper/home/.profile[2]: uname: not found


What cretinous thing have I omitted to notice?

Regards Marcus
 

dd043

Senior Member
Nov 4, 2014
57
60
I've been running your app for a few days with good results, thank you for that!

Would it be possible to implement a wifi lock only when there is a client connected? Wifi lock all the time is killing my battery and my standby wifi seems to be responsive enough to receive incoming connections (often after 2 or 3 attempts, but it still eventually works)
 

E:V:A

First of all let me clarify that I am not the developer and maintainer of this App. It is Paul Lutus, and you can message him on his website. I only started this thread to help him out and to help myself by having a place to post problems. I really like his app, but THESE are really annoying issues, and probably have nothing to do with his app but with the screwed up way that Google is changing device permissions.

The only solution I know about for problem devices is something like I re-posted in edited post #8:

http://xdaforums.com/showpost.php?p=55779472&postcount=8

Good Luck.
 

jumika

Member
Sep 2, 2011
46
15
Hi!
Is it possible to start an sftp session as root user? If I try to reach /data for example I get a permission denied error :( In terminal I must type su to gain root rights.
Thank you!
 

samandiriel

Senior Member
Dec 14, 2010
63
7
Phoenix, AZ
mysolutions.it
Having a problem with SFTP ssh process almost immediately disconnecting. I get messages from my file manager (caja) such as "The connection is closed (the underlying SSH process exited)". This wasn't a problem until I did a factory reset on my OnePlus 5 and upgraded it to Oreo (8.1).

How can I keep the connection alive? I tried a keep alive ping on the PC side by editing SSH config files, but that was a bust.
 

stormy1777

Senior Member
Feb 12, 2016
169
48
How to run SSHelper from CLI/ADB - failed Phone's LCD/Screen

Hi everyone :)

Trying to start SSH helper on a phone with a defective screen :)

It is already installed, but not running... tried this:

Code:
root@BLU:/data/app # am start com.arachnoid.sshelper

Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER]pkg=com.arachnoid.sshelper }

Error: Activity not started, unable to resolve Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=com.arachnoid.sshelper }

and many other creative combinations I somehow got from online searches:

Code:
#   am start com.arachnoid.sshelper/android.intent.action.MAIN

it fails:

Code:
start com.arachnoid.sshelper/android.intent.action.MAIN                         <
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.L
AUNCHER] cmp=com.arachnoid.sshelper/android.intent.action.MAIN }
Error type 3
Error: Activity class {com.arachnoid.sshelper/android.intent.action.MAIN} does not exist.

This directory exists:

Code:
root@BLU:/data/app # ls -ld *arach*
drwxr-xr-x system   system            2018-08-07 21:00 com.arachnoid.sshelper-2

maybe the "-2" needs to be accounted for somehow in the command to start?

Pages like: http://learnandroid.blogspot.com/2008/01/run-android-application-from-command.html

say how to construct an "am start" command, but it requires info from the Manifest, except the file AndroidManifest.xml found in the ssh helper.apk seems binary.

Until I get this working ADB is the only way to connect to the phone, it's rather limited in its abilities... like, no scp :)

Code:
C:\Android>adb shell
shell@BLU:/ $ su
root@BLU:/ # scp
tmp-mksh: scp: not found

Any tips on how to start SSH Helper, maybe someone has the text Manifest xml file?

Stormy.
 

measel

Senior Member
Jan 13, 2011
988
541
Terrible rsync transfer rates

I'm having trouble with transfer rates using rsync.
I use rsync to backup my phone to my computer but the transfer rates are always below 700kB/s which is unbearable.


My specs:
Phone: Samsung S9, rooted with custom rom.
Computer: MacOS 10.14.6


I had the same problem with SSHDroid but maybe some of you have an idea how to tackle this, or confirm the slow transfer speed.


By the way: When uploading music to my phone it is faster with 1.4MB/s (still not super great).
 
