XDA Developers Android and Mobile Development Forum

[APP][INFO|SUPPORT] SSHelper (The free Android SSH Server Application)

E:V:A
(Last edited by E:V:A; 26th July 2014 at 01:47 PM.)
#1  
Recognized Developer - OP
Thanks Meter 1705
Posts: 1,302
Join Date: Dec 2011
Location: -∇ϕ

SSHelper (The free Android SSH Server Application)

Date: 2014-06-02
Difficulty: Easy

This is the XDA SSHelper support thread for the only completely open
source, transparent, free and ad-less SSH daemon/server Application for
Android. Sure, there are plenty of other Android SSH server apps out there, but
you can try to find one that is both free, without any ads, where all
the sources are clearly available and documented, where their developer
can be reached and contacted, and that has its own website.

To make things even better, I decided to start this thread in honor of,
and with permission by the main developer and scientist, Paul Lutus.
He's been developing software for NASA since the 80's and wrote one of
the first word processors for Apple-I. You can read all about it on his
website.

Another important reason for this thread is that SSHelper was developed
under CyanogenMod which is an AOSP ROM. This may cause many unexpected
side effects since those devices behave very differently from stock
(out-of-the-box) firmwares. While AOSP ROM often adds many new features,
they also remove many other OEM features that are mostly unknown or not
understood by the ROM builders/developers. So basing your app
development on a custom ROM is really begging for support trouble. This
will become even more apparent with the recent moves by Godzilla to make
AOS SELinux Enforced by default.

If you just need an SSH server right away, you can download the APK
directly from his website HERE or indirectly from Google Play.

The minimum required AOS is Honeycomb 3.2 / API 13, and the
current version is: 6.3 (04.28.2014).


SSHelper Features

SSHelper is much more than just an SSH server, it also offers:
  • full Rsync support
  • full sshd_config file support
  • full shell profile support
  • HTTP server
  • SCP server
  • SFTP server
  • Detailed Debug info (via App and web server)
  • Detailed Logcat view
  • Terminal Shell with OTG keyboard
  • and a full Busybox implementation




The Support

However, as you can imagine, the more supported features, the more
potential for problems. As the developer is a wild-life adventurer he's
not constantly sitting in front of his computer waiting to solve other
people's problems, but often extremely isolated in the Alaskan wilderness
or in a small boat in the middle of the Pacific.

That's why we need this thread. Other users may be able to help you if
they have had similar or previous problems. And if those problems aren't
solvable here, hopefully Paul will be able to have an occasional look,
insight and update.

However, since this application is based on OpenSSL / OpenSSH and so on,
the best place to find solutions and ask general SSH related questions
is on any of the 5 StackExchange related Q&A sites:

http://stackoverflow.com/
http://android.stackexchange.com/
http://unix.stackexchange.com/
http://serverfault.com/
http://superuser.com/

You should also have a good read at the SSHelper main support site.

So before posting here, search there first!


Required Android Permissions
( in: ../SSHelper/AndroidManifest.xml )
Code:
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_SUPERUSER
android.permission.ACCESS_WIFI_STATE
android.permission.BLUETOOTH
android.permission.CHANGE_WIFI_MULTICAST_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.INTERNET
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.WRITE_EXTERNAL_STORAGE

These will probably need to be updated in order to solve some issues
when used on devices running SEAndroid in Enforced mode.


Application File Locations

All the SSHelper related files are located in and below the base directory at:
/data/data/com.arachnoid.sshelper

Code:
bin             Here are all the binary assets, such as busybox and sshd etc.
cache           
databases       
dev             
etc             
files           
home            Your home directory when using SSH
lib             Symlinked to:  /data/app-lib/com.arachnoid.sshelper-1
tmp             
var

The APK Assets

Code:
busybox_gz
rsync_gz
scp_gz
sftp_gz
ssh_gz
ssh_keygen_gz
ssh_keyscan_gz
sshd_gz
favicon.ico
profile
server_page.html
sshd_config

Installed Binaries

From Busybox we have:
Code:
BusyBox v1.21.0 (2014-04-01 22:29:02 PDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, ar, arp, ash, awk, base64, basename, bbconfig, beep, blkid,
        blockdev, bootchartd, bunzip2, bzcat, bzip2, cal, cat, catv, chat,
        chattr, chgrp, chmod, chown, chpst, chroot, chrt, chvt, cksum, clear,
        cmp, comm, cp, cpio, crond, crontab, cttyhack, cut, dc, dd, deallocvt,
        depmod, devmem, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix,
        dpkg, dpkg-deb, du, dumpkmap, echo, ed, egrep, env, envdir, envuidgid,
        expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
        fdisk, fgconsole, fgrep, find, findfs, flash_lock, flash_unlock,
        flashcp, flock, fold, free, freeramdisk, fsync, ftpd, ftpget, ftpput,
        fuser, getopt, grep, gunzip, gzip, halt, hd, hdparm, head, hexdump,
        hostname, httpd, hwclock, ifconfig, ifdown, ifup, init, inotifyd,
        insmod, install, iostat, ip, ipaddr, ipcalc, iplink, iproute, iprule,
        iptunnel, klogd, less, linuxrc, ln, loadkmap, losetup, lpd, lpq, lpr,
        ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,
        makedevs, makemime, man, md5sum, mdev, mesg, mkdir, mkfifo, mknod,
        mkswap, mktemp, modinfo, modprobe, more, mpstat, mv, nbd-client, nc,
        netstat, nice, nmeter, nohup, od, openvt, patch, pidof, ping,
        pipe_progress, pmap, popmaildir, poweroff, powertop, printenv, printf,
        ps, pscan, pstree, pwd, pwdx, raidautorun, rdev, readlink, readprofile,
        realpath, reboot, reformime, renice, reset, resize, rev, rm, rmdir,
        rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runsv, runsvdir, rx,
        script, scriptreplay, sed, sendmail, seq, setconsole, setkeycodes,
        setlogcons, setserial, setsid, setuidgid, sha1sum, sha256sum, sha3sum,
        sha512sum, showkey, sleep, smemcap, softlimit, sort, split,
        start-stop-daemon, strings, stty, sum, sv, svlogd, switch_root, sync,
        sysctl, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,
        tftpd, time, timeout, top, touch, tr, traceroute, true, ttysize,
        tunctl, tune2fs, udpsvd, uname, uncompress, unexpand, uniq, unix2dos,
        unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode, uuencode,
        vconfig, vi, volname, watch, wc, wget, which, whoami, whois, xargs, xz,
        xzcat, yes, zcat

In addition to that, in the $SSHELPER/bin we find:

Code:
rsync
scp
sftp
ssh
ssh-keygen
ssh-keyscan
sshelper_sshd

References and Resources:

<WIP>

MSM8960 Info, Architecture and Bootloader(s)
El Grande Partition Table Reference
How to talk to the Modem with AT commands

[REF][ServiceMode] How to make your Samsung perform dog tricks
[REF|R&D|RF] RF/Radio properties of Samsung ServiceMode

Want to know when your phone is getting tracked or tapped?

Help us develop the IMSI Catcher / Spy Detector!
(To be part of the EFF & The Guardian Project toolsets.)
_______________________________
If you like what I do, just click THANKS!
Everything I do is free, altruism is the way!
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
I do not answer support related PM's.

 
E:V:A
(Last edited by E:V:A; 2nd June 2014 at 10:29 AM.)
#2  
Some Application Options

When you start the application you will see a list of different
configuration settings. The detailed description of each one is found
HERE. The most important being:

Code:
SSH Server Port Number  (Default: 2222)
Server Password         (Default: admin)

Some Environment Variables

When you use SSHelper to login via SSH, you end up in the temporary
mksh shell at the home location set by the environment variable $ENV
which is set to be:

/data/data/com.arachnoid.sshelper/home


This behavior is contrary to what is normally used on Linux machines
where you end up in the $HOME directory. A few other important shell
variables are:

Code:
ENV=/data/data/com.arachnoid.sshelper/home
 HOME=/
 LD_LIBRARY_PATH=/vendor/lib:/system/lib
 LOGNAME=u0_a202
 LOOP_MOUNTPOINT=/mnt/obb
 PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/data/data/com.arachnoid.sshelper/bin
 SHELL=/tmp-mksh/tmp-mksh
 SSHELPER=/data/data/com.arachnoid.sshelper
 USER=u0_a202

And to get the whole set, use the command "set":

Code:
ANDROID_ASSETS=/system/app
 ANDROID_BOOTLOGO=1
 ANDROID_DATA=/data
 ANDROID_PROPERTY_WORKSPACE=8,66560
 ANDROID_ROOT=/system
 ANDROID_SOCKET_zygote=10
 ANDROID_STORAGE=/storage
 ASEC_MOUNTPOINT=/mnt/asec
 BOARD=MSM8960
 BOOTCLASSPATH=/system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/framework2.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar:/system/framework/sec_edm.jar:/system/framework/seccamera.jar:/system/framework/scrollpause.jar:/system/framework/stayrotation.jar:/system/framework/smartfaceservice.jar:/system/framework/secocsp.jar:/system/framework/abt-persistence.jar:/system/framework/sc.jar
 COLUMNS=80
 EMULATED_STORAGE_SOURCE=/mnt/shell/emulated
 EMULATED_STORAGE_TARGET=/storage/emulated
 ENV=/data/data/com.arachnoid.sshelper/home
 EXTERNAL_STORAGE=/storage/emulated/legacy
 HOME=/
 IFS='
 '
 KSHEGID=0
 KSHGID=0
 KSHUID=0
 KSH_VERSION='@(#)MIRBSD KSH R40 2011/10/07'
 LD_LIBRARY_PATH=/vendor/lib:/system/lib
 LINES=24
 LOGNAME=u0_a202
 LOOP_MOUNTPOINT=/mnt/obb
 MAIL=/var/mail/u0_a202
 OPTIND=1
 PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/data/data/com.arachnoid.sshelper/bin
 PGRP=333
 PIPESTATUS[0]=0
 PIPESTATUS[1]=0
 PPID=21382
 PS1='$USER@$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '
 PS2='> '
 PS3='#? '
 PS4='+ '
 PWD=/data/data/com.arachnoid.sshelper/home
 RANDOM=20853
 SECONDARY_STORAGE=/storage/extSdCard:/storage/UsbDriveA:/storage/UsbDriveB:/storage/UsbDriveC:/storage/UsbDriveD:/storage/UsbDriveE:/storage/UsbDriveF
 SECONDS=20
 SHELL=/tmp-mksh/tmp-mksh
 SSHELPER=/data/data/com.arachnoid.sshelper
 SSH_CLIENT='192.168.xx.xx 14115 2222'
 SSH_CONNECTION='192.168.xx.xx 14115 192.168.yy.yy 2222'
 TMOUT=0
 TZ=GMT-3
 USER=u0_a202
 USER_ID=0
 VIBE_PIPE_PATH=/dev/pipes
 _=set

(These may vary somewhat, depending on your device.)


The default profile and sshd_config

profile:

Code:
# place user customizations here
 uname -s -r -m
 alias ls="$SSHELPER/bin/ls"
 export PS1='$USER@$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '

If you are rooted and already have Busybox installed, it is highly
recommended to edit this file.

sshd_config:
Code:
#       $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.

 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.

 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::

 # The default requires explicit activation of protocol 1
 #Protocol 2

 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_rsa
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_dsa
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_ecdsa

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024

 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO

 # Authentication:

 #LoginGraceTime 2m
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

 #RSAAuthentication yes
 #PubkeyAuthentication yes

 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys

 # AuthorizedKeysFile (path)

 #AuthorizedPrincipalsFile none

 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 # HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 # IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
 # PasswordAuthentication no
 # PermitEmptyPasswords yes

 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes

 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no

 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes

 # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
 # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
 # in this release. The use of 'gssapi' is deprecated due to the presence of
 # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
 #GSSAPIEnableMITMAttack no

 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 # UsePAM no

 # AllowAgentForwarding yes # default
 # AllowTcpForwarding yes # default
 #GatewayPorts no
 #X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
 PrintLastLog no
 #TCPKeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation no
 PermitUserEnvironment yes # allow ~/.ssh/environment to contain useful path and envs for logins
 Compression yes
 ClientAliveInterval 300 # 300 seconds of idle time
 ClientAliveCountMax 5 # after five queries, disconnect
 UseDNS no
 # PidFile
 #MaxStartups 10
 #PermitTunnel no
 #ChrootDirectory
 #VersionAddendum none

 # no default banner path
 #Banner none

 # override default of no subsystems
 Subsystem       sftp internal-sftp

 # This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL

 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #       X11Forwarding no
 #       AllowTcpForwarding no
 #       ForceCommand cvs server

 #Match LocalAddress 127.0.0.1
 #  X11Forwarding yes
 #  AllowTcpForwarding yes
 #  AllowUsers sshelper
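
An added example, not part of the original post or of SSHelper: a shell audit of the settings that the sshd_config above leaves active, using sshd's rule that the first value obtained for a keyword wins and that command-line `-o` options are read before the file. The sample file is constructed from that config's uncommented lines, the 'admin' default comes from the application options listed above, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not SSHelper code): report risky effective settings in an sshd_config.

# Config text on stdin -> value sshd would use for keyword $1, or default $2.
# Only the global section is read; parsing stops at the first Match block.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        { sub(/#.*/, "") }                    # drop whole-line and trailing comments
        NF == 0 { next }
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# Config text on stdin -> every HostKey path in the global section.
sshd_hostkeys() {
    awk '{ sub(/#.*/, "") } NF == 0 { next }
         tolower($1) == "match" { exit }
         tolower($1) == "hostkey" { print $2 }'
}

# $1 = config file, $2 = optional "-o" overrides, one "Keyword value" per line.
# Overrides are placed first so that they win, as on the sshd command line.
audit_sshd_config() {
    cfg_text=$(printf '%s\n' "$2"; cat "$1")
    _get() { printf '%s\n' "$cfg_text" | sshd_effective "$1" "$2"; }
    if [ "$(_get PasswordAuthentication yes)" = yes ]; then
        echo "WARN password-auth: password login enabled; the app default password is 'admin'"
    fi
    if [ "$(_get PermitUserEnvironment no)" = yes ]; then
        echo "WARN user-environment: ~/.ssh/environment can set variables such as LD_PRELOAD"
    fi
    if [ "$(_get UsePrivilegeSeparation yes)" = no ]; then
        echo "INFO no-privsep: pre-authentication code runs with the daemon's full privileges"
    fi
    # File-name heuristic only; the key type itself is not inspected here.
    printf '%s\n' "$cfg_text" | sshd_hostkeys | while read -r key; do
        case $key in
            *_dsa|*_dsa_key) echo "WARN dsa-hostkey: $key (DSA host keys are limited to 1024 bits)" ;;
        esac
    done
}

# Constructed sample: uncommented lines of the sshd_config quoted in the post above.
write_sample_config() {
    cat > "$1" <<'EOF'
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_rsa
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_dsa
HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_ecdsa
# PasswordAuthentication no
PrintLastLog no
UsePrivilegeSeparation no
PermitUserEnvironment yes # allow ~/.ssh/environment to contain useful path and envs for logins
UseDNS no
Subsystem       sftp internal-sftp
#Match User anoncvs
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "== config file alone =="
audit_sshd_config "$sample" ""
echo "== with -o PasswordAuthentication no on the command line =="
audit_sshd_config "$sample" "PasswordAuthentication no"
rm -f "$sample"
```

On a device, point `audit_sshd_config` at the copy of sshd_config under the SSHelper base directory and pass any `-o` options the server is started with as the second argument.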
 
E:V:A
(Last edited by E:V:A; 2nd June 2014 at 10:29 AM.)
#3  
Some SELinux / SEAndroid related issues

< WIP: may contain inaccuracies! >

So you're rooted and you hope to use SSH to get a root shell,
like in the good old days (yesterday), and now you've got trouble!

Thanks to Godzilla and Samsung, we now have to deal with something called
SEAndroid which stands for "Security Enhanced Linux (SEL) for Android".
This would not have been so bad, if it wasn't because these companies now
want to enable the very strict Enforcing mode, by default.
That means that nothing you're once used to, when you have root access,
works and behaves as expected. In fact SEL restricts root user, just like
any other, so you have to spend some weeks trying to understand how that
is dealt with and managed from a Super-User's perspective.

So trying to get a root shell from an SSH session, is now likely to fail
because:

  • You have a Samsung KNOX enabled device. Samsung KNOX is deeply intertwined with SEL.
    ==> Remove all KNOX garbage.
  • Your SEL policy is not allowing SSHelper to allocate a pseudo-terminal (/dev/ptmx ) because the /dev/pts directory is mounted as RO as type /devpts.
    ==> remount /dev/pts to enable RW: mount -o remount,rw -t devpts /dev/pts
  • Your SEL policy is still not allowing you to su from outside SE context "init_shell".
    ==> Temporarily set SEL to Permissive mode with: su 0 setenforce 0
  • Your SEL policy is not allowing you to ... period.
    ==> Unless you have a locked bootloader, disable SEL by flashing an insecure kernel/ROM that either doesn't have SEL, or at least not in Enforcing mode.
  • su is not working because:
    a) your AOS version is not handling SEL policies right.
    b) your su version is not handling SEL contexts right.
  • You got fooled into buying a locked Verizon or ATT phone with locked boot loader, and no way of rooting, and no one can help you. You cannot do any development with such a phone.
    ==> Return phone and cancel your contract.

< TBA >


The mksh Shell

< WIP >

The MirBSD™ Korn Shell, is better known as mksh and is now the default
shell on Androids since JB 4.1, instead of ash. I don't know why this
change was made, but I suspect it has something to do with having much
better documentation, better linux community support and therefore more
features and better compatibility.

The current available mksh version is:
R49 (11 Jan 2014)

NOTE: This is the sources version and is not necessarily available as
an Android binary, unless you compile your own. (Please share it here!)

You can check your own Android mksh version with:

Code:
u0_a202@MSM8960:home $ echo $KSH_VERSION
 @(#)MIRBSD KSH R40 2011/10/07

The complete online man pages for mksh are found HERE.

The mksh ChangeLog is HERE.

The latest mksh sources are available HERE.

The latest statically linked ARM Android binary can be downloaded HERE.
 
E:V:A
#4  
< Here be more Dragons 3 >
 
E:V:A
(Last edited by E:V:A; 3rd June 2014 at 05:24 PM.)
#5  
The (app) Terminal

SSHelper contains its own terminal that can be better used with an external keyboard. However, the code that runs this terminal is hard-coded in the Java file ShellTerminal.java like this:

Code:
String[] com = new String[] { app.binDir + "/ssh", "-q", "-t", "-t", "-o UserKnownHostsFile /dev/null", "-o StrictHostKeyChecking no", host, "-p", port };

With the effect that the local loopback IP is set to 127.0.0.1 and port as chosen in the UI.

Code:
ssh -q -t -t -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" 127.0.0.1 -p <port>

Unfortunately this command will fail if there is no controlling tty allocated, or if <port> is used by, or IP 127.0.0.1 is blocked by other applications, such as firewall or SEAndroid/KNOX permissions and settings.


The sshelper_sshd binary

The binary as compiled has the following options enabled:
Code:
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]
            [-u len]

However, the built-in app command line is:
Code:
sshelper_sshd -D -p <port> -h <key_file> -o PidFile <pid_file> -f <sshd_config_file> <debug_level> -e [UI_options] -o StrictModes <yes/no> -o Banner <banner_text_file>

where:
Code:
<debug_level>           = -d, -dd, -ddd, -dddd
<banner_text_file>      = banner1.txt (with password) or  banner2.txt (no password)

if (prefix.disablePasswords) { app.addToList(coms, "-o PasswordAuthentication no"); }
if (prefix.allowForwarding)  { app.addToList(coms, "-o PermitTunnel yes"); }

This way, if you need more special features, you can run the server from a local shell command line.

The full details can be found HERE, but the most important are shown below.
From the sshd manual pages:
Code:
     -D      When this option is specified, sshd will not detach and does not
             become a daemon.  This allows easy monitoring of sshd.

     -d      Debug mode.  The server sends verbose debug output to standard
             error, and does not put itself in the background.  The server
             also will not fork and will only process one connection.  This
             option is only intended for debugging for the server.  Multiple
             -d options increase the debugging level.  Maximum is 3.

     -e      Write debug logs to standard error instead of the system log.

     -f config_file
             Specifies the name of the configuration file.  The default is
             /etc/ssh/sshd_config.  sshd refuses to start if there is no
             configuration file.

     -h host_key_file
             Specifies a file from which a host key is read.  This option must
             be given if sshd is not run as root (as the normal host key files
             are normally not readable by anyone but root).  The default is
             /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
             protocol version 2.  It is possible to have multiple host key
             files for the different protocol versions and host key
             algorithms.

     -o option
             Can be used to give options in the format used in the
             configuration file.  This is useful for specifying options for
             which there is no separate command-line flag.  For full details
             of the options, and their values, see sshd_config(5).

     -p port
             Specifies the port on which the server listens for connections
             (default 22).  Multiple port options are permitted.  Ports
             specified in the configuration file with the Port option are
             ignored when a command-line port is specified.  Ports specified
             using the ListenAddress option override command-line ports.

     -q      Quiet mode.  Nothing is sent to the system log.  Normally the
             beginning, authentication, and termination of each connection is
             logged.

     -t      Test mode.  Only check the validity of the configuration file and
             sanity of the keys.  This is useful for updating sshd reliably as
             configuration options may change.
 
E:V:A
(Last edited by E:V:A; 22nd July 2014 at 12:24 PM.)
#6  
So after having updated SuperSU from 1.94 to 2.00, I've suddenly got some different SELinux errors in the AVC log, but did not resolve the issue. This partially confirms that this is a combined App + SELinux issue, due to several factors:

1) App is not performing the SU operation according to current (latest AOSP) standards. For example, from THIS issue on Stackoverflow, apparently AOS >4.3 (or more likely those using SELinux 4.2.2) are no longer using setuid(), and if you still wanna use it, it is suggested to do a fork() before. In addition su has to be made in the right context.

2) According to THIS article, SU is no longer allowed to execute files on the /data partition, although there are some workarounds. Please read Chainfire's blog about how to SU, for latest developments, and workarounds.

3) The current SELinux policy is restricting the use of /dev/pts|ptm|pty and the mounted devpts FS. Most likely some of the policy/behavior is wrong.


Useful links:
http://su.chainfire.eu/
http://www.xda-developers.com/androi...ent-root-apps/
http://www.xda-developers.com/androi...the-right-way/
 
E:V:A
(Last edited by E:V:A; Yesterday at 12:33 PM.)
#7  
Another possible reason for this issue, could be that since AOS 4.3 (and possibly some 4.2.2 in Enforcing) versions, the WRITE_EXTERNAL_STORAGE permissions in /system/etc/permissions/platform.xml have been changed to a much more restrictive setting, where Apps can ONLY write to their own directory. For a good description of the problem and solution:

[APP][4.4][ROOT] SDFix: Modify device permissions to allow apps to write to MicroSD
http://forum.xda-developers.com/show....php?t=2684188
https://plus.google.com/+TodLiebeck/posts/gjnmuaDM8sn

This needs to be checked.

=========================== EDIT =====================


On 4.2.2 Enforcing, we have:
Code:
...
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
    <group gid="sdcard_r" />
</permission>

<permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
    <group gid="sdcard_rw" />
    <group gid="media_rw" />
</permission>
...

This seems OK, but perhaps SSHelper also needs to set its GID to "sdcard_rw"?
Because on KK 4.4.2b4 we have:
Code:
    <permission name="android.permission.READ_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="media_rw" />
    </permission>

    <permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="sdcard_rw" />
        <group gid="media_rw" />
    </permission>

    <permission name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="sdcard_rw" />
        <group gid="sdcard_all" />
    </permission>

    <permission name="android.permission.WRITE_MEDIA_STORAGE" >
        <group gid="media_rw" />
    </permission>

Looking at the permissions in our AndroidManifest.xml file, and comparing that to issue#315 in Android-Terminal-Emulator, it could be that we also need to add the READ_EXTERNAL_STORAGE permission, which is not present in our manifest, and contrary to what Google said about WRITE_EXTERNAL_STORAGE as automatically including READ_ access.


To help troubleshoot permission problems when running on an AOS with enabled SELinux (>4.2.2), please provide the output of the following commands:
Code:
getprop |grep "ro.build.*"
getenforce
cat /data/misc/audit/audit.log
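
An added example, not part of the original posts: a shell/awk summary of the SELinux AVC denials in an audit log such as the one requested above, grouped by process, source domain, target type, class and permissions, so that the pty, su and storage hypotheses from this thread can be checked against what was actually denied. The log lines are constructed samples in the usual `avc: denied` layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials from an audit log.

# Audit text on stdin -> one line per distinct denial, most frequent first:
#   count comm source_domain target_type:class {perms}
# $1 = optional substring that comm must contain (e.g. "ssh").
# Limitation: a comm value containing spaces is cut at the first space.
avc_summary() {
    awk -v want="$1" '
        function field(name,    i, v) {           # value of name=... on this line
            for (i = 1; i <= NF; i++)
                if (index($i, name "=") == 1) {
                    v = substr($i, length(name) + 2)
                    gsub(/"/, "", v)
                    return v
                }
            return "?"
        }
        function setype(ctx,    p) {              # u:r:untrusted_app:s0 -> untrusted_app
            return (split(ctx, p, ":") >= 3) ? p[3] : ctx
        }
        /avc:/ && /denied/ {
            comm = field("comm")
            if (want != "" && index(comm, want) == 0) next
            s = index($0, "{"); e = index($0, "}")
            if (s == 0 || e <= s) next            # malformed record, skip it
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
            key = comm " " setype(field("scontext")) " " \
                  setype(field("tcontext")) ":" field("tclass") " {" perms "}"
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real device).
sample_audit_log() {
    cat <<'EOF'
type=1400 msg=audit(1406030000.101:11): avc:  denied  { read write } for  pid=4321 comm="sshelper_sshd" name="ptmx" dev=tmpfs ino=4101 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file
type=1400 msg=audit(1406030002.300:12): avc:  denied  { read write } for  pid=4330 comm="sshelper_sshd" name="ptmx" dev=tmpfs ino=4101 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file
type=1400 msg=audit(1406030005.020:13): avc:  denied  { execute } for  pid=4400 comm="su" name="busybox" dev=mmcblk0p29 ino=9001 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=1400 msg=audit(1406030009.500:14): avc:  denied  { search } for  pid=4412 comm="mediaserver" name="0" dev=fuse ino=2 scontext=u:r:mediaserver:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir
type=1404 msg=audit(1406030010.000:15): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
EOF
}

echo "== all denials =="
sample_audit_log | avc_summary ""
echo "== denials for processes whose name contains 'ssh' =="
sample_audit_log | avc_summary ssh
```

On a device the same function reads the real log: `avc_summary ssh < /data/misc/audit/audit.log`.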

Tags
selinux, server, sftpd, sshd, sshelper