
[APP][INFO|SUPPORT] SSHelper (The free Android SSH Server Application)


2nd June 2014, 09:51 AM   |  #1  
E:V:A's Avatar
OP Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,808
1,352 posts
Join Date:Joined: Dec 2011
SSHelper (The free Android SSH Server Application)

Date: 2014-06-02
Difficulty: Easy

This is the XDA SSHelper support thread for the only completely open
source, transparent, free and ad-less SSH daemon/server Application for
Android. Sure there are plenty of other Android SSH server apps out there, but
you can try to find one that is both free, without any ads, where all
the sources are clearly available and documented, where their developer
can be reached and contacted, and that has its own website.

To make things even better, I decided to start this thread in honor of,
and with permission by the main developer and scientist, Paul Lutus.
He's been developing software for NASA since the 80's and wrote one of
the first word processors for Apple-I. You can read all about it on his

Another important reason for this thread is that SSHelper was developed
under CyanogenMod which is an AOSP ROM. This may cause many unexpected
side effects since those devices behave very differently from stock
(out-of-the-box) firmwares. While AOSP ROMs often add many new features,
they also remove many other OEM features that are mostly unknown or not
understood by the ROM builders/developers. So basing your app
development on a custom ROM is really begging for support trouble. This
will become even more apparent with the recent moves by Godzilla to make
AOS SELinux Enforced by default.

If you just need an SSH server right away, you can download the APK
directly from his website HERE or indirectly from Google Play.

The minimum required AOS is Honeycomb 3.2 / API 13, and the
current version is: 6.3 (04.28.2014).

SSHelper Features

SSHelper is much more than just an SSH server, it also offers:
  • full Rsync support
  • full sshd_config file support
  • full shell profile support
  • HTTP server
  • SCP server
  • SFTP server
  • Detailed Debug info (via App and web server)
  • Detailed Logcat view
  • Terminal Shell with OTG keyboard
  • and a full Busybox implementation

The Support

However, as you can imagine, the more supported features, the more
potential for problems. As the developer is a wild-life adventurer he's
not constantly sitting in front of his computer waiting to solve other
people's problems, but often extremely isolated in the Alaskan wilderness
or in a small boat in the middle of the Pacific.

That's why we need this thread. Other users may be able to help you if
they have had similar or previous problems. And if those problems aren't
solvable here, hopefully Paul will be able to have an occasional look,
insight and update.

However, since this application is based on OpenSSL / OpenSSH and so on,
the best place to find solutions and ask general SSH related questions
is on any of the 5 StackExchange related Q&A sites:

You should also have a good read at the SSHelper main support site.

So before posting here, search there first!

Required Android Permissions
( in: ../SSHelper/AndroidManifest.xml )
These will probably need to be updated in order to solve some issues
when used on devices running SEAndroid in Enforced mode.

Application File Locations

All the SSHelper related files are located in and below the base directory at:

bin             Here are all the binary assets, such as busybox and sshd etc.
home            Your home directory when using SSH
lib             Symlinked to:  /data/app-lib/com.arachnoid.sshelper-1

The APK Assets

Installed Binaries

From Busybox we have:
BusyBox v1.21.0 (2014-04-01 22:29:02 PDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, ar, arp, ash, awk, base64, basename, bbconfig, beep, blkid,
        blockdev, bootchartd, bunzip2, bzcat, bzip2, cal, cat, catv, chat,
        chattr, chgrp, chmod, chown, chpst, chroot, chrt, chvt, cksum, clear,
        cmp, comm, cp, cpio, crond, crontab, cttyhack, cut, dc, dd, deallocvt,
        depmod, devmem, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix,
        dpkg, dpkg-deb, du, dumpkmap, echo, ed, egrep, env, envdir, envuidgid,
        expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
        fdisk, fgconsole, fgrep, find, findfs, flash_lock, flash_unlock,
        flashcp, flock, fold, free, freeramdisk, fsync, ftpd, ftpget, ftpput,
        fuser, getopt, grep, gunzip, gzip, halt, hd, hdparm, head, hexdump,
        hostname, httpd, hwclock, ifconfig, ifdown, ifup, init, inotifyd,
        insmod, install, iostat, ip, ipaddr, ipcalc, iplink, iproute, iprule,
        iptunnel, klogd, less, linuxrc, ln, loadkmap, losetup, lpd, lpq, lpr,
        ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,
        makedevs, makemime, man, md5sum, mdev, mesg, mkdir, mkfifo, mknod,
        mkswap, mktemp, modinfo, modprobe, more, mpstat, mv, nbd-client, nc,
        netstat, nice, nmeter, nohup, od, openvt, patch, pidof, ping,
        pipe_progress, pmap, popmaildir, poweroff, powertop, printenv, printf,
        ps, pscan, pstree, pwd, pwdx, raidautorun, rdev, readlink, readprofile,
        realpath, reboot, reformime, renice, reset, resize, rev, rm, rmdir,
        rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runsv, runsvdir, rx,
        script, scriptreplay, sed, sendmail, seq, setconsole, setkeycodes,
        setlogcons, setserial, setsid, setuidgid, sha1sum, sha256sum, sha3sum,
        sha512sum, showkey, sleep, smemcap, softlimit, sort, split,
        start-stop-daemon, strings, stty, sum, sv, svlogd, switch_root, sync,
        sysctl, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,
        tftpd, time, timeout, top, touch, tr, traceroute, true, ttysize,
        tunctl, tune2fs, udpsvd, uname, uncompress, unexpand, uniq, unix2dos,
        unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode, uuencode,
        vconfig, vi, volname, watch, wc, wget, which, whoami, whois, xargs, xz,
        xzcat, yes, zcat

In addition to that, in the $SSHELPER/bin we find:

References and Resources:


Last edited by E:V:A; 26th July 2014 at 01:47 PM.
2nd June 2014, 09:52 AM   |  #2  
E:V:A's Avatar
OP Recognized Developer
Some Application Options

When you start the application you will see a list of different
configuration settings. The detailed description of each one is found
HERE. The most important being:

SSH Server Port Number  (Default: 2222)
Server Password         (Default: admin)

Some Environment Variables

When you use SSHelper to login via SSH, you end up in the temporary
mksh shell at the home location set by the environment variable $ENV
which is set to be:


This behavior is contrary to what is normally used on Linux machines
where you end up in the $HOME directory. A few other important shell
variables are:

And to get the whole set, use the command "set":

 KSH_VERSION='@(#)MIRBSD KSH R40 2011/10/07'
 PS1='$USER@$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '
 PS2='> '
 PS3='#? '
 PS4='+ '
 SSH_CLIENT='192.168.xx.xx 14115 2222'
 SSH_CONNECTION='192.168.xx.xx 14115 192.168.yy.yy 2222'
(These may vary somewhat, depending on your device.)

The default profile and sshd_config


# place user customizations here
 uname -s -r -m
 alias ls="$SSHELPER/bin/ls"
 export PS1='$USER@$BOARD:$(basename $PWD) $( (($USER_ID)) && echo \$ || echo \#) '

If you are rooted and already have Busybox installed, it is highly
recommended to edit this file.

#       $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.

 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.

 #Port 22
 #AddressFamily any
 #ListenAddress ::

 # The default requires explicit activation of protocol 1
 #Protocol 2

 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_rsa
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_dsa
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_ecdsa

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024

 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO

 # Authentication:

 #LoginGraceTime 2m
 #PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

 #RSAAuthentication yes
 #PubkeyAuthentication yes

 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys

 # AuthorizedKeysFile (path)

 #AuthorizedPrincipalsFile none

 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 # HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 # IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
 # PasswordAuthentication no
 # PermitEmptyPasswords yes

 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes

 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no

 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes

 # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
 # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
 # in this release. The use of 'gssapi' is deprecated due to the presence of
 # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
 #GSSAPIEnableMITMAttack no

 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 # UsePAM no

 # AllowAgentForwarding yes # default
 # AllowTcpForwarding yes # default
 #GatewayPorts no
 #X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
 PrintLastLog no
 #TCPKeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation no
 PermitUserEnvironment yes # allow ~/.ssh/environment to contain useful path and envs for logins
 Compression yes
 ClientAliveInterval 300 # 300 seconds of idle time
 ClientAliveCountMax 5 # after five queries, disconnect
 UseDNS no
 # PidFile
 #MaxStartups 10
 #PermitTunnel no
 #VersionAddendum none

 # no default banner path
 #Banner none

 # override default of no subsystems
 Subsystem       sftp internal-sftp

 # This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).

 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #       X11Forwarding no
 #       AllowTcpForwarding no
 #       ForceCommand cvs server

 #Match LocalAddress
 #  X11Forwarding yes
 #  AllowTcpForwarding yes
 #  AllowUsers sshelper
Last edited by E:V:A; 2nd June 2014 at 10:29 AM.
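
Added example, not part of the original post and not SSHelper code: a small audit of the global section of an sshd_config like the one quoted above, reporting the effective values that matter most given the default server password. The function names, the sample file (constructed from the uncommented lines of the quoted config) and the fallback defaults (assumed to be those of OpenSSH 6.x) are assumptions; options the app passes with -o on the sshd command line take precedence over the file and are not seen here.

```shell
#!/bin/sh
# Added example (not SSHelper code): report risky effective settings in the
# global section of an sshd_config read from a file argument or from stdin.
audit_sshd_config() {
    awk '
        # Effective value: the configured one, else the assumed 6.x default.
        function eff(k, dflt) { return (k in val) ? val[k] : dflt }
        function warn(what, why) { printf "WARN %s: %s\n", what, why }

        { sub(/^[ \t]+/, "") }                    # leading blanks are ignored
        /^#/ || /^$/ { next }                     # comment or empty line
        { key = tolower($1) }                     # keywords are case-insensitive
        key == "match" { exit }                   # global section only
        key == "hostkey" { hostkeys = hostkeys " " $2; next }
        !(key in val) { val[key] = tolower($2) }  # first value read wins

        END {
            if (eff("passwordauthentication", "yes") == "yes")
                warn("PasswordAuthentication yes", "password logins accepted, so the server password must not stay at its default")
            if (eff("permitemptypasswords", "no") == "yes")
                warn("PermitEmptyPasswords yes", "accounts with an empty password can log in")
            if (eff("useprivilegeseparation", "yes") == "no")
                warn("UsePrivilegeSeparation no", "pre-authentication network code is not isolated in an unprivileged child")
            if (eff("permituserenvironment", "no") == "yes")
                warn("PermitUserEnvironment yes", "~/.ssh/environment is honoured; sshd_config(5) notes this can bypass access restrictions")
            n = split(hostkeys, hk, " ")
            for (i = 1; i <= n; i++)
                if (hk[i] ~ /_dsa/)               # file-name heuristic (assumption)
                    warn("HostKey " hk[i], "name suggests a DSA key, which OpenSSH limits to 1024 bits")
        }
    ' "$@"
}

# Constructed sample: uncommented lines of the quoted sshd_config plus a few
# of its commented ones, to show that comments fall back to the defaults.
sample_config() {
    cat <<'EOF'
 #Port 22
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_rsa
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_dsa
 HostKey /data/data/com.arachnoid.sshelper/home/.ssh/id_ecdsa
 # PasswordAuthentication no
 # PermitEmptyPasswords yes
 PrintLastLog no
 UsePrivilegeSeparation no
 PermitUserEnvironment yes # allow ~/.ssh/environment to contain useful path and envs for logins
 Compression yes
 UseDNS no
 Subsystem       sftp internal-sftp
 #Match LocalAddress
EOF
}

sample_config | audit_sshd_config
```

On a device the same function can be pointed at the real file, e.g. `audit_sshd_config /path/to/sshd_config`.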
2nd June 2014, 09:54 AM   |  #3  
E:V:A's Avatar
OP Recognized Developer
Some SELinux / SEAndroid related issues

< WIP: may contain inaccuracies! >

So you're rooted and you hope to use SSH to get a root shell,
like in the good old days (yesterday), and now you've got trouble!

Thanks to Godzilla and Samsung, we now have to deal with something called
SEAndroid which stands for "Security Enhanced Linux (SEL) for Android".
This would not have been so bad, if it wasn't because these companies now
want to enable the very strict Enforcing mode, by default.
That means that nothing you're once used to, when you have root access,
works and behaves as expected. In fact SEL restricts root user, just like
any other, so you have to spend some weeks trying to understand how that
is dealt with and managed from a Super-User's perspective.

So trying to get a root shell from an SSH session, is now likely to fail

  • You have a Samsung KNOX enabled device. Samsung KNOX is deeply intertwined with SEL.
    ==> Remove all KNOX garbage.
  • Your SEL policy is not allowing SSHelper to allocate a pseudo-terminal (/dev/ptmx ) because the /dev/pts directory is mounted as RO as type /devpts.
    ==> remount /dev/pts to enable RW: mount -o remount,rw -t devpts /dev/pts
  • Your SEL policy is still not allowing you to su from outside SE context "init_shell".
    ==> Temporarily set SEL to Permissive mode with: su 0 setenforce 0
  • Your SEL policy is not allowing you to ... period.
    ==> Unless you have a locked bootloader, disable SEL by flashing an insecure kernel/ROM that either doesn't have SEL, or at least not in Enforcing mode.
  • su is not working because:
    a) your AOS version is not handling SEL policies right.
    b) your su version is not handling SEL contexts right.
  • You got fooled into buying a locked Verizon or ATT phone with locked boot loader, and no way of rooting, and no one can help you. You cannot do any development with such a phone.
    ==> Return phone and cancel your contract.

< TBA >

The mksh Shell

< WIP >

The MirBSD™ Korn Shell is better known as mksh and is now the default
shell on Androids since JB 4.1, instead of ash. I don't know why this
change was made, but I suspect it has something to do with having much
better documentation, better Linux community support and therefore more
features and better compatibility.

The current available mksh version is:
R49 (11 Jan 2014)

NOTE: This is the sources version and is not necessarily available as
an Android binary, unless you compile your own. (Please share it here!)

You can check your own Android mksh version with:

u0_a202@MSM8960:home $ echo $KSH_VERSION
 @(#)MIRBSD KSH R40 2011/10/07

The complete online man pages for mksh are found HERE.

The mksh ChangeLog is HERE.

The latest mksh sources are available HERE.

The latest statically linked ARM Android binary can be downloaded HERE.
Last edited by E:V:A; 2nd June 2014 at 10:29 AM.
2nd June 2014, 09:54 AM   |  #4  
E:V:A's Avatar
OP Recognized Developer
< Here be more Dragons 3 >
3rd June 2014, 04:09 PM   |  #5  
E:V:A's Avatar
OP Recognized Developer
The (app) Terminal

SSHelper contains its own terminal that can be better used with an external keyboard. However, the code that runs this terminal is hard-coded in the Java file: as this:

String[] com = new String[] { app.binDir + "/ssh", "-q", "-t", "-t", "-o UserKnownHostsFile /dev/null", "-o StrictHostKeyChecking no", host, "-p", port };
With the effect that the local loopback IP is set to and port as chosen in the UI.

ssh -q -t -t -o UserKnownHostsFile /dev/null -o StrictHostKeyChecking no -p <port>
Unfortunately this command will fail if there is no controlling tty allocated, or if <port> is used by, or IP is blocked by other applications, such as firewall or SEAndroid/KNOX permissions and settings.

The sshelper_sshd binary

The binary as compiled has the following options enabled:
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]
            [-u len]
However, the built-in app command line is:
sshelper_sshd -D -p <port> -h <key_file> -o PidFile <pid_file> -f <sshd_config_file> <debug_level> -e [UI_options] -o StrictModes <yes/no> -o Banner <banner_text_file> 
<debug_level>           = -d, -dd, -ddd, -dddd
<banner_text_file>      = banner1.txt (with password) or  banner2.txt (no password)

if (prefix.disablePasswords) { app.addToList(coms, "-o PasswordAuthentication no"); }
if (prefix.allowForwarding)  { app.addToList(coms, "-o PermitTunnel yes"); }
This way, if you need more special features, you can run the server from a local shell command line.

The full details you can find HERE, but the most important are shown below.
From the sshd manual pages:
     -D      When this option is specified, sshd will not detach and does not
             become a daemon.  This allows easy monitoring of sshd.

     -d      Debug mode.  The server sends verbose debug output to standard
             error, and does not put itself in the background.  The server
             also will not fork and will only process one connection.  This
             option is only intended for debugging for the server.  Multiple
             -d options increase the debugging level.  Maximum is 3.

     -e      Write debug logs to standard error instead of the system log.

     -f config_file
             Specifies the name of the configuration file.  The default is
             /etc/ssh/sshd_config.  sshd refuses to start if there is no
             configuration file.

     -h host_key_file
             Specifies a file from which a host key is read.  This option must
             be given if sshd is not run as root (as the normal host key files
             are normally not readable by anyone but root).  The default is
             /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
             protocol version 2.  It is possible to have multiple host key
             files for the different protocol versions and host key

     -o option
             Can be used to give options in the format used in the
             configuration file.  This is useful for specifying options for
             which there is no separate command-line flag.  For full details
             of the options, and their values, see sshd_config(5).

     -p port
             Specifies the port on which the server listens for connections
             (default 22).  Multiple port options are permitted.  Ports
             specified in the configuration file with the Port option are
             ignored when a command-line port is specified.  Ports specified
             using the ListenAddress option override command-line ports.

     -q      Quiet mode.  Nothing is sent to the system log.  Normally the
             beginning, authentication, and termination of each connection is

     -t      Test mode.  Only check the validity of the configuration file and
             sanity of the keys.  This is useful for updating sshd reliably as
             configuration options may change.
Last edited by E:V:A; 3rd June 2014 at 05:24 PM.
1st July 2014, 02:50 PM   |  #6  
E:V:A's Avatar
OP Recognized Developer
So after having updated SuperSU from 1.94 to 2.00, I've suddenly got some different SELinux errors in the AVC log, but it did not resolve the issue. This partially confirms that this is a combined App + SELinux issue, due to several factors:

1) App is not performing the SU operation according to current (latest AOSP) standards. For example, from THIS issue on Stackoverflow, apparently AOS >4.3 (or more likely those using SELinux 4.2.2) are no longer using setuid(), and if you still wanna use it, it is suggested to do a fork() before. In addition su has to be made in the right context.

2) According to THIS article, SU is no longer allowed to execute files on the /data partition, although there are some workarounds. Please read Chainfire's blog about how to SU, for latest developments, and workarounds.

3) The current SELinux policy is restricting the use of /dev/pts|ptm|pty and the mounted devpts FS. Most likely some of the policy/behavior is wrong.

Useful links:
Last edited by E:V:A; 22nd July 2014 at 12:24 PM.
22nd July 2014, 11:00 AM   |  #7  
E:V:A's Avatar
OP Recognized Developer
Another possible reason for this issue, could be that since AOS 4.3 (and possibly some 4.2.2 in Enforcing) versions, the WRITE_EXTERNAL_STORAGE permissions in /system/etc/permissions/platform.xml have been changed to a much more restrictive setting, where Apps can ONLY write to their own directory. For a good description of the problem and solution:

[APP][4.4][ROOT] SDFix: Modify device permissions to allow apps to write to MicroSD

This needs to be checked.

=========================== EDIT =====================

On 4.2.2 Enforcing, we have:
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
    <group gid="sdcard_r" />
</permission>

<permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
    <group gid="sdcard_rw" />
    <group gid="media_rw" />
</permission>

This seems OK, but perhaps SSHelper also needs to set its GID to "sdcard_rw"?
Because on KK 4.4.2b4 we have:
    <permission name="android.permission.READ_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="media_rw" />
    </permission>

    <permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="sdcard_rw" />
        <group gid="media_rw" />
    </permission>

    <permission name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE" >
        <group gid="sdcard_r" />
        <group gid="sdcard_rw" />
        <group gid="sdcard_all" />
    </permission>

    <permission name="android.permission.WRITE_MEDIA_STORAGE" >
        <group gid="media_rw" />
    </permission>

Looking at the permissions in our AndroidManifest.xml file, and comparing that to issue#315 in Android-Terminal-Emulator, it could be that we also need to add the READ_EXTERNAL_STORAGE permission, which is not present in our manifest, and contrary to what Google said about WRITE_EXTERNAL_STORAGE as automatically including READ_ access.

To help troubleshoot permission problems when running on an AOS with enabled SELinux (>4.2.2), please provide the output of the following commands:
getprop |grep "*"
cat /data/misc/audit/audit.log
Last edited by E:V:A; 30th July 2014 at 12:33 PM.
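
Added example, not part of the original posts and not SSHelper code: when collecting the audit.log requested above, grouping the AVC denials by process, source type, target type and object class makes it easier to see which rule is blocking the pty or su step. The function names are hypothetical, the log lines are constructed samples in the usual kernel "avc: denied" layout, and the contexts shown are illustrative rather than taken from a real device.

```shell
#!/bin/sh
# Added example (not SSHelper code): group SELinux AVC denials from an audit
# log on stdin by process, source type, target type and object class.
# Optional $1: only keep denials whose comm contains this substring.
avc_summary() {
    awk -v want="${1:-}" '
        # Value of name=... on the current line, quotes removed, "?" if absent.
        function field(name,   i, v) {
            for (i = 1; i <= NF; i++)
                if (index($i, name "=") == 1) {
                    v = substr($i, length(name) + 2)
                    gsub(/"/, "", v)
                    return v
                }
            return "?"
        }
        # u:object_r:devpts:s0 -> devpts (third field of the context).
        function setype(ctx,   p) {
            return (split(ctx, p, ":") >= 3) ? p[3] : ctx
        }
        /avc:/ && /denied/ {
            comm = field("comm")
            if (want != "" && index(comm, want) == 0) next
            key = comm " " setype(field("scontext")) " -> "
            key = key setype(field("tcontext")) " " field("tclass")
            count[key]++
            # Permissions are the words between the braces.
            s = index($0, "{"); e = index($0, "}")
            n = split(substr($0, s + 1, e - s - 1), perm, " ")
            for (i = 1; i <= n; i++)
                if (!((key, perm[i]) in seen)) {
                    seen[key, perm[i]] = 1
                    sep = (perms[key] == "") ? "" : ","
                    perms[key] = perms[key] sep perm[i]
                }
        }
        END { for (k in count) printf "%d %s { %s }\n", count[k], k, perms[k] }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log lines (not captured from a device).
sample_audit_log() {
    cat <<'EOF'
type=1400 audit(1404218400.101:41): avc:  denied  { read write } for  pid=4321 comm="sshelper_sshd" name="ptmx" dev="tmpfs" ino=5120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file
type=1400 audit(1404218400.105:42): avc:  denied  { open } for  pid=4321 comm="sshelper_sshd" name="ptmx" dev="tmpfs" ino=5120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file
type=1400 audit(1404218401.220:43): avc:  denied  { search } for  pid=4321 comm="sshelper_sshd" name="/" dev="devpts" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:devpts:s0 tclass=dir
type=1400 audit(1404218402.007:44): avc:  denied  { execute } for  pid=4390 comm="su" name="busybox" dev="mmcblk0p29" ino=81234 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=1300 audit(1404218402.007:44): arch=40000028 syscall=11 success=no exit=-13 comm="su"
EOF
}

sample_audit_log | avc_summary
```

Against a real log the call would be `avc_summary sshelper < /data/misc/audit/audit.log`; a comm value containing spaces is cut at the first space.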
1st October 2014, 07:07 PM   |  #8  
E:V:A's Avatar
OP Recognized Developer
I have now found a work-around for the lost terminal job-control.
It's described in detail HERE.


selinux, server, sftpd, sshd, sshelper