SSHD on LineageOS 14.1

As I’m currently switching phones I had to revisit the issue of how to get sshd running on a pristine LineageOS install. I decided to collect the steps here as the how-to formerly available on the CM wiki has vanished together with CM itself. Note that some  steps are not incredibly detailed and you really should be aware of the security implications before going ahead with this.

Prerequisites

Configuring SSHD

While LineageOS includes all necessary software, the configuration of sshd must be completed manually:

  1. Connect the device via USB
  2. Run adb with root privileges:
    adb root
  3. Upload your public ssh key to the device:
    adb push ~/.ssh/id_rsa.pub /data/ssh/authorized_keys
  4. Now, open a root shell and switch to bash to get vim to behave nicely on the device through adb:
    adb shell
    bash
  5. Use cat or vim to make the following fragment the contents of /data/ssh/sshd_config:

    AuthorizedKeysFile /data/ssh/authorized_keys
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    PermitRootLogin no
    Subsystem sftp internal-sftp
    pidfile /data/ssh/sshd.pid

  6. Place a modified version of the start script in the userinit.d directory:
    mkdir /data/local/userinit.d
    sed 's#/system/etc/ssh#/data/ssh#' /system/bin/start-ssh \
          > /data/local/userinit.d/99sshd
  7. Now correct the file privileges:
    chmod 755 /data/local/userinit.d/99sshd
    chmod 600 /data/ssh/authorized_keys
    chown shell /data/ssh/authorized_keys
    chmod 644 /data/ssh/sshd_config

Running SSHD

Now you should be able to run sshd manually by executing
/data/local/userinit.d/99sshd
If so you can log on as user shell to the device using your ssh key. See my previous post to find out how you can make sure sshd is started whenever the device is booted.

3 Comments

  1. Nice tutorial

    I battled with this for a while, but eventually started sshd in debug to see why I couldn’t connect. It was permissions on /data

    Not wanting to make /data more restrictive, I set StrictMode to no in the config.

    Anyone got a better approach?

  2. Hello,

    thank you for your tutorial! I have set up SSHD on my Fairphone 2 with LineageOS 15.1 by your tutorial, but all attempts to log in ended up with the message “Permission denied (publickey).”. It seems that there is something with the permission settings of the file authorized_keys or, most likely, with the directories above it, that the server doesn’t like.
    So I added the line “StrictModes no” to sshd_config and I can log in since.

    Your tutorial is based on LineageOS 14.1. Is this issue caused by a difference between the permission settings of 14.1 and 15.1? I did not make any changes to them.

    With best regards
    Rolf Lucius

  3. Sorry for the latency, just ran the procedure on a new phone with Lineage 17 and it works just fine. The only thing that didn’t work right away was getting a root shell through “adb root”, but using su from an unprivileged shell worked fine.

Leave a Reply

Your email address will not be published.