Can't SSH into Ubuntu Touch device

Question

From my computer:

cameron@cameron-ubuntu:~$ ssh phablet@192.168.99.124
Permission denied (publickey).

So it seems that openssh on the phone doesn't have password authentication enabled. But it seems to me like it should. /etc/ssh/sshd_config from the phone is the default:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

I did also try with PasswordAuthentication yes (i.e. uncommented, but it seems to me like "yes" is the default).

Also, in case it contains some useful information that I'm not aware of, ssh -v:

cameron@cameron-ubuntu:~$ ssh phablet@192.168.99.124 -v
OpenSSH_6.6, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.99.124 [192.168.99.124] port 22.
debug1: Connection established.
debug1: identity file /home/cameron/.ssh/id_rsa type -1
debug1: identity file /home/cameron/.ssh/id_rsa-cert type -1
debug1: identity file /home/cameron/.ssh/id_dsa type -1
debug1: identity file /home/cameron/.ssh/id_dsa-cert type -1
debug1: identity file /home/cameron/.ssh/id_ecdsa type -1
debug1: identity file /home/cameron/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/cameron/.ssh/id_ed25519 type -1
debug1: identity file /home/cameron/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-7
debug1: match: OpenSSH_6.6.1p1 Ubuntu-7 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 7f:25:18:85:69:9f:9f:f2:25:e8:93:93:c1:50:56:c6
debug1: Host '192.168.99.124' is known and matches the ECDSA host key.
debug1: Found key in /home/cameron/.ssh/known_hosts:16
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/cameron/.ssh/id_rsa
debug1: Trying private key: /home/cameron/.ssh/id_dsa
debug1: Trying private key: /home/cameron/.ssh/id_ecdsa
debug1: Trying private key: /home/cameron/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

See SSH Ubuntu Touch for a working solution. As always with password-less authentication you need to place a /home/phablet/.ssh/authorized_keys file (with a public key of the PC you're using to access the Ubuntu Touch device) on your device. — Peterino, Feb 11 '16 at 23:49

score 3 · Accepted Answer · answered Jan 03 '15 at 18:54

The SSH daemon on the phone runs with the options

/usr/sbin/sshd -D -o PasswordAuthentication=no

which overrides any options in configuration files. It might be difficult to change that.

In this case it might be easier (and more secure) to set up public key authentication. Paste your public key to /home/phablet/.ssh/authorized_keys2. Yes, there is a 2 at the end, which makes me think that /etc/ssh/sshd_config isn't even used.

You only need a way to initially log into your phone. Try adb shell, or the buttons in Qt Creator from the Ubuntu SDK to enable developer mode, setup public key authentication etc.

This is it. Tested running the service directly without that option and password login works. — Cameron Lee, Jan 04 '15 at 19:54

score 3 · Answer 2 · answered Jan 21 '15 at 12:21

3

/etc/init/ssh.override is the one where default ssh options are overridden.

cat /etc/init/ssh.override 
manual

exec /usr/sbin/sshd -D -o PasswordAuthentication=no

So you can remove it from here.

answered Jan 21 '15 at 12:21

Petar

257

gorn · Answer 3 · 2015-04-01T04:52:42.617

Install terminal app on your phone. Switch to developers mode (in settings / About device) and set password (not pin). Run terminal and type in this command

/usr/sbin/sshd

now you can connect to the device using ssh from your computer by (something like)

ssh phablet@192.168.1.100

Use the passwword you put in when switching to developers mode. The IP address needs to be IP of your phone of course. If you do not know it, just run ifconfig command in terminal of your phone and look for IP near wlan interface.

If you want to make it easier next time, copy the key from your computer to mobile by

ssh-copy-id phablet@192.168.1.100

next time you won't need the password and you may even disable the developers mode. Still you need to run the ssh server, this time with command

sudo /etc/init.d/sshd restart

Can't SSH into Ubuntu Touch device

3 Answers3

Linked