... | ... | @@ -211,3 +211,87 @@ Example, from your Home directory: |
|
|
`scp example.txt purism@192.168.xxx.xxx:/home/purism/Documents` (This goes to the L5’s Documents folder.)
|
|
|
|
|
|
TIP: Although you perform `scp` without logging in to the other device with `ssh`, it may be helpful to use `ssh` first in order to list (`ls`) the contents of a folder so that it will be easy to copy and paste the name of a file or files for `scp`. Just be sure to exit `ssh` before you use `scp` or you’ll get an error.
|
|
|
|
|
|
(Related discussion on this topic can be found in the community forum: https://forums.puri.sm/t/tutorial-using-ssh-and-scp/13080)
|
|
|
|
|
|
* Enhancing Security for Secure Shell (ssh)
|
|
|
|
|
|
Relying on the L5's passcode when using `ssh` for remote access provides relatively weak security. See below for more secure options.
|
|
|
|
|
|
* Option 1: Use private/public key-pair authentication, and disable password-based authentication for remote login.
|
|
|
|
|
|
These instructions will also work with a Unix/Linux-based server, or the Pinephone.
|
|
|
|
|
|
Enable ssh access to your Librem 5. (See related tutorial.)
|
|
|
|
|
|
|
|
|
On computer, generate the public/private RSA keys.
|
|
|
|
|
|
Open a Terminal session your computer and type the following command:
|
|
|
|
|
|
`ssh-keygen -t rsa`
|
|
|
OR
|
|
|
`ssh-keygen`
|
|
|
|
|
|
Enter file in which to save the key (/home/{YOUR_ID}/.ssh/id_rsa):
|
|
|
Created directory ‘/home/{YOUR_ID}/.ssh’.
|
|
|
Enter passphrase (empty for no passphrase):
|
|
|
Enter same passphrase again:
|
|
|
Your identification has been saved in /home/{YOUR_ID}/.ssh/id_rsa.
|
|
|
Your public key has been saved in /home/{YOUR_ID}/.ssh/id_rsa.pub.
|
|
|
|
|
|
On computer copy the contents of the id_rsa.pub key onto the Librem 5. The following command will log into your Librem 5, and configure the keys to grant access via the authorized_keys file.
|
|
|
|
|
|
`ssh-copy-id -i ~/.ssh/id_rsa.pub purism@host`
|
|
|
|
|
|
(ex. `192.168.xxx.xxx`, substitute with your ip address)
|
|
|
|
|
|
You will be asked for your password into the Librem 5 in this step.
|
|
|
Only your public key is copied. Always keep your private key private.
|
|
|
|
|
|
Restart your phone.
|
|
|
|
|
|
On computer, login to your phone using key-based authentication
|
|
|
|
|
|
`ssh purism@host` (ex. `ssh purism@192.168.xxx.xxx`)
|
|
|
|
|
|
On Librem 5, disable password-based authentication
|
|
|
|
|
|
`ssh purism@host`
|
|
|
|
|
|
Use an editor like `Nano` or `Vim` to edit the following `/etc/ssh/sshd_config`, using admin rights.
|
|
|
|
|
|
`sudo nano /etc/ssh/sshd_config`
|
|
|
|
|
|
Find the following line:
|
|
|
|
|
|
`PasswordAuthentication yes`
|
|
|
|
|
|
And change it to:
|
|
|
|
|
|
`PasswordAuthentication no`
|
|
|
|
|
|
If there is a # (this means "commented out", that is, excluded from the command/script) at the beginning of that line, remove it.
|
|
|
|
|
|
Save the file after making these changes and restart the SSH service using this command:
|
|
|
|
|
|
`systemctl restart ssh`
|
|
|
|
|
|
To test that password-based authentication is actually disabled, from computer, try to `ssh` into the Librem 5 using a different (or non-existent) id:
|
|
|
|
|
|
`ssh otherid@host`
|
|
|
|
|
|
You should get the following error:
|
|
|
`otherid@host: Permission denied (publickey)`.
|
|
|
|
|
|
That’s it. You have successfully disabled password based authentication in `ssh`.
|
|
|
|
|
|
(Related discussion on this topic can be found in the community forum: https://forums.puri.sm/t/tutorial-enable-key-based-authentication-via-ssh-on-your-librem-5/13137)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
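Review bot: The restart step near the end of the hunk, `systemctl restart ssh`, is given without `sudo`, although the edit just before it uses `sudo nano /etc/ssh/sshd_config`; restarting the service needs the same elevation, so write it as `sudo systemctl restart ssh`. Because this step removes the password fallback, tell readers to keep their current `ssh` session open and run `sudo sshd -t` to validate the edited file before restarting, so that a typo in `sshd_config` cannot lock them out. The check with `ssh otherid@host` would be more direct if it forced password authentication against the real account, for example `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password purism@host`, and expected the same `Permission denied (publickey)` result. In the key generation step, the `Enter passphrase (empty for no passphrase):` prompt is shown with no guidance; one sentence recommending a passphrase would fit the section's stated goal. Minor: "Open a Terminal session your computer" is missing "on", and the "Restart your phone." step gives no reason for the reboot.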