# Impossible to connect remotely via ssh

## Fulgurance

Hello, I have a problem. I tried to connect with my phone via ssh to my laptop, but this doesn't work. I enabled the sshd service already, but nothing. Is it needed to enable a feature in the config file to allow remote access via ssh?

----------

## alamahant

Yes, in

/etc/ssh/sshd_config

edit

```
PasswordAuthentication yes
PermitRootLogin yes
```

Then make sure port 22/tcp is open in the firewall and restart sshd.

Then plz find a way to create ssh keys on your phone.

If successful, copy the keys over to the laptop and

re-edit

/etc/ssh/sshd_config

```
PermitRootLogin prohibit-password
PasswordAuthentication no
```

restart sshd and enjoy passwordless ssh from your phone to your laptop.

----------

## NeddySeagoon

Fulgurance,

```
PasswordAuthentication yes
PermitRootLogin yes
```

If this system is accessible from the outside world, that gives script kiddies 50% of the information required to brute force ssh.

It's OK for a test, with a good pass phrase, but not for long term use.

----------
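The two configurations quoted in the posts above (the permissive first step and the hardened second step, which NeddySeagoon's warning is about) can be checked mechanically. The following script is an added example, not code from any post in this thread: it reads an sshd_config file, reports the effective value of a directive the way sshd resolves it (first occurrence wins, comments are ignored, directives inside Match blocks are not considered), and flags the two settings discussed. The sample config files it writes are constructed for the demonstration, and the defaults it assumes when a keyword is absent are upstream OpenSSH's.

```shell
#!/bin/sh
# Added example, not from any post in this thread: audit an sshd_config file for
# the two directives discussed above (PasswordAuthentication, PermitRootLogin).
# The sample config files are constructed here so the script runs offline.

# Effective value of one global directive in an sshd_config file.
#   $1 = config file, $2 = keyword, $3 = default to report if the keyword is absent
# sshd keeps the FIRST value it reads for a keyword, so a later duplicate does not
# override an earlier one; comments and blank lines are skipped, and scanning stops
# at the first "Match" block because directives inside it are conditional.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0      { next }
        tolower($1) == "match"           { exit }
        tolower($1) == tolower(key)      { val = $2; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Report the risky settings from the thread. Prints one WARN line per finding and
# returns 1 if anything was flagged, 0 if the file looks acceptable.
# Defaults passed below are upstream OpenSSH's: PasswordAuthentication yes,
# PermitRootLogin prohibit-password.
audit_sshd_config() {
    cfg="$1"
    rc=0
    pw=$(sshd_setting "$cfg" PasswordAuthentication yes)
    root=$(sshd_setting "$cfg" PermitRootLogin prohibit-password)
    if [ "$pw" = yes ]; then
        echo "WARN PasswordAuthentication=$pw: online password guessing is possible; prefer keys"
        rc=1
    fi
    if [ "$root" = yes ]; then
        echo "WARN PermitRootLogin=$root: root is a known user name; use no or prohibit-password"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $cfg: key-only login, root password login disabled"
    return "$rc"
}

# Constructed sample 1: the first config suggested in the thread, plus a later
# duplicate line that a reader might expect to win (it does not).
LAX_CONF=$(mktemp)
cat > "$LAX_CONF" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# added later in the file, but sshd already took the first value above
PasswordAuthentication no
EOF

# Constructed sample 2: the hardened version from the same post.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
EOF

audit_sshd_config "$LAX_CONF"  || echo "-> $LAX_CONF needs attention"
audit_sshd_config "$HARD_CONF" || echo "-> $HARD_CONF needs attention"
```

On the laptop itself, `sshd -T` run as root prints the fully resolved configuration and is the authoritative check; the parser here is for reading a config file offline, and its first-occurrence rule is why appending `PasswordAuthentication no` at the end of a file that already says `yes` changes nothing.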

## Fulgurance

Oh yeah, I read that, and I was already thinking this can be a way to be attacked... Thank you for your advice.

Are there other, more secure ways to do that?

----------

## alamahant

*Quote:*

> Oh yeah, I read that, and I was already thinking this can be a way to be attacked... Thank you for your advice.
>
> Are there other, more secure ways to do that?
> ...

Yes, plz use key authentication. Plz look at my updated post above.

I was using this ssh client on my tablet

https://play.google.com/store/apps/details?id=com.sonelli.juicessh&hl=en&gl=US

Neddy is 100% right.

You will be getting countless attempts to ssh into your laptop.

Best use this scheme only in your LAN.

If you definitely need access to your laptop from the internet, consider some of these:

1. use a different sshd port, but it will not really protect you.

2. use a vpn

3. use torified ssh, i.e. ssh over tor. It is very safe but very slow.

4. totally prohibit root ssh access

```
PermitRootLogin no
```

----------

## mv

*NeddySeagoon wrote:*

> Fulgurance,
>
> ```
> PasswordAuthentication yes
>
> ...

What do you mean by 50% information? If a user name is really 50% information, you are doing something very wrong with your passwords.

*Quote:*

> It's OK for a test, with a good pass phrase, but not for long term use.

If all your users have a sufficiently long passphrase, there is no risk with it.

That being said, most users and administrators do not have the discipline to use such a long passphrase so that, in practice, you are right.

BTW, isn't there also a way to use SSL certificates instead of keys? Maybe with Let's Encrypt this might become an option even for "normal" users nowadays?

(I never tried that, but I know that on Android it was hard to find a free open-source app which uses keys.)

----------

## NeddySeagoon

mv,

The 50% meant that you need both a username and password.

The username root is widely known.

I did not intend to imply that it was 50% of the entropy, for want of a better word, to achieve a successful login.

Connectbot on Android has an option to manage public keys.

----------

## figueroa

Use Fail2Ban on your host with stringent settings. This will discourage script kiddies.

----------

## Leonardo.b

The firewall can be configured to notice when someone attempts to connect to ports in a certain range (a sort of minecamp), and add the IPs of matching connections to a banlist.

It helps if you have sshd on non-default port.

----------
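figueroa's Fail2Ban suggestion and Leonardo.b's firewall banlist both rest on the same step: counting failed logins per source address in the sshd log and picking the addresses that cross a threshold. As an added example that is not from any post in this thread, here is that counting step in POSIX shell and awk, run over constructed log lines in OpenSSH's syslog format; the addresses come from the documentation ranges and the fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example, not from any post in this thread: the counting step behind a
# Fail2Ban-style filter. It tallies "Failed password" lines per source address in
# an OpenSSH auth log and prints the sources at or above a threshold.
# The log lines below are constructed (TEST-NET addresses) so this runs offline.

AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Jan 12 10:01:02 laptop sshd[1234]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 10:01:04 laptop sshd[1234]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 10:01:05 laptop sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 12 10:01:07 laptop sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 12 10:01:09 laptop sshd[1251]: Failed password for invalid user pi from 203.0.113.7 port 51041 ssh2
Jan 12 10:02:00 laptop sshd[1260]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jan 12 10:02:03 laptop sshd[1260]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jan 12 10:03:11 laptop sshd[1270]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jan 12 10:03:20 laptop sshd[1271]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Jan 12 10:04:00 laptop sshd[1272]: Connection closed by authenticating user root 203.0.113.7 port 51050 [preauth]
EOF

# Count failed password attempts per source IP.
#   $1 = log file; output: "<count> <ip>" per source, most attempts first.
# Only lines logged by sshd with "Failed password for" count; the address is the
# token after "from", which covers both "for USER from" and
# "for invalid user USER from".
failed_password_counts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# Sources that reached the threshold: candidates for a temporary ban.
#   $1 = log file, $2 = minimum number of failures
brute_force_sources() {
    failed_password_counts "$1" | awk -v min="$2" '$1 >= min { print }'
}

# Number of failed password attempts from one address (0 if none).
#   $1 = log file, $2 = IP address
failures_from() {
    failed_password_counts "$1" | awk -v ip="$2" '$2 == ip { c = $1 } END { print c + 0 }'
}

echo "Sources with 3 or more failed password attempts:"
brute_force_sources "$AUTH_LOG" 3
```

On a real host the input is the system's auth log (for example /var/log/auth.log) or the journal, and the flagged addresses feed a firewall rule with an expiry, which is what Fail2Ban automates. The pattern is deliberately narrow: it counts only "Failed password" lines, so the "Connection closed by authenticating user" line in the sample is not counted, and a key-only setup would need additional patterns to see failed key attempts.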

## Fulgurance

One question again, I'm a noob with networking...

When my phone isn't connected to the same wifi as my laptop, I can't establish a connection via ssh to my laptop.

I think I need to use the public IP maybe. I tried as well with this address, but it was impossible to connect. Why? And how can I connect to my laptop from a distance?

----------

## NeddySeagoon

Fulgurance,

When you are away from home, you will connect over the internet.

This means that you need to use your public IP and forward the ssh port in your router to the system you want to connect to.

It's likely you have a dynamic public IP, so it will change. To work around that, you need a service like no-ip, which is a dynamic DNS.

You get a name that resolves to your dynamic IP and when your IP changes your name points to the new IP.

no-ip is not a recommendation. I have a static IP, so it's not a feature I have a use for.

----------

## mv

*NeddySeagoon wrote:*

> This means that you need to use your public IP and forward the ssh port in your router to the system you want to connect to.

Since this part might have got lost in the comments about no-ip:

It is the main answer to the question (because Fulgurance noted that they already tried with that IP).

Most routers are by default configured to not forward anything (as a questionable security feature).

Looking at your router is the first thing you should do if connection does not work as expected; possibly you also find log files or tools that help debugging.

Concerning the other point which NeddySeagoon mentioned: some router vendors also provide their own dynamic DNS service and/or support various such services, so it is not necessarily something you have to do with your Gentoo. But it very much depends on the router (and its vendor) - there are also routers without much functionality.

----------

## Fulgurance

Hmmm okay. But it's strange, I remember in the past I used the JuiceSSH application on Android, and I was able to connect from a distance.

----------

## alamahant

Also as Neddy pointed out you will need a dyn dns service.

I like Dynu very much.

You can have up to 4 domains forwarded to your external IP.

And updating is easy even with a chrome extension.

The only way to avoid a dynamic dns is either you get an immutable external IP or use ssh over tor after creating an ssh secret tor service on your laptop.

But it is SLOW.

----------

## Fulgurance

One question because I’m not an expert with network.

When you say I need dns: if I use a dns, is a dns able to give my laptop a fixed host?

This can be done with resolv.conf ? https://wiki.gentoo.org/wiki/Resolv.conf

----------

## NeddySeagoon

Fulgurance,

Dynamic DNS tracks a changing Public IP and points the name to it ... including the changes.

Say you were away from home for 10 days and your IP address changed every day.

Dynamic DNS would work all the time.

If you made a note of your IP address before you left, it would only work until the first change.

While you are at home testing, you can use your mobile phone and its data plan (not wifi) to test.

As you can see your public IP, Dynamic DNS is not required.

What router do you have? 

Post the make and model so we can find the user manual.

----------

