Kodi server part 4: remote login and administration with SSH

This is the fourth part of a multi-part tutorial describing how to configure the "perfect" Kodi media centre running on top of Ubuntu Server.

This section contains some tips on how to enable remote login and administration with SSH, and some ways to secure it against abuse.

Remote administration with SSH

Sometimes it's nice to set a torrent running when you're out and have it completed by the time you get home. The most reliable and secure way to do this is to enable secure shell so you can log in remotely.

The secure shell daemon is probably already installed, but if not you can install it now:

sudo apt-get update
sudo apt-get install openssh-server

In its default configuration, SSH allows users to log in using their system username and password. For increased security, it's a good idea to disable password authentication (to prevent brute-force attacks by bots) and require publickey authentication. If you don't have a public key, you can learn how to create one here. Not sure if you have one? Check with ls ~/.ssh/*.pub on your workstation (not the server). If you have one, you should see something like /home/sam/.ssh/id_rsa.pub.

Assuming you already have a public key, copy it to the server by running this command from your workstation (not the server):

ssh-copy-id kodi@

The address after kodi@ is the IP address of the kodi box on the LAN. If you have multiple keys and would like to copy a specific one:

ssh-copy-id -i ~/.ssh/sam_at_samhobbs.co.uk.pub kodi@

Now log in:

ssh kodi@

or to use a specific key:

ssh -i ~/.ssh/sam_at_samhobbs.co.uk kodi@

Once you have verified that publickey authentication works, you can disable password-based authentication. Find the PasswordAuthentication setting in /etc/ssh/sshd_config and change it to:

PasswordAuthentication no

You may need to uncomment the setting. While you are here, check you have the following line too:

ChallengeResponseAuthentication no

Now restart SSH:

sudo service ssh restart
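
Before forwarding port 22, it is worth confirming what sshd actually enforces, because on Ubuntu releases whose sshd_config starts with an Include line for /etc/ssh/sshd_config.d/*.conf a drop-in file there can take precedence over the edit above. The following check is an added example, not part of the original tutorial: it reads the output of sshd -T (which prints the effective configuration) and fails if any password-based method is still enabled. The function name audit_sshd_auth and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings printed by `sshd -T`.
# Input on stdin: one "keyword value" pair per line, keywords in lowercase.
# Exit status 0 = key-only login, 1 = a password-based method is still on.
# The body runs in a subshell ( ... ) so its variables stay private.
audit_sshd_auth() (
    password=unset; kbd=unset; pubkey=unset
    while read -r key value rest; do
        case "$key" in
            passwordauthentication) password=$value ;;
            # Older OpenSSH prints challengeresponseauthentication, newer
            # releases print kbdinteractiveauthentication; "yes" in either
            # one means keyboard-interactive (password-style) login works.
            challengeresponseauthentication|kbdinteractiveauthentication)
                [ "$kbd" = yes ] || kbd=$value ;;
            pubkeyauthentication) pubkey=$value ;;
        esac
    done
    status=0
    # A keyword missing from the input stays "unset" and counts as a failure.
    [ "$password" = no ] || { echo "FAIL: passwordauthentication is $password"; status=1; }
    [ "$kbd" = no ]      || { echo "FAIL: keyboard-interactive is $kbd"; status=1; }
    [ "$pubkey" = yes ]  || { echo "FAIL: pubkeyauthentication is $pubkey"; status=1; }
    if [ "$status" -eq 0 ]; then echo "OK: only public-key login is enabled"; fi
    exit "$status"   # leaves the subshell only; becomes the function's status
)

# Constructed sample: what `sshd -T` could report when a drop-in file still
# enables passwords even though /etc/ssh/sshd_config says "no".
sample_overridden() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

sample_overridden | audit_sshd_auth || echo "Fix the configuration before forwarding port 22."

# On the server itself (sshd -T needs root to read the host keys):
#   sudo sshd -T | audit_sshd_auth
```

If the check fails on the server, look for the offending keyword in the files under /etc/ssh/sshd_config.d/ as well as in /etc/ssh/sshd_config, then restart SSH and run it again.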

Finally, set up port forwarding in your router. You need to forward port 22 from WAN to the local static IP of your kodi box. Then if you run ssh kodi@WAN_IP you will be able to log in to the kodi box. If your WAN IP address is dynamically assigned, you may want to set up dynamic DNS so that you can ssh kodi@yourdomain.com instead of using an IP address.

You may choose to forward a non-standard port to reduce the number of login attempts by bots, in which case a client config can be useful, e.g. ~/.ssh/config on the workstation:

Host subdomain.yourdomain.com
User kodi
Port 2222

Now you only need to type ssh subdomain.yourdomain.com without typing the username and port each time.

Once you are happy everything is working, continue to the next part of the tutorial.
