search

Systemd Unit

Follow these five steps to set up the NoPorts daemon as a systemd unit background service.

hashtag
Step 1. Run the installer

  1. First, change directories into the unpacked download:

cd sshnp

  1. Then run the installer:

sudo ./install.sh systemd sshnpd

This installer must be run as root.

hashtag
Step 2. Configure the service file

After installing the systemd unit, we must configure it. This requires root privileges.

sudo vi /etc/systemd/system/sshnpd.service

You'll then be greeted with a file that looks like this:

https://github.com/atsign-foundation/noports/blob/trunk/packages/dart/sshnoports/bundles/shell/systemd/sshnpd.service

Replace <username> with the linux user running sshnpd (we suggest creating service account not running as root)

Replace <@device_atsign> with the device address

Replace <@manager_atsign> with the client address

Replace <device_name> with your own custom **unique ** identifier for this device. You will need this value later, so don't forget it.

circle-info

<device_name> must be alphanumeric snake case, max length 30 - e.g. dev_abc1

Add any additional config to the end of the line where sshnpd is run, some useful flags you should consider adding:

  • -u : "unhide" the device, sharing the username and making it discoverable by sshnp --list-devices

  • -s : "ssh-public-key", allow ssh public keys to be shared by sshnp and automatically authorized by sshd, saves you from dealing with ssh public key management. If multiple people use the device, we recommend leaving this off and managing ssh public keys yourself.

  • To see the rest of the available options run sshnpd to see the usage.

hashtag
Step 3. Activate your device address

triangle-exclamation

If you don't own a pair of noports addresses, please visit the registrararrow-up-right before continuing.

hashtag
Step 3.1. First time activating your address

We will now activate the device address—you only need to activate the device address now. The client address will be activated later during the client installation.

Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:

hashtag
Enter the One-Time Password (OTP) & Check your SPAM/PROMOTIONS folders

The application will pause and wait for the input of a one-time password (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).

***If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.

Once you receive the message, enter the pin into the application and press Enter to continue. The application should proceed to create the cryptographic keys and store them at ~/.atsign/keys/@my_noports_device_key.atKeys.

An address can only be activated once, to install this address to future devices, you must copy this file to the device (see 3.b.).

hashtag
Step 3.1. Activated this address before

circle-exclamation

If you have activated the device address before, you must copy the address from another machine where it's been activated.

The address will be located at ~/.atsign/keys/@my_noports_device_key.atKeys. Copy this file from your other machine to the same location on the machine that you are installing sshnpd on.

hashtag
Step 4. Enable the service

Using systemctl we can enable and start the sshnpd service.

hashtag
Observing the service

If you need to verify the status of the service:

If you want to follow the logs of the service you can with

hashtag
Step 5. Check your environment.

There are a number of fiddly things to get in place for ssh to work. The first is the ~/.ssh/authorized_keysfile of the user being used to run the systemd unit.

The file needs to owned by the user running the systemd unit. Currently there is a bug in the script and this sets the user to root, which needs to be corrected if not running as root. You can do this with the following command substituting debain for your username and group.

The file also needs to be only writable by the owner, else the sshd will not allow logins. This can be checked with ls -l and corrected with the chmod command.

Once complete it should look like this.

hashtag
Running sshnpd at root special steps (not recommended)

If you decided to use the root user in the service setup you have a futher couple of steps.

Then you need to make sure that the root user is allowed to login via sshd. Whist this is not recommended, you can get it working by editing the /etc/ssh/sshd_config file and removing the # on this line.

Once removed, you will need to restart the sshd daemon. How to do this varies from distribution/OS so check on how to do it or reboot.

hashtag
Step 6. All Done !

Your systemd service is ready to go. You can now proceed to installing your client, or if you've already done that, check out our usage guide.

Last updated