Systemd Unit

Follow these five steps to set up the NoPorts daemon as a systemd unit background service.

Step 1. Run the installer

First, change directories into the unpacked download:

cd sshnp

Then run the installer:

sudo ./install.sh systemd sshnpd

This installer must be run as root.

Step 2. Configure the service file

After installing the systemd unit, we must configure it. This requires root privileges.

sudo vi /etc/systemd/system/sshnpd.service

You'll then be greeted with a file that looks like this:

https://github.com/atsign-foundation/noports/blob/trunk/packages/dart/sshnoports/bundles/shell/systemd/sshnpd.service

[Unit]
Description=Ssh No Ports Daemon
After=network-online.target

[Install]
WantedBy=multi-user.target

[Service]
Type=simple
Restart=always
RestartSec=3
KillMode=process

# The line below runs the sshnpd service, with the options set in
# /etc/systemd/system/sshnpd.d/override.conf.
# You can edit that config with: sudo systemctl edit sshnpd
ExecStart=/usr/local/bin/sshnpd -a "$device_atsign" -m "$manager_atsign" -d "$device_name" "$delegate_policy" "$s" "$u" "$v" "$additional_args"

Replace <username> with the linux user running sshnpd (we suggest creating service account not running as root)

Replace <@device_atsign> with the device address

Replace <@manager_atsign> with the client address

Replace <device_name> with your own custom **unique ** identifier for this device. You will need this value later, so don't forget it.

<device_name> must be alphanumeric snake case, max length 30 - e.g. dev_abc1

Add any additional config to the end of the line where sshnpd is run, some useful flags you should consider adding:

-u : "unhide" the device, sharing the username and making it discoverable by sshnp --list-devices
-s : "ssh-public-key", allow ssh public keys to be shared by sshnp and automatically authorized by sshd, saves you from dealing with ssh public key management. If multiple people use the device, we recommend leaving this off and managing ssh public keys yourself.
To see the rest of the available options run sshnpd to see the usage.

Step 3. Activate your device address

If you don't own a pair of noports addresses, please visit the registrar before continuing.

Step 3.1. First time activating your address

We will now activate the device address—you only need to activate the device address now. The client address will be activated later during the client installation.

Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:

./at_activate -a @my_noports_device

Enter the One-Time Password (OTP) & Check your SPAM/PROMOTIONS folders

The application will pause and wait for the input of a one-time password (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).

***If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.

Once you receive the message, enter the pin into the application and press Enter to continue. The application should proceed to create the cryptographic keys and store them at ~/.atsign/keys/@my_noports_device_key.atKeys.

An address can only be activated once, to install this address to future devices, you must copy this file to the device (see 3.b.).

Step 3.1. Activated this address before

If you have activated the device address before, you must copy the address from another machine where it's been activated.

The address will be located at ~/.atsign/keys/@my_noports_device_key.atKeys. Copy this file from your other machine to the same location on the machine that you are installing sshnpd on.

Step 4. Enable the service

Using systemctl we can enable and start the sshnpd service.

sudo systemctl enable sshnpd.service
sudo systemctl start sshnpd.service

Observing the service

If you need to verify the status of the service:

sudo systemctl status sshnpd.service

If you want to follow the logs of the service you can with

sudo journalctl -u sshnpd.service -f

Step 5. Check your environment.

There are a number of fiddly things to get in place for ssh to work. The first is the ~/.ssh/authorized_keysfile of the user being used to run the systemd unit.

The file needs to owned by the user running the systemd unit. Currently there is a bug in the script and this sets the user to root, which needs to be corrected if not running as root. You can do this with the following command substituting debain for your username and group.

The file also needs to be only writable by the owner, else the sshd will not allow logins. This can be checked with ls -l and corrected with the chmod command.

debian@beaglebone:~$ ls -l ~/.ssh/
total 0
-rw-r--r-- 1 root root 0 Feb 18 00:28 authorized_keys
debian@beaglebone:~$ sudo chown debian:debian ~/.ssh/authorized_keys
debian@beaglebone:~$ ls -l ~/.ssh/
total 0
-rw-r--r-- 1 debian debian 0 Feb 18 00:28 authorized_keys
debian@beaglebone:~$ chmod 600 ~/.ssh/authorized_keys

Once complete it should look like this.

debian@beaglebone:~$ ls -l ~/.ssh/
total 0
-rw------- 1 debian debian 0 Feb 18 00:28 authorized_keys
debian@beaglebone:~$

Running sshnpd at root special steps (not recommended)

If you decided to use the root user in the service setup you have a futher couple of steps.

sudo mkdir -p ~root/.ssh
sudo touch ~root/.ssh/authorized_keys
sudo chmod 600 ~root/.ssh/authorized_keys

Then you need to make sure that the root user is allowed to login via sshd. Whist this is not recommended, you can get it working by editing the /etc/ssh/sshd_config file and removing the # on this line.

# PermitRootLogin prohibit-password

Once removed, you will need to restart the sshd daemon. How to do this varies from distribution/OS so check on how to do it or reboot.

Step 6. All Done !

Your systemd service is ready to go. You can now proceed to installing your client, or if you've already done that, check out our usage guide.

Last updated 6 months ago