I have often wondered whether there was a way to log in automatically to all the different SSH servers I have configured with different passphrases, without having to copy them from a password manager into the command line. This process was irritating when I had to do it frequently, especially from a friend’s computer, where I had to open my password manager’s mobile app and manually type the passphrase into the command line. It isn’t just the effort that irked me; there is also a slight privacy issue, since you expose the passphrase while feeding it into a terminal.
As an everyday user of SSH who owns a smartphone, I wondered whether some cool developer somewhere would work on an app that transmits my SSH passphrases over the Internet or some network to the terminal with a single tap or with biometrics, for instance the good old fingerprint scanner found on any smartphone. I use an Android smartphone with a custom de-googled Android ROM, like most of you privacy buffs. I looked for a solution in the free and open F-Droid app store’s community and came across one called FiSSH. To my surprise, the developer had thought of the application exactly the way I wanted it. It is a simple application model that, after you authenticate with your smartphone’s biometric, sends your SSH server passphrases over TLS sockets to the local network IP of the computer from which you wish to log in to your SSH server. Sadly, it supports only the good old fingerprint scanner, exclusively on the Android platform, and does not work over the Internet as of yet. But this model is awesome, and a nerdy yet cool way to store your SSH passphrases privately on your smartphone, an inseparable device for any modern netizen today.
Developer, Distribution and License
FiSSH is developed by a young software developer from Romania in Eastern Europe who goes by the name of Ioan Moldovan. He is a strong supporter of data privacy and security built on properly implemented open-source software. Mr Moldovan has licensed the software under an MIT license, which is an Open Source Initiative approved license. It is only available on Android right now. You can download it gratis from both the community-promoted F-Droid app store and the Google Play Store.
This is just the smartphone part. The other part, which accepts input from the smartphone, i.e. the PC, must run either GNU+Linux or Windows Subsystem for Linux to use FiSSH. These parts are completely open-source, and the source code is published on the developer’s GitLab account.
Mr Ioan is quite active on IRC and responsive on email. We had a minor glitch in the application and the developer gave a fix immediately over email and IRC. He is a young chap who works as a full-time developer for some firm in Romania. We really enjoyed our conversations with him. We are positive about the progressive development of FiSSH in the near future. He gave us some hints on implementing secure transmission of the passphrase over the Internet next. I hope he brings support for macOS too.
How does it work?
The concept of SSH authentication via a smartphone’s biometric over TLS sockets within a network has two parts. One is the Android application, which sends the passphrase to the PC upon biometric authentication, over TLS sockets with robust encryption to protect your privacy. The PC app then passes the received passphrase on to OpenSSH or another SSH client, and the standard ssh binary completes the login process. It is an additional application layer over a standard SSH client that delivers a smooth process of SSH authentication using your smartphone’s biometric.
Because it relies on TLS for integrity and security while the passphrases stored in the Android FiSSH app are in transit, just like any HTTPS connection, the private key holds significant value in ensuring the security of FiSSH between both parts, i.e. Android and PC.
According to the developer, it is important to note that none of the FiSSH apps have access to the private key file and that FiSSH uses TLS sockets with certificate validation to prevent man-in-the-middle attacks!
Requirements, Installation and Use
System Requirements
- Linux
- Qt Creator (optional)
- setsid
- OpenSSH/LibreSSH/Something-SSH (just needs to have the “ssh” binary) configured to use a KEY protected with a PASSPHRASE (which you will have to enter into the Android app!)
- Static LAN IP on your computer (look at /etc/network/interfaces)
You have to have Linux to use it. I hope the developer adds support for macOS in the near future. A static IP is not a must but is good to have. Other than that, you just need an SSH login and an SSH client like OpenSSH, or whatever you use to log in to your SSH server, although we have tested it with OpenSSH only.
Installation
PC:
Installation is very basic and simple. Easy to follow instructions for the PC part are available at https://gitlab.com/ioanm/fissh-desktop/-/blob/master/INSTALL.md.
Android:
Download FiSSH for Android from an app store of your choice or as an APK directly from the developer. Once it is downloaded, open it and add a profile with a friendly name that acts as an identifier for the SSH login you wish to send the passphrase for, the IP of the PC running FiSSH for desktop and, of course, the private SSH passphrase.
You can add multiple profiles and tap on any one of them to use the fingerprint scanner on your Android phone to transport the passphrase of that SSH login to the PC over TLS sockets, with integrity, security and privacy, in a jiffy.
Use
Just run your SSH login in the terminal as you normally would, using either the fissh binary or ssh (depending on whether you configured the .bashrc part from INSTALL.md).
For example:
$ fissh -p 50999 [email protected]
Once you execute the above command, a dialog box appears on the PC asking you to authorize the SSH connection via fingerprint or biometrics on your smartphone.
In your smartphone’s FiSSH app, select the appropriate profile and then grant access via biometric or fingerprint scanner.
When you run it for the first time, it asks you to verify the certificate you generated while following the instructions in INSTALL.md, just to be extra safe [even though we are using it in a local network only]. I appreciate this extra caution by the developer.
Once done, you are asked to use the fingerprint scanner to authorize SSH authentication. The app then securely transmits the SSH passphrase over TLS sockets to the computer at the local network IP configured in the profile.
On your PC in the terminal, you are now logged in to your SSH server like magic:
Last login: Mon Jan 18 19:58:31 2021 from 2001:x:x:x::61
[manish@nsafree ~]$ uptime
20:01:09 up 35 days, 2:25, 1 user, load average: 0.33, 0.50, 0.44
It is just fun if not useful. It is purely nerdy and gives you pleasure even during a dry run. I just love the concept and the app. It is basic but gets the job done beautifully. You have got to try it once to believe it.
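The first-run certificate verification and the man-in-the-middle protection described in this article can be pictured as certificate pinning on the sending side. The following Python is an added example, not FiSSH's code or wire protocol; the names check_pin and send_passphrase, the pins dictionary and the constructed certificate bytes are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(pins: dict, peer: str, der_cert: bytes, confirm=lambda fp: False) -> str:
    """Return 'pinned', 'match' or 'reject' for the certificate presented by peer.

    pins maps a peer address to the fingerprint accepted earlier. On first
    contact the user is asked to confirm the fingerprint (the first-run check).
    """
    seen = fingerprint(der_cert)
    known = pins.get(peer)
    if known is None:
        if confirm(seen):  # user compared it with the certificate made on the PC
            pins[peer] = seen
            return "pinned"
        return "reject"
    # Constant-time comparison; any change of certificate is refused.
    return "match" if hmac.compare_digest(known, seen) else "reject"


def send_passphrase(host: str, port: int, passphrase: bytes, pins: dict, confirm) -> bool:
    """Open a TLS socket and send the passphrase only if the pin check passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A self-signed LAN certificate has no CA chain or hostname to verify,
    # so trust comes from the pin below, not from the default validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or check_pin(pins, host, der, confirm) == "reject":
                return False  # nothing secret has been written yet
            tls.sendall(passphrase)
            return True


# Constructed stand-ins for DER certificates (not real certificates).
PC_CERT = b"constructed-der-bytes-of-the-pc-certificate"
OTHER_CERT = b"constructed-der-bytes-of-an-interposed-certificate"
```

The point to notice is the ordering in send_passphrase: the pin is checked after the TLS handshake but before a single byte of the passphrase is written, so a listener presenting a different certificate on the same IP receives nothing.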
Conclusion
FiSSH as a model has potential for any developer to venture further and add more useful features. I would like to see support for more platforms, especially macOS for PC/desktop and iOS for smartphones, and, as the code base matures, to see the magic happen over the Internet instead of only the local network. That would be truly startling for end users and an opsec challenge for the developer. Either way, as it is, FiSSH is not boring. It is useful, fun and mind-boggling. You get to keep the secure passphrases of every SSH login account you have on your personal smartphone, which you carry with you all the time, and transmit them over TLS sockets to a PC only when required.