So the previous blog post used firejail to restrict access to the system. It turns out that OpenSSH has the necessary stuff built in to do so without using
You can set up a new user that your Android SSH client will connect to, or use an existing user. (You can use an existing user because you can restrict access by the key used, not only by user.)
When you add the public key to your .ssh/authorized_keys file, prefix the entry with options like in the following example:
restrict,port-forwarding,permitopen="127.0.0.1:6600",permitopen="[::1]:6600" <android client's ssh public key here>
The restrict option turns off all capabilities, and port-forwarding re-enables the port-forwarding capability. The last two permitopen entries allow access to MPD listening on port 6600 on either the IPv4 or the IPv6 localhost address.
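The following audit of such entries is an added example, not code from the original post; the function names and sample key material are constructed for illustration. It checks that forwarding is pinned to loopback port 6600 and also flags a missing command= option, because sshd(8) documents restrict as disabling port, agent and X11 forwarding, PTY allocation and ~/.ssh/rc execution, but not command execution.

```python
# Added example: audit authorized_keys option fields for forward-only keys.
# Helper names and the sample key material are constructed for illustration.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

def parse_options(line):
    """Return [(name, value)] from the leading option field of one entry."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return []                       # comment, blank, or no option field
    opts, buf, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted         # commas/spaces inside quotes are data
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not quoted:
            break                       # option field ends at first bare space
        else:
            buf += ch
    opts.append(buf)
    return [(n.lower(), v) for n, _, v in (o.partition("=") for o in opts)]

def audit(line, port="6600"):
    """Return findings for an entry that should only forward to local MPD."""
    opts = parse_options(line)
    names = [n for n, _ in opts]
    findings = []
    if "restrict" not in names:
        findings.append("missing restrict: forwarding and PTY are not disabled")
    if "pty" in names:
        findings.append("pty re-enabled: interactive shell possible")
    targets = [v for n, v in opts if n == "permitopen"]
    if "port-forwarding" in names and not targets:
        findings.append("port-forwarding without permitopen: any destination")
    for t in targets:
        host, _, p = t.rpartition(":")  # "[::1]:6600" -> "[::1]", "6600"
        if host not in LOOPBACK or p != port:
            findings.append(f"permitopen {t} is not loopback:{port}")
    if "command" not in names:
        findings.append("no command=: key can still run commands without a PTY")
    return findings

# Constructed sample entries; the first mirrors the option prefix shown above.
PAGE_ENTRY = 'restrict,port-forwarding,permitopen="127.0.0.1:6600",permitopen="[::1]:6600" ssh-ed25519 AAAA_CONSTRUCTED android'
HARDENED = 'restrict,port-forwarding,command="/bin/false",permitopen="127.0.0.1:6600",permitopen="[::1]:6600" ssh-ed25519 AAAA_CONSTRUCTED android'
WEAK = 'port-forwarding,permitopen="192.168.1.10:22" ssh-rsa AAAA_CONSTRUCTED laptop'
```

With a forced command such as the constructed command="/bin/false", the client has to request forwarding only (ssh -N), since any session it opens exits immediately.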
Note that you can prefix any public key entry with this to have the same restrictions to only allow access to MPD. You will still need to make sure your client can access sshd (like by configuring your firewall to allow accessing
If you want to access MPD from a PC with ssh, you may use something like:
ssh -i myKey -T -L 6600:127.0.0.1:6600 username@myMPDHost
I've been using this setup with a capable Android ssh client and the MALP app (from f-droid) to control mpd from an Android phone. Hopefully this will work just as well for you too.