
Easier Secure MPD Access Over SSH


Foreword

The previous blog post used firejail to restrict access to the system. It turns out that OpenSSH has the necessary options built in, so the same restriction can be done without firejail.

Setting it all up

User

You can set up a new user that your Android SSH client will connect to, or use an existing user. (You can use an existing user because you can restrict access by the key used, not only by user.)

authorized_keys file

When you add the public key to your .ssh/authorized_keys file, prefix the entry with options like in the following example:

restrict,port-forwarding,permitopen="127.0.0.1:6600",permitopen="[::1]:6600" <android client's ssh public key here>

The restrict option turns on every restriction available for the key (all forwarding and PTY allocation are disabled), and port-forwarding then re-enables only the port-forwarding capability. The two permitopen entries allow access to MPD listening on port 6600 on either the IPv4 or the IPv6 localhost address.

Note that you can prefix any public key entry with these options to apply the same restrictions and only allow access to MPD. You will still need to make sure your client can reach sshd (for example, by configuring your firewall to allow access to sshd).
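To check entries like the one above before relying on them, here is a small linter for authorized_keys option lists. It is an added example, not part of the original post: the function names, the sample entries and the placeholder key are constructed for illustration. It also goes one step beyond the post by flagging a missing command= option, because sshd(8) documents restrict as disabling forwarding, PTY allocation and ~/.ssh/rc, not command execution.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")        # an entry starting like this has no options
ALLOWED = {"127.0.0.1:6600", "[::1]:6600"}   # MPD targets from the post
REENABLE = {"pty", "agent-forwarding", "x11-forwarding", "user-rc"}

def split_options(line):
    """Split one entry into (options, key part); quoted commas/spaces do not split."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            cur, i = cur + '"', i + 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif ch.isspace() and not quoted:
            break                               # end of the options field
        else:
            cur += ch
        i += 1
    return opts + [cur], line[i:].strip()

def audit(line):
    """Return findings for one entry; an empty list means nothing to report."""
    opts, _key = split_options(line)
    names = [o.split("=", 1)[0].lower() for o in opts]
    targets = [o.split("=", 1)[1] for o in opts if o.lower().startswith("permitopen=")]
    out = []
    if "restrict" not in names:
        out.append("no restrict: pty, agent and X11 forwarding are not switched off")
    out += [f"{n} re-enables what restrict disabled" for n in names if n in REENABLE]
    if "restrict" in names and "port-forwarding" not in names:
        out.append("restrict without port-forwarding: the tunnel is refused")
    elif not targets:
        out.append("no permitopen: forwarding to any host:port is allowed")
    out += [f"permitopen outside MPD loopback: {t}" for t in targets if t not in ALLOWED]
    if "command" not in names:
        out.append("no command=: the key can still run commands without a pty")
    return out

KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER android"  # constructed, not a real key
POST_ENTRY = 'restrict,port-forwarding,permitopen="127.0.0.1:6600",permitopen="[::1]:6600" ' + KEY
LOOSE_ENTRY = 'port-forwarding,permitopen="127.0.0.1:*",command="echo a,b" ' + KEY

if __name__ == "__main__":
    print([audit(e) for e in (POST_ENTRY, LOOSE_ENTRY, KEY)])
```

Run against the entry from this post, the only finding is the missing command= option; a forced command that does nothing closes that gap while leaving the tunnel usable.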

If you want to access MPD from a PC with ssh, you may use something like:

ssh -i myKey -T -L 6600:127.0.0.1:6600 username@myMPDHost

That's It

I've been using this setup with a capable Android ssh client and the MALP app (from f-droid) to control mpd from an Android phone. Hopefully this will work just as well for you too.
