oakkitten edited this page Oct 14, 2020 · 10 revisions

You can tunnel your connection to WeeChat through SSH that's running on the same machine or local network. The communication between your SSH server and WeeChat happens in plain-text.

You can use either password-based or key-based authentication. If using a key, Weechat-Android will attempt to put it into a secure key store upon importing it. On modern devices, it will likely be stored inside security hardware, from which it cannot be retrieved. You can securely store RSA keys on API 18+, EC keys on API 23+, and DSA keys on API 19 to 22. You can also use Ed25519 keys, but it is not yet possible to put this type of key inside the secure key store on Android. In this case, the key will be decrypted if it is password protected, and stored inside app preferences. On a non-rooted device, this should also be secure.

Configuring client

Set your connection type to SSH tunnel and set all options in SSH tunnel settings to match your server. If using keys, they should be in PEM file format, that is, they should start with -----BEGIN <label> PRIVATE KEY-----. The app accepts the following encrypted and unencrypted PEM formats:

  • OpenSSH keys (label OPENSSH)
  • PKCS#1 keys (label DSA, RSA, or EC)
  • PKCS#8 keys (no label or ENCRYPTED)
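The following is an added example, not code from the Weechat-Android project: a small POSIX shell function that classifies a key file by the PEM label the three families above use, so you can tell before importing whether a file is in a format the app accepts. It assumes the key is a text file whose first line is the `-----BEGIN ...-----` header, and it uses the `Proc-Type: 4,ENCRYPTED` header that OpenSSL writes on the second line of a passphrase-protected PKCS#1 key.

```sh
#!/bin/sh
# Added example, not code from the Weechat-Android project: classify a private
# key file by its PEM label, following the three families the wiki lists.
# Assumes the key is a text file whose first line is the "-----BEGIN ...-----" header.

# Usage: pem_key_kind FILE
# Prints openssh, pkcs1, pkcs1-encrypted, pkcs8 or pkcs8-encrypted;
# prints "unsupported" and returns 1 for anything else (e.g. PuTTY .ppk files).
pem_key_kind() {
    header=$(head -n 1 "$1" | tr -d '\r')
    second=$(sed -n '2p' "$1" | tr -d '\r')
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # Native OpenSSH format; whether it has a passphrase is not visible in the header
            echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Traditional "PKCS#1" style; OpenSSL marks passphrase protection
            # with a Proc-Type header on the line right after BEGIN
            case "$second" in
                "Proc-Type: 4,ENCRYPTED") echo pkcs1-encrypted ;;
                *) echo pkcs1 ;;
            esac ;;
        "-----BEGIN PRIVATE KEY-----")
            echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo pkcs8-encrypted ;;
        *)
            echo unsupported
            return 1 ;;
    esac
}
```

Run it as `pem_key_kind ~/.ssh/weechat_android_key` before copying the file to the phone; a result of `unsupported` means the key needs converting to one of the PEM formats listed above first.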

The “Relay” section of the configuration should reflect the point of view of your SSH server. If WeeChat is running on the same machine, set Relay host to localhost and port to e.g. 9000.

Configuring server

There is no need for any special configuration. However, if you are using a key, it's a good idea to make a separate key for Weechat-Android. This way, if the key is compromised, you can simply remove it from your authorized keys file. Also, it is possible to limit the capabilities of the key to only access WeeChat. For instance, try putting this into your ~/.ssh/authorized_keys:

no-agent-forwarding,no-X11-forwarding,permitopen="localhost:9000",command="echo 'This account can only be used for WeeChat relays'" ssh-rsa ...KEY DATA HERE...
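As an added example (not from the Weechat-Android wiki), the two POSIX shell functions below generate an authorized_keys line with exactly the restrictions shown above from a public key file, and audit an existing line to confirm it still carries them. They assume an OpenSSH public key file in the usual `type base64 [comment]` layout and that the relay host and port are given as seen from the SSH server.

```sh
#!/bin/sh
# Added example, not code from the Weechat-Android project: build and audit a
# restricted authorized_keys entry for a dedicated relay key.
# Assumes a public key file in the usual "type base64 [comment]" layout.

# Usage: relay_authorized_keys_entry PUBKEY_FILE RELAY_HOST RELAY_PORT
# Prints one authorized_keys line that limits the key to the relay tunnel.
relay_authorized_keys_entry() {
    pubkey=$(head -n 1 "$1" | tr -d '\r')
    keytype=${pubkey%% *}
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $1" >&2; return 1 ;;
    esac
    case "$3" in
        ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;;
    esac
    # permitopen keeps local forwarding enabled but only towards the relay;
    # do NOT add no-port-forwarding, that would block the tunnel itself.
    printf '%s\n' "no-agent-forwarding,no-X11-forwarding,permitopen=\"$2:$3\",command=\"echo 'This account can only be used for WeeChat relays'\" $pubkey"
}

# Usage: relay_entry_is_restricted LINE RELAY_HOST RELAY_PORT
# Returns 0 if the line carries every restriction we expect, 1 otherwise.
relay_entry_is_restricted() {
    for want in no-agent-forwarding no-X11-forwarding "permitopen=\"$2:$3\"" 'command="'; do
        case "$1" in
            *"$want"*) ;;
            *) echo "missing option: $want" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Typical use is `relay_authorized_keys_entry weechat_android.pub localhost 9000 >> ~/.ssh/authorized_keys` on the server, and later `grep ssh-ed25519 ~/.ssh/authorized_keys | while read -r line; do relay_entry_is_restricted "$line" localhost 9000; done` to spot a line that lost its options during an edit.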

Read more about how to lock down your SSH server.

Troubleshooting

If you set relay.network.bind_address to 127.0.0.1, you could end up with a “Wrong password” error upon connection. In this case, check whether your server uses IPv4 or IPv6 internally: ::1 (the equivalent for 127.0.0.1 in IPv6) could end up being rejected.
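To check which loopback address family the relay is actually bound on, here is an added example that is not part of the wiki: a POSIX shell function that reads the output of `ss -tln` on stdin and reports whether the given port is listening on IPv4 loopback, IPv6 loopback, or both. It assumes the Linux `ss` column layout, with the local address in the fourth column.

```sh
#!/bin/sh
# Added example, not code from the Weechat-Android project: given the output of
# `ss -tln` on stdin, report which loopback address family the relay port is
# bound on, so a 127.0.0.1-only relay can be told apart from a ::1 one.
# Assumes the Linux ss column layout (local address in the 4th column).

# Usage: ss -tln | relay_loopback_bindings PORT
# Prints v4, v6, both or none.
relay_loopback_bindings() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            # explicit loopback or the wildcard address of each family
            if (addr == "127.0.0.1:" port || addr == "0.0.0.0:" port) v4 = 1
            # a [::] socket on Linux also accepts IPv4 unless bindv6only is set,
            # but it is reported as v6 here to keep the two families distinct
            if (addr == "[::1]:" port || addr == "[::]:" port) v6 = 1
        }
        END {
            if (v4 && v6) print "both"
            else if (v4) print "v4"
            else if (v6) print "v6"
            else print "none"
        }'
}
```

If `ss -tln | relay_loopback_bindings 9000` prints `v4` while `localhost` on the server resolves to `::1` first, the forwarded connection never reaches WeeChat, which is the situation the paragraph above describes; binding the relay to an address family that matches what `localhost` resolves to, or using `127.0.0.1` explicitly as the Relay host in the app, resolves it.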
