Accessing MythTV Remotely Using SSH


Introduction

One of the great advantages of MythTV over other forms of PVR is that it runs on Linux, which provides a number of tools to securely access your server from anywhere on the internet. We will assume you are doing this from an Android phone, but as we are using standard tools, these instructions could be tailored to apply to most devices.

Once we have secure access, we will be able to use the MythWeb interface to manage recordings and even transcode and view the recordings remotely.

The method we will use is to run a secure shell (SSH) to connect to our backend server from our android phone and forward any TCP ports required to access the backend server. Here's how to do it...

Install an SSH server on your Backend server

An SSH server allows you to securely access and control your computer using the command line, but it can do much more than that, such as forwarding ports or even mount filesystems. Assuming you haven't done this already, installation is easy on Ubuntu:

sudo apt-get install ssh

To test it, try connecting to your backend server using an SSH client. You can do this from the backend itself or any host on the network. In the example below, mythtv is the user and ripley is the host name of the server:

ssh mythtv@ripley

Install an SSH client on your Android device

I have been using an app called connectbot as the android SSH client. It is available for free in the Google Play store. Once installed, try connecting to your server using a config such as: ssh mythtv@192.168.0.3:22. In my case, mythtv is the user, 192.168.0.3 is the backend IP address and 22 is the default SSH port.

Making it more secure

Soon, we're going to talk about opening up your machine to the internet. As we know, the 'net is full of naughty people who want to steal your stuff and sell it to buy pizza, so we need to be careful here. SSH is pretty secure, but there are a few fairly simple methods of making it secure enough for evildoers look elsewhere.

Using a different port

This is simple but quite effective. Tell SSH to listen on a different port. Edit the file sudo vi /etc/ssh/sshd_config and add the line:

Port 11234

11234 can be changed to any valid port number which is not in use by something else. I suggest you add this along side the standard port 22, which we will keep open on the internal network. We'll only expose the new port on the 'net. Restart SSH to pick up the changes:

sudo service ssh restart

Using a privale/public key pair

The default method of authentication for SSH is your standard password. However, passwords can be cracked, so a more secure method is to use a key pair. This is a pair of files which you generate on your client. You copy the public key to the server and keep the private key on your client. You can also use this method to access your server without needing to enter a password. Connectbot will generate a key pair for you. See this tutorial for more information on SSH keys:

Disable password access

Once you have tested that your key works, it makes sense to disable password access. Edit the file sudo vi /etc/ssh/sshd_config and add the following line, the restart the SSH server:

PasswordAuthentication no

Accessing over the Internet

At this point we can access our server from anywhere on our local network, but how about logging in remotely from anywhere in the world? To do this, you need to tell your router listen on the secure SSH port you configured earlier, in this example 11234, and forward any requests through to your backend server. The method of doing this varies from router to router, looking at the manual for your router or Googling for "router port forwarding" should get you the information you need.

The other tricky bit is knowing which IP address your router has on the internet. You will need this in order to connect to it. You shoudl be able to get the address from your router's status page, or by using an online service such as whatismyipaddress

Yet another consideration is that your IP address may change. Some ISPs allow you to pay a bit extra for a static IP address. Even if you don't have this feature, you may find that it usually keeps the same address for long periods of time. If you do find it changing, there are online dynamic DNS services which you can use to provide a static domain name for your server. One example is

Once you have done this, try logging into your server using its external IP address and port.

Forwarding ports using SSH

We can now access our MythTV box from anywhere on the internet, but the real power is in being able to expose the services provided by MythTV to our android client. These services are things such as MythWeb (port 80) and the backend API (port 6544). Once forwarded, the ports will listen locally and clients will be able to connect to them as if the servcies were running on the android device itself.

The linux command line to access your backend and forward the ports is as follows:

ssh -p11234 mythtv@ripley -L18080:localhost:80 -L6544:localahost:6544

To do the same on connectbot, add a new SSH connection with the config mythtv@ripley:11234. Then long press on the connection and add the 2 port forwarding rules, eg:

Nickname:    mythweb
Type:        Local
Source port: 18080
Destination: localhost:80
Nickname:    mythservices
Type:        Local
Source port: 6544
Destination: localhost:6544

Once connected, try browsing to the following URLs on your client:

http://localhost:18080

http://localhost:6544

Conclusion

Now we have full access to out backend services from anywhere on the 'net. See the streaming tutorial for information on how to play your recordings.