Accessing MythTV Remotely Using SSH
Introduction
One of the great advantages of MythTV over other forms of PVR is that it runs on Linux, which provides a number of tools to securely access your server from anywhere on the internet. We will assume you are doing this from an Android phone, but as we are using standard tools, these instructions could be tailored to apply to most devices.
Once we have secure access, we will be able to use the MythWeb interface to manage recordings and even transcode and view the recordings remotely.
The method we will use is to run a secure shell (SSH) to connect to our backend server from our android phone and forward any TCP ports required to access the backend server. Here's how to do it...
Install an SSH server on your Backend server
An SSH server allows you to securely access and control your computer using the command line, but it can do much more than that, such as forwarding ports or even mount filesystems. Assuming you haven't done this already, installation is easy on Ubuntu:
sudo apt-get install ssh
To test it, try connecting to your backend server using an SSH client. You can do this from the backend itself or any host on the network. In the example below, mythtv is the user and ripley is the host name of the server:
ssh mythtv@ripley
Install an SSH client on your Android device
I have been using an app called connectbot as the android SSH client. It is available for free in the Google Play store. Once installed, try connecting to your server using a config such as: ssh mythtv@192.168.0.3:22. In my case, mythtv is the user, 192.168.0.3 is the backend IP address and 22 is the default SSH port.
Making it more secure
Soon, we're going to talk about opening up your machine to the internet. As we know, the 'net is full of naughty people who want to steal your stuff and sell it to buy pizza, so we need to be careful here. SSH is pretty secure, but there are a few fairly simple methods of making it secure enough for evildoers look elsewhere.
Using a different port
This is simple but quite effective. Tell SSH to listen on a different port. Edit the file sudo vi /etc/ssh/sshd_config and add the line:
Port 11234
11234 can be changed to any valid port number which is not in use by something else. I suggest you add this along side the standard port 22, which we will keep open on the internal network. We'll only expose the new port on the 'net. Restart SSH to pick up the changes:
sudo service ssh restart
Using a privale/public key pair
The default method of authentication for SSH is your standard password. However, passwords can be cracked, so a more secure method is to use a key pair. This is a pair of files which you generate on your client. You copy the public key to the server and keep the private key on your client. You can also use this method to access your server without needing to enter a password. Connectbot will generate a key pair for you. See this tutorial for more information on SSH keys:
Disable password access
Once you have tested that your key works, it makes sense to disable password access. Edit the file sudo vi /etc/ssh/sshd_config and add the following line, the restart the SSH server:
PasswordAuthentication no
Accessing over the Internet
At this point we can access our server from anywhere on our local network, but how about logging in remotely from anywhere in the world? To do this, you need to tell your router listen on the secure SSH port you configured earlier, in this example 11234, and forward any requests through to your backend server. The method of doing this varies from router to router, looking at the manual for your router or Googling for "router port forwarding" should get you the information you need.
The other tricky bit is knowing which IP address your router has on the internet. You will need this in order to connect to it. You shoudl be able to get the address from your router's status page, or by using an online service such as whatismyipaddress
Yet another consideration is that your IP address may change. Some ISPs allow you to pay a bit extra for a static IP address. Even if you don't have this feature, you may find that it usually keeps the same address for long periods of time. If you do find it changing, there are online dynamic DNS services which you can use to provide a static domain name for your server. One example is
Once you have done this, try logging into your server using its external IP address and port.
Forwarding ports using SSH
We can now access our MythTV box from anywhere on the internet, but the real power is in being able to expose the services provided by MythTV to our android client. These services are things such as MythWeb (port 80) and the backend API (port 6544). Once forwarded, the ports will listen locally and clients will be able to connect to them as if the servcies were running on the android device itself.
The linux command line to access your backend and forward the ports is as follows:
ssh -p11234 mythtv@ripley -L18080:localhost:80 -L6544:localahost:6544
To do the same on connectbot, add a new SSH connection with the config mythtv@ripley:11234. Then long press on the connection and add the 2 port forwarding rules, eg:
Nickname: mythweb Type: Local Source port: 18080 Destination: localhost:80
Nickname: mythservices Type: Local Source port: 6544 Destination: localhost:6544
Once connected, try browsing to the following URLs on your client:
http://localhost:18080 http://localhost:6544
Conclusion
Now we have full access to out backend services from anywhere on the 'net. See the streaming tutorial for information on how to play your recordings.