Rewrite SSH to use native foreground service for persistent sshd

The previous implementation used single-shot runInProot() which can't
run daemons — proot uses --kill-on-exit so sshd dies when the command
finishes. Also pgrep/hostname -I don't work reliably inside proot.

Changes:
- Add SshForegroundService.kt: runs sshd -D (foreground mode) in a
  persistent proot process with wake lock and notification
- Add native bridge methods: startSshd, stopSshd, isSshdRunning,
  getSshdPort, getDeviceIps, setRootPassword
- getDeviceIps uses Android NetworkInterface (not proot hostname -I)
- setRootPassword runs chpasswd via processManager.runInProotSync
- Register SshForegroundService in AndroidManifest.xml
- Rewrite ssh_service.dart to use native methods
- Update ssh_screen.dart to fetch IPs from Android

Co-Authored-By: Mithun Gowda B <[email protected]>

Author: mithun50

flutter_app/android/app/src/main/AndroidManifest.xml

@@ -66,6 +66,11 @@
             android:exported="false"
             android:foregroundServiceType="specialUse" />
 
+        <service
+            android:name=".SshForegroundService"
+            android:exported="false"
+            android:foregroundServiceType="specialUse" />
+
         <service
             android:name=".ScreenCaptureService"
             android:exported="false"

flutter_app/android/app/src/main/kotlin/com/nxg/openclawproot/MainActivity.kt

@@ -162,6 +162,50 @@ class MainActivity : FlutterActivity() {
                     NodeForegroundService.updateStatus(text)
                     result.success(true)
                 }
+                "startSshd" -> {
+                    val port = call.argument<Int>("port") ?: 8022
+                    try {
+                        SshForegroundService.start(applicationContext, port)
+                        result.success(true)
+                    } catch (e: Exception) {
+                        result.error("SERVICE_ERROR", e.message, null)
+                    }
+                }
+                "stopSshd" -> {
+                    try {
+                        SshForegroundService.stop(applicationContext)
+                        result.success(true)
+                    } catch (e: Exception) {
+                        result.error("SERVICE_ERROR", e.message, null)
+                    }
+                }
+                "isSshdRunning" -> {
+                    result.success(SshForegroundService.isRunning)
+                }
+                "getSshdPort" -> {
+                    result.success(SshForegroundService.currentPort)
+                }
+                "getDeviceIps" -> {
+                    result.success(SshForegroundService.getDeviceIps())
+                }
+                "setRootPassword" -> {
+                    val password = call.argument<String>("password")
+                    if (password != null) {
+                        Thread {
+                            try {
+                                val escaped = password.replace("'", "'\\''")
+                                processManager.runInProotSync(
+                                    "echo 'root:$escaped' | chpasswd", 15
+                                )
+                                runOnUiThread { result.success(true) }
+                            } catch (e: Exception) {
+                                runOnUiThread { result.error("SSH_ERROR", e.message, null) }
+                            }
+                        }.start()
+                    } else {
+                        result.error("INVALID_ARGS", "password required", null)
+                    }
+                }
                 "requestBatteryOptimization" -> {
                     try {
                         val intent = Intent(Settings.ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS).apply {

flutter_app/android/app/src/main/kotlin/com/nxg/openclawproot/SshForegroundService.kt

@@ -0,0 +1,213 @@
+package com.nxg.openclawproot
+
+import android.app.Notification
+import android.app.NotificationChannel
+import android.app.NotificationManager
+import android.app.PendingIntent
+import android.app.Service
+import android.content.Context
+import android.content.Intent
+import android.os.Build
+import android.os.IBinder
+import android.os.PowerManager
+import java.io.BufferedReader
+import java.io.InputStreamReader
+import java.net.NetworkInterface
+
+/**
+ * Foreground service that runs sshd in a persistent proot process.
+ * sshd must run with -D (no daemonize) so proot stays alive.
+ */
+class SshForegroundService : Service() {
+    companion object {
+        const val CHANNEL_ID = "openclaw_ssh"
+        const val NOTIFICATION_ID = 5
+        const val EXTRA_PORT = "port"
+        var isRunning = false
+            private set
+        var currentPort = 8022
+            private set
+        private var instance: SshForegroundService? = null
+
+        fun start(context: Context, port: Int = 8022) {
+            val intent = Intent(context, SshForegroundService::class.java).apply {
+                putExtra(EXTRA_PORT, port)
+            }
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+                context.startForegroundService(intent)
+            } else {
+                context.startService(intent)
+            }
+        }
+
+        fun stop(context: Context) {
+            val intent = Intent(context, SshForegroundService::class.java)
+            context.stopService(intent)
+        }
+
+        /** Get device IP addresses via Android NetworkInterface. */
+        fun getDeviceIps(): List<String> {
+            val ips = mutableListOf<String>()
+            try {
+                val interfaces = NetworkInterface.getNetworkInterfaces() ?: return ips
+                for (iface in interfaces) {
+                    if (iface.isLoopback || !iface.isUp) continue
+                    for (addr in iface.inetAddresses) {
+                        if (addr.isLoopbackAddress) continue
+                        val hostAddr = addr.hostAddress ?: continue
+                        // Skip IPv6 link-local
+                        if (hostAddr.contains("%")) continue
+                        // Prefer IPv4, but include IPv6 too
+                        ips.add(hostAddr)
+                    }
+                }
+            } catch (_: Exception) {}
+            return ips
+        }
+    }
+
+    private var sshdProcess: Process? = null
+    private var wakeLock: PowerManager.WakeLock? = null
+
+    override fun onBind(intent: Intent?): IBinder? = null
+
+    override fun onCreate() {
+        super.onCreate()
+        createNotificationChannel()
+    }
+
+    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
+        val port = intent?.getIntExtra(EXTRA_PORT, 8022) ?: 8022
+        currentPort = port
+        startForeground(NOTIFICATION_ID, buildNotification("Starting SSH on port $port..."))
+        acquireWakeLock()
+        startSshd(port)
+        return START_STICKY
+    }
+
+    override fun onDestroy() {
+        isRunning = false
+        instance = null
+        stopSshd()
+        releaseWakeLock()
+        super.onDestroy()
+    }
+
+    private fun startSshd(port: Int) {
+        isRunning = true
+        instance = this
+
+        Thread {
+            try {
+                val filesDir = applicationContext.filesDir.absolutePath
+                val nativeLibDir = applicationContext.applicationInfo.nativeLibraryDir
+                val pm = ProcessManager(filesDir, nativeLibDir)
+
+                // Ensure directories exist
+                val bootstrapManager = BootstrapManager(applicationContext, filesDir, nativeLibDir)
+                bootstrapManager.setupDirectories()
+                bootstrapManager.writeResolvConf()
+
+                // Generate host keys if missing, configure sshd, then run in
+                // foreground mode (-D) so the proot process stays alive.
+                // -e logs to stderr instead of syslog (easier debugging).
+                // PermitRootLogin yes is needed since proot fakes root.
+                val cmd = "mkdir -p /run/sshd /etc/ssh && " +
+                    "test -f /etc/ssh/ssh_host_rsa_key || ssh-keygen -A && " +
+                    "sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config 2>/dev/null; " +
+                    "grep -q '^PermitRootLogin' /etc/ssh/sshd_config || echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config; " +
+                    "/usr/sbin/sshd -D -e -p $port"
+
+                sshdProcess = pm.startProotProcess(cmd)
+                updateNotification("SSH running on port $port")
+
+                // Read stderr for logs
+                val stderrReader = BufferedReader(InputStreamReader(sshdProcess!!.errorStream))
+                Thread {
+                    try {
+                        var line: String?
+                        while (stderrReader.readLine().also { line = it } != null) {
+                            // Could log these if needed
+                        }
+                    } catch (_: Exception) {}
+                }.start()
+
+                val exitCode = sshdProcess!!.waitFor()
+                isRunning = false
+                updateNotification("SSH stopped (exit $exitCode)")
+                stopSelf()
+            } catch (e: Exception) {
+                isRunning = false
+                updateNotification("SSH error: ${e.message?.take(50)}")
+                stopSelf()
+            }
+        }.start()
+    }
+
+    private fun stopSshd() {
+        sshdProcess?.let {
+            it.destroyForcibly()
+            sshdProcess = null
+        }
+    }
+
+    private fun acquireWakeLock() {
+        val powerManager = getSystemService(Context.POWER_SERVICE) as PowerManager
+        wakeLock = powerManager.newWakeLock(
+            PowerManager.PARTIAL_WAKE_LOCK,
+            "OpenClaw::SshWakeLock"
+        )
+        wakeLock?.acquire(24 * 60 * 60 * 1000L)
+    }
+
+    private fun releaseWakeLock() {
+        wakeLock?.let {
+            if (it.isHeld) it.release()
+        }
+        wakeLock = null
+    }
+
+    private fun createNotificationChannel() {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+            val channel = NotificationChannel(
+                CHANNEL_ID,
+                "OpenClaw SSH",
+                NotificationManager.IMPORTANCE_LOW
+            ).apply {
+                description = "Keeps the SSH server running in the background"
+            }
+            val manager = getSystemService(NotificationManager::class.java)
+            manager.createNotificationChannel(channel)
+        }
+    }
+
+    private fun buildNotification(text: String): Notification {
+        val intent = Intent(this, MainActivity::class.java)
+        val pendingIntent = PendingIntent.getActivity(
+            this, 0, intent,
+            PendingIntent.FLAG_UPDATE_CURRENT or PendingIntent.FLAG_IMMUTABLE
+        )
+
+        val builder = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+            Notification.Builder(this, CHANNEL_ID)
+        } else {
+            @Suppress("DEPRECATION")
+            Notification.Builder(this)
+        }
+
+        builder.setContentTitle("OpenClaw SSH")
+            .setContentText(text)
+            .setSmallIcon(android.R.drawable.ic_lock_lock)
+            .setContentIntent(pendingIntent)
+            .setOngoing(true)
+
+        return builder.build()
+    }
+
+    private fun updateNotification(text: String) {
+        try {
+            val manager = getSystemService(NotificationManager::class.java)
+            manager.notify(NOTIFICATION_ID, buildNotification(text))
+        } catch (_: Exception) {}
+    }
+}

flutter_app/lib/screens/ssh_screen.dart

@@ -42,8 +42,11 @@ class _SshScreenState extends State<SshScreen> {
     List<String> ips = [];
     if (installed) {
       running = await SshService.isSshdRunning();
+      // Always fetch IPs so user can see them before starting
+      ips = await SshService.getIpAddresses();
       if (running) {
-        ips = await SshService.getIpAddresses();
+        final port = await SshService.getPort();
+        if (mounted) _portController.text = port.toString();
       }
     }
     if (mounted) {
@@ -61,9 +64,13 @@ class _SshScreenState extends State<SshScreen> {
     try {
       if (_running) {
         await SshService.stopSshd();
+        // Give the service a moment to stop
+        await Future.delayed(const Duration(milliseconds: 500));
       } else {
         final port = int.tryParse(_portController.text.trim()) ?? 8022;
         await SshService.startSshd(port: port);
+        // Give the service a moment to start
+        await Future.delayed(const Duration(seconds: 2));
       }
       await _refresh();
     } catch (e) {
@@ -167,7 +174,6 @@ class _SshScreenState extends State<SshScreen> {
 
   Widget _buildInstalledView(ThemeData theme, bool isDark) {
     final port = _portController.text.trim();
-    final iconBg = isDark ? AppColors.darkSurfaceAlt : const Color(0xFFF3F4F6);
 
     return ListView(
       padding: const EdgeInsets.all(16),
@@ -306,12 +312,12 @@ class _SshScreenState extends State<SshScreen> {
               child: Column(
                 crossAxisAlignment: CrossAxisAlignment.start,
                 children: [
-                  _infoRow(theme, iconBg, 'User', 'root'),
+                  _infoRow(theme, 'User', 'root'),
                   const Divider(height: 24),
-                  _infoRow(theme, iconBg, 'Port', port),
+                  _infoRow(theme, 'Port', port),
                   if (_ips.isNotEmpty) ...[
                     const Divider(height: 24),
-                    _infoRow(theme, iconBg, 'IP Addresses', _ips.join(', ')),
+                    _infoRow(theme, 'IP Addresses', _ips.join(', ')),
                   ],
                   const Divider(height: 24),
                   Text(
@@ -350,7 +356,7 @@ class _SshScreenState extends State<SshScreen> {
     );
   }
 
-  Widget _infoRow(ThemeData theme, Color iconBg, String label, String value) {
+  Widget _infoRow(ThemeData theme, String label, String value) {
     return Row(
       children: [
         Expanded(

flutter_app/lib/services/native_bridge.dart

@@ -157,4 +157,30 @@ class NativeBridge {
   static Future<bool> writeRootfsFile(String path, String content) async {
     return await _channel.invokeMethod('writeRootfsFile', {'path': path, 'content': content});
   }
+
+  // SSH Service
+  static Future<bool> startSshd({int port = 8022}) async {
+    return await _channel.invokeMethod('startSshd', {'port': port});
+  }
+
+  static Future<bool> stopSshd() async {
+    return await _channel.invokeMethod('stopSshd');
+  }
+
+  static Future<bool> isSshdRunning() async {
+    return await _channel.invokeMethod('isSshdRunning');
+  }
+
+  static Future<int> getSshdPort() async {
+    return await _channel.invokeMethod('getSshdPort');
+  }
+
+  static Future<List<String>> getDeviceIps() async {
+    final result = await _channel.invokeMethod('getDeviceIps');
+    return List<String>.from(result);
+  }
+
+  static Future<bool> setRootPassword(String password) async {
+    return await _channel.invokeMethod('setRootPassword', {'password': password});
+  }
 }