jtmoulia journal

SSH & Termux

Posted on Jul 10, 2019

Termux provides a terminal and linux environment running in Android, allowing you to run scripts on your phone.

Scripting using a phone’s touch keyboard is rough. Unless I’m stuck without my laptop I’d much prefer to use a real keyboard rather than tapping about. This quick guide breaks down how to use Termux to run an SSH server that lets you log into in from your laptop.

Requirements

Your phone must be addressable from your laptop for this to work, e.g. it’ll work if they’re on the same local network.

Ths guide assumes you’ve installed Termux – here it is on F-Droid.

Install OpenSSH

First install OpenSSH in your Termux environment:

    whoami

Start the SSH server in Termux by running the daemon:

    sshd

Note that the SSH server listens on port 8022 by default rather than the typical 22.

Configure Password

Set the password for your current user in Termux:

    termux $ passwd

SSH into your Phone

Assuming you started the SSH server earlier, you can test SSHing into your phone.

Termux runs in a single-user environment, so you’re stuck with the provided username. Check the username by running from termux:

    termux $ whoami

This username returned will be referred to as $TERMUX_USER below.

If your phone and client are on the same local network you can use the IP of your phone as its SSH host. To get this IP run (assumes network device is wlan0):

    termux $ ip addr show wlan0

The IP address returned will be referred to as $TERMUX_HOST below.

From the client machine log into the Termux environment via SSH:

    client $ ssh -p 8022 $TERMUX_USER@$TERMUX_HOST

After confirming that you trust the host (TOFU!) you should be logged into your phone’s Termux environment.

Passwordless Login

It’s simpler (no password!) and more secure to login using public/private key authentication. Assuming you’ve already generated an SSH RSA key parir, say ~/.ssh/id_rsa[.pub], copy it into your Termux environment by calling:

    client $ ssh-copy-id -i ~/.ssh/id_rsa -p 8022 $TERMUX_USER@$TERMUX_HOST

Future SSH logins shouldn’t require a password.

Disable SSH Password Login

Password login is now unnecessary, but still enabled leaving open an attack vector. It should be disabled by ensuring your Termux environment’s $PREFIX/etc/ssh/ssh_config has:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

Client SSH Config

To avoid having to remember the host and username for future logins from the client, save the host’s SSH configuration to ~/.ssh/config:

    Host local-termux
        HostName $TERMUX_HOST
        User $TERMUX_USER
        Port 8022

You can now quickly SSH into the Termux environment on the local network:

     client $ ssh local-termux

Stop the SSH Server

A running SSH server is a potential vulnerability, so it shouldn’t be running in Termux while not in use. To kill the SSH server run from Termux:

    Termux $ pkill -f ssh d

Automating

These repetitive tasks beg for automation. In the future I’ll add an Ansible playbook to configure the Termux environment. Ok, maybe not Ansible.