MagiskSSH – SSH server on Android without Termux
Comments
lutusp
freedomben
I'll say things were better in the past. It's obviously subjective, but I hate the direction things are going.
The user is now viewed as a security threat to their own device, the hyper-churn culture of the javascript ecosystem is now embedding in other areas even systems (like Android, as you point out), "updates" for apps and to a lesser but growing extent OSes, are routinely pushed and forced on users regardless whether they contain new bugs/regressions or horrible UI/UX changes, more and more software is becoming proprietary SaaS and "subscription" based, and backwards compatibility is for the birds. In the name of "security", tech companies and even individual devs are turning our own home networks into opaque spy apparatuses that make network connections that we (the owners of the network) can't even inspect. Even maintaining self-hosted apps is becoming a several-hours-per-week job.
It feels like during the late 00s and early 10s we had some real golden years of open source, but now the poisonous engineering culture that pushes the above things is poised to squash it as a "daily driver" for people. For example, once Microsoft completes their requirements for TPMs and can do hardware attestation like Apple and Google, the ratchet of websites not working (or not working completely) unless the device passes hardware attestation will start, and it will make life on a Linux laptop/desktop similar to how Tor is now where you get endless CAPTCHA hell and nobody cares because you're in a tiny minority of users and many of the tools that provide technological liberation for an individual are also tools used by gray and black hat actors.
And I haven't even gotten to the Apple-ization of everything where it's becoming all about building walled gardens. I remember when compatibility was a selling point of hardware/software.
It's not all bad of course, but it does feel like a lot more bad than good is developing. Happy Monday everyone!
Zak
When Microsoft first proposed attestation features in 2002 under the name Palladium, it was almost universally seen as a nightmare scenario. I don't understand why most of the tech world is OK with Apple and Google doing the same thing to our phones now, and Microsoft bringing it back on Windows.
I do understand trying to bury full access to the device a bit deeper than it was on older PC operating systems. The average person doesn't know how to use a computer, and it doesn't appear there was ever much hope of that situation changing. Letting a third party verify the computer is in a certain state, however, seems outright malicious.
therealmarv
I think this is a bit overkill for my taste with root but depends on use case.
I'm SSHing regularly into my Android phone (and it does not need root) for backup purposes. Used various apps for that but settled for years on Termux.
* Install https://f-droid.org/ store
* Install Termux from there
* Install ssh daemon and rsync in Termux with
    pkg upgrade
    pkg install openssh rsync
* Read manual on https://wiki.termux.com/wiki/Remote_Access#Using_the_SSH_ser... on how to start, configure, stop ssh daemon. In general: The Termux documentation is good!
dotancohen
I use `adb shell` very often on my Android phone. What are your use cases for SSH where adb does not suffice?
Not arguing, just curious.
therealmarv
It's mostly rsync for me. I love rsync.
And also: I don't want to connect my phone over the cable to my PC very often. I just want to quickly transfer sometimes (over WiFi).
dotancohen
Thanks.
1727706962
Not OP but personally
- Always available over my network/wireguard without touching the phone or a cable. Wireless ADB over a tcp socket technically works but requires a USB cable to bootstrap when you use the phone as a hotspot like I do, nor would I dare open it up to the internet.
- Any number of SFTP clients rather than the limited ADB options
- Higher throughput than wired ADB (at least on my Pixel 6A over USB)
- I want ssh access to my termux environment anyway so may as well use it for file transfers too.
I only really use adb for app development, maybe the odd nslookup or android package management with `pm`
Oxodao
If you are rooted, you do not need a wire to bootstrap, there are apps that start the process, but it's mainly for convenience.
Also this lets you run scripts on your real device instead of the chroot thing of termux which can be helpful (e.g. accessing /data/data stuff which is a pain with termux, not sure if it's even possible).
And my last reason is just that why would I need a separate app that I need to configure when I can just have a real ssh server
dotancohen
I see, thank you.
1vuio0pswjnm7
No wireless ADB in older phones.
0x38B
> ... It also includes rsync (which actually was my main motivation for this project)
I would take rsync any day over unreliable GUI apps that silently fail to complete remote transfers, often as soon as the screen is turned off.
I've used an iPhone for the past few years but may move to a Pixel running GrapheneOS for my next phone. It's apps (well, modules) like this and Termux that tip the scales in Android's favor.
razemio
Sadly, termux now has its own issues since android 12+. It is possible to work around the limitations, when you do not have an Android Phone with MDM enabled and have no problems with turning on dev tools and start remote adb from time to time. I no longer use it because of those reasons. However, there appears to be a native terminal in android 15. Maybe this will be the game changer I waited for.
jeroenhd
On my (Pixel based) LineageOS ROM, you can disable enough power saving settings to make Termux work well again. Unfortunately, many vendors remove half the settings from their interfaces and make their app killers extra aggressive (just to spite people, it seems, because battery life doesn't seem affected in my experience).
If your phone's manufacturer disabled the necessary power saving settings, I doubt they'll enable them for the Android 15 terminal.
gruez
>Unfortunately, many vendors remove half the settings from their interfaces and make their app killers extra aggressive (just to spite people, it seems, because battery life doesn't seem affected in my experience).
To be fair, for every well behaved background app (ie. a ssh server that's listening on a socket, which should consume basically zero power), there are probably 10 other misbehaving apps that are phoning home every 30 seconds for ad/tracking/analytics purposes. Moreover, "battery life" is a metric that often shows up on reviews, so it makes sense to game this metric as hard as possible, especially since most people probably aren't running servers 24/7 on their phones.
jeroenhd
I'm not opposed to power saving measures being enabled by default, but "let this app run in the background at all times" should still be a setting. Require a PIN or biometrics to toggle the setting for all I care, but not being able to turn off app killers is what turned me off several brands of phones. The defaults are good for the general population but I'm not the general population so let me turn that damn thing off. Show me a daily notification about how an app drained 40% of my battery life if you have to but don't make me root my phone again just to turn off the stupid app killer.
I run into issues with the smart watch integration app getting killed before Google Maps, even when I'm not navigating on one of my devices. No way to whitelist the integration app or set some kind of preference, it's just a lottery, probably based on guesstimated power consumption (which, for an app with a Bluetooth lock, will probably be above average) that I want to tweak.
faust201
Some sales/ad Manager will force app dev for money (that will happily take money - and write in hn after 5 years that he/she is so overwhelmed with guilt that they have to live with 6digit money on a beach now) and build UI that will trick user into enabling that for that crap app.
ssl-3
Some of those apps are things I want to phone home, like the system I have that is supposed to dial my thermostat back automatically (as well as back up again).
When these are the tasks that are killed, it costs me more than whatever precious bodily fluids that some ad/tracking/analytics stuff may sap: It costs me real money.
gruez
The problem is less with phoning home per se, and more about doing it in a way that's against user expectations. I already acknowledged that there are legitimate use cases out there, but for the overwhelming majority of users, their phone is primarily a communication and media consumption device, which doesn't need 24/7 background access. Yes, it's tragic that the handful of people are being harmed by this, but it's hardly because of "spite" as OP suggested.
ssl-3
The problem is that I'm only theoretically harmed by things that unexpectedly succeed in phoning home, while I'm absolutely harmed by things failing to phone home when I need them to do so.
Dollars I have lost due to things phoning home against my expectations: Close to zero -- if not literally zero. (And close to zero time spent managing that.)
Dollars I have lost due to things failing to phone home when I want them to do so: More than zero. (And hours and hours of time spent trying to make them work more reliably.)
gruez
If you really want to get into a game of theoretically vs practically, for most users: they're only theoretically harmed by not being able to disable background activity, because all they're doing is texting (worst case, there's GCM which is whitelisted) and watching tiktok. Meanwhile they're practically harmed because the one-of-a-dozen e-commerce app has some misbehaving background service that's trying to send telemetry 24/7. People also have terrible battery discipline, and if you're out and about a dead phone has actual costs (eg. having to rent a power bank, or having to take a cab rather than uber).
None of this invalidates your use case, but given the rarity of your use case compared to the more common use case, I hope you understand why companies are implementing it not purely out of "spite".
ssl-3
Spite?
A thing can be abhorrent and disdainful and motivated by the best and most pure of intentions, all at the same time. These are not in any way mutually-exclusive constructs.
Rarity?
Perhaps the best way to make sure a thing remains rare or unusual is to neuter it straight out of the gate. In the past few days here we've seen SSH servers and Docker containers on Android, with the repeated caveat of "Yeah, but the task killer won't let that really work." And that's absolutely true: It won't.
notpushkin
> just to spite people, it seems, because battery life doesn't seem affected in my experience
Don't forget all the crap they can run in the freed capacity now!
ForHackernews
You might also check out /e/OS - https://e.foundation/
It's less hardened than Graphene, but more user-friendly (IMHO) and similarly avoids Google spyware.
chasil
I am running a copy of this on a spare phone. I'm 95% sure that it bundles an sshd, as LineageOS does.
The Bliss launcher leaves a number of features to be desired. I can't see how to create a shortcut of the browser as an incognito tab, which for me is a must-have. The lack of widgets beyond the separate widget pane also is limiting.
I've seen some methods to get Trebuchet imported by various means. That would be required for a daily driver.
Otherwise it looks like a reasonable clone of Lineage with odds and ends.
Edit: LineageOS bundles /product/bin/sshd - I have seen wikis on how to set this up with authorized_keys. /e/OS likely has the server daemon as well. My phone says that it's OpenSSH 9.0p1, BoringSSL.
ForHackernews
:shrug: different strokes. I prefer /e/OS to LineageOS because things like maps, banking apps, microG + signature spoofing work out of the box. I think most Lineage users just install GApps, but I'm trying to avoid the google ecosystem.
chasil
Wells Fargo runs on LineageOS on my phone running Mind the Gapps.
So does google maps.
ForHackernews
That's exactly my point: You're deliberately installing Google software on your LineageOS device, so it's not really that different (from a supported apps or data privacy perspective) from a stock ROM.
GrapheneOS and /e/OS are trying to solve different problems: producing a usable Android operating system that isn't tied to Google.
colordrops
I've found that Syncthing on Android is very reliable when set up properly.
Oxodao
I use syncthing a lot too and yes it used to be perfect on my OnePlus 6 with lineage, but on my new Pixel 8 on stock I can't seem to get it to stay open; it always gets killed even though I'm pretty sure I disabled every battery saving thing for it
saint_yossarian
Make sure the notification is visible (you can minimize it though), and also switch to syncthing-fork if you haven't yet.
Oxodao
I did switch to syncthing-fork at the same time I got my Pixel. The notification is visible until it closes by itself.
For some reason I can swipe it away too, while from what I remember, persisting apps like this used to prevent you from doing so
noman-land
GrapheneOS is incredible. Nearly perfect OS.
compootr
I use it and find that it's a bit rough around the edges. Any tips to make the experience a bit better?
noman-land
It really depends which edges you find rough. Maybe we don't have the same needs. I try to use mostly open source apps and sync my calendar, contacts, files, notes and podcasts via Nextcloud. I use sandboxed Google Play Services for the small handful of apps I need but can't get any other way, everything else comes from the various open stores like F-Droid, Aurora, Accrescent, and Obtainium.
jcul
I've used countless ROMs over the years, as well as stock android, AOSP, cyanogen mod, later lineage os, calyx etc., without google, with microg etc.
Honestly Graphene is the first where everything just worked, and gave me the option to take or leave google apps, and have them in a sandbox if I desired.
Probably the first time I haven't felt the need to root or install magisk modules to customize behavior.
For me it's like having your cake and eating it too.
To be honest, and this probably seems minor / trivial, but one of the only things I miss about using GOS is the ability to turn on the flash light by holding the power or whatever other button.
I'm curious about the rough edges you experienced.
compootr
ones so far:
1. apps are rather slow to install, since GOS compiles JIT (just-in-time compiled code) on install for security/speed. It's a bit of a pain when I'm needing something now
2. play integrity fails, so some banks¹ don't work, and NFC payments are pretty much bricked
3. I had some weird issue setting up my galaxy watch. probably a Samsung thing but it'd download software for an hour then fail with a generic message multiple times
now writing this out, I realize a lot of these are skill issues I need to just take a couple hours and try to fix
1: my solution is just to use web apps and it works well since I end up with less apps. PWA FTW!
noman-land
You can add a flashlight tile in the pull down menu thing. It's not the same but it's close.
jcul
Yeah I do have that, but it does require turning on and looking at the screen, vs just having a flashlight by touch.
SushiHippie
All my smartphones had been Samsung, and then I bought a Pixel just to get GrapheneOS and for me it's a way nicer experience, so I'm curious what the rough edges are that you experience?
stavros
Do all apps support notifications? What would I lose if I switched to GrapheneOS from a Pixel?
bubblethink
You'll lose any apps that use play integrity or other similar checks that check for a non-google OS. Some banking, media, or gaming apps may use those checks, but I haven't encountered many in the US. Other than that, everything will work as stock if you use the sandboxed play services. If you don't use play services, there's perhaps a longer list of things that won't work, including notifications for most apps that rely on FCM. The OS supports different types of isolation schemes like private spaces and additional user profiles. So you can find some middle ground on whether or not you want play services, which accounts are logged in where, etc.
stavros
That sounds OK, thank you!
JeremyNT
The only downside is the increasingly onerous attestation requirements that are eventually going to infect virtually all proprietary software for Android.
If you only care about running open source code, you're golden.
spiffytech
To pull files off my Android phone I installed an FTP server app. Gets the job done for me, and works on stock Android. I only turn it on when I need it.
https://play.google.com/store/apps/details?id=com.theolivetr...
j1elo
On Android 14 it doesn't allow installing and the Play Store says:
> This app isn't available for your device because it was made for an older version of Android.
Nevertheless, an alternative is Material Files, a FOSS file manager that includes an FTP Server and Client:
* https://f-droid.org/packages/me.zhanghai.android.files
* https://play.google.com/store/apps/details?id=me.zhanghai.an...
spiffytech
Hmmm, that's strange? I have it installed on my Pixel 8, which launched with Android 14 and recently upgraded to Android 15. I wonder what's different for you?
sphars
I also have a Pixel 8, stock Android 15 and the app is unavailable for me as well
jcul
Graphene OS do not recommend or support rooting as far as I know.
Though I'm pretty sure you can just flash magisk / magisk modules as you would with any other ROM.
trallnag
With every new Android release I'm afraid that Google decides to limit all these freedoms we have on Android
colordrops
I've found that synching on Android is very reliable when setup properly.
n144q
Sadly you are in the vanishing minority of Android users who care about this. Most people just want a phone that works. So much that many people switch to iPhones because, admittedly, many things work better in their walled garden, and the phone is "simpler" because the OS hides many details or doesn't allow you to do anything.
I used to spend lots of time trying different ROMs, figuring out SU and SELinux stuff, and fighting with SafetyNet. These days I just use stock Samsung ROM. I still have Termux on my devices but only use them occasionally when I don't have a laptop next to me and need to do some hardcore stuff. (I might even switch to iPhone someday because the password autofill experience on Android is just atrocious and infuriating while Google has done almost nothing for the past few years.)
aftbit
Personally, I would suggest trying out GrapheneOS on a modern Pixel before going to iPhone. They remove 80% of the Google annoyances and have a very good security profile compared to anything rooted and most custom ROMs that don't bother with relocking the bootloader.
You will still fail to pass device verification, but that doesn't really matter to me. I don't use tap to pay (that's what NFC credit cards are for) nor play any mobile games that actually care.
I could not imagine using a stock Samsung ROM personally, but to be fair, it has been years since I tried. Maybe I'm still just too burned from the bloatware of the early Galaxy days.
dizhn
Samsung phones are pretty nice these days. It's also very easy to migrate to a new phone. Their software migrates almost everything including side loaded apps.
edent
BitWarden on Android is pretty good for auto-filling passwords. Works in-app and in-browser.
xelamonster
For some definitions of works. It's frustratingly inconsistent for me, very often it'll give me no suggestions on apps it's filled many times before and I have to go open it and manually copy out passwords.
n144q
Using Bitwarden on a Samsung device, it is hit or miss. Tried everything possible. If you have some magic to make it work everywhere, let me know.
ddxv
I've been liking the Firefox autofill on Android, not sure if that fits your needs.
n144q
How well does it work with other apps, especially WebView?
e.g. if I open doordash and try to log in, which opens a web view with a login form, does autofill popup?
In my experience, autofill works the best in Chrome if you have your entire digital life dedicated to Google's ecosystem.
But I use Firefox with Bitwarden, which works at most 50% of the time. That works about 85% of the time on iPhone or iPad.
ddxv
It works great with other apps. I've switched phones a couple times and had no issues that I can think of with passwords. Maybe sometimes some banking apps prevent FF from opening, so I had to manually lookup the password, but I think the most recent time I didn't have this issue with any apps. Also, I use FF to randomly generate most passwords.
> e.g. if I open doordash and try to log in, which opens a web view with a login form, does autofill popup?
yes, I just checked with Gmail > random website in Gmail WebView, and Firefox autofilled it fine. That being said, WebViews can be unique app to app, so can't promise it works for door dash as I don't have that app.
n144q
[flagged]
Asmod4n
There are things Android forbids you to tinker with, even on a rooted device. And it’s advertisement related things.
cf100clunk
I assume "official stock OEM Android" is what you meant, and I hope you'll give specifics of the things you mention. Alternative browsers like ungoogled-chromium-android, Cromite, Vanadium, and some others purport to have stripped most of that out from the Chromium browser, while GrapheneOS, LineageOS, /e/OS, and maybe some others purport to do that at the OS level.
guerrilla
> And it’s advertisement related things.
What do you mean?
Asmod4n
You can’t supply your own ipv6 settings, not even disabling it.
That means you can’t use something like pihole with android.
guerrilla
I don't understand. You're saying people can't use PiHole with Android? But lots of people do that... Or do you mean it can't be installed on Android itself? I googled that and it seems it can be...
1. https://www.reddit.com/r/pihole/comments/18ov638/pi_hole_on_...
Asmod4n
You still can’t set the IPv6 dns server manually and you can’t permanently disable IPv6.
When you install pihole and set it as the dhcp server and also as the IPv6 "RA" server the ipv6 dns server from your router will still be used primarily. Making dns based blocking on android ineffective.
tetris11
This looks good.... but I don't get the importance of it. What can this do that termux openssh can't?
Can I mount remote filesystems at the system level via sshfs?
noname120
Termux gets killed easily, even if you set it to unrestricted in your battery-saving settings. Here is one of the mechanisms that causes Termux (and other apps) to be killed: https://github.com/agnostic-apollo/Android-Docs/blob/master/...
This module isn't affected by battery-saving mechanisms because it runs as a system process rather than an app process.
nolist_policy
You can disable the phantom process killer in developer settings in Android 14.
Termux is rock solid on my Galaxy Fold 4 without any root or adb shenanigans.
adhamsalama
It still killed Linux desktop environments after a couple of minutes for me when I tried it.
dataflow
Yeah I had the same question. Why would I prefer this?
tetris11
I'm guessing it's for the use case where you "adb shell" into the phone, and want to ssh elsewhere (where dynamically-linked Termux binaries would not work)....
Edit: .. though, one could always just start an ssh server in Termux in the OS for this.
Maybe it's if you want to have ssh and rsync in the recovery or fastboot modes? Just in case you can't get (or don't want) to run the android system?
Edit2: Ah. It's for when you want to use another app that can call system commands, without having to build ssh and rsync into the app, nor spawn an intermediate termux process from the app. It cuts out the middle-man. That is quite useful.
hagbard_c
Installed it just now - don't forget to enable incoming connections on the firewall (AFWall+) if you happen to use one - and did some experimenting, especially to find out whether it would open up the device to the deluge of ssh probing. Even though those probes will (in a sane universe) not succeed they're unwelcome anyway. I do notice the device listens on port 22 on both IPv4 and IPv6. Fortunately it is possible to change this by editing /data/ssh/sshd_config where I disabled IPv6 (not necessary in this context) and changed the listening port. You never know on which network your device will end up after all.
Oxodao
Great tip! I will apply it to my setup
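The edit hagbard_c describes above (no IPv6, a non-default port in /data/ssh/sshd_config) can be verified with a small audit script. This is an added example, not part of the thread or of MagiskSSH; the port 2222 and the sample configs are constructed, and the defaults assumed (port 22, both address families) are upstream OpenSSH's.

```shell
#!/bin/sh
# Added example (not MagiskSSH code): report how exposed an sshd_config's
# listener is. On the device discussed above the file is /data/ssh/sshd_config.

# Print every value of a global keyword, one per line. Keywords are
# case-insensitive; parsing stops at the first "Match" line because
# everything after it is conditional, not a global setting.
sshd_values() {
    awk -v want="$2" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2 }
    ' "$1"
}

# Print a space-separated list of findings (empty when nothing is flagged).
# Ports given on ListenAddress lines and hostnames are not examined.
audit_sshd() {
    cfg=$1
    findings=""

    # Port may be repeated; with no Port line sshd listens on 22.
    ports=$(sshd_values "$cfg" Port)
    for p in ${ports:-22}; do
        if [ "$p" = 22 ]; then findings="$findings default-port"; fi
    done

    # AddressFamily is single-valued: first occurrence wins, default "any".
    family=$(sshd_values "$cfg" AddressFamily | head -n 1 | tr 'A-Z' 'a-z')
    listen=$(sshd_values "$cfg" ListenAddress)

    # Without ListenAddress, sshd binds the wildcard address of every
    # enabled family, so it answers on whatever network the phone joins.
    v6=no; wildcard=no
    if [ -z "$listen" ]; then
        wildcard=yes
        v6=yes
    fi
    for a in $listen; do
        case $a in
            0.0.0.0|0.0.0.0:*) wildcard=yes ;;
            ::|\[::\]*)        wildcard=yes; v6=yes ;;
            \[*|*:*:*)         v6=yes ;;
        esac
    done
    # "AddressFamily inet" disables IPv6 regardless of the above.
    if [ "${family:-any}" = inet ]; then v6=no; fi

    if [ "$v6" = yes ]; then findings="$findings ipv6-listener"; fi
    if [ "$wildcard" = yes ]; then findings="$findings all-interfaces"; fi
    printf '%s\n' "${findings# }"
}

# Constructed sample input: a stock-style config, then the edit from the thread.
demo_dir=$(mktemp -d)
printf '%s\n' '#Port 22' '#AddressFamily any' > "$demo_dir/stock"
printf '%s\n' 'Port 2222' 'AddressFamily inet' > "$demo_dir/edited"
echo "stock:  $(audit_sshd "$demo_dir/stock")"
echo "edited: $(audit_sshd "$demo_dir/edited")"
rm -rf "$demo_dir"
```

The remaining `all-interfaces` finding on the edited config goes away only when a `ListenAddress` pins sshd to one address, such as a WireGuard interface.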
nickcw
I wonder if that includes the SFTP server component of openssh?
If so it would be very useful for use with rclone. I back up my phone by running an sshd in termux then using rclone with sftp remotely. This works very well (until the phone decides on a whim to kill the sshd!).
chasil
On my LineageOS device, /product/bin contains scp, sftp, ssh, sshd, and ssh-keygen along with a startup script.
In f-droid, there is also a "primitive FTP server" that includes an SFTP, but that probably gets killed unless you are very careful.
tacomagick
The project looks awesome. If this was also done using Shizuku it would be pretty cool as well.
paravz
my rsync backup use case over usb and adb (with adb root)
start rsync daemon:
    adb root
    adb forward tcp:6010 tcp:11873
    adb shell "rsync --daemon --port 11873 --config=/sdcard/rsyncd.conf &"
rsync:
    rsync -rltHDhP --stats --size-only --append-verify --partial --delete rsync://localhost:6010/root/data/data/ /backup/data
cleanup:
    adb kill-server
/sdcard/rsyncd.conf for the phone:
    address = 127.0.0.1
    uid = root
    gid = root
    [root]
    path = /
    read only = true
sammyo
A (super easy to set up) rsync on iPhone that can "see" the itunes music folder would be a huge boon and likely change the world for the better!
dboreham
Interferes with Apple's ideas on how to make more money.
lutusp
From the linked Gitlab writeup: "Some changes to OpenSSH are used from Arachnoid's SSHelper." I'm very glad to see this port of open-source code I wrote years ago, especially now that Google has removed SSHelper from the Google Play store (BTW still available at https://arachnoid.com/android/SSHelper).
After years of trying to keep up with Google's perpetual Android tweaks, I gave up and accepted that they would eventually remove any apps that weren't updated for each new Android version.
These events only remind me how out-of-date I am as a programmer. I wrote and released my first major title, Apple Writer (https://en.wikipedia.org/wiki/Apple_Writer) in 1979. It lasted for six years in various forms, then was replaced by better programs. I wasn't a corporation, I was an individual, and my programs (then and since) have been individual projects.
In modern times, individual releases are rare, and in the future are likely to be even more rare, replaced by collaborations between developer teams and AI.
Not saying things were better in the past. Just different.