Debug1: sshexchangeidentification: Dropbear multi-purpose version 0.53.1. Debug1: sshexchangeidentification: Make a symlink pointing at this binary with one of the following names: debug1: sshexchangeidentification: 'dropbear' - the Dropbear server. Debug1: sshexchangeidentification: 'dbclient' or 'ssh' - the Dropbear client. OpenSSH (also known as OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture. Default SSH port in Termux is 8022. Starting and stopping OpenSSH server. Since Termux does not use initialization system, services are started manually from command line. To start OpenSSH server.

Termux is capable of accessing remote devices by using some common tools. It is also possible to turn a device running Termux into remote controlled server.

Warning: plain FTP is deprecated and insecure anyway. Termux FTP server supports only anonymous login, there no any authentication and everyone on your network can access files on your device. Use SFTP (OpenSSH) instead!

Termux FTP server is based on busybox and service is managed by [Termux-services]. If you decided to use FTP server, install these packages:

After installation you need to restart session or source this file:

Now you ready to enable and start the FTP daemon service:

FTP server will run on port 8021 in read-only mode.

If you need to stop server, run sv down ftpd.

SSH provides a secure way for accessing remote hosts and replaces tools such as telnet, rlogin, rsh, ftp. Termux provides SSH via two packages: dropbear and openssh. If you never used these tools before, it is recommended to install 'openssh' as it is more common.

Using the SSH client

You can obtain an SSH client by installing either `openssh` or `dropbear`.

Usage example

To login to a remote machine where the ssh daemon is running at the standard port (22):

Same as above, but if the ssh daemon running on different port, e.g. 8022:

Using public key authentication with ssh running on the standard port and a private key stored in the file `id_rsa`:

Note, that if `id_rsa` will be stored in `~/.ssh` directory, you can omit specifying it in the command. But if you have multiple keys, it is necessary to pick a specific key with `-i {path_to_privkey}`.

SSH Agent

Important note: this does not work for Dropbear.

If you wish to use an SSH agent to avoid entering passwords, the Termux openssh package provides a wrapper script named `ssha` (note the `a` at the end) for ssh, which:

• Starts the ssh agent if necessary (or connect to it if already running).
• Runs the `ssh-add` if necessary.
• Runs the `ssh` with the provided arguments.

This means that the agent will prompt for a key password at first run, but remember the authorization for subsequent runs.

Using the SSH server

OpenSSH

OpenSSH (also known as OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

Default SSH port in Termux is 8022.

Starting and stopping OpenSSH server

Since Termux does not use initialization system, services are started manually from command line.

To start OpenSSH server, you need to execute this command:

If you need to stop `sshd`, just kill it's process:

SSH daemon does logging to Android system log, you can view it by running logcat -s 'sshd:*'. You can do that either from Termux or ADB.

Setting up password authentication

Password authentication is enabled by default. This will allow you to get started with it much easier. Before proceeding, make sure that you understand that password authentication is less secure than a pubkey-based one.

1. Ensure that everything is up to date and package `openssh` is installed:

2. Password authentication is enabled by default in configuration file. But you can still review it ($PREFIX/etc/ssh/sshd_config), it should be like this:

3. Set new password. Execute command passwd. While program allows minimal password length is 1 character, the recommended password length is more than 8-10 characters. Passwords are not printed to console.

Setting up public key authentication

Public key authentication is the recommended way for logging in using SSH. To use this type of authentication, you need to have a public/private key pair. For successful login, the public key must exist in the authorized keys list on remote machine while private key should be kept safe on your local host.

In the following example it will be assumed that you want to establish public key authentication between your PC (host) and your Android device running Termux (remote). It also will be assumed that you running Linux distribution on your PC.

1. If you do not have keys, you can generate them. In this example we will generate RSA key. On PC, execute this command:

The command shown above generates private RSA key with 2048 bit key length and saves it to file `id_rsa`. In the same directory you can find a file `id_rsa.pub` – it is a public key.

Important note: 2048 bit is the minimal key length that is considered safe. You can use higher values, but do not use higher than 4096 as remote server may not support big keys.

2. Copy key to the remote machine (Termux). Password authentication has to be enabled in order to install pubkey on remote machine. Now do:

Do not forget to replace `IP_ADDRESS` with the actual LAN IP address of your device. It can be determined by using command ifconfig.

If everything was okay, you will see a message like this one:

3. From this point password authentication can be disabled. Edit file $PREFIX/etc/ssh/sshd_config and replace line beginning with 'PasswordAuthentication' by

Then execute command pkill sshd; sshd in order to restart server with updated configuration file.

Dropbear

Dropbear is a software package written by Matt Johnston that provides a Secure Shell-compatible server and client. It is designed as a replacement for standard OpenSSH for environments with low memory and processor resources, such as embedded systems.

Important note: Dropbear does not provide SFTP server.

Starting and stopping Dropbear server

Same as for OpenSSH, you will need to execute it's binary manually. Also, unlike OpenSSH, Dropbear does not use a configuration file but only command line arguments.

Server is running in background, both password and public key authentication available. To achieve this, just type in console:

If you need only public key authentication, do this instead:

Also, server can be started in foreground. For this purpose use a parameter `-F`:

Server started in foreground can be stopped by just Ctrl-C key combination. If it is in the background, then you can use a `pkill`:

Setting up password authentication

Same as for OpenSSH, password authentication is enabled by default.

Everything you have to do, is:

1. Make sure that everything is up to date and dropbear is installed:

2. Set password by executing command passwd.

3. Start dropbear server. You can execute either just dropbear to start it in background or dropbear -F to start it in the foreground.

Setting up public key authentication

Same as for OpenSSH, you can put your keys by using ssh-copy-id. But if you consider to setup a public key authentication from Termux to something else, it is worth to mention some important differences between OpenSSH and Dropbear.

1. Dropbear uses a different command for generating keys. Example of generating RSA key (2048 bit):

2. Public key should be obtained manually. To do this, you have to use 'dropbearkey' again, but in different way:

3. Dropbear and OpenSSH uses a different key formats. To use a Dropbear's key in OpenSSH, you will have to convert it:

This procedure can be done vice versa to obtain a key in Dropbear's format:

Using the SFTP

Package OpenSSH provides a tool for accessing remote hosts over SFTP. This will allow you to work with files in same way as via FTP but with better security.

Connecting to Termux (sshd listening on port 8022):

Connecting to somewhere else (sshd listening on standard port):

However, to use command line SFTP client you should know some basic commands:

• cd PATH - change current directory to `PATH`.
• get REMOTE [LOCAL] - download file `REMOTE` and rename it as `LOCAL` (optional).
• mkdir PATH - create directory `PATH`.
• ls [PATH] - list files in directory `PATH`. If no argument, files in current directory will be listed.
• put LOCAL [REMOTE] - Upload file `LOCAL` and rename it as `REMOTE` (optional).
• rm FILE - Delete file `FILE`.

This is not a complete list of SFTP commands. To view all available commands, consider to view man page (man sftp) or view short help in interactive SFTP session by issuing command `help`.

Mosh is a remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes.

Usage example

Important note: Mosh should be installed on both client and server side.

Busybox Ssh Server

Connecting to remote host (sshd listening on standard port):

Connecting to Termux (sshd listening on port 8022):

Rsync is a tool for synchronizing files with remote hosts or local directories (or drives). For better experience of using rsync, make sure that package `openssh` (or `dropbear`) is installed.

Usage example

Sync your photos with PC:

Get photos from remote Android device:

Sync local directories (e.g. from external sdcard to Termux home):

You may want to see man page (`man rsync`) to learn more about it's usage.

This guide explains how to unlock a LUKS encrypted ubuntu system via SSH. This is convenient if in example you want to turn on a server but don't have a keyboard and screen attached to it. Or if you don't have physical access to it. I assume that you know already how to set up an OpenSSH server and you know how to activate/deactivate public key login. Else read Ubuntu Help: OpenSSH Server and check more online resources.

This guide was tested with ubuntu 18.04 and ubuntu 17.10.

To connect from Windows, I used ssh from bash (if you install Git for Windows you get bash).

Open a terminal and install dropbear and busybox:
You will get a warning here as it completes: dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won’t work!, just ignore it for now.

Activate BUSYBOX and DROPBEAR in initramfs
Change BUSYBOX=auto to option to BUSYBOX=y and add (below it or at the end of the file) this line:
Browse to the /etc/dropbear-initramfs/ directory, which includes all the dropbear configurations needed to be included in the initramfs:

Note: host keys are already present, as they were automatically generated during the installation of the dropbear package, so there is no need to create new ones as other guides tell you to do. Just convert the rsa one, as follows:
Add your client public key to the authorized_keys. If you are logged to your machine via SSH, and your public key is already in your authorized_keys file, you can copy the existing authorized_keys file, as follows:
Else you can add a public key as follows: sudo echo “your public key” >> authorized_keys

Set dropbear to start:
Change NO_START=1 to NO_START=0

In dropbear, use a different port from the one you are using in your host, so you won’t get the annoying 'man in the middle attack' warning in your ssh client that will notice that the host has different keys. Different ports are considered different hosts, so you won’t get any warning at all. I’ve seen other complicated solutions to avoid the warning, but I think that using a different port is the easiest and most elegant solution.
Uncomment the DROPBEAR_OPTIONS line and add the option to specify the port. In this example I use port 21. Use the port you desire.
Now add the script that will be needed to actually unlock your LUKS partition:
Copy and paste the contents from gusennan' sh script in the file (or copy the text from the raw file), then give it executable rights:
Update initramfs:
Disable the dropbear service on boot, so it won't interfere with your openssh server:
Important, I had to update grub and disable the splash screen, because with splash active, after connecting to dropbear and typing unlock the screen was blocked and I could not enter the LUKS password.
In the GRUB_CMDLINE_LINUX_DEFAULT line, replace 'quiet slash' with 'quiet' , as follows:
Save and update grub:
Reboot your server:
Try to connect to your machine. You must use the root user, and specify the port you configured in the previous step:
Once connected you will see something like this:
type unlock , insert your LUKS password, if everything worked correctly your partition will decrypt and your machine will boot. You will see this:
Give it time to boot, then you can finally ssh into your linux box, as usual.

Encrypted HOME directory

If not only your partition is encrypted, but also your home directory, you won't be able to login with your public key, as the public key is saved in ~/.ssh/authorized_keys , which is encrypted.

To solve this, follow Stephen's Encrypted Home directories + SSH Key Authentication guide.

Troubleshooting

Busybox Commands

If you get this error when you try to connect to your server, it's because you didn't follow my advise to change port in dropbear:

Busybox Extras

I still prefer my solution, but if you insist on using the same port, here a few nerdy solutions:

Solution 1, works like a charm in linux, but not really on bash on windows.

Solution 2, provide some command line hack to avoid the warning:

Credits

This guide was inspired by: https://oliverviebrooks.com/2017/12/05/unlocking-luks-volumes-without-local-access/

Thanks also to Stephen (link above) for his encrypted home directories solution.

I hope that this guide was helpful for you, if so, consider buying a gadget at banggood using my referral link. Like this (comparing to a donation) we both benefit, you get a gadget that may be useful for you and I get something too (a little commission, but the price for you is the same).