SSH from Android with Termux
Guide for connecting from an Android phone to a Linux/home server using SSH keys in Termux.
Recommended setup:
Android Termux → Tailscale → SSH key → server
Here you can find the guide on how to set up Tailscale.
This keeps SSH private and avoids exposing SSH directly to the internet.
This guide uses the default SSH port:
22
Goal
The goal is to:
- Install SSH in Termux
- Create an SSH key on Android
- Add the public key to the server
- Test SSH login
- Make login easier with SSH config
- Harden SSH safely after key login works
- Install SSH in Termux
Open Termux.
Update packages:
pkg update
Install OpenSSH:
pkg install openssh
Check SSH version:
ssh -V
If this shows an SSH version, SSH is installed.
- Create an SSH key on Android
Create an Ed25519 SSH key:
ssh-keygen -t ed25519 -C "termux-android"
When it asks where to save the key, press Enter.
Default location:
/data/data/com.termux/files/home/.ssh/id_ed25519
When it asks for a passphrase:
Use a passphrase if you want extra security. Leave it empty if you want easier access.
For a phone, a passphrase is safer.
What files are created?
After creating the key, Termux creates two files:
~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub
Meaning:
id_ed25519 = private key
id_ed25519.pub = public key
The private key stays on your phone.
The public key goes to the server.
Never copy or share the private key.
- Copy the public key
Show the public key:
cat ~/.ssh/id_ed25519.pub
Copy the full line.
It starts with:
ssh-ed25519
Example shape:
ssh-ed25519 AAAA... termux-android
Copy the full line, not only part of it.
- Add the public key to the server
On the server, add the Termux public key to:
~/.ssh/authorized_keys
Create the ".ssh" directory if needed:
mkdir -p ~/.ssh
Edit the authorized keys file:
nano ~/.ssh/authorized_keys
Paste the Termux public key on a new line.
Then fix permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
These permissions matter.
SSH may refuse key login if the permissions are too open.
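The server-side steps above can also be done with one function that rejects the usual paste mistakes (a truncated line, a private key, a duplicate entry) and sets the same permissions. This is an added example, not part of the original guide; the function name install_pubkey and its optional second argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Run on the server as the login user:
#   install_pubkey 'PASTE_FULL_PUBLIC_KEY_LINE_HERE'
install_pubkey() {
    key_line=$1
    auth_file=${2:-"$HOME/.ssh/authorized_keys"}
    ssh_dir=$(dirname "$auth_file")

    # Only the .pub line belongs on the server; reject private key material
    # and multi-line pastes.
    case $key_line in
        *"PRIVATE KEY"*) echo "refusing: this is a private key" >&2; return 2 ;;
        *"
"*) echo "refusing: expected exactly one line" >&2; return 3 ;;
    esac

    # Require "ssh-ed25519 <blob> [comment]". An Ed25519 blob is 68 base64
    # characters with a fixed 20-character prefix, so a truncated paste fails.
    if ! printf '%s\n' "$key_line" |
        grep -Eq '^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5[A-Za-z0-9+/]{48}( .*)?$'; then
        echo "refusing: not a complete ssh-ed25519 public key line" >&2
        return 3
    fi

    # Create the directory and file with the modes the guide sets.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Match on "type blob" so a different comment does not add a duplicate.
    key_id=$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)
    if grep -qF -- "$key_id" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi

    # Start a new line first if the file does not end with a newline.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key added to $auth_file"
}
```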
- Test SSH from Termux
From Android Termux:
ssh USERNAME@SERVER_IP
With Tailscale IP:
ssh USERNAME@TAILSCALE_IP
With Tailscale hostname or MagicDNS:
ssh USERNAME@SERVER_NAME
Example:
ssh USERNAME@SERVER_NAME
If login works without asking for the server account password, the key login is working.
It may still ask for the SSH key passphrase if you created one. That is normal.
- Make SSH easier with config
Instead of typing the full SSH command every time, create an SSH config file.
In Termux:
nano ~/.ssh/config
Add:
Host homeserver
    HostName SERVER_NAME_OR_TAILSCALE_IP
    User USERNAME
    Port 22
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
Fix config permissions:
chmod 600 ~/.ssh/config
Now connect with:
ssh homeserver
This is easier than typing the full server address every time.
- Test the SSH config
Before changing server hardening settings, test the config.
From Termux:
ssh homeserver
Then open a second Termux session and test again:
ssh homeserver
Keep the first working SSH session open.
This is important because if the next steps break SSH, you still have one open session to fix the server.
- Safety check before hardening SSH
Do not disable password login until key login works.
Best order:
- Create SSH key in Termux.
- Add public key to the server.
- Test SSH login from Termux.
- Create ~/.ssh/config.
- Test ssh homeserver.
- Open a second SSH session and test again.
- Keep the first working session open.
- Only then disable password login.
- Restart SSH.
- Test again before closing the old session.
This prevents locking yourself out.
- Harden SSH
Only do this after the safety check above is complete.
On the server, edit the SSH server config:
sudo nano /etc/ssh/sshd_config
Look for or add:
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Meaning:
PubkeyAuthentication yes = allow SSH key login
PasswordAuthentication no = disable password login
PermitRootLogin no = disable direct root login
Save the file.
Before restarting SSH, check the config syntax:
sudo sshd -t
If there is no output, the syntax is okay.
Then restart SSH.
On RHEL-like systems:
sudo systemctl restart sshd
On Debian/Ubuntu-like systems:
sudo systemctl restart ssh
Check status:
sudo systemctl status sshd
or:
sudo systemctl status ssh
- Test after hardening
From Termux, test again:
ssh homeserver
If it works, SSH key login still works.
Now check the active SSH settings on the server:
sudo sshd -T | grep -Ei 'passwordauthentication|pubkeyauthentication|permitrootlogin|port'
Expected result should look similar to:
port 22
pubkeyauthentication yes
passwordauthentication no
permitrootlogin no
Only close your old SSH session after confirming the new login works.
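The comparison against the expected values can be scripted instead of read by eye. The following is an added example, not part of the original guide; the function name check_sshd_hardening is an assumption, and the sample input at the end is constructed, not real server output.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Usage on the server: sudo sshd -T | check_sshd_hardening
check_sshd_hardening() {
    # Reads `sshd -T` output on stdin, prints one line per problem and
    # returns non-zero if an expected setting is missing or different.
    awk '
        BEGIN {
            # The three values this guide sets in /etc/ssh/sshd_config.
            want["pubkeyauthentication"]   = "yes"
            want["passwordauthentication"] = "no"
            want["permitrootlogin"]        = "no"
        }
        # sshd -T prints "keyword value" pairs, one per line.
        { key = tolower($1) }
        (key in want) { seen[key] = tolower($2) }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s (expected %s)\n", k, want[k]
                    bad = 1
                } else if (seen[k] != want[k]) {
                    printf "MISMATCH %s is %s (expected %s)\n", k, seen[k], want[k]
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample (not real server output): password login still enabled.
printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
    'passwordauthentication yes' 'permitrootlogin no' |
    check_sshd_hardening || echo "hardening is NOT fully in effect"
```

A MISMATCH after editing /etc/ssh/sshd_config usually means an earlier line or an included file sets the same keyword, because sshd uses the first value it reads.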
- Recommended access method
The cleanest setup is:
Termux → Tailscale → SSH key → server
Recommended:
- Use Tailscale for remote access.
- Use SSH keys for login.
- Keep SSH on port 22.
- Do not expose SSH directly to the internet unless there is a strong reason.
- Useful SSH commands from Termux
Connect using SSH config:
ssh homeserver
Connect with a full command:
ssh USERNAME@SERVER_NAME
Use verbose output for troubleshooting:
ssh -v homeserver
More verbose:
ssh -vvv homeserver
Show SSH files:
ls -lah ~/.ssh
Show public key:
cat ~/.ssh/id_ed25519.pub
- Common problems
Permission denied
Check permissions on the server:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Check that the public key is inside:
cat ~/.ssh/authorized_keys
Check permissions in Termux:
ls -lah ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 600 ~/.ssh/config
SSH asks for password instead of key
From Termux, test with verbose mode:
ssh -v homeserver
Look for whether the key is being offered.
Check SSH config:
cat ~/.ssh/config
Check that this line points to the correct private key:
IdentityFile ~/.ssh/id_ed25519
Also check that this line exists:
IdentitiesOnly yes
Cannot reach the server
Check Tailscale first:
tailscale status
Then test SSH:
ssh homeserver
If using an IP:
ssh USERNAME@TAILSCALE_IP
On the server, check SSH service:
sudo systemctl status sshd
or:
sudo systemctl status ssh
Check if SSH listens on port 22:
ss -tulpn | grep :22
- Security notes
Good SSH habits:
- Use SSH keys.
- Use a passphrase on phone keys.
- Disable direct root SSH login.
- Disable password login only after key login works.
- Use Tailscale for private remote access.
- Keep Termux and packages updated.
- Do not share private keys.
Avoid:
- Exposing SSH directly to the internet.
- Using weak passwords.
- Allowing root login.
- Disabling password login before testing keys.
- Closing your only working SSH session before testing the new setup.
- Quick command summary
Termux:
pkg update
pkg install openssh
ssh -V
ssh-keygen -t ed25519 -C "termux-android"
cat ~/.ssh/id_ed25519.pub
nano ~/.ssh/config
chmod 600 ~/.ssh/config
ssh homeserver
ssh -v homeserver
Server:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
sudo nano /etc/ssh/sshd_config
sudo sshd -t
sudo systemctl restart sshd
sudo sshd -T | grep -Ei 'passwordauthentication|pubkeyauthentication|permitrootlogin|port'