Remote Access

Termux is capable of accessing remote devices by using some common tools. It is also possible to turn a device running Termux into remote controlled server.

= FTP =

Termux provides a lightweight FTP server so you can manage your files via remote connection. FTP server is provided by busybox package, so you don't have to install anything.

Security warning: this FTP server supports only anonymous login, so there is no authentication and anyone can connect to your device and do nasty things. Use it only in your own network or use SFTP instead.

To start FTP server you have to run `ftpd` via `tcpsvd`:

$ tcpsvd -vE 0.0.0.0 1024 ftpd /

Command shown above will start FTP server on port 1024 from the root (`/`) directory.

By default, ftpd is started in read-only mode, e.g. you can only download files or perform directory listing. If you want to upload files, then ftpd should be started in this way:

$ tcpsvd -vE 0.0.0.0 1024 ftpd -w /

Then you can connect to Termux from another device. Example for connecting to Termux with command line FTP client (from PC):

$ ftp 192.168.1.3 1024

You shouldn't start FTP on port lower than 1024 otherwise this will result in the following error message:

tcpsvd: bind: Permission denied

= SSH =

SSH provides secure way for accessing remote hosts and replaces tools such as telnet, rlogin, rsh, ftp. Termux provides SSH via two packages: dropbear and openssh. If you never used these tools before, it is recommended to install 'openssh' as it is more common.

Using the SSH client
You can obtain SSH client by installing either package `openssh` or `dropbear`.

Usage example
Logging in to the remote machine where ssh daemon is running at the standard port (22):

ssh user@hostname_or_ip

Same as above, but if ssh daemon running on different port, e.g. 8022:

ssh -p 8022 user@hostname_or_ip

Using public key authentication with assuming that ssh running on standard port and private key is stored in file `id_rsa`:

ssh -i id_rsa user@hostname_or_ip

Note, that if `id_rsa` will be stored in `~/.ssh` directory, you can omit specifying of it in the command. But if you have multiple keys, it is necessary to pick a specific key by using `-i {path_to_privkey}`.

SSH Agent
Important note: this does not work for Dropbear.

If you wish to use an SSH agent to avoid entering passwords, the Termux openssh package provides a wrapper script named `ssha` (note the `a` at the end) for ssh which:


 * Starts the ssh agent if necessary (or connect to it if already running).
 * Runs the `ssh-add` if necessary.
 * Runs the `ssh` with the provided arguments.

This means that the agent will prompt for a key password at first run, but remember the authorization for subsequent runs.

OpenSSH
OpenSSH (also known as OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

Starting and stopping OpenSSH server
Since Termux does not use initialization system, services are started manually from command line.

To start OpenSSH server, you need to execute this command:

sshd

If you need to stop `sshd`, just kill it's process:

pkill sshd

SSH daemon does logging to syslog, you can view it by running. You can do that either from Termux or ADB.

Setting up password authentication
Password authentication is enabled by default. This will allow you to get started with it much easier. Before proceeding, make sure that you understand that password authentication is less secure than a pubkey-based one.

1. Ensure that everything is up to date and package `openssh` is installed:

pkg upgrade pkg install openssh

2. Password authentication is enabled by default in configuration file. But you can still review it ($PREFIX/etc/ssh/sshd_config), it should be like this:

PrintMotd no PasswordAuthentication yes PubkeyAcceptedKeyTypes +ssh-dss Subsystem sftp /data/data/com.termux/files/usr/libexec/sftp-server

3. Set new password. Execute command. While program allows minimal password length is 1 character, the recommended password length is more than 8-10 characters. Passwords are not printed to console.

$ passwd New password: Retype new password: New password was successfully set.

Setting up public key authentication
Public key authentication is the recommended way for logging in using SSH. To use this type of authentication, you need to have a public/private key pair. For successful login, the public key must exist in the authorized keys list on remote machine while private key should be kept safe on your local host.

In the following example it will be assumed that you want to establish public key authentication between your PC (host) and your Android device running Termux (remote). It also will be assumed that you running Linux distribution on your PC.

1. If you do not have keys, you can generate them. In this example we will generate RSA key. On PC, execute this command:

ssh-keygen -t rsa -b 2048 -f id_rsa

The command shown above generates private RSA key with 2048 bit key length and saves it to file `id_rsa`. In the same directory you can find a file `id_rsa.pub` – it is a public key.

Important note: 2048 bit is the minimal key length that is considered safe. You can use higher values, but do not use higher than 4096 as remote server may not support big keys.

2. Copy key to the remote machine (Termux). Make sure that password authentication is properly configured. Now do:

ssh-copy-id -p 8022 -i id_rsa IP_ADDRESS

Do not forget to replace `IP_ADDRESS` with the actual LAN IP address of your device. It can be determined by using command.

If everything was okay, you will see a message like this one: Number of key(s) added: 1

Now try logging into the machine, with:  "ssh -p '8022' '192.168.1.4'" and check to make sure that only the key(s) you wanted were added.

Dropbear
Dropbear is a software package written by Matt Johnston that provides a Secure Shell-compatible server and client. It is designed as a replacement for standard OpenSSH for environments with low memory and processor resources, such as embedded systems.

Important note: Dropbear does not provide SFTP server.

Starting and stopping Dropbear server
Same as for OpenSSH, you will need to execute it's binary manually. Also, unlike OpenSSH, Dropbear does not use a configuration file but only command line arguments.

Server is running in background, both password and public key authentication available. To achieve this, just type in console:

dropbear

If you need only public key authentication, do this instead:

dropbear -s

Also, server can be started in foreground. For this purpose use a parameter `-F`:

dropbear -F

Server started in foreground can be stopped by just Ctrl-C key combination. If it is in the background, then you can use a `pkill`:

pkill dropbear

Setting up password authentication
Same as for OpenSSH, password authentication is enabled by default.

Everything you have to do, is:

1. Make sure that everything is up to date and dropbear is installed:

pkg upgrade pkg install dropbear

2. Set password by executing command.

3. Start dropbear server. You can execute either just  to start it in background or   to start it in the foreground.

Setting up public key authentication
Same as for OpenSSH, you can put your keys by using. But if you consider to setup a public key authentication from Termux to something else, it is worth to mention some important differences between OpenSSH and Dropbear.

1. Dropbear uses a different command for generating keys. Example of generating RSA key (2048 bit):

dropbearkey -t rsa -f id_rsa -s 2048

2. Public key should be obtained manually. To do this, you have to use 'dropbearkey' again, but in different way:

dropbearkey -f id_rsa -y

3. Dropbear and OpenSSH uses a different key formats. To use a Dropbear's key in OpenSSH, you will have to convert it:

dropbearconvert dropbear openssh ./id_rsa ./id_rsa_openssh

This procedure can be done vice versa to obtain a key in Dropbear's format:

dropbearconvert openssh dropbear ./id_rsa_openssh ./id_rsa_dropbear

Using the SFTP
Package OpenSSH provides a tool for accessing remote hosts over SFTP. This will allow you to work with files in same way as via FTP but with better security.

Connecting to Termux (sshd listening on port 8022):

$ sftp -P 8022 192.168.1.20

Connecting to somewhere else (sshd listening on standard port):

$ sftp sftp.example.com

However, to use command line SFTP client you should know some basic commands:


 * cd PATH - change current directory to `PATH`.
 * get REMOTE [LOCAL] - download file `REMOTE` and rename it as `LOCAL` (optional).
 * mkdir PATH - create directory `PATH`.
 * ls [PATH] - list files in directory `PATH`. If no argument, files in current directory will be listed.
 * put LOCAL [REMOTE] - Upload file `LOCAL` and rename it as `REMOTE` (optional).
 * rm FILE - Delete file `FILE`.

This is not a complete list of SFTP commands. To view all available commands, consider to view man page or view short help in interactive SFTP session by issuing command `help`.

= MOSH =

Mosh is a remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes.

Usage example
Important note: Mosh should be installed on both client and server side.

Connecting to remote host (sshd listening on standard port):

mosh user@ssh.example.com

Connecting to Termux (sshd listening on port 8022):

mosh --ssh="ssh -p 8022" 192.168.1.25

= Rsync =

Rsync is a tool for synchronizing files with remote hosts or local directories (or drives). For better experience of using rsync, make sure that package `openssh` (or `dropbear`) is installed.

Usage example
Sync your photos with PC:

$ rsync -av /sdcard/DCIM/ user@192.168.1.20:~/Pictures/Android/

Get photos from remote Android device:

$ rsync -av -e 'ssh -p 8022' 192.168.1.3:/sdcard/DCIM/ /sdcard/DCIM/

Sync local directories (e.g. from external sdcard to Termux home):

$ rsync -av /storage/0123-4567/myfiles ~/files

You may want to see man page (`man rsync`) to learn more about it's usage.

= Accessing Termux from the Internet =

It is possible to access your device over the Internet even if you are behind NAT device (e.g. Wi-Fi router or on mobile network). There are some ways to achieve this, but will require installing additional software and a bit of configuration.

Tor
Accessing device via Tor is the most secure and effective method - offers strong end-to-end encryption (onion services don't use 'exit' node), virtual ports (e.g. 80 port without root), your service won't be visible on plain Internet.

However, this method requires setting up a Tor Onion Service.

Installing needed packages
The main package is tor. Install it by running this command: pkg install tor

You may want to install a `torsocks` for accessing the Tor Network: pkg install torsocks

Setting up Onion Service
You will have to modify the default configuration file of tor. Here is an example of configuring SSH Onion Service: SOCKSPort 127.0.0.1:9050
 * 1) Enable TOR SOCKS proxy

HiddenServiceDir /data/data/com.termux/files/home/.tor/hidden_ssh HiddenServicePort 22 127.0.0.1:8022
 * 1) Hidden Service: SSH

Then you need to make a directory where information about Hidden Service will be stored: mkdir -p ~/.tor/hidden_ssh

Now you can execute in console. If start was successfull, you can get your onion service hostname: cat ~/.tor/hidden_ssh/hostname Output should be like this:

Accessing your service
First of all make sure that on client device `tor` is running and you have all necessary software for accessing Tor Network (in this case package `torsocks`).

To access the onion service created in previous step, run this: torsocks ssh g3yv3tvqrbow7koz.onion

If everything is ok, the output should be like this: The authenticity of host 'g3yv3tvqrbow7koz.onion (127.42.42.0)' can't be established. ED25519 key fingerprint is SHA256:WGualHEq7SJdvVeXgy8a+btPQCd7uxTeXjlWdHHLwLc. Are you sure you want to continue connecting (yes/no)?

Remember, `tor` should be running on both (client/server) sides, otherwise you will get connection errors. You can configure other servers (e.g. Nginx) in the same way as shown in above example for SSH.

Learn more about Onion Services
Better explanation about Onion Services and other Tor-related things you can found at torproject.org.

Ngrok
Homepage: https://ngrok.com/

Warning: this service may intercept and analyze your traffic.

Ngrok is a service for exposing your local ports to the Internet. Software is closed source, but still can be executed on Termux.

Restrictions
Ngrok is a paid service, but it provides a free plan with some restrictions. Depending on your requirements, these restrictions may be unsuitable for you.

What is available on free plan:


 * HTTP/TCP tunnels are only on random URLs/ports
 * 4 tunnels per account
 * 40 connections per minute

Installation
Go to the Ngrok downloads page, and choose a binary with architecture correct for your device. You can follow instructions available on the downloads page, but for better experience you can follow these instructions that will install binary to the Termux environment.

In these instructions will be assumed, that yours architecture is AArch64 (i.e. arm64), and Ngrok's version is 2.2.8.

1. Unzip downloaded archive:

unzip ngrok-2.2.8-linux-arm64.zip

2. Move binary to the right place:

mv -i ngrok $PREFIX/bin/

3. Set executable permissions:

chmod 700 $PREFIX/bin/ngrok

4. You need to authorize your ngrok installation. Here will be assumed that you registered an account on https://ngrok.com/signup so you can proceed with:

ngrok authtoken {your auth token}

Note that authentication token should be retrieved from your account's page. The token is similar to this string:.

Usage example
In this example will be shown how to forward SSH port via Ngrok. Before proceed, make sure that Ngrok is installed and authenticated, otherwise you will get errors.

Type in your console this:

ngrok tcp 8022

You should see an output similar to this:

ngrok by @inconshreveable                                      (Ctrl+C to quit) Session Status               online Account                      XXXXXX XXXXXXXX (Plan: Free) Version                      2.2.8 Region                       United States (us) Web Interface                http://127.0.0.1:4040 Forwarding                   tcp://0.tcp.ngrok.io:13766 -> localhost:8022 Connections                  ttl     opn     rt1     rt5     p50     p90 0      0       0.00    0.00    0.00    0.00

Here, a string  represents an URL of your service (in this case SSH) available on the Internet.

You can verify if it works by doing:

ssh -p 13766 0.tcp.ngrok.io

Serveo.net
Homepage: https://serveo.net/

Warning: this service may intercept and analyze your traffic.

A free service for exposing your local ports to the Internet. Since it uses SSH to forward ports, it does not require any configuration. Everything that you need is a running server on your device, for example Nginx, and package OpenSSH or Dropbear.

Usage example
Here will be assumed that you have a web server running on port 8080 and you want to share it over Internet. Make sure that SSH client is installed. Note that in case of web service, serveo.net will provide access via both http and https.

Run in your Termux the following command:

ssh -R 80:localhost:8080 serveo.net

If everything is okay, you will see output like this:

Forwarding HTTP traffic from https://colo.serveo.net Press g to start a GUI session and ctrl-c to quit.

This means that your service is now available via. By default, serveo.net will reserve a random subdomain for your connection. To customize it, proceed to the next example.

Customizing subdomain
You may want to use a custom subdomian. In this example, a subdomain  will be used.

Custom subdomains work only with ports 22, 80 or 443 !

Execute this in your console:

ssh -R mytermux.serveo.net:80:localhost:8080 serveo.net

If subdomain was free, you should receive this output:

Forwarding HTTP traffic from https://mytermux.serveo.net Press g to start a GUI session and ctrl-c to quit.

Otherwise, you will see an error which indicates that you should select a different subdomain:

Warning: remote port forwarding failed for listen port 80

Tmate
Tmate is utility for sharing terminals. It is very easy to use, though it will destroy connection once client disconnected.

Utility can be installed with  directory. If not, on each device do:

pkg install openssh mkdir ~/.ssh ssh-keygen -t rsa -f ~/.ssh/id_rsa

2. Execute the following command within Termux:

tmate

3. Once you done previous step, you should see a colored line at the screen bottom with link. Save it, because it is your connection token. It looks like

Bff5fhJquRpO105c3OL62Icfp@fk2.tmate.io

4. On another device from which you want to connect to Termux, run

ssh Bff5fhJquRpO105c3OL62Icfp@fk2.tmate.io

Important note: link shown above is just example and should not be copy-pasted !

= See Also =

https://termux.com/ftp/ Run an SSH server on your Android with Termux