<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Sshd on kistu</title>
  <link rel="alternate" href="/tags/sshd/" />
  <link rel="self" href="/tags/sshd/index.xml" />
  <subtitle>Recent content in Sshd on kistu</subtitle>
  <id>/tags/sshd/</id>
  <generator uri="http://gohugo.io" version="0.124.0">Hugo</generator>
  <language>en</language>
  <updated>2026-03-28T08:53:29+02:00</updated>
  <author>
    
    
  </author>
  
      <entry>
        <title>Servers on Android</title>
        <link rel="alternate" href="/posts/009-servers-on-android/" />
        <id>/posts/009-servers-on-android/</id>
        <published>2026-03-28T08:53:29+02:00</published>
        <updated>2026-04-17T11:49:46+02:00</updated>
        <summary type="html">Android is a powerful operating system. To fully utilize it&amp;rsquo;s capabilities, a specific set of tools are required. Termux is a terminal emulator application enhanced with a large set of command line utilities ported to Android 1. It is used to install a server for remote access (sshd) and for serving a static website (httpd). These are exposed to the internet using Tor.
The Terminal A terminal emulator provides an interface to the system using text commands.</summary>
          <content type="html"><![CDATA[<p>Android is a powerful operating system. To fully utilize it&rsquo;s capabilities, a specific set of tools are required. Termux is a terminal emulator application enhanced with a large set of command line utilities ported to Android <sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>. It is used to install a server for remote access (sshd) and for serving a static website (httpd). These are exposed to the internet using Tor.</p>
<p>



    
    <input type="checkbox" id="zoomCheck-d6d88" hidden>
    <label for="zoomCheck-d6d88">
        <img class="zoomCheck" loading="lazy" decoding="async" 
            src="servers-on-android.svg" alt="servers on android" 
             />
    </label>

</p>
<h1 id="the-terminal">The Terminal</h1>
<p>A terminal emulator provides an interface to the system using text commands. A core set of utilites are provided by default, and more can be installed and upgraded with pkg - the Termux package manager <sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup>.</p>
<p>



    
    <input type="checkbox" id="zoomCheck-99e2b" hidden>
    <label for="zoomCheck-99e2b">
        <img class="zoomCheck" loading="lazy" decoding="async" 
            src="termux-terminal.jpg" alt="termux terminal|10x30" 
             />
    </label>

</p>
<p>Refer to the official documentation to learn more about Termux: <a href="https://wiki.termux.dev/wiki/Main_Page">https://wiki.termux.dev/wiki/Main_Page</a>.</p>
<h2 id="installation">Installation</h2>
<p>The official source for installation is F-Droid, although builds are published on Github as well <sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup>. Google PlayStore is not recommended. Do not mix applications between sources. Applications are installed by downloading and opening the Android Package Kit (APK) file.</p>
<blockquote>
<p>To install applications from APK files, &ldquo;Install from Unknown Sources&rdquo; must be temporarily enabled in Settings for the file manager. For security, disable it once installation is completed.</p>
</blockquote>
<p>The following applications need to be installed:</p>
<ul>
<li><a href="https://f-droid.org/en/packages/com.termux/">termux</a></li>
<li><a href="https://f-droid.org/en/packages/com.termux.api/">termux-api</a></li>
<li><a href="https://f-droid.org/en/packages/com.termux.boot/">termux-boot</a></li>
</ul>
<blockquote>
<p>F-Droid does not need to be downloded; search for the &ldquo;Download APK&rdquo; link under the latest version.</p>
</blockquote>
<p><code>termux</code> is the main application. <code>termux-api</code> exposes device functionality like vibrate, clipboard, torch and fingerprint <sup id="fnref:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup>. <code>termux-boot</code> allows Termux to automatically start after device is restarted <sup id="fnref:5"><a href="#fn:5" class="footnote-ref" role="doc-noteref">5</a></sup>.</p>
<h1 id="servers">Servers</h1>
<h2 id="sshd">sshd</h2>
<blockquote>
<p>Remote acceses via Secure SHell (ssh).</p>
</blockquote>
<p>Install and start <code>sshd</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">pkg install openssh
</span></span><span class="line"><span class="cl">sshd
</span></span></code></pre></div><p>To use ssh, the hostname of the server and a username/password combination is required. Run <code>whoami</code> to determine the username (typically in the format u0_aXXX), and set the password with <code>passwd</code>.</p>
<p>The local IP address of the phone can be used to test the connection. The local IP address can be found under WiFi settings by expanding the currently connected network. Run <code>ssh</code> from a different machine on the same network:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh -p <span class="m">8022</span> u0_aXXX@192.168.0.1
</span></span></code></pre></div><blockquote>
<p>What follows is configuring key based authentication. While not strictly necessary, it is recommended for security. It can be configured later if required.</p>
</blockquote>
<p>The password will be prompted when connecting. This is not very secure since attackers could try and guess the username/password. To increase security, switch to key-based authentication by generating a key with <code>ssh-keygen</code> on the machine you will be connecting to the phone from:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ssh-keygen -t rsa
</span></span><span class="line"><span class="cl">Enter file in which to save the key (/home/username/.ssh/id_rsa): /home/username/.ssh/keyname
</span></span><span class="line"><span class="cl">Enter passphrase for &#34;key-filename&#34; (empty for no passphrase): 
</span></span></code></pre></div><p>This will create two files under <code>/home/username/.ssh</code>:</p>
<ul>
<li><code>keyname</code>: a passphrase protected private key</li>
<li><code>keyname.pub</code>: a public key</li>
</ul>
<p>The public key&rsquo;s content must be copied to the file <code>/data/data/com.termux/files/home/.ssh/known_hosts</code>. This can be done using USB, by copying the text to clipboard and pasting it over <code>ssh</code>, or by using <code>ssh-copy-id</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh-copy-id -p <span class="m">8022</span> -i /home/username/.ssh/keyname.pub u0_aXXX@192.168.0.1
</span></span></code></pre></div><p>The private key can now be used to connect to the phone without a password:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh -p <span class="m">8022</span> -i /home/username/.ssh/keyname u0_aXXX@192.168.0.1
</span></span></code></pre></div><p>Once the key-based authentication has been tested, disable password authentication by editing <code>/data/data/com.termux/files/usr/etc/ssh/sshd_config</code> and setting <code>PasswordAuthentication no</code>. Restart <code>sshd</code> for the changes to take effect:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">pkill sshd
</span></span><span class="line"><span class="cl">sshd
</span></span></code></pre></div><p>Try connecting from a different machine without the key; this should now fail:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh -o <span class="nv">PasswordAuthentication</span><span class="o">=</span>yes <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span>    -o <span class="nv">PreferredAuthentications</span><span class="o">=</span>keyboard-interactive,password <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span>    -o <span class="nv">PubkeyAuthentication</span><span class="o">=</span>no <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span>    u0_aXXX@192.168.0.1
</span></span></code></pre></div><p>Keep the private key at <code>/home/username/.ssh/keyname</code> secure - you cannot login remotely without it if &ldquo;PasswordAuthentication&rdquo; is disabled.</p>
<h2 id="httpd">httpd</h2>
<blockquote>
<p>Web server to host a website.</p>
</blockquote>
<p>Install <code>httpd</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">pkg install apache2
</span></span></code></pre></div><p>Edit <code>/data/data/com.termux/files/usr/etc/apache2/httpd.conf</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-apache" data-lang="apache"><span class="line"><span class="cl"><span class="c"># Set server hostname and path to executables</span>
</span></span><span class="line"><span class="cl"><span class="nb">ServerName</span> <span class="m">127.0.0.1</span>
</span></span><span class="line"><span class="cl"><span class="nb">ServerRoot</span> <span class="s2">&#34;/data/data/com.termux/files/usr&#34;</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c"># Set port which server accepts connections over</span>
</span></span><span class="line"><span class="cl"><span class="nb">Listen</span> <span class="m">8080</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c"># Set directory from which Apache will serve files</span>
</span></span><span class="line"><span class="cl"><span class="nb">DocumentRoot</span> <span class="s2">&#34;/data/data/com.termux/files/home/folderToServe&#34;</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c"># Set the file to save errors to</span>
</span></span><span class="line"><span class="cl"><span class="nb">ErrorLog</span> <span class="s2">&#34;/data/data/com.termux/files/home/httpd.log&#34;</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c"># Handle concurrent connections with Worker Multi-Processing Module</span>
</span></span><span class="line"><span class="cl"><span class="nb">LoadModule</span> mpm_worker_module libexec/apache2/mod_mpm_worker.so
</span></span><span class="line"><span class="cl"><span class="c"># Maps file extensions to content types</span>
</span></span><span class="line"><span class="cl"><span class="nb">LoadModule</span> mime_module libexec/apache2/mod_mime.so
</span></span><span class="line"><span class="cl"><span class="c"># Ensures proper privilege handling on Unix systems</span>
</span></span><span class="line"><span class="cl"><span class="nb">LoadModule</span> unixd_module libexec/apache2/mod_unixd.so
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c"># Set default webpage to return when client connects to the server</span>
</span></span><span class="line"><span class="cl"><span class="nb">LoadModule</span> dir_module libexec/apache2/mod_dir.so
</span></span><span class="line"><span class="cl"><span class="nb">DirectoryIndex</span> index.html
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c"># Prevent arbitrary file requests (lock down filesystem)</span>
</span></span><span class="line"><span class="cl"><span class="nb">LoadModule</span> authz_core_module libexec/apache2/mod_authz_core.so
</span></span><span class="line"><span class="cl"><span class="nt">&lt;Directory</span> <span class="s">&#34;/&#34;</span><span class="nt">&gt;</span>
</span></span><span class="line"><span class="cl">    <span class="nb">Require</span> <span class="k">all</span> denied
</span></span><span class="line"><span class="cl"><span class="nt">&lt;/Directory&gt;</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c"># Allow access only from local connections (127.0.0.1)</span>
</span></span><span class="line"><span class="cl"><span class="nb">LoadModule</span> authz_host_module libexec/apache2/mod_authz_host.so
</span></span><span class="line"><span class="cl"><span class="nt">&lt;Directory</span> <span class="s">&#34;/data/data/com.termux/files/home/folderToServe&#34;</span><span class="nt">&gt;</span>
</span></span><span class="line"><span class="cl">	<span class="nb">Require</span> local
</span></span><span class="line"><span class="cl"><span class="nt">&lt;/Directory&gt;</span>
</span></span></code></pre></div><p>Replace <code>folderToServer</code> with the path your website is saved at. Modules are available for more functionality - refer to the Apache http server documentation: <a href="https://httpd.apache.org/docs/current/mod/">https://httpd.apache.org/docs/current/mod/</a>.</p>
<p>A folder from a different machine can be copied to the phone over <code>ssh</code> using <code>rsync</code> (without the <code>--dry-run</code> flag):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">rsync -havP --checksum --delete --dry-run <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span>    -e <span class="s1">&#39;ssh -i /home/username/.ssh/keyname&#39;</span>
</span></span><span class="line"><span class="cl">    /local/path/to/folder/in/machine <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span>    u0_aXXX@192.168.0.1:/data/data/com.termux/files/home/folderToServe
</span></span></code></pre></div><p>Test to ensure the server starts without errors by running <code>httpd</code>. If the command doesn&rsquo;t fail due to invalid configuration, errors will be logged to the file specified above by <code>ErrorLog</code>. The files under <code>DocumentRoot</code> should now be served - visit <code>127.0.0.1:8080</code> on the phone&rsquo;s browser.</p>
<h1 id="tor">Tor</h1>
<blockquote>
<p>The proxy to the Internet.</p>
</blockquote>
<p>To access a server over the internet, the server needs a public IP address. A Virtual Private Server (VPS) is a publicly accessible machine hosted by a cloud provider. Since the phone itself does not have a public IP address, it must use a reverse proxy like <a href="https://github.com/fatedier/frp">frp</a> or <a href="https://nginx.org/">nginx</a> running on a VPS to be accessible on the internet. An alternative is to use the Tor network.</p>
<p>The Tor network is a group of volunteer-operated servers <sup id="fnref:6"><a href="#fn:6" class="footnote-ref" role="doc-noteref">6</a></sup>. It uses a special protocol for privacy and anonymity. A Tor service can be set up to make the local services accessible to the internet.</p>
<p>A Tor service address is different from public domains; this is the link for the Tor Project homepage:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/
</span></span></code></pre></div><p>It can be accessed using the <a href="https://www.torproject.org/download/">Tor Browser</a>, and will not work with browsers that do not route traffic through the Tor network.</p>
<!-- raw HTML omitted -->
<p>To setup the Tor service, edit <strong>tor</strong> <strong>r</strong>un <strong>c</strong>onfig <code>/data/data/com.termux/files/usr/etc/tor/torrc</code> and append:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># Service for sshd</span>
</span></span><span class="line"><span class="cl">HiddenServiceDir /data/data/com.termux/files/home/.tor/ssh/
</span></span><span class="line"><span class="cl">HiddenServicePort <span class="m">22</span> 127.0.0.1:8022
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Service for httpd</span>
</span></span><span class="line"><span class="cl">HiddenServiceDir /data/data/com.termux/files/home/.tor/webserver/
</span></span><span class="line"><span class="cl">HiddenServicePort <span class="m">80</span> 127.0.0.1:8080
</span></span></code></pre></div><p><code>HiddenServiceDir</code> defines where the identity files for the service must be stored. <code>HiddenServicePort</code> maps a virtual port to a local port. Clients will target the virtual port (22 or 80) and <code>tor</code> will forward this traffic to the specified local port (8022 or 8080).</p>
<p>Execute tor and get the hostame of the service:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">tor
</span></span><span class="line"><span class="cl">cat /data/data/com.termux/files/home/.tor/ssh/hostname
</span></span></code></pre></div><p>Use <a href="https://gitlab.torproject.org/tpo/core/torsocks/">torsocks</a> to proxy ssh connections:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">torsocks ssh -p <span class="m">22</span> -i /home/username/.ssh/keyname.pub <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span>    u0_aXXX@abcde23456abcde23456abcde23456abcde23456abcde23456abcdef.onion
</span></span></code></pre></div><blockquote>
<p>The Termux documentation recommends <code>proxychains-ng</code> over <code>torsocks</code> as <code>torsocks</code> may not work since Android 8 <sup id="fnref:7"><a href="#fn:7" class="footnote-ref" role="doc-noteref">7</a></sup>.</p>
</blockquote>
<p>Use the Tor Browser to visit the website. The services hosted on Android with Termux can now be accessed from anywhere in the world with an internet connection and Tor.</p>
<h1 id="autorun-on-boot">Autorun on boot</h1>
<blockquote>
<p>Keeping the services alive.</p>
</blockquote>
<p>When the phone is rebooted, the services will stop. To automatically start up, the service must be enabled and Termux must be started on boot.</p>
<h2 id="enable-services">Enable services</h2>
<p>Services run in the background and restart when certain conditions are triggered.</p>
<p>Install the service manager:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">pkg install termux-services
</span></span></code></pre></div><p>Start the services and enable it to autostart when Termux starts.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sv up sshd
</span></span><span class="line"><span class="cl">sv up httpd
</span></span><span class="line"><span class="cl">sv up tor
</span></span><span class="line"><span class="cl">sv-enable sshd
</span></span><span class="line"><span class="cl">sv-enable httpd
</span></span><span class="line"><span class="cl">sv-enable tor
</span></span></code></pre></div><p>The number of services supported is limited; refer to the documentation to learn more: <a href="https://wiki.termux.dev/wiki/Termux-services">https://wiki.termux.dev/wiki/Termux-services</a>.</p>
<p>The logs for running services are stored at <code>/data/data/com.termux/files/usr/var/log/sv/</code>.</p>
<p>To ensure that the serivce works, restart the service after killing all currently running processes:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sv down httpd
</span></span><span class="line"><span class="cl">pgrep httpd
</span></span><span class="line"><span class="cl">pkill -f httpd
</span></span><span class="line"><span class="cl">sv up httpd
</span></span><span class="line"><span class="cl">cat /data/data/com.termux/files/usr/var/log/sv/httpd/current
</span></span></code></pre></div><h2 id="start-termux-on-boot">Start Termux on boot</h2>
<p>Create the directory for boot scripts:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mkdir -p /data/data/com.termux/files/home/.termux/boot
</span></span></code></pre></div><p>Create a file (<code>nvim start-services</code>) under the boot directory:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/data/data/com.termux/files/usr/bin/sh
</span></span></span><span class="line"><span class="cl"><span class="cp"></span>termux-wake-lock
</span></span><span class="line"><span class="cl">. <span class="nv">$PREFIX</span>/etc/profile
</span></span></code></pre></div><p><code>termux-wake-lock</code> stops Android from going into deep sleep - this prevents Android&rsquo;s aggressive power management from suspending background processes. The second line sources <code>/data/data/com.termux/files/usr/etc/profile</code> - this configures the environment.</p>
<div class="footnotes" role="doc-endnotes">
<hr>
<ol>
<li id="fn:1">
<p><a href="https://wiki.termux.dev/wiki/Getting_started">https://wiki.termux.dev/wiki/Getting_started</a>&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:2">
<p><a href="https://wiki.termux.dev/wiki/Package_Management">https://wiki.termux.dev/wiki/Package_Management</a>&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:3">
<p><a href="https://wiki.termux.dev/wiki/Main_Page#Installation">https://wiki.termux.dev/wiki/Main_Page#Installation</a>&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:4">
<p><a href="https://wiki.termux.dev/wiki/Termux:API">https://wiki.termux.dev/wiki/Termux:API</a>&#160;<a href="#fnref:4" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:5">
<p><a href="https://wiki.termux.dev/wiki/Termux:Boot">https://wiki.termux.dev/wiki/Termux:Boot</a>&#160;<a href="#fnref:5" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:6">
<p><a href="https://support.torproject.org/about-tor/how-tor-works/overview">https://support.torproject.org/about-tor/how-tor-works/overview</a>&#160;<a href="#fnref:6" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:7">
<p><a href="https://wiki.termux.dev/wiki/Bypassing_NAT">https://wiki.termux.dev/wiki/Bypassing_NAT</a>&#160;<a href="#fnref:7" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
</ol>
</div>
]]></content>
      </entry>

</feed>


