[HN Gopher] MagiskSSH - SSH server on Android without Termux
___________________________________________________________________
MagiskSSH - SSH server on Android without Termux
Author : Oxodao
Score : 90 points
Date : 2024-12-09 12:45 UTC (10 hours ago)
(HTM) web link (gitlab.com)
| 0x38B wrote:
| > ... It also includes rsync (which actually was my main
| motivation for this project)
|
| I would take rsync any day over unreliable GUI apps that silently
| fail to complete remote transfers, often as soon as the screen is
| turned off.
|
| I've used an iPhone for the past few years but may move to a
| Pixel running GrapheneOS for my next phone. It's apps (well,
| modules) like this and Termux that tip the scales in Android's
| favor.
| n144q wrote:
| Sadly you are in the vanishing minority of Android users who
| care about this. Most people just want a phone that works. So
| much that many people switch to iPhones because, admittedly,
| many things work better in their walled garden, and the
| phone is "simpler" because the OS hides many details or doesn't
| allow you to do anything.
|
| I used to spend lots of time trying different ROMs, figuring
| out SU and SELinux stuff, and fighting with SafetyNet. These
| days I just use stock Samsung ROM. I still have Termux on my
| devices but only use them occasionally when I don't have a
| laptop next to me and need to do some hardcore stuff. (I might
| even switch to iPhone someday because the password autofill
| experience on Android is just atrocious and infuriating while
| Google has done almost nothing for the past few years.)
| Asmod4n wrote:
| There are things Android forbids you to tinker with, even on
| a rooted device. And it's advertisement related things.
| guerrilla wrote:
| > And it's advertisement related things.
|
| What do you mean?
| cf100clunk wrote:
| I assume "official stock OEM Android" is what you meant,
| and I hope you'll give specifics of the things you mention.
| Alternative browsers like ungoogled-chromium-android,
| Cromite, Vanadium, and some others purport to have stripped
| most of that out from the Chromium browser, while
| GrapheneOS, LineageOS, /e/OS, and maybe some others purport
| to do that at the OS level.
| ddxv wrote:
| I've been liking the Firefox autofill on Android, not sure if
| that fits your needs.
| n144q wrote:
| How well does it work with other apps, especially WebView?
|
| e.g. if I open doordash and try to log in, which opens a
| web view with a login form, does autofill popup?
|
| In my experience, autofill works the best in Chrome if you
| have your entire digital life dedicated to Google's
| ecosystem.
|
| But I use Firefox with Bitwarden, which works at most 50%
| of the time. That works about 85% of the time on iPhone or
| iPad.
| edent wrote:
| BitWarden on Android is pretty good for auto-filling
| passwords. Works in-app and in-browser.
| xelamonster wrote:
| For some definitions of works. It's frustratingly
| inconsistent for me, very often it'll give me no
| suggestions on apps it's filled many times before and I
| have to go open it and manually copy out passwords.
| n144q wrote:
| Using Bitwarden on a Samsung device, it is hit or miss.
| Tried everything possible. If you have some magic to make
| it work everywhere, let me know.
| aftbit wrote:
| Personally, I would suggest trying out GrapheneOS on a modern
| Pixel before going to iPhone. They remove 80% of the Google
| annoyances and have a very good security profile compared to
| anything rooted and most custom ROMs that don't bother with
| relocking the bootloader.
|
| You will still fail to pass device verification, but that
| doesn't really matter to me. I don't use tap to pay (that's
| what NFC credit cards are for) nor play any mobile games that
| actually care.
|
| I could not imagine using a stock Samsung ROM personally, but
| to be fair, it has been years since I tried. Maybe I'm still
| just too burned from the bloatware of the early Galaxy days.
| dizhn wrote:
| Samsung phones are pretty nice these days. It's also very
| easy to migrate to a new phone. Their software migrates
| almost everything including side loaded apps.
| n144q wrote:
| LOL downvoted to -2? I just spoke some hard truth. If people
| don't believe me, go to Google Trends and search for "xda
| developers". Look at the curve. That's the reality, and your
| downvoting is not going to change it.
| razemio wrote:
| Sadly, termux now has its own issues since android 12+. It is
| possible to work around the limitations, when you do not have
| an Android Phone with MDM enabled and have no problems with
| turning on dev tools and starting remote adb from time to time. I
| no longer use it because of those reasons. However, there
| appears to be a native terminal in android 15. Maybe this will
| be the game changer I waited for.
| jeroenhd wrote:
| On my (Pixel based) LineageOS ROM, you can disable enough
| power saving settings to make Termux work well again.
| Unfortunately, many vendors remove half the settings from
| their interfaces and make their app killers extra aggressive
| (just to spite people, it seems, because battery life doesn't
| seem affected in my experience).
|
| If your phone's manufacturer disabled the necessary power
| saving settings, I doubt they'll enable them for the Android
| 15 terminal.
| seanw444 wrote:
| https://dontkillmyapp.com/
| notpushkin wrote:
| > just to spite people, it seems, because battery life
| doesn't seem affected in my experience
|
| Don't forget all the crap they can run in the freed
| capacity now!
| gruez wrote:
| >Unfortunately, many vendors remove half the settings from
| their interfaces and make their app killers extra
| aggressive (just to spite people, it seems, because battery
| life doesn't seem affected in my experience).
|
| To be fair, for every well behaved background app (ie. a
| ssh server that's listening on a socket, which should
| consume basically zero power), there are probably 10 other
| misbehaving apps that are phoning home every 30 seconds for
| ad/tracking/analytics purposes. Moreover, "battery life" is
| a metric that often shows up on reviews, so it makes sense
| to game this metric as hard as possible, especially since
| most people probably aren't running servers 24/7 on their
| phones.
| ssl-3 wrote:
| Some of those apps are things I want to phone home, like
| the system I have that _is supposed to_ dial my
| thermostat back automatically (as well as back up again).
|
| When these are the tasks that are killed, it costs me
| more than whatever precious bodily fluids that some
| ad/tracking/analytics stuff may sap: It costs me _real
| money_.
| gruez wrote:
| The problem is less with phoning home per se, and more
| about doing it in a way that's against user expectations.
| I already acknowledged that there are legitimate use
| cases out there, but for the overwhelming majority of
| users, their phone is primarily a communication and media
| consumption device, which doesn't need 24/7 background
| access. Yes, it's tragic that the handful of people are
| being harmed by this, but it's hardly because of "spite"
| as OP suggested.
| ssl-3 wrote:
| The problem is that I'm only theoretically harmed by
| things that unexpectedly succeed in phoning home, while
| I'm _absolutely_ harmed by things failing to phone home
| when I need them to do so.
|
| Dollars I have lost due to things phoning home against my
| expectations: Close to zero -- if not literally zero.
| (And close to zero time spent managing that.)
|
| Dollars I have lost due to things failing to phone home
| when I want them to do so: More than zero. (And hours and
| hours of time spent trying to make them work more
| reliably.)
| noman-land wrote:
| GrapheneOS is incredible. Nearly perfect OS.
| compootr wrote:
| I use it and find that it's a bit rough around the edges. Any
| tips to make the experience a bit better?
| SushiHippie wrote:
| All my smartphones had been Samsung, and then I bought a
| Pixel just to get GrapheneOS and for me it's a way nicer
| experience, so I'm curious what the rough edges are that
| you experience?
| ForHackernews wrote:
| You might also check out /e/OS - https://e.foundation/
|
| It's less hardened than Graphene, but more user-friendly (IMHO)
| and similarly avoids Google spyware.
| chasil wrote:
| I am running a copy of this on a spare phone. I'm 95% sure
| that it bundles an sshd, as LineageOS does.
|
| The Bliss launcher leaves a number of features to be desired.
| I can't see how to create a shortcut of the browser as an
| incognito tab, which for me is a must-have. The lack of
| widgets beyond the separate widget pane also is limiting.
|
| I've seen some methods to get Trebuchet imported by various
| means. That would be required for a daily driver.
|
| Otherwise it looks like a reasonable clone of Lineage with
| odds and ends.
|
| Edit: LineageOS bundles /product/bin/sshd - I have seen wikis
| on how to set this up with authorized_keys. /e/OS likely has
| the server daemon as well. My phone says that it's OpenSSH
| 9.0p1, BoringSSL.
| ForHackernews wrote:
| :shrug: different strokes. I prefer /e/OS to LineageOS
| because things like maps, banking apps, microG + signature
| spoofing work out of the box. I think most Lineage users
| just install GApps, but I'm trying to avoid the google
| ecosystem.
| spiffytech wrote:
| To pull files off my Android phone I installed an FTP server
| app. Gets the job done for me, and works on stock Android. I
| only turn it on when I need it.
|
| https://play.google.com/store/apps/details?id=com.theolivetr...
| colordrops wrote:
| I've found that synching on Android is very reliable when set up
| properly.
| colordrops wrote:
| I've found that Syncthing on Android is very reliable when
| set up properly.
| tacomagick wrote:
| The project looks awesome. If this was also done using Shizuku it
| would be pretty cool as well.
| nickcw wrote:
| I wonder if that includes the SFTP server component of openssh?
|
| If so it would be very useful for use with rclone. I back up my
| phone by running an sshd in termux then using rclone with sftp
| remotely. This works very well (until the phone decides on a whim
| to kill the sshd!).
| chasil wrote:
| On my LineageOS device, /product/bin contains scp, sftp, ssh,
| sshd, and ssh-keygen along with a startup script.
|
| In f-droid, there is also a "primitive FTP server" that
| includes an SFTP, but that probably gets killed unless you are
| very careful.
| tetris11 wrote:
| This looks good.... but I don't get the importance of it. What
| can this do that termux openssh can't?
|
| Can I mount remote filesystems at the system level via sshfs?
| dataflow wrote:
| Yeah I had the same question. Why would I prefer this?
| tetris11 wrote:
| I'm guessing it's for the use case where you "adb shell" into
| the phone, and want to ssh elsewhere (where dynamically-
| linked Termux binaries would not work)....
|
| Edit: .. though, one could always just start an ssh server in
| Termux in the OS for this.
|
| Maybe it's if you want to have ssh and rsync in the recovery
| or fastboot modes? Just in case you can't get (or don't want)
| to run the android system?
|
| Edit2: Ah. It's for when you want to use another app that can
| call system commands, without having to build ssh and rsync
| into the app, nor spawn an intermediate termux process from
| the app. It cuts out the middle-man. That is quite useful.
| noname120 wrote:
| Termux gets killed easily, even if you set it to unrestricted
| in your battery-saving settings. Here is one of the mechanisms
| that causes Termux (and other apps) to be killed:
| https://github.com/agnostic-apollo/Android-Docs/blob/master/...
|
| This module isn't affected by battery-saving mechanisms because
| it runs as a system process rather than an app process.
| nolist_policy wrote:
| You can disable the phantom process killer in developer
| settings in Android 14.
|
| Termux is rock solid on my Galaxy Fold 4 without any root or
| adb shenanigans.
| adhamsalama wrote:
| It still killed Linux desktop environments after a couple
| of minutes for me when I tried it.
| lutusp wrote:
| From the linked Gitlab writeup: "Some changes to OpenSSH are used
| from Arachnoid's SSHelper." I'm very glad to see this port of
| open-source code I wrote years ago, especially now that Google
| has removed SSHelper from the Google Play store (BTW still
| available at https://arachnoid.com/android/SSHelper).
|
| After years of trying to keep up with Google's perpetual Android
| tweaks, I gave up and accepted that they would eventually remove
| any apps that weren't updated for each new Android version.
|
| These events only remind me how out-of-date I am as a programmer.
| I wrote and released my first major title, Apple Writer
| (https://en.wikipedia.org/wiki/Apple_Writer) in 1979. It lasted
| for six years in various forms, then was replaced by better
| programs. I wasn't a corporation, I was an individual, and my
| programs (then and since) have been individual projects.
|
| In modern times, individual releases are rare, and in the future
| are likely to be even more rare, replaced by collaborations
| between developer teams and AI.
|
| Not saying things were better in the past. Just different.
| freedomben wrote:
| I'll say things were better in the past. It's obviously
| subjective, but I hate the direction things are going.
|
| The user is now viewed as a security threat to their own
| device, the hyper-churn culture of the javascript ecosystem is
| now embedding in other areas even systems (like Android, as you
| point out), "updates" for apps and to a lesser but growing
| extent OSes, are routinely pushed and forced on users
| regardless whether they contain new bugs/regressions or
| horrible UI/UX changes, more and more software is becoming
| proprietary SaaS and "subscription" based, and backwards
| compatibility is for the birds. In the name of "security", tech
| companies and even individual devs are turning our own home
| networks into opaque spy apparatuses that make network
| connections that we (the owners of the network) can't even
| inspect. Even maintaining self-hosted apps is becoming a
| several-hours-per-week job.
|
| It feels like during the late 00s and early 10s we had some
| real golden years of open source, but now the poisonous
| engineering culture that pushes the above things is poised to
| squash it as a "daily driver" for people. For example, once
| Microsoft completes their requirements for TPMs and can do
| hardware attestation like Apple and Google, the ratchet of
| websites not working (or not working completely) unless the
| device passes hardware attestation will start, and it will make
| life on a Linux laptop/desktop similar to how Tor is now where
| you get endless CAPTCHA hell and nobody cares because you're in
| a tiny minority of users and many of the tools that provide
| technological liberation for an individual are also tools used
| by gray and black hat actors.
|
| And I haven't even gotten to the Apple-ization of everything
| where it's becoming all about building walled gardens. I
| remember when compatibility was a _selling_ point of hardware
| /software.
|
| It's not all bad of course, but it does feel like a lot more
| bad than good is developing. Happy Monday everyone!
| Zak wrote:
| When Microsoft first proposed attestation features in 2002
| under the name Palladium, it was almost universally seen as a
| nightmare scenario. I don't understand why most of the tech
| world is OK with Apple and Google doing the same thing to our
| phones now, and Microsoft bringing it back on Windows.
|
| I do understand trying to bury full access to the device a
| bit deeper than it was on older PC operating systems. The
| average person doesn't know how to use a computer, and it
| doesn't appear there was ever much hope of that situation
| changing. Letting a third party verify the computer is in a
| certain state, however seems outright malicious.
| sammyo wrote:
| A (super easy to set up) rsync on iPhone that can "see" the
| iTunes music folder would be a huge boon and likely change the
| world for the better!
| hagbard_c wrote:
| Installed it just now - don't forget to enable incoming
| connections on the firewall (AFWall+) if you happen to use one -
| and did some experimenting, especially to find out whether it
| would open up the device to the deluge of ssh probing. Even
| though those probes will (in a sane universe) not succeed they're
| unwelcome anyway. I do notice the device listens on port 22 on
| both IPv4 and IPv6. Fortunately it is possible to change this by
| editing _/data/ssh/sshd_config_ where I disabled IPv6 (not
| necessary in this context) and changed the listening port. You
| never know on which network your device will end up after all.
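
The check below is an added example, not part of hagbard_c's comment or of the MagiskSSH project. It reads an sshd_config such as /data/ssh/sshd_config and reports whether the global section still listens on port 22, still enables IPv6, or still accepts password logins. The function names, both sample configs and port 2222 are constructed; absent keywords fall back to upstream OpenSSH defaults (Port 22, AddressFamily any, PasswordAuthentication yes), which is an assumption about the module's build.

```shell
#!/bin/sh
# Added example: effective global listener settings of an sshd_config.
# Per sshd_config(5): keywords are case-insensitive, the first value obtained
# for a keyword wins (Port and ListenAddress accumulate instead), and a
# Match line ends the global section.

sshd_effective() {   # usage: sshd_effective KEYWORD DEFAULT < sshd_config
    awk -v want="$1" -v dflt="$2" '
        BEGIN { want = tolower(want)
                multi = (want == "port" || want == "listenaddress") }
        $1 ~ /^#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }        # conditional blocks start here
        tolower($1) == want {
            if (multi)          out = out (out == "" ? "" : " ") $2
            else if (out == "") out = $2       # first occurrence wins
        }
        END { print (out == "" ? dflt : out) }
    '
}

audit_listener() {   # usage: audit_listener < sshd_config ; one line per finding
    cfg=$(cat)
    get() { printf '%s\n' "$cfg" | sshd_effective "$@"; }
    case " $(get Port 22) " in
        *" 22 "*) echo "port: still listening on 22" ;;
    esac
    [ "$(get AddressFamily any)" = inet ] ||
        echo "family: IPv6 listener enabled (AddressFamily is not inet)"
    [ "$(get PasswordAuthentication yes)" = no ] ||
        echo "auth: password logins accepted, so probes can guess passwords"
    return 0
}

# Constructed sample: everything commented out, so defaults apply. The Match
# block must not be mistaken for the global PasswordAuthentication setting.
SAMPLE_DEFAULT='#Port 22
#AddressFamily any
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no'

# Constructed sample with the edits described in the comment above
# (IPv6 off, port moved); the later "yes" is ignored because "no" came first.
SAMPLE_EDITED='AddressFamily inet
Port 2222
PasswordAuthentication no
PasswordAuthentication yes'

echo "== default =="; printf '%s\n' "$SAMPLE_DEFAULT" | audit_listener
echo "== edited ==";  printf '%s\n' "$SAMPLE_EDITED"  | audit_listener
```

Adding a new Port line without removing an existing one leaves both ports open, which is why Port is accumulated here rather than treated as first-wins.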
| therealmarv wrote:
| I think this is a bit overkill for my taste with root but depends
| on use case.
|
| I'm SSHing regularly into my Android phone (and it does not need
| root) for backup purposes. Used various apps for that but settled
| for years on Termux.
|
| * Install https://f-droid.org/ store
|
| * Install Termux from there
|
| * Install ssh daemon and rsync in Termux with
|
|     pkg upgrade
|     pkg install openssh rsync
|
| * Read manual on
| https://wiki.termux.com/wiki/Remote_Access#Using_the_SSH_ser...
| on how to start, configure, stop ssh daemon. In general: The
| Termux documentation is good!
| dotancohen wrote:
| I use `adb shell` very often on my Android phone. What are your
| use cases for SSH where adb does not suffice?
|
| Not arguing, just curious.
| 1727706962 wrote:
| Not OP but personally
|
| - Always available over my network/wireguard without touching
| the phone or a cable. Wireless ADB over a tcp socket
| technically works but requires a USB cable to bootstrap when
| you use the phone as a hotspot like I do, nor would I dare
| open it up to the internet.
|
| - Any number of SFTP clients rather than the limited ADB
| options
|
| - Higher throughput than wired ADB (at least on my Pixel 6A
| over USB)
|
| - I want ssh access to my termux environment anyway so may as
| well use it for file transfers too.
|
| I only really use adb for app development, maybe the odd
| nslookup or android package management with `pm`
| therealmarv wrote:
| It's mostly rsync for me. I love rsync.
|
| And also: I don't want to connect my phone over the cable to
| my PC very often. I just want to quickly transfer sometimes
| (over WiFi).
| paravz wrote:
| my rsync backup use case over usb and adb (with adb root)
|
| start rsync daemon:
|
|     adb root
|     adb forward tcp:6010 tcp:11873
|     adb shell "rsync --daemon --port 11873 --config=/sdcard/rsyncd.conf &"
|
| rsync:
|
|     rsync -rltHDhP --stats --size-only --append-verify --partial \
|       --delete rsync://localhost:6010/root/data/data/ /backup/data
|
| cleanup:
|
|     adb kill-server
|
| /sdcard/rsyncd.conf for the phone:
|
|     address = 127.0.0.1
|     uid = root
|     gid = root
|     [root]
|     path = /
|     read only = true
___________________________________________________________________
(page generated 2024-12-09 23:01 UTC)