• Follow
    Subscribe to Developer Insider
    Get the latest posts delivered right to your inbox
    Great! Check your inbox and click the link to confirm your subscription
    Please enter a valid email address!

How to Set Up SSH Server on Rooted Android (LineageOS) Using Dropbear

Go to the profile of Vineet Choudhary
4 min read
By Vineet Choudhary

Why Dropbear?

Dropbear is a lightweight, standalone SSH server that works reliably on Android without system library dependencies. Meanwhile, the built-in OpenSSH sshd binary on LineageOS has a known BoringSSL compatibility issue that causes a segmentation fault during crypto initialization. It cannot be fixed through configuration.

Prerequisites

  • Rooted Android device running LineageOS
  • Magisk installed
  • ADB access to the device (via USB or wireless)
  • curl available on the device
  • Static IP assigned to the device via router DHCP reservation

1. Connect Device to ADB

1.1. Connect via USB

Connect the Android device via USB and get a root shell

adb shell
su

1.2. Connect via Wireless ADB

1. Enable wireless ADB (one-time setup via USB)

If wireless ADB is not yet enabled, connect via USB first:

adb tcpip 5555
adb connect <DEVICE_IP>:5555

Then unplug the USB cable.

2. Connect to the device

adb connect <DEVICE_IP>:5555

3. Get a root shell

adb shell
su

2. Install Dropbear

All commands below are run inside the device shell as root.

2.1. Create the SSH directory

mkdir -p /data/ssh

2.2. Download the Dropbear binary

For 32-bit ARM devices (armeabi-v7a):

curl -L -o /data/ssh/dropbear.zip https://github.com/ribbons/android-dropbear/releases/download/DROPBEAR_2025.89/dropbear-armv7a-linux-androideabi.zip

Note: Check your device architecture with getprop ro.product.cpu.abi. For 64-bit ARM (arm64-v8a), download the aarch64-linux-android variant from the same releases page.

2.3. Extract and set permissions

cd /data/ssh
unzip dropbear.zip
chmod 755 /data/ssh/dropbear /data/ssh/dropbearkey

2.4. Generate the host key (ed25519)

/data/ssh/dropbearkey -t ed25519 -f /data/ssh/dropbear_host_ed25519

3. Configure the System passwd File

Dropbear needs a passwd entry for root to locate the home directory and the authorized_keys file.

3.1. Remount the root filesystem as writable

mount -o rw,remount /

3.2. Create the passwd entry for root

echo "root:x:0:0:root:/root:/system/bin/sh" > /system/etc/passwd

3.3. Create root's home and .ssh directories

mkdir -p /root/.ssh
chmod 755 /root
chmod 700 /root/.ssh
chown -R root:root /root

3.4. Remount as read-only

mount -o ro,remount /

4. Set Up SSH Key Authentication

4.1. On your client machine, generate an ed25519 key pair

ssh-keygen -t ed25519 -f ~/.ssh/id_android_device -N ""
cat ~/.ssh/id_android_device.pub

Copy the output (the public key).

4.2. On the Android device, add the public key to authorized_keys

You need to remount as writable since /root is on the read-only filesystem:

mount -o rw,remount /
cat > /root/.ssh/authorized_keys << EOF
<paste the public key here>
EOF
chmod 600 /root/.ssh/authorized_keys
chown root:root /root/.ssh/authorized_keys
mount -o ro,remount /

Note: Dropbear performs strict permission checks on the entire path to authorized_keys. Every directory in the path must be owned by root and not writable by group or others. The /root directory satisfies this requirement, unlike /data which is owned by system:system on Android.

5. Start Dropbear and Test

5.1. Start Dropbear on the device

/data/ssh/dropbear -r /data/ssh/dropbear_host_ed25519 -p 2222 -D /root/.ssh -P /data/ssh/dropbear.pid

Note: The -D flag tells Dropbear the exact directory containing the authorized_keys file. -D /root/.ssh means Dropbear looks for /root/.ssh/authorized_keys. This is critical for proper authentication on Android.

5.2. Test the connection from your client machine

ssh -i ~/.ssh/id_android_device -p 2222 root@<DEVICE_IP> "echo works"

You should see works in the output. If it fails, run Dropbear in debug mode for troubleshooting:

/data/ssh/dropbear -r /data/ssh/dropbear_host_ed25519 -p 2222 -D /root/.ssh -F -E -v -v -v

6. Auto-Start Dropbear on Boot

6.1. Create the boot script

cat > /data/adb/service.d/start_sshd.sh << 'EOF'
#!/system/bin/sh
while [ "$(getprop sys.boot_completed)" != "1" ]; do
    sleep 5
done
sleep 5
/data/ssh/dropbear -r /data/ssh/dropbear_host_ed25519 -p 2222 -D /root/.ssh -P /data/ssh/dropbear.pid
EOF

6.2. Make it executable

chmod 755 /data/adb/service.d/start_sshd.sh

6.3. Reboot and verify

reboot

After reboot, test SSH from your client machine:

ssh -i ~/.ssh/id_android_device -p 2222 root@<DEVICE_IP> "echo works"

7. Home Assistant Integration (Optional)

If you want to control the device (reboot/shutdown) from Home Assistant via SSH:

7.1. Add shell commands to your HA configuration.yaml

shell_command:
  reboot_device: "ssh -i <SSH_KEY_PATH> -p 2222 -o StrictHostKeyChecking=no root@<DEVICE_IP> 'reboot'"
  shutdown_device: "ssh -i <SSH_KEY_PATH> -p 2222 -o StrictHostKeyChecking=no root@<DEVICE_IP> 'reboot -p'"

Note: Replace <SSH_KEY_PATH> with the actual path to your private key on the HA machine (e.g., /root/config/ssh_keys/id_android_device) and <DEVICE_IP> with your device's static IP address.

7.2. Restart Home Assistant

Restart Home Assistant to load the new configuration.

7.3. Create dashboard buttons (optional)

Add scripts in your HA scripts.yaml or via the UI:

script:
  reboot_device:
    alias: "Reboot Device"
    sequence:
      - service: shell_command.reboot_device

  shutdown_device:
    alias: "Shutdown Device"
    sequence:
      - service: shell_command.shutdown_device

Troubleshooting

Permission denied (publickey)

Run Dropbear in debug mode to see server-side errors:

/data/ssh/dropbear -r /data/ssh/dropbear_host_ed25519 -p 2222 -D /root/.ssh -F -E -v -v -v

Common causes:

  • Directory ownership issue: Every directory in the path to authorized_keys must be owned by root and not writable by group or others. Check with stat -c '%a %U:%G' /root /root/.ssh /root/.ssh/authorized_keys
  • Wrong authorized_keys content: Make sure the public key was pasted correctly as a single line without extra line breaks
  • Wrong -D path: The -D flag must point to the directory containing authorized_keys, not the parent directory
  • /data ownership: On Android, /data is owned by system:system. Never use a path under /data directly for authorized_keys. Always use /root/.ssh instead

Dropbear does not start after reboot

Check that the boot script exists and is executable:

ls -la /data/adb/service.d/start_sshd.sh
cat /data/adb/service.d/start_sshd.sh

Verify Dropbear is running:

ps | grep dropbear

Connection refused

  • Verify Dropbear is running: ps | grep dropbear
  • Check the device has the expected IP: ip addr show wlan0
  • Make sure port 2222 is not blocked by a firewall
  • Ensure the device has a static IP via DHCP reservation in your router
WikiSSHLineageOSAndroid
Prev article
How to Auto-Start Home Assistant on Boot on Rooted Android (LineageOS + Magisk)
Next article
NetDebug Toolkit: The All-in-One Network Diagnostics App for iPhone, iPad, and Apple TV

Related Articles

No results found
Navigate up/down
Enter Go to article
/ Search new term
Esc Close search
You've successfully subscribed to Developer Insider
Great! Next, complete checkout for full access to Developer Insider
Welcome back! You've successfully signed in
Success! Your account is fully activated, you now have access to all content.