Set up a fresh Android device for Termux-over-SSH from a Windows PC by preparing ADB, installing the GitHub Termux build, handling HyperOS USB install restrictions, using run-as on the debuggable GitHub build, installing openssh, configuring public-key authentication, and connecting through adb port forwarding. Use when the user wants to get from a blank Android phone to a usable Termux SSH shell without root.
Use this skill when the user wants to:
Do not use this skill for generic Linux SSH work or for F-Droid-only workflows that explicitly forbid the GitHub build. This workflow relies on the GitHub Termux build being DEBUGGABLE, so run-as com.termux can be used for non-interactive setup.
The target state is:
adb forward tcp:8022 tcp:8022
ssh -o IdentitiesOnly=yes -i <pubkey_private_key> -p 8022 <termux_user>@127.0.0.1
<termux_user> must be discovered from Termux with whoami. Never hardcode user-specific values from a previous device.
%USERPROFILE%\.ssh\id_ed25519.pub.If adb is missing, install official Android SDK Platform Tools first.
arm64-v8a; derive it.INSTALL_FAILED_USER_RESTRICTED as a device policy issue, not an ADB bug.Resolve these values before proceeding:
<apk_path>: downloaded Termux APK path on Windows<release_tag>: GitHub release tag actually chosen<pubkey_path>: Windows public key path<termux_user>: output of whoami inside Termux<abi_list>: result of adb shell getprop ro.product.cpu.abilistIf adb is not installed, install Android SDK Platform Tools and ensure adb version works.
Validation:
adb version
adb devices -l
Do not proceed until the device appears as device.
If the state is unauthorized, have the user unlock the phone and approve USB debugging.
Tell the user to enable:
USB debuggingInstall via USBUSB debugging (Security settings)If adb install later fails with:
INSTALL_FAILED_USER_RESTRICTED: Install canceled by user
switch to the manual installer path in step 5.
Read the device ABI:
adb shell getprop ro.product.cpu.abilist
Use the official Termux GitHub release assets and choose the matching APK flavor. Prefer the ABI-specific asset over universal unless there is a clear reason not to.
Official sources:
If the user asks for the latest release, verify the current release tag and asset names from GitHub before downloading.
If gh is available, downloading is straightforward:
gh release download <release_tag> -R termux/termux-app -p "<apk_filename>" -p "<sha256_filename>" -D <download_dir>
Validate the SHA256 before installing.
First try:
adb install "<apk_path>"
If that fails with INSTALL_FAILED_USER_RESTRICTED, push the APK to the device and have the user install it from the file manager:
adb push "<apk_path>" /sdcard/Download/<apk_filename>
Then instruct the user to open the APK from Download and install it manually. Do not promise that HyperOS can always be fully driven from ADB; in many cases the final confirmation is user-side.
Launch the app:
adb shell monkey -p com.termux -c android.intent.category.LAUNCHER 1
adb shell pm path com.termux
adb shell dumpsys package com.termux | findstr /I "DEBUGGABLE versionName"
Then verify run-as:
adb shell run-as com.termux pwd
adb shell run-as com.termux ls -la files
If run-as com.termux fails, stop and reassess. This usually means the installed build is not the debuggable GitHub build, so this skill's non-interactive path does not apply.
For all non-interactive Termux commands, use a wrapper like this:
$remote = @'
run-as com.termux env -i HOME=/data/user/0/com.termux/files/home PREFIX=/data/user/0/com.termux/files/usr PATH=/data/user/0/com.termux/files/usr/bin:/data/user/0/com.termux/files/usr/bin/applets TERM=xterm-256color /data/user/0/com.termux/files/usr/bin/bash -lc '<termux_command>'
'@
adb shell $remote
Use it for package installation, whoami, SSH key placement, and sshd startup.
Use the wrapper and run:
pkg update -y && pkg install -y openssh
Do not skip pkg update. Initial mirror selection and package metadata refresh may take time on the first run.
Prefer the user's existing public key. A typical choice is:
%USERPROFILE%\.ssh\id_ed25519.pub
Push it to a temporary device path:
adb push "<pubkey_path>" /data/local/tmp/codex_termux_id_ed25519.pub
Then install it into authorized_keys from Termux:
mkdir -p "$HOME/.ssh" && cat /data/local/tmp/codex_termux_id_ed25519.pub > "$HOME/.ssh/authorized_keys" && chmod 700 "$HOME/.ssh" && chmod 600 "$HOME/.ssh/authorized_keys"
After that, remove the temporary copy:
adb shell rm /data/local/tmp/codex_termux_id_ed25519.pub
Start the daemon from Termux:
sshd
Discover the actual SSH username:
whoami
Save that as <termux_user>. Do not reuse a username from a prior device.
Forward USB port 8022:
adb forward tcp:8022 tcp:8022
adb forward --list
Connect:
ssh -o IdentitiesOnly=yes -i <pubkey_private_key> -p 8022 <termux_user>@127.0.0.1
For non-interactive verification, run something like:
cmd /c ssh -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=%TEMP%\termux_known_hosts -o IdentitiesOnly=yes -i <pubkey_private_key> -p 8022 <termux_user>@127.0.0.1 "whoami"
Then verify it is really a Termux environment:
cmd /c ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%TEMP%\termux_known_hosts -o IdentitiesOnly=yes -i <pubkey_private_key> -p 8022 <termux_user>@127.0.0.1 ". /data/data/com.termux/files/usr/etc/profile; printenv HOME; printenv PREFIX; command -v pkg"
These must all pass before you claim success:
adb devices -l shows the device as deviceadb shell pm path com.termux returns a package pathadb shell run-as com.termux pwd workspkg install -y openssh completeswhoami in Termux returns a concrete <termux_user>sshd starts without fatal errorsadb forward --list contains tcp:8022ssh login succeedscommand -v pkg resolves inside Termuxadb devices -l shows unauthorizedUSB debuggingINSTALL_FAILED_USER_RESTRICTEDInstall via USBUSB debugging (Security settings)adb push plus manual on-device installrun-as com.termux failsOEM power management may kill Termux or sshd.
Recommend:
adb shell is Android's shell user, not the Termux shell