SSH

This article provides an overview of how to use the SSH server after postmarketOS was installed. It is aimed at beginners, who have possibly installed postmarketOS for the first time through the on-device installer or pmbootstrap.

Start the SSH Daemon
If you are running postmarketOS from a pre-built image, the SSH daemon is disabled. Open a terminal on your phone and type the following to start it. Your sudo password is your PIN ( in pre-built images):

Enable the service on every boot:

Note that in SXMO, you can type the minus character after long-pressing the dot.

Find the IP of your phone
When connecting your phone via USB Network, then the IP of the phone is.

Wi-Fi
In Phosh, you can find the IP in the "Settings" app, by clicking on the cogwheel next to the Wi-Fi network you are connected to, then "More details".

In any user interface, you can open a terminal and type  to display the Wi-Fi IP.

First login
Make sure your phone is on the same Wi-Fi network as your PC, or connect your phone via USB to your PC. Then type:

In pre-built images, username defaults to  and your user's password or PIN is. Adjust the IP as necessary.

If you cannot login as, see the troubleshooting instructions below.

If that doesn't help it either, see USB Network for a more detailed guide and more troubleshooting instructions.

Replace password with SSH key
If the SSH server is enabled in postmarketOS (in the on-device installer, one can decide at install-time), it listens to USB networking, Wi-Fi and cellular network. This provides a big attack surface, so it's highly recommended to install an SSH key and disable password login.

In order to do so, you need to generate a keypair on your client machine. If that is still connected to the phone, quit the connection:. Then generate the keypair:

Now you will be asked a few questions. You can hit 'Enter' to chose the default location for the keys. Set a passphrase you can remember. After the successful generation of the keys, the public key is now located in /home/user/.ssh/id_rsa.pub. The public key needs to be transferred to the phone.

You will have to enter your phones password. Now make sure everything worked by using ssh with your passphrase:

If you were asked for the passphrase and successfully logged in, everything worked as expected. The next step is to only allow logging in via the ssh keys. To do so, edit the file /etc/ssh/sshd_config. If you have nano installed the command is:

In this file, set:

PasswordAuthentication no

Save and close the file. You might have to restart the ssh server for the changes to take effect.

Enable specific network interfaces only
New installations have a  as firewall configured that limits incoming SSH connections to Wi-Fi and USB (only on some devices?). As mentioned in the linked article, you can add your own rules too if you want to lock it down even more.

Login with username "user" fails
In postmarketOS v21.03 and earlier, as well as postmarketOS edge before 2021-06, the on-device installer asked if a dedicated SSH user should be created. While the original idea was to ensure that the SSH user always has a stronger password than just a numeric PIN that would be used for the main user at the time, this made the installation process more complicated and it's more complex to use the dedicated user to access files from / start applications for the regular user. So this was removed in favor of having SSH always disabled and following the (relatively simple) steps to enable and secure it on this wiki page. So if you are currently running a postmarketOS installation that was set up like this, do the following to make it possible to login as the regular user. And then make sure that you copy over your SSH key and disable password authentication again, as described above in this article.

Open the file  with a text editor, for example  :

Then enable password authentication for your user by removing the following section from the end of the file (in : arrow keys or  /  to navigate up/down, press   twice to delete a line,   to write,   to quit). Match User user PasswordAuthentication no Match all

Save and close the file and restart (or start if not running) the SSH service:

Login with username "root" fails
After having put a good /root/.ssh/authorized_keys file into the root account (maybe just by copying the user account's one), if it still fails to get in, it is because the root account is disabled (no password is set). To enable public key SSH login with the root account you have to set a password for the root user first.

Enable SSH in downloaded image
In some hopefully rare cases, when using images downloaded from bpo, you may have no easy way to gain access to the running system to enable SSH (e.g. broken touch sensor). You can get around this limitation by enabling SSH in the image before you write it to the device. Proceed as follows:

SSH will be active in the image when you flash/burn it

Cool things to do with SSH

 * Share your PC's Internet with the phone
 * Backup and restore your data
 * Store IP in syncthing