SSH from Android with key authentication: a 2026 guide

Doing SSH from a phone used to be the kind of thing you only attempted in an emergency. The keyboard was wrong, the keys were a nightmare to manage, and half the clients still wanted passwords. In 2026 the story is different: foldables and tablets are genuinely usable, hardware-backed key storage finally works on Android, and a 5G hotspot covers most of the bandwidth you need for SSH from anywhere.

This guide walks through SSH Android key authentication end-to-end: which key algorithm to pick, how to generate keys safely on a phone, how to install the public key on a server, how to lock down server-side auth so passwords stop being a fallback, and how to handle the everyday workflow when you're away from your laptop.

Why key authentication matters more on a phone

On a laptop, the slight inconvenience of typing a password feels small. On a phone, every password is a UX disaster: shift toggles, autocorrect, the on-screen keyboard eating half the display. Key authentication isn't just more secure — it's the only sensible default for mobile SSH.

• You generate a keypair on the device once; the public key goes on every server.
• No password gets typed at the keyboard, so nothing gets phished or shoulder-surfed.
• Lose the phone? Revoke the key once on the servers; your other devices keep working.
• Modern Android stores the private key in the hardware-backed keystore; even root-level malware can't exfiltrate it.

Pick the right algorithm

In 2026 the answer is Ed25519. Here's why, briefly:

• Ed25519 keys are 32 bytes; an Ed25519 signature is 64 bytes. They fit easily into any modern protocol.
• Ed25519 doesn't depend on the quality of the RNG at signing time, the way ECDSA does. That made an actual difference on a couple of phone platforms in the early 2010s.
• Every modern server-side SSH (OpenSSH 6.5+, released 2014) supports it. Anything older is a server upgrade you should be doing anyway.

Use RSA-4096 only if you have to interoperate with a piece of legacy infrastructure that genuinely doesn't support Ed25519. RSA-2048 is fine on the same legacy hardware but is not your first choice for a new key in 2026.

Generate the key on Android

Generate the key on the phone, not on your laptop. The private key should never travel.

Using Telnety for Android

1. Open Telnety, tap the menu, and pick SSH Keys.
2. Tap Generate new. Pick Ed25519.
3. Set a passphrase. Telnety stores the passphrase in the device's hardware-backed keystore, so subsequent unlocks use the fingerprint or face sensor.
4. Set a comment — “your-name@pixel-8” is a good default so the public key is self-describing on the server.
5. Tap Generate. Telnety creates the keypair, stores the private half in the hardware keystore, and shows you the public key with a Copy button.

Using other Android SSH clients

Most Android SSH clients can generate keys. The shape of the flow is the same: pick Ed25519, set a passphrase, copy the public key. The detail that matters is whether the private key lives in the Android Keystore (hardware-backed) or in the app's own SQLite database (software-backed). Hardware-backed is strictly better for a phone you might lose; the tradeoff is that you can't export the private key to a second device.

Install the public key on the server

The public key needs to end up in ~/.ssh/authorized_keys on the server, owned by the user you log in as, with permissions 600 on the file and 700 on the directory. The easiest way is to use ssh-copy-id from a laptop you already trust:

# From a trusted machine, paste in the public key you copied from the phone
echo "ssh-ed25519 AAAAC3... your-name@pixel-8" | ssh user@host \
  "umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Or, if you only have the phone to hand and you can still SSH in with a password, do the install over a Telnety session:

# On the server, after you've SSHed in
umask 077
mkdir -p ~/.ssh
cat >> ~/.ssh/authorized_keys
# Paste the public key, then Ctrl+D to close stdin
# Verify
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
ls -la ~/.ssh

Harden the server

Once the key works, take password auth off the table. Edit /etc/ssh/sshd_config to disable it; this is the single most effective change you can make:

# /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# Apply
sudo systemctl reload ssh

Open a second SSH session before you reload sshd, so if you misconfigure the file you have a way back in. The first time you do this on a server you care about, do it on a spare VM first.

Working from the phone

Once you're set up, the day-to-day workflow on Android comes down to a few practical patterns:

• Use a Bluetooth keyboard. Foldables and tablets are usable; phones are usable in emergencies. A small portable keyboard makes SSH from a phone feel like SSH from anything else.
• Set up snippets for repetitive commands. Telnety stores snippets per host and per workspace; one tap fires off a 60-character command without you typing it.
• Enable tmux on the server. Sessions detach when your phone's mobile data flakes; pick them up when you reconnect rather than starting over.
• Use mosh for high-latency or flaky links. Mosh tolerates connectivity gaps far better than raw SSH and is well worth the small server-side install.

Advanced: jump hosts and short-lived certs

Two patterns are worth setting up once you've done the basics:

Jump hosts. Your phone's key authenticates to a bastion; the bastion forwards your session to internal hosts. You only need to authorise the public key on the bastion, not on every internal machine. See the SSH setup guide for how Telnety configures multi-hop chains.

Short-lived SSH certificates. For teams, an SSH CA issues certificates that expire after a few hours. Your phone authenticates to the CA (using the same Ed25519 key) and gets back a certificate that all your servers accept for the lifetime of that cert. Lose the phone? The cert expires by itself. This is how most large engineering orgs do mobile SSH in 2026.

Picking a client

Android has plenty of SSH clients in 2026. The shortlist for our money:

• Telnety — SSH, SFTP, RDP, and VNC in one app, with hardware-keystore-backed Ed25519 keys and a free Community tier. See the Telnety vs Termius comparison for the full breakdown.
• Termius — cloud-synced across devices; iOS counterpart is the strongest in the category. The desktop and mobile UIs are mature.
• JuiceSSH — a long-time Android favourite focused purely on SSH. Excellent if you want the lightest possible client.
• Termux + ssh — not a GUI client but a full Linux-ish environment with OpenSSH. The right answer if you want the same workflow on the phone as on the laptop.

The closing call

SSH from a phone in 2026 isn't a compromise — it's a workflow. Generate an Ed25519 key in the hardware keystore, install the public key on the servers you care about, turn off password auth, and you'll be running commands from a coffee shop with a small Bluetooth keyboard before the espresso lands.

Telnety's free Android client ships every protocol on a single device — see the pricing page if you want to step up to the encrypted vault and unlimited hosts.