Appearance
ssh - Secure Shell Remote Access
Comprehensive SSH commands for secure remote access, tunneling, and system administration across all platforms.
Basic Connection
Simple Connection
| Command | Description |
|---|---|
ssh user@hostname | Connect to remote host |
ssh user@192.168.1.100 | Connect using IP address |
ssh -p 2222 user@hostname | Connect to custom port |
ssh hostname | Connect with current username |
Connection Options
| Command | Description |
|---|---|
ssh -v user@hostname | Verbose output for debugging |
ssh -vv user@hostname | More verbose output |
ssh -vvv user@hostname | Maximum verbosity |
ssh -q user@hostname | Quiet mode (suppress warnings) |
Authentication Methods
Password Authentication
bash
# Standard password login
ssh user@hostname
# Force password authentication
ssh -o PreferredAuthentications=password user@hostname
# Disable password authentication
ssh -o PasswordAuthentication=no user@hostnameKey-Based Authentication
bash
# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com" # Modern, secure
# Copy public key to remote server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
# Manual key installation
cat ~/.ssh/id_rsa.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"Key Management
| Command | Description |
|---|---|
ssh-keygen -t ed25519 | Generate Ed25519 key (recommended) |
ssh-keygen -t rsa -b 4096 | Generate 4096-bit RSA key |
ssh-keygen -f ~/.ssh/custom_key | Generate key with custom name |
ssh-add ~/.ssh/private_key | Add key to SSH agent |
ssh-add -l | List loaded keys |
ssh-add -D | Remove all keys from agent |
Configuration
SSH Client Config (~/.ssh/config)
bash
# Global defaults
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
TCPKeepAlive yes
# Specific host configuration
Host myserver
HostName server.example.com
User myusername
Port 2222
IdentityFile ~/.ssh/myserver_key
ForwardAgent yes
# Jump host configuration
Host target
HostName 192.168.1.100
User admin
ProxyJump jumphost
Host jumphost
HostName jump.example.com
User jumpuserCommon Configuration Options
| Option | Description | Example |
|---|---|---|
HostName | Real hostname or IP | HostName server.example.com |
User | Username for connection | User admin |
Port | SSH port number | Port 2222 |
IdentityFile | Private key file | IdentityFile ~/.ssh/id_rsa |
ForwardAgent | Enable agent forwarding | ForwardAgent yes |
Compression | Enable compression | Compression yes |
Port Forwarding and Tunneling
Local Port Forwarding
bash
# Forward local port to remote service
ssh -L 8080:localhost:80 user@hostname
# Forward to different remote host
ssh -L 3306:database.internal:3306 user@gateway
# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostnameRemote Port Forwarding
bash
# Forward remote port to local service
ssh -R 8080:localhost:3000 user@hostname
# Allow remote connections to forwarded port
ssh -R 0.0.0.0:8080:localhost:3000 user@hostnameDynamic Port Forwarding (SOCKS Proxy)
bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@hostname
# Use with applications
# Configure browser to use SOCKS proxy: localhost:1080X11 Forwarding
bash
# Enable X11 forwarding for GUI applications
ssh -X user@hostname
# Trusted X11 forwarding
ssh -Y user@hostname
# Run GUI application
ssh -X user@hostname firefoxFile Transfer Integration
SCP Integration
bash
# Copy file to remote host
scp file.txt user@hostname:/path/to/destination/
# Copy from remote host
scp user@hostname:/path/to/file.txt ./
# Recursive copy
scp -r directory/ user@hostname:/path/to/destination/SFTP Integration
bash
# Start SFTP session
sftp user@hostname
# SFTP with custom port
sftp -P 2222 user@hostnameAdvanced Features
Jump Hosts and Bastion Servers
bash
# Connect through jump host
ssh -J jumphost user@target
# Multiple jump hosts
ssh -J jump1,jump2 user@target
# Using ProxyCommand
ssh -o ProxyCommand="ssh -W %h:%p jumphost" user@targetSSH Agent and Key Management
bash
# Start SSH agent
eval $(ssh-agent)
# Add key to agent
ssh-add ~/.ssh/id_rsa
# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa
# List agent keys
ssh-add -l
# Remove specific key
ssh-add -d ~/.ssh/id_rsa
# Remove all keys
ssh-add -DConnection Multiplexing
bash
# Enable connection sharing in ~/.ssh/config
Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist 600
# Create socket directory
mkdir -p ~/.ssh/socketsSecurity and Hardening
Secure Connection Options
bash
# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname
# Use specific key only
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@hostname
# Disable host key checking (development only)
ssh -o StrictHostKeyChecking=no user@hostname
# Use specific cipher
ssh -c aes256-ctr user@hostnameHost Key Verification
bash
# Check host key fingerprint
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
# Remove host key from known_hosts
ssh-keygen -R hostname
# Add host key manually
ssh-keyscan hostname >> ~/.ssh/known_hostsCertificate-Based Authentication
bash
# Generate user certificate
ssh-keygen -s ca_key -I user_id -n username user_key.pub
# Use certificate for authentication
ssh -o CertificateFile=user_key-cert.pub user@hostnameTroubleshooting
Connection Issues
bash
# Debug connection problems
ssh -vvv user@hostname
# Test specific authentication method
ssh -o PreferredAuthentications=publickey user@hostname
# Check SSH service status
systemctl status ssh # Linux
service ssh status # Linux (older)Common Problems and Solutions
| Problem | Symptoms | Solution |
|---|---|---|
| Permission denied | Authentication fails | Check key permissions (600 for private key) |
| Connection timeout | No response | Check firewall, network connectivity |
| Host key verification failed | Key mismatch warning | Update known_hosts or verify host identity |
| Agent forwarding not working | Keys not available on remote | Enable ForwardAgent in config |
Key Permission Issues
bash
# Fix SSH key permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/configAutomation and Scripting
Non-Interactive SSH
bash
# Run single command
ssh user@hostname "ls -la /var/log"
# Run multiple commands
ssh user@hostname "cd /var/log && tail -f syslog"
# Execute local script on remote host
ssh user@hostname 'bash -s' < local_script.sh
# Execute with sudo
ssh user@hostname "sudo systemctl restart nginx"Batch Operations
bash
#!/bin/bash
# Deploy to multiple servers
servers=("web1.example.com" "web2.example.com" "web3.example.com")
for server in "${servers[@]}"; do
echo "Deploying to $server"
ssh user@$server "cd /var/www && git pull origin main"
ssh user@$server "sudo systemctl restart nginx"
doneSSH with Expect (Password Automation)
bash
#!/usr/bin/expect
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interactPerformance Optimization
Compression and Speed
bash
# Enable compression
ssh -C user@hostname
# Disable compression for fast networks
ssh -o Compression=no user@hostname
# Use faster cipher for trusted networks
ssh -c arcfour user@hostnameConnection Persistence
bash
# Keep connection alive
ssh -o ServerAliveInterval=60 user@hostname
# Persistent connection in background
ssh -f -N -L 8080:localhost:80 user@hostnamePlatform-Specific Considerations
Windows (OpenSSH)
powershell
# Windows OpenSSH client
ssh user@hostname
# Windows SSH config location
%USERPROFILE%\.ssh\config
# Start SSH agent on Windows
Start-Service ssh-agent
ssh-add ~/.ssh/id_rsamacOS Keychain Integration
bash
# Add key to macOS keychain
ssh-add --apple-use-keychain ~/.ssh/id_rsa
# Configure automatic keychain loading
Host *
AddKeysToAgent yes
UseKeychain yesBest Practices
Security
- Use Key Authentication: Disable password authentication
- Strong Keys: Use Ed25519 or 4096-bit RSA keys
- Key Rotation: Regularly rotate SSH keys
- Principle of Least Privilege: Limit user access
- Monitor Access: Log and monitor SSH connections
Configuration Management
- Centralized Config: Use ~/.ssh/config for common settings
- Host Aliases: Create meaningful host aliases
- Connection Multiplexing: Reuse connections for efficiency
- Agent Forwarding: Use carefully, only when needed
- Documentation: Document custom configurations
Operational
- Backup Keys: Securely backup private keys
- Test Connections: Regularly test SSH access
- Update Software: Keep SSH client/server updated
- Monitor Logs: Watch for suspicious activity
- Emergency Access: Maintain alternative access methods