
ssh - Secure Shell Remote Access

Comprehensive SSH commands for secure remote access, tunneling, and system administration across all platforms.

Basic Connection

Simple Connection

Command Description
ssh user@hostname Connect to remote host
ssh user@192.168.1.100 Connect using IP address
ssh -p 2222 user@hostname Connect to custom port
ssh hostname Connect with current username

Connection Options

Command Description
ssh -v user@hostname Verbose output for debugging
ssh -vv user@hostname More verbose output
ssh -vvv user@hostname Maximum verbosity
ssh -q user@hostname Quiet mode (suppress warnings)

Authentication Methods

Password Authentication

# Standard password login
ssh user@hostname

# Force password authentication
# (a client-side preference only; the server must still permit passwords)
ssh -o PreferredAuthentications=password user@hostname

# Disable password authentication
# This only stops this client from offering a password; it does not harden
# the server. Server-side enforcement is configured in sshd_config
# (PasswordAuthentication no).
ssh -o PasswordAuthentication=no user@hostname

Key-Based Authentication

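# Generate SSH key pair
# Set a passphrase when prompted, so that a copied private key file is not
# usable on its own.
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com"  # Modern, secure

# Copy public key to remote server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

# Manual key installation
# umask 077 makes a newly created ~/.ssh and authorized_keys owner-only.
# Without it they inherit the remote account's umask; if that leaves them
# group-writable, sshd's StrictModes check refuses the key.
ssh user@hostname "umask 077 && mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub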

Key Management

Command Description
ssh-keygen -t ed25519 Generate Ed25519 key (recommended)
ssh-keygen -t rsa -b 4096 Generate 4096-bit RSA key
ssh-keygen -f ~/.ssh/custom_key Generate key with custom name
ssh-add ~/.ssh/private_key Add key to SSH agent
ssh-add -l List loaded keys
ssh-add -D Remove all keys from agent

Configuration

SSH Client Config (~/.ssh/config)

# Global defaults
# ssh uses the first value it obtains for each option, so anything set here
# takes precedence over the same option in a Host block further down the file.
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes

# Specific host configuration
Host myserver
    HostName server.example.com
    User myusername
    Port 2222
    IdentityFile ~/.ssh/myserver_key
    # While you are connected, root (or anyone controlling your account) on
    # this host can use the keys in your local agent. Enable forwarding per
    # host only, never under "Host *", and prefer ProxyJump when the goal is
    # just to hop through a bastion.
    ForwardAgent yes

# Jump host configuration
# ProxyJump tunnels the connection through jumphost; authentication to the
# target is still performed from the local machine, so no agent or private
# key has to be exposed on the jump host.
Host target
    HostName 192.168.1.100
    User admin
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User jumpuser

Common Configuration Options

Option Description Example
HostName Real hostname or IP HostName server.example.com
User Username for connection User admin
Port SSH port number Port 2222
IdentityFile Private key file IdentityFile ~/.ssh/id_rsa
ForwardAgent Enable agent forwarding ForwardAgent yes
Compression Enable compression Compression yes

Port Forwarding and Tunneling

Local Port Forwarding

# Forward local port to remote service
ssh -L 8080:localhost:80 user@hostname

# Forward to different remote host
ssh -L 3306:database.internal:3306 user@gateway

# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname

Remote Port Forwarding

# Forward remote port to local service
# (by default the listener is bound to the server's loopback interface)
ssh -R 8080:localhost:3000 user@hostname

# Allow remote connections to forwarded port
# Needs GatewayPorts set to yes or clientspecified in the server's
# sshd_config; otherwise the bind address is ignored. Binding 0.0.0.0 exposes
# the local service on port 3000 to every host that can reach hostname:8080,
# and that listener performs no SSH authentication of its own.
ssh -R 0.0.0.0:8080:localhost:3000 user@hostname

Dynamic Port Forwarding (SOCKS Proxy)

# Create SOCKS proxy on local port 1080
ssh -D 1080 user@hostname

# Use with applications
# Configure browser to use SOCKS proxy: localhost:1080

X11 Forwarding

# Enable X11 forwarding for GUI applications
# Untrusted mode: remote clients are restricted by the X11 SECURITY extension.
# Some distributions default ForwardX11Trusted to yes, in which case -X
# behaves like -Y; check the system ssh_config.
ssh -X user@hostname

# Trusted X11 forwarding
# Remote clients get full access to the local X display, including other
# windows' contents and keystrokes. Use only with hosts you fully trust.
ssh -Y user@hostname

# Run GUI application
ssh -X user@hostname firefox

File Transfer Integration

SCP Integration

# Copy file to remote host
scp file.txt user@hostname:/path/to/destination/

# Copy from remote host
scp user@hostname:/path/to/file.txt ./

# Recursive copy
scp -r directory/ user@hostname:/path/to/destination/

SFTP Integration

# Start SFTP session
sftp user@hostname

# SFTP with custom port
sftp -P 2222 user@hostname

Advanced Features

Jump Hosts and Bastion Servers

# Connect through jump host
ssh -J jumphost user@target

# Multiple jump hosts
ssh -J jump1,jump2 user@target

# Using ProxyCommand
ssh -o ProxyCommand="ssh -W %h:%p jumphost" user@target

SSH Agent and Key Management

# Start SSH agent
eval $(ssh-agent)

# Add key to agent
ssh-add ~/.ssh/id_rsa

# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa

# List agent keys
ssh-add -l

# Remove specific key
ssh-add -d ~/.ssh/id_rsa

# Remove all keys
ssh-add -D

Connection Multiplexing

# Enable connection sharing in ~/.ssh/config
# Any process that can open the control socket can start new sessions on the
# already-authenticated connection without authenticating again, for as long
# as ControlPersist keeps the master alive (600 seconds here).
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

# Create socket directory
# (keep it owner-only, e.g. mode 700, like ~/.ssh itself)
mkdir -p ~/.ssh/sockets

Security and Hardening

Secure Connection Options

# Disable password authentication
# Client-side only: this stops this client from offering a password. To
# harden the server, set PasswordAuthentication no in its sshd_config.
ssh -o PasswordAuthentication=no user@hostname

# Use specific key only
# IdentitiesOnly stops ssh from also offering every key loaded in the agent.
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@hostname

# Disable host key checking (development only)
# This removes the protection against man-in-the-middle attacks: unknown host
# keys are added without asking and connections to hosts whose key has changed
# are still allowed to proceed. Do not use it in automation or production.
# On newer OpenSSH releases StrictHostKeyChecking=accept-new is a safer
# alternative: it records keys of new hosts but still refuses changed keys.
ssh -o StrictHostKeyChecking=no user@hostname

# Use specific cipher
ssh -c aes256-ctr user@hostname

Host Key Verification

# Check host key fingerprint
# Run this on the server itself (e.g. from its console) to get the reference
# fingerprint to compare against what the client shows.
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

# Remove host key from known_hosts
# Only after confirming that the key change is legitimate.
ssh-keygen -R hostname

# Add host key manually
# ssh-keyscan accepts whatever answers on the network, so this step alone
# does not authenticate the host. Compare the scanned key's fingerprint
# (ssh-keygen -l -f) with one obtained from the server over a trusted channel
# before relying on the entry.
ssh-keyscan hostname >> ~/.ssh/known_hosts

Certificate-Based Authentication

# Generate user certificate
# -s: CA private key used for signing (keep it offline or tightly restricted)
# -I: key identity, recorded by the server when the certificate is used
# -n: principals (user names) the certificate is valid for
# No -V validity interval is given here, so the certificate never expires;
# a short lifetime (e.g. -V +1d) limits the damage if the key leaks.
ssh-keygen -s ca_key -I user_id -n username user_key.pub

# Use certificate for authentication
ssh -o CertificateFile=user_key-cert.pub user@hostname

Troubleshooting

Connection Issues

# Debug connection problems
ssh -vvv user@hostname

# Test specific authentication method
ssh -o PreferredAuthentications=publickey user@hostname

# Check SSH service status
systemctl status ssh  # Linux
service ssh status    # Linux (older)

Common Problems and Solutions

Problem Symptoms Solution
Permission denied Authentication fails Check key permissions (600 for private key)
Connection timeout No response Check firewall, network connectivity
Host key verification failed Key mismatch warning Verify the host identity first; update known_hosts only once the key change is confirmed legitimate
Agent forwarding not working Keys not available on remote Enable ForwardAgent in config

Key Permission Issues

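# Fix SSH key permissions
# Private keys and the files that control access are owner-only; only the
# public key and known_hosts are left readable by others.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
# authorized_keys decides who may log in to this account, so keep it
# owner-only rather than world-readable.
chmod 600 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config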

Automation and Scripting

Non-Interactive SSH

# Run single command
ssh user@hostname "ls -la /var/log"

# Run multiple commands
ssh user@hostname "cd /var/log && tail -f syslog"

# Execute local script on remote host
ssh user@hostname 'bash -s' < local_script.sh

# Execute with sudo
ssh user@hostname "sudo systemctl restart nginx"

Batch Operations

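#!/bin/bash
# Deploy to multiple servers
#
# Pulls the latest code on each server and restarts nginx only if the pull
# succeeded. Exits non-zero if any server failed.
# Assumes key-based authentication and that the remote user may run the
# systemctl command through sudo without a password prompt.

servers=("web1.example.com" "web2.example.com" "web3.example.com")
failed=0

for server in "${servers[@]}"; do
    echo "Deploying to $server"
    # BatchMode=yes makes ssh fail instead of waiting for a password or
    # host-key prompt, so an unattended run cannot hang.
    if ! ssh -o BatchMode=yes "user@$server" \
        "cd /var/www && git pull origin main && sudo systemctl restart nginx"; then
        echo "Deployment to $server failed" >&2
        failed=1
    fi
done

exit "$failed"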

SSH with Expect (Password Automation)

#!/usr/bin/expect
# NOTE(review): the password is stored in clear text in this script, so
# anyone who can read the file, its backups or its version-control history
# obtains it. Prefer key-based authentication. If a password is unavoidable,
# keep the script owner-only and load the secret from a protected source
# instead of hard-coding it.
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interact

Performance Optimization

Compression and Speed

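# Enable compression
ssh -C user@hostname

# Disable compression for fast networks
ssh -o Compression=no user@hostname

# Use a fast cipher
# arcfour (RC4) is cryptographically broken and has been removed from current
# OpenSSH releases, so "-c arcfour" fails there. AES-GCM is fast on CPUs with
# AES acceleration and keeps the session authenticated and encrypted.
# List the ciphers your client supports with: ssh -Q cipher
ssh -c aes128-gcm@openssh.com user@hostname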

Connection Persistence

# Keep connection alive
ssh -o ServerAliveInterval=60 user@hostname

# Persistent connection in background
ssh -f -N -L 8080:localhost:80 user@hostname

Platform-Specific Considerations

Windows (OpenSSH)

# Windows OpenSSH client
ssh user@hostname

# Windows SSH config location
%USERPROFILE%\.ssh\config

# Start SSH agent on Windows
Start-Service ssh-agent
ssh-add ~/.ssh/id_rsa

macOS Keychain Integration

# Add key to macOS keychain
ssh-add --apple-use-keychain ~/.ssh/id_rsa

# Configure automatic keychain loading
Host *
    AddKeysToAgent yes
    UseKeychain yes

Best Practices

Security

  1. Use Key Authentication: Disable password authentication
  2. Strong Keys: Use Ed25519 or 4096-bit RSA keys
  3. Key Rotation: Regularly rotate SSH keys
  4. Principle of Least Privilege: Limit user access
  5. Monitor Access: Log and monitor SSH connections

Configuration Management

  1. Centralized Config: Use ~/.ssh/config for common settings
  2. Host Aliases: Create meaningful host aliases
  3. Connection Multiplexing: Reuse connections for efficiency
  4. Agent Forwarding: Use carefully, only when needed and only to hosts you trust; prefer ProxyJump for reaching hosts behind a bastion
  5. Documentation: Document custom configurations

Operational

  1. Backup Keys: Securely backup private keys
  2. Test Connections: Regularly test SSH access
  3. Update Software: Keep SSH client/server updated
  4. Monitor Logs: Watch for suspicious activity
  5. Emergency Access: Maintain alternative access methods