ssh Command
Securely connect to and execute commands on remote systems using the Secure Shell protocol.
Syntax
ssh [OPTIONS] [user@]hostname [command]
ssh [OPTIONS] -p port [user@]hostname
The ssh (Secure Shell) command provides secure encrypted communication between two untrusted hosts over an insecure network.
Common Options
| Option | Description |
|---|---|
| -p port | Connect to specified port |
| -i keyfile | Use specific private key file |
| -l username | Login as specified user |
| -v | Verbose mode (debug output) |
| -q | Quiet mode (suppress warnings) |
| -X | Enable X11 forwarding |
| -Y | Enable trusted X11 forwarding |
| -L port:host:hostport | Local port forwarding |
| -R port:host:hostport | Remote port forwarding |
| -D port | Dynamic port forwarding (SOCKS proxy) |
| -N | Don't execute remote command (port forwarding only) |
| -f | Run in background |
| -T | Disable pseudo-terminal allocation |
| -t | Force pseudo-terminal allocation |
Basic Usage
Basic connections
# Connect to remote host
ssh user@hostname
ssh [email protected]
# Connect with specific port
ssh -p 2222 user@hostname
# Connect and execute command
ssh user@hostname 'ls -la'
ssh user@hostname 'uptime && df -h'
# Connect with different username
ssh -l username hostname
Basic SSH connections to remote systems
Interactive sessions
Interactive SSH sessions and terminal allocation
SSH Key Authentication
Generating SSH keys
# Generate RSA key pair
ssh-keygen -t rsa -b 4096
# Generate with specific filename
ssh-keygen -t rsa -b 4096 -f ~/.ssh/mykey
# Generate with comment
ssh-keygen -t rsa -b 4096 -C "[email protected]"
# Generate Ed25519 key (recommended)
ssh-keygen -t ed25519 -C "[email protected]"
# Generate without passphrase (automated use)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/automation_key -N ""
Generate SSH key pairs for authentication
Copying public keys
# Copy public key to remote server
ssh-copy-id user@hostname
# Copy specific key
ssh-copy-id -i ~/.ssh/mykey.pub user@hostname
# Copy to specific port
ssh-copy-id -p 2222 user@hostname
# Manual copy (if ssh-copy-id not available)
cat ~/.ssh/id_rsa.pub | ssh user@hostname 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
# Set proper permissions
ssh user@hostname 'chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys'
Copy public keys to remote servers for passwordless authentication
Using SSH keys
# Connect using specific key
ssh -i ~/.ssh/mykey user@hostname
# Connect with key and specific port
ssh -i ~/.ssh/mykey -p 2222 user@hostname
# Add key to SSH agent
ssh-add ~/.ssh/mykey
# List loaded keys
ssh-add -l
# Remove all keys from agent
ssh-add -D
Use SSH keys for secure authentication
SSH Configuration
SSH config file (~/.ssh/config)
# ~/.ssh/config example
Host myserver
    HostName server.example.com
    User myuser
    Port 2222
    IdentityFile ~/.ssh/myserver_key

Host webserver
    HostName 192.168.1.100
    User admin
    IdentityFile ~/.ssh/web_key
    ForwardX11 yes

Host *.internal
    User admin
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User jumpuser
    IdentityFile ~/.ssh/jump_key
Configure SSH connections with config file
Using SSH config
# Connect using config alias
ssh myserver
ssh webserver
# Override config settings
ssh -p 22 myserver
ssh -i ~/.ssh/other_key myserver
# Test configuration
ssh -T myserver
# Show effective configuration
ssh -G myserver
Use SSH configuration for simplified connections
Advanced configuration options
# ~/.ssh/config advanced settings
Host production
    HostName prod.example.com
    User deploy
    IdentityFile ~/.ssh/prod_key
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_prod
    ConnectTimeout 10
    ServerAliveInterval 60
    ServerAliveCountMax 3
    Compression yes

Host dev-*
    User developer
    IdentityFile ~/.ssh/dev_key
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel QUIET
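Advanced SSH configuration options. The dev-* block turns off host key verification (StrictHostKeyChecking no with UserKnownHostsFile /dev/null), so connections to those hosts are not protected against man-in-the-middle interception; keep that pattern to disposable hosts.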
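To find blocks like dev-* in a larger config, the following added example (not part of the original page) reads an OpenSSH client config on stdin and reports every Host or Match block that disables host key verification. The function names and the `ci-runner` block are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list Host/Match blocks in an
# OpenSSH client config (stdin) that switch off host key verification.

audit_ssh_client_config() {
    awk '
    BEGIN { FS = "[ \t=]+"; block = "(global)" }   # "Key Value" and "Key=Value" are both valid
    { sub(/^[ \t]+/, "") }                          # strip indentation; awk re-splits the fields
    /^#/ || $0 == "" { next }                       # comments and blank lines
    { key = tolower($1); val = tolower($2) }        # keywords are case-insensitive
    key == "host" || key == "match" {               # remember which block we are in
        block = $0; sub(/^[^ \t=]+[ \t=]+/, "", block); next
    }
    key == "stricthostkeychecking" && (val == "no" || val == "off") {
        print block ": StrictHostKeyChecking " $2 " (new and changed host keys are accepted)"
    }
    key == "userknownhostsfile" && val == "/dev/null" {
        print block ": UserKnownHostsFile /dev/null (host keys are never remembered)"
    }'
}

# Sample input: the config shown above plus one constructed block
# ("ci-runner" is hypothetical).
sample_client_config() {
    cat <<'EOF'
Host production
    HostName prod.example.com
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_prod

Host dev-*
    User developer
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel QUIET

Host ci-runner
    stricthostkeychecking=off
EOF
}

sample_client_config | audit_ssh_client_config
```

Run it against a real file with `audit_ssh_client_config < ~/.ssh/config`; `ssh -G <alias>` prints the values ssh will actually apply to a single host.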
Port Forwarding
Local port forwarding
# Forward local port 8080 to remote port 80
ssh -L 8080:localhost:80 [email protected]
# Forward to different host through SSH server
ssh -L 3306:database.internal:3306 [email protected]
# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 [email protected]
# Background forwarding
ssh -f -N -L 8080:localhost:80 [email protected]
# Access forwarded service
# http://localhost:8080 -> server.com:80
Forward local ports to remote services
Remote port forwarding
# Forward remote port 8080 to local port 80
ssh -R 8080:localhost:80 [email protected]
# Allow remote connections to forwarded port
ssh -R 0.0.0.0:8080:localhost:80 [email protected]
# Forward to different local host
ssh -R 3306:database.local:3306 [email protected]
# Background remote forwarding
ssh -f -N -R 8080:localhost:80 [email protected]
Forward remote ports to local services
Dynamic port forwarding (SOCKS proxy)
# Create SOCKS proxy on port 1080
ssh -D 1080 [email protected]
# Background SOCKS proxy
ssh -f -N -D 1080 [email protected]
# Use with specific interface
ssh -D 127.0.0.1:1080 [email protected]
# Configure browser to use SOCKS proxy:
# Proxy: 127.0.0.1:1080, Type: SOCKS5
# Test SOCKS proxy
curl --socks5 127.0.0.1:1080 http://example.com
Create SOCKS proxy for dynamic port forwarding
X11 Forwarding
GUI application forwarding
Forward X11 GUI applications over SSH
X11 forwarding configuration
# ~/.ssh/config for X11
Host gui-server
    HostName server.example.com
    User myuser
    ForwardX11 yes
    ForwardX11Trusted yes

# Server-side configuration (/etc/ssh/sshd_config)
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
# Restart SSH service after config change
sudo systemctl restart sshd
Configure X11 forwarding for GUI applications
Jump Hosts and ProxyJump
Using jump hosts
# Connect through jump host
ssh -J jumphost user@targethost
# Multiple jump hosts
ssh -J jump1,jump2 user@targethost
# Jump host with different user
ssh -J jumpuser@jumphost user@targethost
# Jump host with specific port
ssh -J jumpuser@jumphost:2222 user@targethost
Connect to remote hosts through intermediate jump hosts
ProxyJump configuration
# ~/.ssh/config with ProxyJump
Host jumphost
    HostName jump.example.com
    User jumpuser
    IdentityFile ~/.ssh/jump_key

Host internal-server
    HostName 10.0.1.100
    User admin
    ProxyJump jumphost
    IdentityFile ~/.ssh/internal_key

Host *.internal
    ProxyJump jumphost
    User admin
Configure ProxyJump for automatic jump host usage
Legacy ProxyCommand
# ~/.ssh/config with ProxyCommand (older method)
Host internal-server
    HostName 10.0.1.100
    User admin
    ProxyCommand ssh -W %h:%p jumphost

# Using netcat for proxy
Host internal-server
    HostName 10.0.1.100
    ProxyCommand ssh jumphost nc %h %p
Legacy ProxyCommand configuration for jump hosts
Practical Examples
Remote administration
# System monitoring
ssh user@server 'top -n 1'
ssh user@server 'df -h && free -h'
# Log monitoring
ssh user@server 'tail -f /var/log/syslog'
# Service management
ssh -t user@server 'sudo systemctl status nginx'
ssh -t user@server 'sudo systemctl restart apache2'
# File operations
ssh user@server 'find /var/log -name "*.log" -mtime +7 -delete'
# Backup operations
ssh user@server 'tar -czf backup-$(date +%Y%m%d).tar.gz /home/user/'
Common remote administration tasks
Development workflows
# Deploy code
ssh user@server 'cd /var/www && git pull origin main'
# Database operations
ssh -L 3306:localhost:3306 user@dbserver
# Then connect locally: mysql -h 127.0.0.1 -P 3306
# Remote development
ssh -X user@devserver 'code /path/to/project'
# Tunnel web development server
ssh -L 8080:localhost:3000 user@devserver
# Access at http://localhost:8080
# Remote debugging
ssh -L 5005:localhost:5005 user@server 'java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 MyApp'
SSH for development and deployment workflows
Automation and scripting
#!/bin/bash
# Automated deployment script
SERVERS="web1 web2 web3"
for server in $SERVERS; do
    echo "Deploying to $server..."
    ssh "$server" 'cd /var/www && git pull && sudo systemctl reload nginx'
done
# Parallel execution
for server in $SERVERS; do
    ssh "$server" 'uptime' &
done
wait
# Health check script
ssh -o ConnectTimeout=5 user@server 'curl -f http://localhost/health' || echo "Server down"
Automate tasks with SSH in scripts
Security Best Practices
SSH Security Guidelines
- Use SSH keys instead of passwords for authentication
- Disable root login and password authentication on servers
- Use non-standard SSH ports to reduce automated attacks
- Implement fail2ban or similar intrusion prevention
- Regularly rotate SSH keys and remove unused ones
- Use strong passphrases for SSH private keys
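- Enable SSH agent forwarding only when needed and only to hosts you trust, since the remote host can use the forwarded agent for as long as the session lasts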
- Monitor SSH logs for suspicious activity
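As an illustration of the log monitoring item above, this added example (not part of the original page) counts sshd password failures per source address and flags a login that is accepted after repeated failures from the same address. The log lines are constructed, and the function names and the default threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): summarise sshd password failures
# per source address and flag a login accepted after repeated failures.

ssh_auth_report() {    # $1 = failure threshold (default 3); auth log on stdin
    awk -v limit="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password for / {
        # User names are client-supplied text, so take the address by position
        # from the end of the line: ... from ADDR port N ssh2
        if (NF > 4 && $(NF-4) == "from" && $(NF-2) == "port") fails[$(NF-3)]++
        next
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i+1); break }
        if ((ip in fails) && fails[ip] >= limit)
            print "ALERT accepted login from " ip " after " fails[ip] " failures"
        next
    }
    END {
        for (ip in fails) if (fails[ip] >= limit) print "NOISY " ip " failures=" fails[ip]
    }' | sort
}

# Constructed log lines; host name, users and addresses are placeholders.
sample_auth_log() {
    cat <<'EOF'
Jan 10 03:12:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52344 ssh2
Jan 10 03:12:03 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 52344 ssh2
Jan 10 03:12:06 bastion sshd[2213]: Failed password for deploy from 203.0.113.7 port 52350 ssh2
Jan 10 03:12:09 bastion sshd[2215]: Accepted password for deploy from 203.0.113.7 port 52361 ssh2
Jan 10 08:30:11 bastion sshd[3001]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Jan 10 08:30:19 bastion sshd[3001]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
}

sample_auth_log | ssh_auth_report 3
```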
Server hardening
# /etc/ssh/sshd_config security settings
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers user1 user2
DenyUsers baduser
# Restart SSH service
sudo systemctl restart sshd
Secure SSH server configuration
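To check a server against the settings above, this added example (not part of the original page) audits sshd_config text read from stdin. It assumes upstream OpenSSH defaults for absent keywords, keeps the first value of a repeated keyword as sshd does, and stops at the first Match block without following Include files; the function names and sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit sshd_config text (stdin)
# against the hardening values listed above. Exit status 1 means findings.

audit_sshd_config() {
    awk '
    BEGIN {
        FS = "[ \t=]+"; bad = 0
        n = split("permitrootlogin passwordauthentication permitemptypasswords pubkeyauthentication", name, " ")
        split("no no no yes", want, " ")                  # values from the hardening block
        split("prohibit-password yes no yes", have, " ")  # upstream defaults if keyword is absent
        for (i = 1; i <= n; i++) idx[name[i]] = i
        tries = 6                                         # upstream MaxAuthTries default
    }
    { sub(/^[ \t]+/, "") }                    # strip indentation; awk re-splits the fields
    /^#/ || $0 == "" { next }
    { key = tolower($1) }
    key == "match" { exit }                   # global section ends here (END still runs)
    seen[key]++ { next }                      # sshd keeps the first value for each keyword
    (key in idx) { have[idx[key]] = tolower($2) }
    key == "maxauthtries" { tries = $2 + 0 }
    END {
        for (i = 1; i <= n; i++)
            if (have[i] != want[i]) { print "FAIL " name[i] "=" have[i] " (want " want[i] ")"; bad = 1 }
        if (tries > 3) { print "FAIL maxauthtries=" tries " (want <= 3)"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: a hardening line appended after an earlier, weaker one.
sample_weak_sshd_config() {
    cat <<'EOF'
# constructed sample, not taken from a real host
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 6
PasswordAuthentication no
EOF
}

sample_weak_sshd_config | audit_sshd_config || true
```

The appended `PasswordAuthentication no` in the sample has no effect because the earlier line wins. On a live server, `sudo sshd -T` prints the effective settings and its output can be piped to the same function.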
Key management
# Set proper permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config
# Audit SSH keys
ssh-keygen -l -f ~/.ssh/id_rsa.pub
# Remove a host's old keys from known_hosts
ssh-keygen -R hostname
# Use SSH agent