Introduction
# SSH Essentials
Secure Shell (SSH) for remote access and secure file transfers.
## Basic Connection
### Connecting ```bash # Connect with username ssh user@hostname
# Connect to specific port ssh user@hostname -p 2222
# Connect with verbose output ssh -v user@hostname
# Connect with specific key ssh -i ~/.ssh/id_rsa user@hostname
# Connect and run command ssh user@hostname 'ls -la' ssh user@hostname 'uptime && df -h' ```
### Interactive use ```bash # Connect with forwarding agent ssh -A user@hostname
# Connect with X11 forwarding (GUI apps) ssh -X user@hostname ssh -Y user@hostname # Trusted X11
# Escape sequences (during session) # ~. - Disconnect # ~^Z - Suspend SSH # ~# - List forwarded connections # ~? - Help ```
## SSH Keys
### Generating keys ```bash # Generate RSA key ssh-keygen -t rsa -b 4096 -C "[email protected]"
# Generate ED25519 key (recommended) ssh-keygen -t ed25519 -C "[email protected]"
# Generate with custom filename ssh-keygen -t ed25519 -f ~/.ssh/id_myserver
# Generate without passphrase (automation) ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_deploy ```
### Managing keys ```bash # Copy public key to server ssh-copy-id user@hostname
# Copy specific key ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
# Manual key copy cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> ~/.ssh/authorized_keys'
# Check key fingerprint ssh-keygen -lf ~/.ssh/id_rsa.pub
# Change key passphrase ssh-keygen -p -f ~/.ssh/id_rsa ```
### SSH agent ```bash # Start ssh-agent eval $(ssh-agent)
# Add key to agent ssh-add ~/.ssh/id_rsa
# List keys in agent ssh-add -l
# Remove key from agent ssh-add -d ~/.ssh/id_rsa
# Remove all keys ssh-add -D
# Set key lifetime (seconds) ssh-add -t 3600 ~/.ssh/id_rsa ```
## Port Forwarding & Tunneling
### Local port forwarding ```bash # Forward local port to remote ssh -L 8080:localhost:80 user@hostname # Access via: http://localhost:8080
# Forward to different remote host ssh -L 8080:database.example.com:5432 user@jumphost # Access database through jumphost
# Multiple forwards ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname ```
### Remote port forwarding ```bash # Forward remote port to local ssh -R 8080:localhost:3000 user@hostname # Remote server can access localhost:3000 via its port 8080
# Make service accessible from remote ssh -R 9000:localhost:9000 user@publicserver ```
### Dynamic port forwarding (SOCKS proxy) ```bash # Create SOCKS proxy ssh -D 1080 user@hostname
# Use with browser or apps # Configure SOCKS5 proxy: localhost:1080
# With Firefox firefox --profile $(mktemp -d) \ --preferences "network.proxy.type=1;network.proxy.socks=localhost;network.proxy.socks_port=1080" ```
### Background tunnels ```bash # Run in background ssh -f -N -L 8080:localhost:80 user@hostname
# -f: Background # -N: No command execution # -L: Local forward
# Keep alive ssh -o ServerAliveInterval=60 -L 8080:localhost:80 user@hostname ```
## Configuration
### SSH config file (`~/.ssh/config`) ``` # Simple host alias Host myserver HostName 192.168.1.100 User admin Port 2222
# With key and options Host production HostName prod.example.com User deploy IdentityFile ~/.ssh/id_prod ForwardAgent yes # Jump host (bastion) Host internal HostName 10.0.0.5 User admin ProxyJump bastion
Host bastion HostName bastion.example.com User admin
# Wildcard configuration Host *.example.com User admin ForwardAgent yes # Keep connections alive Host * ServerAliveInterval 60 ServerAliveCountMax 3 ```
### Using config ```bash # Connect using alias ssh myserver
# Jump through bastion automatically ssh internal
# Override config options ssh -o "StrictHostKeyChecking=no" myserver ```
## File Transfers
### SCP (Secure Copy) ```bash # Copy file to remote scp file.txt user@hostname:/path/to/destination/
# Copy file from remote scp user@hostname:/path/to/file.txt ./local/
# Copy directory recursively scp -r /local/dir user@hostname:/remote/dir/
# Copy with specific port scp -P 2222 file.txt user@hostname:/path/
# Copy with compression scp -C large-file.zip user@hostname:/path/
# Preserve attributes (timestamps, permissions) scp -p file.txt user@hostname:/path/ ```
### SFTP (Secure FTP) ```bash # Connect to SFTP server sftp user@hostname
# Common SFTP commands: # pwd - Remote working directory # lpwd - Local working directory # ls - List remote files # lls - List local files # cd - Change remote directory # lcd - Change local directory # get file - Download file # put file - Upload file # mget *.txt - Download multiple files # mput *.jpg - Upload multiple files # mkdir dir - Create remote directory # rmdir dir - Remove remote directory # rm file - Delete remote file # exit/bye - Quit
# Batch mode sftp -b commands.txt user@hostname ```
### Rsync over SSH ```bash # Sync directory rsync -avz /local/dir/ user@hostname:/remote/dir/
# Sync with progress rsync -avz --progress /local/dir/ user@hostname:/remote/dir/
# Sync with delete (mirror) rsync -avz --delete /local/dir/ user@hostname:/remote/dir/
# Exclude patterns rsync -avz --exclude '*.log' --exclude 'node_modules/' \ /local/dir/ user@hostname:/remote/dir/
# Custom SSH port rsync -avz -e "ssh -p 2222" /local/dir/ user@hostname:/remote/dir/
# Dry run rsync -avz --dry-run /local/dir/ user@hostname:/remote/dir/ ```
## Security Best Practices
### Hardening SSH ```bash # Disable password authentication (edit /etc/ssh/sshd_config) PasswordAuthentication no PubkeyAuthentication yes
# Disable root login PermitRootLogin no
# Change default port Port 2222
# Use protocol 2 only Protocol 2
# Limit users AllowUsers user1 user2
# Restart SSH service sudo systemctl restart sshd ```
### Connection security ```bash # Check host key ssh-keygen -F hostname
# Remove old host key ssh-keygen -R hostname
# Strict host key checking ssh -o StrictHostKeyChecking=yes user@hostname
# Use specific cipher ssh -c aes256-ctr user@hostname ```
## Troubleshooting
### Debugging ```bash # Verbose output ssh -v user@hostname ssh -vv user@hostname # More verbose ssh -vvv user@hostname # Maximum verbosity
# Test connection ssh -T user@hostname
# Check permissions ls -la ~/.ssh/ # Should be: 700 for ~/.ssh, 600 for keys, 644 for .pub files ```
### Common issues ```bash # Fix permissions chmod 700 ~/.ssh chmod 600 ~/.ssh/id_rsa chmod 644 ~/.ssh/id_rsa.pub chmod 644 ~/.ssh/authorized_keys
# Clear known_hosts entry ssh-keygen -R hostname
# Disable host key checking (not recommended) ssh -o StrictHostKeyChecking=no user@hostname ```
## Advanced Operations
### Jump hosts (ProxyJump) ```bash # Connect through bastion ssh -J bastion.example.com [email protected]
# Multiple jumps ssh -J bastion1,bastion2 user@final-destination
# Using config (see Configuration section above) ssh internal # Automatically uses ProxyJump ```
### Multiplexing ```bash # Master connection ssh -M -S ~/.ssh/control-%r@%h:%p user@hostname
# Reuse connection ssh -S ~/.ssh/control-user@hostname:22 user@hostname
# In config: # ControlMaster auto # ControlPath ~/.ssh/control-%r@%h:%p # ControlPersist 10m ```
### Execute commands ```bash # Single command ssh user@hostname 'uptime'
# Multiple commands ssh user@hostname 'cd /var/log && tail -n 20 syslog'
# Pipe commands cat local-script.sh | ssh user@hostname 'bash -s'
# With sudo ssh -t user@hostname 'sudo command' ```
## Tips
- Use SSH keys instead of passwords - Use `~/.ssh/config` for frequently accessed hosts - Enable SSH agent forwarding carefully (security risk) - Use ProxyJump for accessing internal networks - Keep SSH client and server updated - Use fail2ban or similar to prevent brute force - Monitor `/var/log/auth.log` for suspicious activity - Use port knocking or VPN for additional security - Backup your SSH keys securely - Use different keys for different purposes
## Documentation
Official docs: https://www.openssh.com/manual.html Man pages: `man ssh`, `man ssh_config`, `man sshd_config`