Skip to content

Instantly share code, notes, and snippets.

@alphaolomi

alphaolomi/ssh.md

Created February 6, 2024 12:22
Show Gist options
  • Save alphaolomi/5f6fdbb26c97b06358ef9c3c04ff4433 to your computer and use it in GitHub Desktop.
Save alphaolomi/5f6fdbb26c97b06358ef9c3c04ff4433 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ssh.md

Basic SSH Commands

The following are fundamental SSH commands. Commit as many to memory as you can.

COMMAND DESCRIPTION
ssh Connect to a remote server
ssh pi@raspberry Connect to the device raspberry on the default SSH port 22 as user pi
ssh pi@raspberry -p 3344 Connect to the device raspberry on a specific port 3344 as user pi
ssh -i /path/file.pem [email protected] Connect to [email protected] via the key file /path/file.pem as user admin
ssh [email protected] 'ls -l' Execute remote command ls -l on 192.168.2.2 as user root
$ ssh [email protected] bash < script.sh Invoke the script script.sh in the current working directory spawning the SSH session to 192.168.3.3 as user user
ssh [email protected] "tar cvzf - ~/ffmpeg" > output.tgz Compress the ~/ffmpeg directory and download it from a server Best.local as user friend
ssh-keygen Generate SSH keys (follow the prompts)
ssh-keygen -F [ip/hostname] Search for some IP address or hostname from ~/.ssh/known_hosts (logged-in host)
ssh-keygen -R [ip/hostname] Remove some IP address or hostname from ~/.ssh/known_hosts (logged-in host)
ssh-keygen -f ~/.ssh/filename Specify file name
ssh-keygen -y -f private.key > public.pub Generate public key from private key
ssh-keygen -c -f ~/.ssh/id_rsa Change the comment of the key file ~/.ssh/id_rsa
ssh-keygen -p -f ~/.ssh/id_rsa Change passphrase of private key ~/.ssh/id_rsa
ssh-keygen -t rsa -b 4096 -C "[email protected]" Generate an RSA 4096-bit key with "[email protected]" as a comment:
-t: Type of key (rsa, ed25519, dsa, ecdsa)
-b: The number of bits in the key
-C: Provides a new comment
scp Copy files securely between servers
scp user@server:/folder/file.ext dest/ Copy from remote to local destination dest/
scp dest/file.ext user@server:/folder Copy from local to remote
scp user1@server1:/file.ext user2@server2:/folder Copy between two different servers
scp user@server:/folder/* . Copies from a server folder to the current folder on the local machine
scp -r Recursively copy entire directories
scp -r user@server:/folder dest/ Copy the entire folder to the local destination dest/
scp user@server:/folder/* dest/ Copy all files from a folder to the local destination dest/
scp -C Option to compress data
scp -v Option to print verbose info
scp -p Option to preserve the last modification timestamps of the transferred files
scp -P 8080 Option to connect to remote host port 8080
scp -B Option for batch mode and prevent you from entering passwords or passphrases
sftp Securely transfer files between servers
sftp -p Option to preserve the last modification timestamps of the transferred files
sftp -P 8080 Option to connect to remote host port 8080
sftp -r Recursively copy entire directories when uploading and downloading. SFTP doesn't follow symbolic links encountered in the tree traversal.

SSH Configurations and Options

Have you ever wondered how SSH remembers your login credentials for various machines? This section is a brief reference on how to do so.

COMMAND DESCRIPTION
man ssh_config Open OpenSSH SSH client configuration files. This manual lists all the OpenSSH parameters you can change.
cat /etc/ssh/ssh_config | less View your OpenSSH client system-wide configuration file
cat /etc/ssh/sshd_config | less View your OpenSSH server system-wide configuration file; the "d" stands for the server "daemon"
cat ~/.ssh/config | less View your SSH client user-specific configuration file
cat ~/.ssh/id_{type} | less View your SSH client private key; type is any of rsa, ed25519, dsa, ecdsa.
cat ~/.ssh/id_{type}.pub | less View your SSH client public key; type is any of rsa, ed25519, dsa, ecdsa.
cat ~/.ssh/known_hosts | less View your SSH client logged-in hosts
cat ~/.ssh/authorized_keys | less View your SSH client authorized login keys
ssh-agent Hold private SSH keys used for public key authentication (RSA, DSA, ECDSA, Ed25519)
ssh-agent -E fingerprint_hash               Specify the hash algorithm used when displaying key fingerprints. Valid fingerprint_hash options are sha256 (default) and md5.
ssh-agent -t lifetime Set up a maximum lifetime for identities/private keys, overwritable by the same setting in ssh-add. Examples of lifetime:
600 = 600 seconds (10 minutes)
23m = 23 minutes
1h45 = 1 hour 45 minutes
ssh-add Add SSH keys to the ssh-agent
ssh-add -l List your private keys cached by ssh-agent
ssh-add -t lifetime Set up a maximum lifetime for identities/private keys.
Examples of lifetime:
600 = 600 seconds (10 minutes)
23m = 23 minutes
1h45 = 1 hour 45 minutes
ssh-add -L List the public key parameters of all saved identities
ssh-add -D Delete all cached private keys
ssh-copy-id Copy, install, and configure SSH keys on a remote server
ssh-copy-id user@server Copy SSH keys to a server as a user
ssh-copy-id server1 Copy to some alias server server1 with the default login
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server Copy a specific key to a server as a user

Remote Server Management

The operating systems of SSH servers are mostly Unix/Linux, so once you've logged in to a server via SSH, the following commands are largely the same as their counterparts in Unix/Linux.

COMMAND DESCRIPTION
cd Change the current working directory
kill Stop a running process
ls List files and directories
mkdir Create a new directory
mv Move files or directories
nano Edit a file in the terminal using Nano
ps List running processes
pwd Display the current working directory
tail View the last few (10, by default) lines of a file
top Monitor system resources and processes
touch Create a new file or update the timestamp of an existing file
vim Edit a file in the terminal using Vim
exit Close the SSH session

Advanced SSH Commands

This table lists some complex SSH utilities that can help with network administration tasks: SSH File System (SSHFS), data compression, and X11 forwarding.

To conduct X11 forwarding over SSH, do these three things:

  1. Set up your client (~/.ssh/config) to forward X11 by setting these parameters:

    Host *`\
ForwardAgent yes\
ForwardX11 yes

  2. Set up your server (/etc/ssh/sshd_config) to allow X11 by setting these parameters:\

    X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no

  3. Set up X11 authentication on your server by installing xauth.

    COMMAND DESCRIPTION
    sshfs Mount a remote server's file system on a local directory. Remember to install this program onto your machine before use. Example installation commands:
    - sudo apt install sshfs # Ubuntu/Debian
    - sudo yum install fuse-sshfs # CentOS
    ssh -C hostname Compress SSH traffic to improve performance on slow connections. Alternatively, insert Compression yes into your SSH configuration files
    ssh -o "Compression yes" -v hostname An alternative method to compress SSH traffic to improve performance on slow connections. This is the same as inserting Compression yes into your SSH config files
    ssh -X user@server Enable X11 forwarding over SSH: forward graphical applications from a remote server as a user to a local machine.
    ssh -o ForwardX11=yes user@server Enable X11 forwarding over SSH: forward graphical applications from a remote server as a user to a local machine.
    ssh -x Disable X11 forwarding
    ssh -Y Enable trusted X11 forwarding. This option is riskier than ssh -X as it forwards the entire display of the SSH server to the client.

Tunneling

These SSH command line options create secure tunnels.

OPTIONS DESCRIPTION SYNTAX / EXAMPLE
-L Local port forwarding: forward a port on the local machine (SSH client) to a port on the remote machine (ssh_server as user), the traffic of which goes to a port on the destination machine.
The parameters local_port and remote_port can match.		 ssh user@ssh_server -L local_port:destination:remote_port
# Example ssh [email protected] -L 2222:10.0.1.5:3333
-J ProxyJump; ensure that traffic passing through the intermediate/bastion hosts is always encrypted end-to-end. ProxyJump is how you use bastion hosts to connect to a remote host with a single command. ssh -J proxy_host1 remote_host2
ssh -J user@proxy_host1 user@remote_host2
Multiple bastion hosts/jumps
ssh -J user@proxy_host1:port1,user@proxy_host2:port2 user@remote_host3
-R Remote port forwarding: forward a port remote_port on the remote machine (ssh_server as user) to a port on the local machine (SSH client), the traffic of which goes to a port destination_port on the destination machine. An empty remote means the remote SSH server will bind on all interfaces.
Additional SSH options in the example:
-N: don't execute remote commands; useful for dedicated port forwarding
-f: run SSH in the background.		 ssh -R [remote:]remote_port:destination:destination_port [user@]ssh_server

Example ssh -R 8080:192.168.3.8:3030 -N -f [email protected]
-D Set up a SOCKS Proxy to tunnel traffic from a remote_host on which you're the user to a local_port_number.
Additional SSH options in the example:
-q: quiet mode; don't output anything locally
-C: compress data in the tunnel, save bandwidth
-N: don't execute remote commands; useful for dedicated port forwarding
-f: run SSH in the background.		 ssh -D local_port_number user@remote_host
# Example ssh -D 6677 -q -C -N -f [email protected]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment