
@alphaolomi
Created February 6, 2024 12:22

Basic SSH Commands

The following are fundamental SSH commands. Commit as many to memory as you can.

| COMMAND | DESCRIPTION |
| --- | --- |
| `ssh` | Connect to a remote server |
| `ssh pi@raspberry` | Connect to the device raspberry on the default SSH port 22 as user pi |
| `ssh pi@raspberry -p 3344` | Connect to the device raspberry on a specific port 3344 as user pi |
| `ssh -i /path/file.pem admin@192.168.1.1` | Connect to 192.168.1.1 via the key file /path/file.pem as user admin |
| `ssh root@192.168.2.2 'ls -l'` | Execute remote command ls -l on 192.168.2.2 as user root |
| `ssh user@192.168.3.3 bash < script.sh` | Run the local script script.sh (in the current working directory) on 192.168.3.3 as user user by feeding it to a remote bash over the SSH session |
| `ssh friend@Best.local "tar cvzf - ~/ffmpeg" > output.tgz` | Compress the ~/ffmpeg directory and download it from a server Best.local as user friend |
| `ssh-keygen` | Generate SSH keys (follow the prompts) |
| `ssh-keygen -F [ip/hostname]` | Search for some IP address or hostname from ~/.ssh/known_hosts (logged-in host) |
| `ssh-keygen -R [ip/hostname]` | Remove some IP address or hostname from ~/.ssh/known_hosts (logged-in host) |
| `ssh-keygen -f ~/.ssh/filename` | Specify the file name of the key file |
| `ssh-keygen -y -f private.key > public.pub` | Generate public key from private key |
| `ssh-keygen -c -f ~/.ssh/id_rsa` | Change the comment of the key file ~/.ssh/id_rsa |
| `ssh-keygen -p -f ~/.ssh/id_rsa` | Change passphrase of private key ~/.ssh/id_rsa |
| `ssh-keygen -t rsa -b 4096 -C "my@email.com"` | Generate an RSA 4096-bit key with "my@email.com" as a comment. `-t`: type of key (rsa, ed25519, dsa, ecdsa); `-b`: the number of bits in the key; `-C`: provides a new comment |
| `scp` | Copy files securely between servers |
| `scp user@server:/folder/file.ext dest/` | Copy from remote to local destination dest/ |
| `scp dest/file.ext user@server:/folder` | Copy from local to remote |
| `scp user1@server1:/file.ext user2@server2:/folder` | Copy between two different servers |
| `scp user@server:/folder/* .` | Copy from a server folder to the current folder on the local machine |
| `scp -r` | Recursively copy entire directories |
| `scp -r user@server:/folder dest/` | Copy the entire folder to the local destination dest/ |
| `scp user@server:/folder/* dest/` | Copy all files from a folder to the local destination dest/ |
| `scp -C` | Option to compress data |
| `scp -v` | Option to print verbose info |
| `scp -p` | Option to preserve the last modification timestamps of the transferred files |
| `scp -P 8080` | Option to connect to remote host port 8080 |
| `scp -B` | Option for batch mode, which prevents scp from asking for passwords or passphrases |
| `sftp` | Securely transfer files between servers |
| `sftp -p` | Option to preserve the last modification timestamps of the transferred files |
| `sftp -P 8080` | Option to connect to remote host port 8080 |
| `sftp -r` | Recursively copy entire directories when uploading and downloading. SFTP doesn't follow symbolic links encountered in the tree traversal. |

SSH Configurations and Options

Have you ever wondered how SSH remembers your login credentials for various machines? This section is a brief reference on how it does so.

| COMMAND | DESCRIPTION |
| --- | --- |
| `man ssh_config` | Open the manual page for the OpenSSH client configuration files. This manual lists all the OpenSSH parameters you can change. |
| `cat /etc/ssh/ssh_config \| less` | View your OpenSSH client system-wide configuration file |
| `cat /etc/ssh/sshd_config \| less` | View your OpenSSH server system-wide configuration file; the "d" stands for the server "daemon" |
| `cat ~/.ssh/config \| less` | View your SSH client user-specific configuration file |
| `cat ~/.ssh/id_{type} \| less` | View your SSH client private key; type is any of rsa, ed25519, dsa, ecdsa. |
| `cat ~/.ssh/id_{type}.pub \| less` | View your SSH client public key; type is any of rsa, ed25519, dsa, ecdsa. |
| `cat ~/.ssh/known_hosts \| less` | View your SSH client logged-in hosts |
| `cat ~/.ssh/authorized_keys \| less` | View the keys authorized to log in to your account |
| `ssh-agent` | Hold private SSH keys used for public key authentication (RSA, DSA, ECDSA, Ed25519) |
| `ssh-agent -E fingerprint_hash` | Specify the hash algorithm used when displaying key fingerprints. Valid fingerprint_hash options are sha256 (default) and md5. |
| `ssh-agent -t lifetime` | Set up a maximum lifetime for identities/private keys, which can be overridden by the same setting in ssh-add. Examples of lifetime: `600` = 600 seconds (10 minutes); `23m` = 23 minutes; `1h45m` = 1 hour 45 minutes |
| `ssh-add` | Add SSH keys to the ssh-agent |
| `ssh-add -l` | List your private keys cached by ssh-agent |
| `ssh-add -t lifetime` | Set up a maximum lifetime for identities/private keys. Examples of lifetime: `600` = 600 seconds (10 minutes); `23m` = 23 minutes; `1h45m` = 1 hour 45 minutes |
| `ssh-add -L` | List the public key parameters of all saved identities |
| `ssh-add -D` | Delete all cached private keys |
| `ssh-copy-id` | Copy, install, and configure SSH keys on a remote server |
| `ssh-copy-id user@server` | Copy SSH keys to a server as a user |
| `ssh-copy-id server1` | Copy to the host alias server1 with the default login |
| `ssh-copy-id -i ~/.ssh/id_rsa.pub user@server` | Copy a specific key to a server as a user |

Remote Server Management

The operating systems of SSH servers are mostly Unix/Linux, so once you've logged in to a server via SSH, the following commands are largely the same as their counterparts in Unix/Linux.

| COMMAND | DESCRIPTION |
| --- | --- |
| `cd` | Change the current working directory |
| `kill` | Stop a running process |
| `ls` | List files and directories |
| `mkdir` | Create a new directory |
| `mv` | Move files or directories |
| `nano` | Edit a file in the terminal using Nano |
| `ps` | List running processes |
| `pwd` | Display the current working directory |
| `tail` | View the last few (10, by default) lines of a file |
| `top` | Monitor system resources and processes |
| `touch` | Create a new file or update the timestamp of an existing file |
| `vim` | Edit a file in the terminal using Vim |
| `exit` | Close the SSH session |

Advanced SSH Commands

This table lists some complex SSH utilities that can help with network administration tasks: SSH File System (SSHFS), data compression, and X11 forwarding.

To conduct X11 forwarding over SSH, do these three things:

  1. Set up your client (~/.ssh/config) to forward X11 by setting these parameters:

    Host *
        ForwardAgent yes
        ForwardX11 yes

  2. Set up your server (/etc/ssh/sshd_config) to allow X11 by setting these parameters:

    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost no

  3. Set up X11 authentication on your server by installing xauth.

| COMMAND | DESCRIPTION |
| --- | --- |
| `sshfs` | Mount a remote server's file system on a local directory. Remember to install this program onto your machine before use. Example installation commands: `sudo apt install sshfs` (Ubuntu/Debian); `sudo yum install fuse-sshfs` (CentOS) |
| `ssh -C hostname` | Compress SSH traffic to improve performance on slow connections. Alternatively, insert Compression yes into your SSH configuration files |
| `ssh -o "Compression yes" -v hostname` | An alternative method to compress SSH traffic to improve performance on slow connections. This is the same as inserting Compression yes into your SSH config files |
| `ssh -X user@server` | Enable X11 forwarding over SSH: forward graphical applications from a remote server as a user to a local machine. |
| `ssh -o ForwardX11=yes user@server` | Enable X11 forwarding over SSH: forward graphical applications from a remote server as a user to a local machine. |
| `ssh -x` | Disable X11 forwarding |
| `ssh -Y` | Enable trusted X11 forwarding. This option is riskier than ssh -X as it forwards the entire display of the SSH server to the client. |
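
The `Host *` block in step 1 applies to every server you connect to, so it is worth checking a client config for forwarding that is enabled more broadly than intended. The script below is an added example, not part of the original gist; the sample config, the host name `bastion.example` and the function name `audit_ssh_config` are constructed for illustration, and the two rules it applies are this example's own choices.

```sh
#!/bin/sh
# Added example: audit an OpenSSH client config for broad forwarding settings.
# SAMPLE_CONFIG is constructed; bastion.example is a placeholder host name.
SAMPLE_CONFIG='Host *
    ForwardAgent yes
    ForwardX11 yes

Host bastion.example
    ForwardX11 yes
    ForwardX11Trusted=yes
'

# audit_ssh_config: reads ssh_config text on stdin, prints one finding per line.
# Rules (choices made for this example):
#   - ForwardAgent/ForwardX11 "yes" in a scope that matches every host
#     (before any Host line, or under a Host line containing "*")
#   - ForwardX11Trusted "yes" in any scope (config equivalent of ssh -Y)
# Match blocks are not interpreted.
audit_ssh_config() {
    awk '
    BEGIN { scope = "(global)"; wide = 1 }
    /^[ \t]*(#.*)?$/ { next }                 # skip blank lines and comments
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)       # accept "Key=value" as well
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1]); val = tolower(f[2])
        if (key == "host") {                  # a new scope starts here
            scope = line; wide = 0
            for (i = 2; i <= n; i++) if (f[i] == "*") wide = 1
            next
        }
        if (val != "yes") next
        if (key == "forwardx11trusted")
            print scope ": " f[1] " yes (trusted X11, as with ssh -Y)"
        else if (wide && (key == "forwardagent" || key == "forwardx11"))
            print scope ": " f[1] " yes (applies to every host)"
    }'
}

printf '%s' "$SAMPLE_CONFIG" | audit_ssh_config
```

To check a real file, run `audit_ssh_config < ~/.ssh/config`; moving a reported option under the specific `Host` entries that need it clears the finding.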

Tunneling

These SSH command line options create secure tunnels.

| OPTIONS | DESCRIPTION | SYNTAX / EXAMPLE |
| --- | --- | --- |
| `-L` | Local port forwarding: forward a port on the local machine (SSH client) to a port on the remote machine (ssh_server as user), the traffic of which goes to a port on the destination machine. The parameters local_port and remote_port can match. | `ssh user@ssh_server -L local_port:destination:remote_port`; example: `ssh root@192.168.0.1 -L 2222:10.0.1.5:3333` |
| `-J` | ProxyJump; ensure that traffic passing through the intermediate/bastion hosts is always encrypted end-to-end. ProxyJump is how you use bastion hosts to connect to a remote host with a single command. | `ssh -J proxy_host1 remote_host2`; `ssh -J user@proxy_host1 user@remote_host2`; multiple bastion hosts/jumps: `ssh -J user@proxy_host1:port1,user@proxy_host2:port2 user@remote_host3` |
| `-R` | Remote port forwarding: forward a port remote_port on the remote machine (ssh_server as user) to a port on the local machine (SSH client), the traffic of which goes to a port destination_port on the destination machine. An empty remote means the remote SSH server will bind on all interfaces. Additional SSH options in the example: `-N`: don't execute remote commands, useful for dedicated port forwarding; `-f`: run SSH in the background. | `ssh -R [remote:]remote_port:destination:destination_port [user@]ssh_server`; example: `ssh -R 8080:192.168.3.8:3030 -N -f user@remote.host` |
| `-D` | Set up a SOCKS proxy to tunnel traffic from a remote_host on which you're the user to a local_port_number. Additional SSH options in the example: `-q`: quiet mode, don't output anything locally; `-C`: compress data in the tunnel, save bandwidth; `-N`: don't execute remote commands, useful for dedicated port forwarding; `-f`: run SSH in the background. | `ssh -D local_port_number user@remote_host`; example: `ssh -D 6677 -q -C -N -f me@192.168.5.5` |
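
Each forward in the table opens a listening socket on one of the two machines, and the optional bind address decides who can reach it. The helper below is an added example, not part of the original gist: the function name `forward_listener` is made up here, it goes slightly beyond the table by also accepting `*` and an explicit address as the bind part, and it assumes `GatewayPorts` is left at its default on the client.

```sh
#!/bin/sh
# Added example: report where an ssh -L / -R / -D forward opens its listener.
# Handles [bind_address:]port:host:hostport (-L, -R) and [bind_address:]port
# (-D); IPv6 bracket syntax and the two-field "-R port" form are not handled.

# forward_listener FLAG SPEC -> prints "<side> <bind> <port>"
#   side: machine that opens the listening socket (client or server)
#   bind: loopback, all-interfaces, or the literal address given
forward_listener() {
    flag=$1 spec=$2
    case $flag in
        L|D) side=client ;;
        R)   side=server ;;
        *)   return 2 ;;
    esac
    listen=$spec
    if [ "$flag" != D ]; then
        # Drop the trailing ":host:hostport" target; what is left listens.
        rest=${spec%:*}
        listen=${rest%:*}
        if [ "$rest" = "$spec" ] || [ "$listen" = "$rest" ]; then return 1; fi
    fi
    case $listen in
        *:*:*) return 1 ;;
        *:*)   bind=${listen%%:*} port=${listen#*:} ;;
        *)     bind=default port=$listen ;;
    esac
    case $bind in
        default|localhost|127.0.0.1) bind=loopback ;;
        ''|'*'|0.0.0.0)              bind=all-interfaces ;;
    esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    echo "$side $bind $port"
}

# The page's three examples, plus one constructed -R with an empty bind address.
while read -r opt arg; do
    printf '%s %-26s -> %s\n' "-$opt" "$arg" "$(forward_listener "$opt" "$arg")"
done <<'EOF'
L 2222:10.0.1.5:3333
R 8080:192.168.3.8:3030
R :8080:192.168.3.8:3030
D 6677
EOF
```

For `-R`, a bind address other than loopback only takes effect when the server's `GatewayPorts` option is enabled, so an `all-interfaces` result there describes what the command requests rather than what the server necessarily grants.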