Virtually all Unix and Linux systems include the ssh command. This command is used to start the SSH client program that allows secure connection to the SSH server on a remote machine. The ssh command is used to log in to the remote machine, transfer files between the two machines, and execute commands on the remote machine.
SSH command on Linux
The ssh command provides a secure encrypted connection between two hosts over an insecure network. This connection can also be used for terminal access, file transfer and to tunnel other applications. X11 graphics applications can also be run securely via SSH from a remote location.
There are other SSH commands besides the client ssh. Each has its own page.
configures an authorized public key on a server
single sign-on ssh-add
add a key
sftp – file transfer client with command interface similar to FTP
a key pair for public key authentication ssh-copy-id:
ssh-agent: agent that will keep the private key for
– tool to
to the scp agent – file transfer client with command interface similar to RCP
OpenSSH Server Using the Linux client Linux typically uses the OpenSSH
client. The ssh command to log in to a remote machine is very simple. To log on to a remote computer named sample.ssh.com, type the following command at a shell prompt: ssh sample.ssh.com If this is your first time using ssh to connect to this remote computer, you will see a message such as: Unable to set host authenticity ‘sample.ssh.com
The fingerprint of the DSA key is 04:48:30:31:b0:f3:5a:9b:01:9d:b3:a7:38:e2:b1:0c. Are you sure you want to continue connecting (yes/no)?
Type yes to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts) as seen in the following message
: Warning: ‘sample.ssh.com’ (DSA) was permanently added to the list of known hosts. Each server has a host key, and the
previous question relates to verifying and storing the host key, so that the next time you connect to the server, you can verify that
it is really the same server.
After the connection to the server is established, the user is authenticated. Typically, it prompts for a password. For some servers, you may need to enter a one-time password generated by a special hardware token.
Once authentication has been accepted, it will be at the shell prompt for the remote machine.
a different user name
It is also possible to use a different user name on the remote computer by entering
the command as: ssh firstname.lastname@example.org
The above can also be expressed with the syntax:
ssh -l alternative-username sample.ssh.com Running
remote commands on the server
The ssh command is also often used to execute commands remotely on the remote machine without logging into a shell prompt. The syntax for this is
: ssh hostname command
, to run the command: ls /tmp/doc on the host sample.ssh.com,
type the following command at a
shell prompt: ssh sample.ssh.com ls /tmp/doc
After authenticating to the remote server, the contents of the remote directory are displayed and returned to the local shell prompt. -x Disables X11 forwarding.
SSH client configuration file The ssh
command reads its configuration from the ~/.ssh/config SSH client configuration file. For more information, see the SSH client configuration file page.
public key authentication
To configure passwordless public key authentication, you may want to create an SSH key and configure a authorized_keys file. See the pages on ssh-keygen and ssh-copy-id for more information.
Command-line options can be used to configure port forwarding. Local tracing means that a local port (on the client computer) is tunneled to an IP address and a port from the server. Remote forwarding means that a remote port (on the server computer) is forwarded to a particular IP address and port from the client computer. See the page on configuring port forwarding on how to configure ports.
OpenSSH also supports forwarding Unix domain sockets and IP packets from a tunnel device to establish a VPN (Virtual Private Network).
options Some of the most important command-line options for the OpenSSH client are:
-1 Use only version 1 of the protocol. -2 Use
only version 2 of the protocol
. -4 Use only IPv4 addresses. –
6 Use only IPv6 addresses
. -A Enable authentication agent connection forwarding.
-a Disable authentication agent connection forwarding
C Use data compression –
c cipher_spec Selects the encryption specification to encrypt the session
-D [bind_address:]port Dynamic port forwarding at the application level. This assigns a socket to listen to the port on the local side. When a connection is made to this port, the connection is forwarded over the secure channel, and then the application protocol is used to determine where to connect from the remote machine.
-E log_file Append debug logs to log_file instead of standard error.
-F configfile Specifies one configuration file per user. The default value for the per-user configuration file is ~/.ssh/config.
-g Allows remote hosts to connect to local forwarded ports.
-i identity_file A file from which the identity key (private key) is read for public key authentication.
-J [user@]host[:p ort] Connect to the destination host by first making an ssh connection to the pjump[(/iam/jump-host) host and then establishing TCP forwarding to the final destination from there. –
l login_name Specifies the user to log on to the remote computer
-p Port to connect to on the remote host
q Silent mode.
-V Display the version number.
-v Detailed mode.
-X Enables X11 forwarding.
A bit of
history SSH replaced several older commands and protocols in Unix and Linux in the 1990s. They include telnet, rlogin and rsh.
SSH runs on TCP/IP port 22. This is right between ftp and telnet, which are 20 years older. Read the story of how SSH obtained port 22.
The following video summarizes how and why SSH was originally developed.
History of SSH with Tatu Ylonen