(Last Updated On: March 22, 2018)

Hey all, welcome to the SSH cheatsheet for Linux SysAdmins. It contains the ssh commands you need for daily administration of Linux infrastructure. SSH, also referred to as Secure Shell, is a cryptographic network protocol for operating network services securely over an unsecured network.

To start using the different ssh command-line options, follow along with this guide and feel free to test all these commands. You can practice in virtual environments like VirtualBox or VMware Workstation instead of running everything in the production environment.

SSH via pem file (private key)

$ ssh -i /path/to/file.pem [email protected]

The path to the private key file follows the -i flag.

Connect to a non-standard ssh port:

$ ssh -p 2222 [email protected]

Here, we’re connecting to an ssh server running on port 2222. The port has to be allowed on the firewall.

Connect and forward the authentication agent

$ ssh -A [email protected]

-A is used to enable forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.

Connect and execute a command on a remote server:

At times you want to run a command in a bash shell on a remote server. This is achieved by passing the command and its options after the server part.

$ ssh -t [email protected] 'the-remote-command'

-t is used to force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services.

As an example, let’s connect to a server and do a ping to, with a count of 3.

$ ssh outboundmx-01 'ping -c 3'
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=60 time=6.74 ms
64 bytes from icmp_seq=2 ttl=60 time=7.27 ms
64 bytes from icmp_seq=3 ttl=60 time=6.77 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 6.740/6.930/7.271/0.241 ms

The SSH session exits after executing the specified commands.

Tunnel an X session over SSH:

$ ssh -X [email protected]

The -X option in ssh is used to enable X11 forwarding. This can also be specified on a per-host basis in a configuration file. X11 forwarding can be disabled using the -x option.
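The per-host configuration file mentioned for both -A and -X above can look like the following. This is an added example, not part of the original cheatsheet; the host aliases, addresses, user name and key path are constructed placeholders, and `effective_opts` is a hypothetical helper that relies on `ssh -G` to print the settings ssh would apply.

```shell
# Added example: per-host equivalents of -i, -p, -A and -X in a client config.
# All host names, the user and the key path are constructed placeholders.
write_demo_config() {
    cat > "$1" <<'EOF'
# ssh keeps the first value it finds for each option, so specific hosts go first.
Host bastion
    HostName bastion.example.com
    User admin
    Port 2222
    IdentityFile ~/.ssh/file.pem
    # Forward the agent only toward a host you administer and trust.
    ForwardAgent yes

Host gui-box
    HostName gui.example.com
    ForwardX11 yes

# Defaults for every other host: no agent or X11 forwarding.
Host *
    ForwardAgent no
    ForwardX11 no
EOF
}

# Print the options ssh would actually apply to host $2 under config file $1.
effective_opts() {
    ssh -G -F "$1" "$2" | grep -E '^(hostname|port|forwardagent|forwardx11) '
}

# Usage:
#   write_demo_config /tmp/demo_ssh_config
#   effective_opts /tmp/demo_ssh_config bastion
```

Keeping the forwarding options off under `Host *` and on only for named hosts limits where a forwarded agent or X11 display is exposed.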

The example below redirects traffic through a tunnel between localhost (port 8080) and a remote host (remote.example.com:5000) via a proxy (personal.server.com):

$ ssh -f -L 8080:remote.example.com:5000 [email protected] -N

-N means do not execute a remote command. This is useful for just forwarding ports.

Launch a specific X application over SSH:

$ ssh -X -t [email protected] 'firefox'

This will launch the firefox application and display its UI on the local machine.

Create a SOCKS proxy tunnel

$ ssh -D 9999 [email protected]

This will create a SOCKS proxy on localhost, listening on the port given to -D (9999 in the command above). ssh allocates a socket to listen on that port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.

Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Note that only root can forward privileged ports.

SSH with data compression and encryption

To request compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and UNIX-domain connections), the -C option is used. This is desirable when working with modems and other slow connections. Do not use this on faster networks since it will just slow things down.

The compression algorithm is the same one used by gzip. -c is used to specify the cipher specification for encrypting the session. Multiple ciphers are given as a comma-separated list. Example:

$ ssh [email protected] -C -c blowfish -X

-X –> Use an X session
-C –> Do data compression
-c –> Use blowfish encryption for ssh session
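OpenSSH 7.6 and later no longer include blowfish, and ssh rejects a -c list containing a cipher name it does not know, so it helps to filter a cipher wish list against what the client reports with `ssh -Q cipher`. The helper below is an added example, not part of the original cheatsheet; `keep_supported` and the sample list are constructed for illustration.

```shell
# keep_supported WISHLIST
# Reads supported cipher names on stdin (one per line, the format printed by
# `ssh -Q cipher`) and prints the comma-separated subset of WISHLIST that is
# supported, in the original preference order. Fails if nothing is left.
keep_supported() {
    supported=$(cat)
    out=
    old_ifs=$IFS
    IFS=,
    for c in $1; do
        # -F fixed string, -x whole line: the name must match exactly.
        if printf '%s\n' "$supported" | grep -Fxq -- "$c"; then
            out=${out:+$out,}$c
        fi
    done
    IFS=$old_ifs
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample of `ssh -Q cipher` output from a client without blowfish.
SAMPLE_CIPHERS='aes128-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

# Usage against the real client (user@host is a placeholder):
#   ciphers=$(ssh -Q cipher | keep_supported "blowfish-cbc,aes256-ctr") &&
#       ssh -C -c "$ciphers" user@host
```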

SSH copy files

The example below shows how to compress files on a remote server and copy them to the local system by piping to tar. Compression and decompression are done using the tar command. This is useful if you don’t have scp or rsync, which act as ssh clients.

$ ssh  [email protected] "cd ~/mydir; \
tar zcf - file1.txt file2.txt" | tar zxf -

# confirm if copied

$ ls file1.txt file2.txt
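In the one-line pipeline above, a failure on the remote side is hidden behind the exit status of the local tar, and the files land in whatever directory you happen to be in. The function below is an added example, not part of the original cheatsheet, that saves the stream first, checks the remote exit status, inspects member names and extracts into a dedicated directory; `fetch_files`, `has_unsafe_member` and the `ssh user@host` runner are hypothetical names.

```shell
# RUNNER is whatever executes a command string on the remote side, e.g.
# "ssh user@host" (placeholder). File names are assumed to contain no spaces
# or shell metacharacters.

# Succeeds if any archive member name (one per line on stdin) is absolute or
# contains a ".." path component.
has_unsafe_member() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# fetch_files RUNNER DEST SRC_DIR FILE...
# Returns 0 on success, 2 if the remote side failed, 3 if the archive is refused.
fetch_files() {
    runner=$1; dest=$2; src=$3; shift 3
    tmp=$(mktemp) || return 1
    # "&&" instead of ";" so tar never runs in the wrong directory.
    # $runner is unquoted on purpose so "ssh user@host" splits into words.
    if ! $runner "cd $src && tar zcf - $*" > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    # The remote end chooses the member names, so check them before extracting.
    if tar tzf "$tmp" | has_unsafe_member; then
        rm -f "$tmp"; return 3
    fi
    rc=0
    { mkdir -p "$dest" && tar zxf "$tmp" -C "$dest"; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder host):
#   fetch_files "ssh user@host" ./from-remote '~/mydir' file1.txt file2.txt
```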

Force Public key Copy to a remote server

If you’re trying to copy an ssh key but keep getting a failure, you can force the copy using the command:

$ SSH_OPTS='-F /dev/null' ssh-copy-id  [email protected]

Save private key passphrase

With ssh, you can configure the authentication agent to save the passphrase so that you won’t have to re-enter it every time you use your SSH keys.

eval $(ssh-agent) # Start agent on demand
ssh-add # Add default key
ssh-add -l # List keys
ssh-add ~/.ssh/id_rsa # Add specific key
ssh-add -t 3600 ~/.ssh/id_rsa # Add with timeout
ssh-add -D # Drop keys

Mount folder/filesystem through SSH

Install SSHFS from https://github.com/libfuse/sshfs.

Installation and usage of SSHFS are covered in a different article:

Installing sshfs and using sshfs on Ubuntu / Fedora / Arch

This command will mount a remote directory on the local machine.

$ sshfs [email protected]:/path/to/folder /path/to/mount/point

Once done, you can unmount the directory using:

$ fusermount -u mountpoint

Read files using Emacs through SSH

Documentation is on Emacs mount Remote files

After installing Emacs, reading of the remote file is done using:

$ emacs /ssh:[email protected]:/path/to/file

Deleting an IP address/hostname from the ~/.ssh/known_hosts file

Sometimes you want to copy an ssh key to a remote server and you get a warning that the IP/hostname already exists in ~/.ssh/known_hosts. To remove the entry, use:

$ ssh-keygen -f ~/.ssh/known_hosts -R ip-or-hostname

Wrapping Up

Secure Shell (SSH) allows the exchange of data over a secure channel between two computers. This will act as an ultimate ssh cheatsheet for Linux SysAdmins. You can drop a comment for any commands you often use that are not covered here; I’ll be happy to update.