A quick reference of SSH commands and options for daily Linux and Unix system administration. Covers connections, key management, tunneling, file transfers, config shortcuts, and troubleshooting.
Basic SSH Connections
Connect to a remote server:
# Connect as current user
ssh server.example.com
# Connect as a specific user
ssh user@server.example.com
# Connect with a specific private key
ssh -i ~/.ssh/id_ed25519 user@server.example.com
# Connect to a non-standard port
ssh -p 2222 user@server.example.com
# Connect with verbose output (debugging)
ssh -v user@server.example.com
ssh -vv user@server.example.com # more verbose
ssh -vvv user@server.example.com # maximum verbosity
SSH Key Generation and Management
Generate SSH key pairs for passwordless authentication:
# Generate Ed25519 key (recommended, fastest, most secure)
ssh-keygen -t ed25519 -C "admin@server"
# Generate RSA 4096-bit key (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "admin@server"
# Generate key with custom filename
ssh-keygen -t ed25519 -f ~/.ssh/myserver_key
# Generate key without passphrase (automation use only)
ssh-keygen -t ed25519 -f ~/.ssh/deploy_key -N ""
Copy your public key to a remote server for passwordless login:
# Standard method
ssh-copy-id user@server.example.com
# Copy a specific key
ssh-copy-id -i ~/.ssh/myserver_key.pub user@server.example.com
# Copy to a non-standard port
ssh-copy-id -p 2222 user@server.example.com
To change or update an SSH key passphrase:
ssh-keygen -p -f ~/.ssh/id_ed25519
View the fingerprint of a key:
ssh-keygen -lf ~/.ssh/id_ed25519.pub
SSH Agent and Key Caching
The SSH agent caches decrypted private keys so you enter the passphrase once per session:
# Start the agent
eval $(ssh-agent)
# Add default key (~/.ssh/id_ed25519 or ~/.ssh/id_rsa)
ssh-add
# Add a specific key
ssh-add ~/.ssh/myserver_key
# Add key with a timeout (seconds) - auto-removed after expiry
ssh-add -t 3600 ~/.ssh/id_ed25519
# List loaded keys
ssh-add -l
# Remove all keys from agent
ssh-add -D
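Forward the agent to a remote server (allows hopping to other servers without copying keys). Anyone with root access on that server can use the forwarded agent while you are connected, so forward only to hosts you trust:
ssh -A user@server.example.com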
SSH Config File (~/.ssh/config)
The SSH config file saves connection settings so you don’t type them every time. Create or edit ~/.ssh/config:
# Simple host alias
Host webserver
HostName 192.168.1.50
User admin
Port 2222
IdentityFile ~/.ssh/webserver_key
# Bastion/jump host setup
Host bastion
HostName bastion.example.com
User jumpuser
Host internal-db
HostName 10.0.1.100
User dbadmin
ProxyJump bastion
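# Wildcard for all hosts in a domain
Host *.prod.example.com
User deploy
IdentityFile ~/.ssh/prod_key
# "no" turns off host key verification: ssh connects without prompting even if the key is unknown or has changed
StrictHostKeyChecking no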
# Keep connections alive (prevent timeouts)
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
# Multiplexing - reuse connections
Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist 600
After configuring, connect with just the alias:
ssh webserver
ssh internal-db
For a deeper dive, see our guide on managing SSH connections with the config file.
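When several Host blocks match the same server, ssh uses the first value it obtains for each option, so a stricter setting placed in a later `Host *` block does not override an earlier wildcard. The script below is an added example, not part of the original guide: it resolves that ordering for a constructed config modelled on the one above. The function name `effective_option` and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: resolve which value ssh would use for one option and host.

# Constructed sample modelled on the config above.
sample_ssh_config() {
cat <<'EOF'
# constructed sample
Host *.prod.example.com
    User deploy
    StrictHostKeyChecking no
Host *
    StrictHostKeyChecking yes
    ServerAliveInterval 60
EOF
}

# effective_option CONFIG HOST KEYWORD
# Prints the first value obtained for KEYWORD in blocks whose Host patterns
# match HOST (the name typed on the command line). Returns 1 if none is set.
# Assumes "Keyword value" lines; Match blocks and Include are not handled.
effective_option() {
    cfg=$1 host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1        # options before the first Host line apply to every host
    while read -r key rest; do
        case $key in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$key" = host ]; then
            active=0
            set -f   # split the pattern list without expanding it as filenames
            for pat in $rest; do
                case $pat in
                    '!'*) case $host in ${pat#\!}) active=0; break ;; esac ;;
                    *)    case $host in $pat) active=1 ;; esac ;;
                esac
            done
            set +f
        elif [ "$active" = 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$rest"
            return 0
        fi
    done < "$cfg"
    return 1
}

# Usage: sh effective.sh ~/.ssh/config web1.prod.example.com StrictHostKeyChecking
if [ $# -eq 3 ]; then effective_option "$@"; fi
```

On a machine with OpenSSH installed, `ssh -G <host>` prints the full effective client configuration, including defaults, and is the authoritative check.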
Remote Command Execution
Run a command on a remote server without opening an interactive shell:
# Run a single command
ssh admin@server 'uptime'
# Run multiple commands
ssh admin@server 'df -h && free -m'
# Run commands that need a TTY (e.g., sudo, top)
ssh -t admin@server 'sudo systemctl restart nginx'
# Run a local script on the remote server
ssh admin@server 'bash -s' < local_script.sh
Example - check disk usage on a remote host:
$ ssh admin@webserver 'df -h /'
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 50G 12G 36G 25% /
File Transfer - SCP and SFTP
Copy files between local and remote systems using SCP:
# Copy local file to remote server
scp file.txt admin@server:/tmp/
# Copy remote file to local machine
scp admin@server:/var/log/syslog ./syslog.txt
# Copy entire directory recursively
scp -r /local/dir admin@server:/remote/dir
# SCP with non-standard port (uppercase -P)
scp -P 2222 file.txt admin@server:/tmp/
# Copy with bandwidth limit (in Kbit/s)
scp -l 5000 largefile.tar.gz admin@server:/data/
For a complete reference, see using SCP on Linux to securely transfer files.
Use SFTP for interactive file transfer sessions:
# Start an SFTP session
sftp admin@server
# SFTP with non-standard port (uppercase -P)
sftp -P 2222 admin@server
# Common SFTP commands inside the session:
# put localfile.txt - Upload file
# get remotefile.txt - Download file
# ls - List remote files
# lls - List local files
# cd /remote/path - Change remote directory
# lcd /local/path - Change local directory
# mkdir dirname - Create remote directory
# rm filename - Delete remote file
# bye - Exit session
Copy files over SSH using tar (useful when scp/rsync is unavailable):
# Compress and copy remote files to local machine
ssh admin@server "tar czf - /var/log/nginx/" | tar xzf - -C /tmp/
# Push local directory to remote server
tar czf - /local/dir/ | ssh admin@server "tar xzf - -C /remote/path/"
SSH Port Forwarding and Tunnels
Local Port Forwarding (-L)
Forward a local port to a remote service. Access a remote service as if it were running locally:
# Forward local port 8080 to remote port 80
ssh -L 8080:localhost:80 admin@server
# Access a database behind a firewall
ssh -L 3306:db-server:3306 admin@bastion
# Run in background (-f) with no remote command (-N)
ssh -f -N -L 8080:internal-app:8080 admin@bastion
After running, open http://localhost:8080 in your browser to access the remote service.
Remote (Reverse) Port Forwarding (-R)
Expose a local service to the remote server:
# Make local port 3000 available as port 9000 on the remote server
ssh -R 9000:localhost:3000 admin@server
# Run in background
ssh -f -N -R 9000:localhost:3000 admin@server
SOCKS Proxy (-D)
Create a SOCKS5 proxy for tunneling all traffic through the SSH server:
# Create SOCKS proxy on local port 9999
ssh -D 9999 admin@server
# Run in background
ssh -f -N -D 9999 admin@server
Configure your browser to use localhost:9999 as a SOCKS5 proxy. All browser traffic routes through the SSH server. Both SOCKS4 and SOCKS5 protocols are supported.
For more tunnel patterns, see our guide on creating SSH tunnels on Linux.
Jump Hosts and ProxyJump
Access servers behind a bastion/jump host without intermediate shell sessions:
# Jump through a bastion to reach an internal server
ssh -J bastion.example.com admin@internal-server
# Multiple jumps (chain bastions)
ssh -J bastion1,bastion2 admin@internal-server
# With specific user and port on the jump host
ssh -J jumpuser@bastion:2222 admin@internal-server
This replaces the older ProxyCommand method and is cleaner. Set it permanently in ~/.ssh/config with the ProxyJump directive.
X11 Forwarding
Run graphical applications on a remote server and display them locally:
# Enable X11 forwarding
ssh -X admin@server
# Trusted X11 forwarding (fewer restrictions, use only with trusted servers)
ssh -Y admin@server
# Launch a specific application
ssh -X admin@server 'firefox'
ssh -X admin@server 'virt-manager'
The remote server must have X11Forwarding yes in /etc/ssh/sshd_config and xauth installed.
SSH Multiplexing
Reuse a single TCP connection for multiple SSH sessions to the same host. Speeds up repeated connections and reduces authentication overhead:
# Create the socket directory
mkdir -p ~/.ssh/sockets
Add to ~/.ssh/config:
Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist 600
Check and manage multiplexed connections:
# Check connection status
ssh -O check admin@server
# Terminate a shared connection
ssh -O exit admin@server
SSH Escape Sequences
Escape sequences are recognized only at the start of a line: press Enter, then type the tilde (~) followed by the command character:
~. - Disconnect (kill frozen session)
~^Z - Suspend SSH session (background it)
~# - List forwarded connections
~& - Background SSH when waiting for connections to close
~? - Show all escape sequences
~C - Open SSH command line (add port forwards on the fly)
~~ - Send a literal tilde
The ~. escape is especially useful for killing a frozen SSH session when the remote host becomes unresponsive and Ctrl+C does nothing.
Mount Remote Filesystem with SSHFS
Mount a remote directory over SSH as a local filesystem using SSHFS:
# Mount remote directory
sshfs admin@server:/var/www /mnt/remote-www
# Mount with specific port
sshfs -p 2222 admin@server:/data /mnt/remote-data
# Mount with specific SSH key
sshfs -o IdentityFile=~/.ssh/mykey admin@server:/data /mnt/remote-data
# Unmount
fusermount -u /mnt/remote-www
Known Hosts Management
Manage the ~/.ssh/known_hosts file, which stores the host keys of servers you have connected to:
# Remove a host entry (after server rebuild/IP change)
ssh-keygen -R server.example.com
ssh-keygen -R 192.168.1.50
# Scan and display a server's host keys
ssh-keyscan server.example.com
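# Add a host key to known_hosts without connecting
# (ssh-keyscan does not authenticate the server; compare the key's fingerprint against a trusted source before relying on it)
ssh-keyscan -H server.example.com >> ~/.ssh/known_hosts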
For more on managing host key checks, see how to disable SSH host key checking.
SSH Hardening Quick Reference
Key settings to change in /etc/ssh/sshd_config for production servers:
# Disable password authentication (use keys only)
PasswordAuthentication no
# Disable root login
PermitRootLogin no
# Restrict to specific users
AllowUsers admin deploy
# Change default port
Port 33000
# Disable empty passwords
PermitEmptyPasswords no
# Set login grace time
LoginGraceTime 30
# Limit authentication attempts
MaxAuthTries 3
# Disable X11 forwarding (if not needed)
X11Forwarding no
After editing, validate and restart:
sudo sshd -t && sudo systemctl restart sshd
To change the SSH port on RHEL/Rocky Linux with SELinux, you also need to relabel the port with semanage. For an extra security layer, set up SSH two-factor authentication.
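The script below is an added example, not part of the original guide: it audits an sshd_config-style file against the on/off and numeric values listed above (Port and AllowUsers are site-specific and are not checked). It follows sshd's rule that the first value read for a keyword wins, so a later "fix" lower in the file is reported as ineffective. The function names and the sample config are constructed for illustration; UNSET means the file relies on the built-in default for that keyword.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the values listed above.

# Constructed sample. The lowercase passwordauthentication line is ignored:
# sshd keeps the first value it reads for each keyword.
sample_sshd_config() {
cat <<'EOF'
# constructed sample, not taken from a real server
PasswordAuthentication yes
PermitRootLogin no
passwordauthentication no
MaxAuthTries 6
LoginGraceTime 30
X11Forwarding no
EOF
}

# audit_sshd_config FILE: print one finding per line, sorted.
# Assumes "Keyword value" separated by whitespace, and stops at the first
# Match block because settings below it apply only conditionally.
audit_sshd_config() {
    awk '
    BEGIN {
        want["passwordauthentication"] = "no"
        want["permitrootlogin"] = "no"
        want["permitemptypasswords"] = "no"
        want["x11forwarding"] = "no"
        limit["logingracetime"] = 30
        limit["maxauthtries"] = 3
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    { k = tolower($1) }                     # keywords are case-insensitive
    k == "match" { exit }                   # END still runs after exit
    !(k in seen) { seen[k] = tolower($2) }  # first occurrence wins
    END {
        for (k in want) {
            if (!(k in seen)) print "UNSET " k
            else if (seen[k] != want[k]) print "FAIL " k "=" seen[k]
        }
        for (k in limit) {
            if (!(k in seen)) print "UNSET " k
            else if (seen[k] !~ /^[0-9]+$/) print "CHECK " k "=" seen[k]
            else if (seen[k] + 0 > limit[k]) print "FAIL " k "=" seen[k]
        }
    }' "$1" | sort
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi
```

On a live server, `sudo sshd -T` prints the effective configuration after includes and defaults; saving that output to a file and passing it to the same function gives a more complete picture than the main config file alone.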
Troubleshooting SSH Connections
# Debug connection issues (verbose mode)
ssh -vvv admin@server
# Test SSH config syntax before restart
sudo sshd -t
# Check if sshd is listening
ss -tlnp | grep sshd
# Check SSH service status
systemctl status sshd
# View auth logs (RHEL/Rocky/Fedora)
sudo journalctl -u sshd -f
# View auth logs (Debian/Ubuntu)
sudo tail -f /var/log/auth.log
# Fix permissions (common cause of key auth failure)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config
Quick Reference Table
| Command | Description |
|---|---|
| ssh user@host | Connect to remote host |
| ssh -p 2222 user@host | Connect on custom port |
| ssh -i key user@host | Connect with specific key |
| ssh -J jump user@host | Connect via jump host |
| ssh -L 8080:host:80 user@gw | Local port forward |
| ssh -R 9000:localhost:3000 user@host | Reverse port forward |
| ssh -D 9999 user@host | SOCKS proxy |
| ssh -X user@host | X11 forwarding |
| ssh -A user@host | Agent forwarding |
| ssh user@host 'command' | Run remote command |
| ssh-keygen -t ed25519 | Generate Ed25519 key |
| ssh-copy-id user@host | Copy public key to server |
| ssh-add | Add key to agent |
| ssh-keyscan host | Fetch host public key |
| ssh-keygen -R host | Remove host from known_hosts |
| scp file user@host:/path | Copy file to remote |
| scp user@host:/path file | Copy file from remote |
| sftp user@host | Interactive file transfer |
| sshfs user@host:/dir /mnt | Mount remote directory |
Conclusion
This cheatsheet covers the SSH commands used most frequently in day-to-day Linux administration. For production servers, always use key-based authentication, disable password login, and keep your SSH server updated to the latest version for security patches.