LinuxCommandLibrary

ssh

Securely access remote computers

TLDR

Connect to a remote server
$ ssh [username]@[remote_host]

Connect to a remote server with a specific identity (private key)
$ ssh -i [path/to/key_file] [username]@[remote_host]

Connect to a remote server with IP 10.0.0.1 and using a specific [p]ort (Note: 10.0.0.1 can be shortened to 10.1)
$ ssh [username]@10.0.0.1 -p [2222]

Run a command on a remote server with a [t]ty allocation allowing interaction with the remote command
$ ssh [username]@[remote_host] -t [command] [command_arguments]

SSH tunneling: [D]ynamic port forwarding (SOCKS proxy on localhost:1080)
$ ssh -D [1080] [username]@[remote_host]

SSH tunneling: Forward a specific port (localhost:9999 to example.org:80) along with disabling pseudo-[T]ty allocation and executio[N] of remote commands
$ ssh -L [9999]:[example.org]:[80] -N -T [username]@[remote_host]

SSH [J]umping: Connect through a jumphost to a remote server (Multiple jump hops may be specified separated by comma characters)
$ ssh -J [username]@[jump_host] [username]@[remote_host]

Close a hung session (escape sequence typed at the start of a line)
$ <Enter><~><.>

SYNOPSIS

ssh [options] [user@]hostname [command]

Common invocation examples:
ssh user@hostname
ssh -p 2222 -i ~/.ssh/mykey user@hostname
ssh -L 8080:localhost:80 user@hostname
ssh -X user@hostname firefox
ssh -Nf user@hostname

PARAMETERS

-p port
    Specifies the port number to connect to on the remote host. The default is 22.

-i identity_file
    Selects a file from which the identity (private key) for public key authentication is read.

-l login_name
    Specifies the user to log in as on the remote machine. If not specified, the local username is used.

-v
    Verbose mode. Causes ssh to print debugging messages about its progress.

-X
    Enables X11 forwarding. Allows X applications to display on the local system.

-Y
    Enables trusted X11 forwarding. Similar to -X, but the forwarded connection is not subjected to the X11 SECURITY extension controls, so remote X clients get full access to the local display.

-L local_port:host:remote_port
    Local port forwarding. Specifies that the given local port on the client host is to be forwarded to the given host and port on the remote server side.

-R remote_port:host:local_port
    Remote port forwarding. Specifies that the given remote port on the server host is to be forwarded to the given host and port on the local client side.

-D [bind_address:]port
    Dynamic port forwarding. Specifies a local 'dynamic' application-level port forwarding, creating a SOCKS proxy.

-N
    Do not execute a remote command. Useful for just forwarding ports.

-f
    Requests ssh to go to background just before command execution. Useful when ssh is asked to forward ports.

-o option
    Can be used to give options in the format used in the configuration file, overriding default settings.

-A
    Enables authentication agent forwarding. Allows the use of a local ssh-agent for authentication to other remote hosts (anyone able to access the agent socket on the remote host, such as its root user, can use the forwarded agent for as long as the session lasts).

-C
    Requests compression of all data (including stdin, stdout, stderr data and X11 and TCP forwarding data).

DESCRIPTION

The ssh (Secure Shell) command provides a secure and encrypted channel for remote network services. It is primarily used for logging into a remote computer, executing commands, and securely transferring files (often via related commands like scp or sftp). Unlike older protocols such as telnet or rlogin, ssh encrypts all traffic, including passwords, preventing eavesdropping, connection hijacking, and other attacks.

It supports various authentication methods, including password-based and the more secure public-key authentication, making it an essential tool for system administrators and developers alike for managing remote servers and networks. ssh can also be used for tunneling arbitrary network ports, allowing secure connections for other services.

CAVEATS

Host Key Verification: When connecting to a new host, ssh will ask to verify the host's public key fingerprint. It is crucial to verify this fingerprint (e.g., by out-of-band communication) to prevent man-in-the-middle attacks. Once accepted, the key is stored in ~/.ssh/known_hosts.
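As an added illustration of what that fingerprint is (this is not code from the page or from OpenSSH), the following Python computes the SHA256 fingerprint that ssh prints from a known_hosts or authorized_keys line, so a stored entry can be compared against a value obtained out-of-band; the key bytes are constructed and are not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample key material: 32 arbitrary bytes standing in for an
# Ed25519 public key. This is NOT a real key; only the framing is realistic.
FAKE_ED25519_RAW = bytes(range(32))

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (big-endian uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data

def make_pubkey_line(key_type: str, raw: bytes, comment: str) -> str:
    """Build a 'type base64-blob comment' line as found in authorized_keys."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey(line: str, hostname_field: bool = False) -> tuple:
    """Return (key_type, blob) from a public-key line.
    known_hosts lines carry a leading hostname field (plain or hashed '|1|...'),
    which is skipped when hostname_field is True."""
    fields = line.split()
    if hostname_field:
        fields = fields[1:]
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # The blob itself begins with the key type; it must agree with the text field.
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen].decode() != key_type:
        raise ValueError("key blob type does not match declared type")
    return key_type, blob

def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(line: str, expected: str, hostname_field: bool = False) -> bool:
    """True when the key on `line` has the out-of-band fingerprint `expected`."""
    _, blob = parse_pubkey(line, hostname_field)
    return sha256_fingerprint(blob) == expected
```

The same value is what `ssh-keygen -lf` prints for the key file on the server, which is the number to compare before answering "yes" to the first-connection prompt.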

Security of Private Keys: Private keys used for public-key authentication should always be protected with strong passphrases and kept secure, as compromise of a private key can grant unauthorized access to remote systems.

Firewall Considerations: ssh typically operates on TCP port 22. If firewalls are in place, this port (or a custom configured port) must be open for connections to be established.

AUTHENTICATION METHODS

ssh supports various methods to authenticate users. The most common are:
1. Password Authentication: The user provides a password, which is sent over the already-encrypted channel. It is simple but can be vulnerable to brute-force attacks.
2. Public-Key Authentication: Uses a pair of cryptographic keys: a public key stored on the server (in ~/.ssh/authorized_keys) and a private key kept by the user. This method is generally more secure and convenient as it avoids sending passwords over the network.
3. Host-Based Authentication: Less common, relies on trusted host keys to authenticate, typically used in highly controlled environments.

CONFIGURATION FILES

ssh behavior can be customized through configuration files. The global configuration file is typically located at /etc/ssh/ssh_config, providing system-wide defaults. User-specific configurations are in ~/.ssh/config, which overrides global settings. These files allow users to define aliases for hosts, specify identity files, set default ports, and configure various connection options for different hosts or groups of hosts, simplifying complex connections and maintaining security policies.
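An added example (not part of this page or of OpenSSH) of how that precedence plays out: a small Python resolver over two constructed config fragments that applies the ssh_config rule that the first value obtained for an option wins, with the user file read before the global one; the host names and key paths are made up.

```python
import fnmatch
# Constructed sample files (not from any real system). ssh_config(5) reads
# ~/.ssh/config before /etc/ssh/ssh_config and keeps the FIRST value obtained
# per option, so user settings win and 'Host *' defaults belong at the end.
USER_CONFIG = """
Host bastion
    HostName bastion.example.org
    User ops
    IdentityFile ~/.ssh/bastion_ed25519
    IdentitiesOnly yes
Host internal-*
    ProxyJump bastion
    User deploy
    Port 2222
Host *
    ForwardAgent no
    StrictHostKeyChecking yes
"""
GLOBAL_CONFIG = """
Host *
    Port 22
    User root
    ForwardAgent yes
"""

def parse_config(text):
    """(host_patterns, options) blocks in file order; '!pattern' and Match are ignored."""
    blocks, patterns, opts = [], ["*"], {}  # options before any Host apply to all
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts[key.lower()] = value.strip()
    blocks.append((patterns, opts))
    return blocks

def resolve(host, *configs):
    """Effective options for host: files in the order given, first value wins."""
    effective = {}
    for text in configs:
        for patterns, opts in parse_config(text):
            if any(fnmatch.fnmatchcase(host, p) for p in patterns):
                for key, value in opts.items():
                    effective.setdefault(key, value)
    return effective
```

Running `resolve("internal-db1", USER_CONFIG, GLOBAL_CONFIG)` yields ProxyJump bastion, Port 2222 and ForwardAgent no, even though the global file asks for port 22 and agent forwarding on; the real client shows its own resolution with `ssh -G host`.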

HISTORY

The ssh protocol was originally designed by Tatu Ylönen in 1995 to replace insecure protocols like rsh, rlogin, and telnet, which transmitted passwords and data in plaintext. The initial version (SSH-1) quickly gained popularity due to its strong encryption capabilities.

Due to licensing concerns with the original software, the OpenSSH project was created in 1999 as a free and open-source implementation of the SSH protocol. OpenSSH is now the most widely used version, including the ssh client, sshd server, and other related utilities. It has played a pivotal role in securing internet communication for remote administration, version control systems, and secure data transfer across the globe.

SEE ALSO

sshd(8) - OpenSSH daemon
scp(1) - secure copy (remote file copy program)
sftp(1) - secure file transfer program
ssh-keygen(1) - authentication key generation, management and conversion
ssh-agent(1) - authentication agent
ssh-add(1) - adds identities (private keys) to the authentication agent
ssh_config(5) - OpenSSH client configuration file
sshd_config(5) - OpenSSH daemon configuration file