CertTools Logo
CertTools

SSH Commands Reference

Essential SSH commands for key management and secure access

🔑 SSH Key Generation

Generate RSA key pair (4096-bit)

ssh-keygen -t rsa -b 4096 -C "[email protected]"

RSA 4096-bit is widely compatible and secure. The comment helps identify the key.

Generate Ed25519 key pair (recommended)

ssh-keygen -t ed25519 -C "[email protected]"

Ed25519 is faster, more secure, and uses smaller keys than RSA. Not supported on very old systems.

Generate ECDSA key pair

ssh-keygen -t ecdsa -b 521 -C "[email protected]"

ECDSA with 521-bit curve. Consider Ed25519 instead for better security.

Generate key with custom filename

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_github -C "github_key"

Generate key without passphrase (not recommended)

ssh-keygen -t ed25519 -N "" -C "automation_key"

Only use for automation where passphrase prompts aren't possible. Store securely.

🔧 SSH Key Management

Display public key

cat ~/.ssh/id_ed25519.pub

Copy public key to clipboard (macOS)

pbcopy < ~/.ssh/id_ed25519.pub

Copy public key to clipboard (Linux with xclip)

xclip -sel clip < ~/.ssh/id_ed25519.pub

Change key passphrase

ssh-keygen -p -f ~/.ssh/id_ed25519

Show key fingerprint

ssh-keygen -lf ~/.ssh/id_ed25519.pub

Displays the key fingerprint in SHA256 format by default.

Show key fingerprint in MD5 format

ssh-keygen -lf ~/.ssh/id_ed25519.pub -E md5

Show key fingerprint as ASCII art

ssh-keygen -lvf ~/.ssh/id_ed25519.pub

Convert OpenSSH key to PEM format

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

Useful for compatibility with older systems or tools.

📤 Copying Keys to Servers

Copy public key to server (recommended)

ssh-copy-id [email protected]

Automatically adds your public key to the server's authorized_keys file.

Copy specific key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Copy key to server on non-standard port

ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 [email protected]

Manual method (if ssh-copy-id not available)

cat ~/.ssh/id_ed25519.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Set correct permissions on server

ssh [email protected] "chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

🔐 Connecting to Servers

Basic SSH connection

ssh [email protected]

Connect with specific key

ssh -i ~/.ssh/id_ed25519 [email protected]

Connect to non-standard port

ssh -p 2222 [email protected]

Execute single command on remote server

ssh [email protected] "ls -la /var/www"

Connect with verbose output (debugging)

ssh -v [email protected]

Use -vv or -vvv for more verbose output.

Connect without checking host key

ssh -o StrictHostKeyChecking=no [email protected]

Use with caution - only for testing or dynamic environments.

Connect with compression

ssh -C [email protected]

Useful for slow connections or transferring large amounts of data.

🔀 Port Forwarding and Tunneling

Local port forwarding

ssh -L 8080:localhost:80 [email protected]

Access server's port 80 via local port 8080. Navigate to localhost:8080 in your browser.

Remote port forwarding

ssh -R 8080:localhost:3000 [email protected]

Makes your local port 3000 accessible on the remote server's port 8080.

Dynamic port forwarding (SOCKS proxy)

ssh -D 1080 [email protected]

Creates a SOCKS proxy on port 1080. Configure your browser to use localhost:1080 as SOCKS proxy.

Keep SSH session alive in background

ssh -f -N -L 8080:localhost:80 [email protected]

-f runs in background, -N doesn't execute remote commands.

Access internal network resource through jump host

ssh -L 5432:internal-db:5432 [email protected]

Access internal-db:5432 through the jump host on your local port 5432.

⚙️ SSH Configuration (~/.ssh/config)

Basic host configuration

Host myserver
    HostName server.example.com
    User myusername
    IdentityFile ~/.ssh/id_ed25519

Then connect with: ssh myserver

Host with non-standard port

Host myserver
    HostName server.example.com
    Port 2222
    User myusername

Jump host (bastion) configuration

Host bastion
    HostName bastion.example.com
    User jump_user

Host internal-server
    HostName 10.0.1.100
    User myusername
    ProxyJump bastion

Keep connections alive

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

Sends keepalive packets every 60 seconds to prevent connection timeout.

GitHub configuration

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github

Wildcard configuration for multiple similar hosts

Host *.example.com
    User myusername
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes

📁 File Transfer (SCP & SFTP)

Copy file to remote server

scp file.txt [email protected]:/path/to/destination/

Copy file from remote server

scp [email protected]:/path/to/file.txt ./

Copy directory recursively

scp -r /path/to/directory [email protected]:/path/to/destination/

Copy with specific SSH key

scp -i ~/.ssh/id_ed25519 file.txt [email protected]:/path/

Copy on non-standard port

scp -P 2222 file.txt [email protected]:/path/

Note: SCP uses uppercase -P, SSH uses lowercase -p

Copy between two remote servers

scp user1@server1:/path/file.txt user2@server2:/path/

Start SFTP session

sftp [email protected]

Interactive file transfer. Use get, put, ls, cd commands.

🔐 SSH Agent

Start SSH agent

eval "$(ssh-agent -s)"

Add key to SSH agent

ssh-add ~/.ssh/id_ed25519

Add key with timeout

ssh-add -t 3600 ~/.ssh/id_ed25519

Key will be removed from agent after 3600 seconds (1 hour).

List keys in agent

ssh-add -l

Remove all keys from agent

ssh-add -D

Add key to macOS keychain

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

Stores passphrase in macOS Keychain so you don't need to enter it repeatedly.

🔒 Security & Troubleshooting

Check file permissions

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 600 ~/.ssh/authorized_keys

Incorrect permissions are a common cause of SSH authentication failures.

Remove host from known_hosts

ssh-keygen -R server.example.com

Useful when host key changes (e.g., after reinstalling server).

Test SSH connection

ssh -T [email protected]

Tests SSH connection to GitHub without opening a shell.

Check which key is being used

ssh -v [email protected] 2>&1 | grep "Offering public key"

Disable password authentication (server-side)

# Edit /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH service after editing: sudo systemctl restart sshd

Limit SSH access to specific users (server-side)

# Add to /etc/ssh/sshd_config
AllowUsers user1 user2 user3

💡 Common Use Cases

Set up SSH for GitHub

# Generate key
ssh-keygen -t ed25519 -C "[email protected]"

# Start agent and add key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

# Copy public key
cat ~/.ssh/id_ed25519.pub
# Add to GitHub Settings > SSH Keys

# Test connection
ssh -T [email protected]

Access remote database through SSH tunnel

# Create tunnel
ssh -L 5432:localhost:5432 [email protected]

# In another terminal, connect to local port
psql -h localhost -p 5432 -U dbuser dbname

Mount remote directory locally (SSHFS)

# Mount
sshfs [email protected]:/remote/path /local/mount/point

# Unmount
fusermount -u /local/mount/point  # Linux
umount /local/mount/point         # macOS

Keep SSH session alive when closing terminal

# Use tmux or screen
ssh [email protected]
tmux
# Your work here
# Ctrl+b then d to detach
# Later: tmux attach to resume

Execute local script on remote server

ssh [email protected] 'bash -s' < local-script.sh