SSH, the Secure Shell
SSH is one of the protocols of the TCP/IP protocol suite found at the application layer (Layer 7) of the Open Systems Interconnection (OSI) network model. Officially specified in RFC 4251 (and later, several other RFCs) SSH functions in a way that is similar to telnet but is far more robust and capable. SSH lets you log in to other hosts, get a shell and execute commands on them (for more details, read up on the concept of the OS shell), and transfer files between hosts. The major difference between SSH and telnet as terminal emulation protocols is that SSH utilizes encryption and strong authentication while telnet transmits data (including passwords) in clear text, making it vulnerable to packet sniffing. SSH, in contrast, provides secure, reliable authentication and communication over data channels that might not be so trustworthy (such as the public Internet). Because the SSH protocol encrypts the communications between network devices, it decreases the chance of an attacker (possibly an internal user) sniffing traffic and obtaining sensitive data such as authentication credentials.
What is commonly called ‘SSH’ is actually a collection of utilities such as ssh, scp, slogin, and sftp. SSH can be used to effectively replace telnet in a manner almost invisible to users. However, in the background SSH sessions involve authentication, key exchange, encryption, and passphrase generation and storing, making SSH a complex protocol.
SSH version 1 was released in 1995; however, a few years later it was determined to be unreliable. SSHv1 is vulnerable to a well known exploit that allows an attacker to insert data into the communication stream, making it vulnerable to man-in-the-middle (MITM) attacks. In short, versions of SSH prior to v2.0 are not completely cryptographically safe, so they should not be used. Therefore this article will focus only on SSHv2. Bear in mind that if you see SSH version 1.99 installed, this means that the host supports both SSH v1.5 and v2 (see RFC 4253 for reference).
SSH uses the public key (asymmetric) cryptographic model which means that data encryption between hosts utilizes two keys: a public key to encrypt the data, and a private key to decrypt it. The asymmetric keys are used to authenticate the SSH server and client and then to negotiate a symmetric key. This symmetric key is utilized for data encryption.
SSH utilizes the following encryption symmetric algorithms: AES (aka Rijndael; default if supported), 3DES, Blowfish, Twofish, Arcfour/RC4, and Cast128-cbc. For asymmetric authentication it uses Diffie-Hellman or Digital Signature Algorithm (DSA), and for hashing it uses SHA or MD5. AES, 3DES, SHA-*, and DSA are all FIPS-validated. Note that SSH does not utilize any Public Key Infrastructure (PKI) like SSL does.
- How to use SSH
- Secure SSH servers
- Tunnel HTTP through SSH
- Forward graphical (X11) applications through SSH
- Further reference
- Recommended reading
- SSH command examples
- All SSH, SCP, and SFTP command line options
How SSH works
Since SSH works using the client/server networking model, the SSH service (or daemon) must be running on the host functioning as the server. On Linux this daemon is usually located in
/etc/init.d/ssh/, and the SSH daemon can be configured by editing the
/etc/ssh/sshd_config file. SSH servers listen for incoming SSH requests on port 22, so naturally this port will need to be open on any firewall that sits in front of the SSH server. Note: you can actually change the port that SSH daemon listens on by editing the ‘port’ parameter in the SSH configuration file and restarting the SSH daemon with the command
/etc/init.d/ssh restart. You can change it to an arbitrary high port number (such as 25250) but you will need to specify this port when you log in. Your login command would then be:
The most popular SSH server program is OpenSSH.
To compliment the SSH server, you will need an SSH client application installed on your computer. Most Linux distributions come with an SSH client (such as the OpenSSH client,
openssh-clients). For Windows there are many available but some of the more popular ones are PuTTY, Tera Term, Cygwin and WinSCP.
How to use SSH
The ssh and slogin commands are intended to replace rlogin, rsh, and telnet. The scp and sftp commands are intended to replace rcp and FTP (note that there is such a thing as FTP Over SSH which is not the same as SFTP, aka SSH over FTP). Luckily for FTP users, SFTP uses nearly the same commands (ls, get, put, etc.) as FTP.
When you attempt to log in to a remote host the first time via SSH, you will see a message like this:
When you continue, the server
ssh_server.domain.com will be added to your list of known hosts located in
/home/you/.ssh/known_hosts. You will then get prompted to enter valid credentials.
Should you decide that you want to use key-based authentication, you will need to generate a public key on your SSH client. When the public key is present on the server side and the matching private key is present on the client side, authentication is achieved and typing in the password is no longer required (if desired). However, for additional security the private key itself can be locked with a passphrase. On the client issue the command ssh-keygen –t dsa and when prompted, enter a long passphrase (such as a sentence that you can easily remember but is difficult for others to guess). Your public key will then be saved in encrypted format as
/home/you/.ssh/id_dsa.pub and your private key will go in
/home/you/.ssh/id_dsa . Now, copy the public key to the SSH server you want to connect to with the command:
Alternatively you could add the contents of
id_dsa.pub to the end of authorized keys on the remote SSH server with the command:
If the public key is still on your local host then the command would be:
Key-based encryption is an effective means at stopping brute force password attacks because unless the potential intruder has possession of your public key, he’s not going to get in.
After you log in to the SSH server, you’re probably going to want to transfer files to or from it. That’s where the scp commands comes in to play. Let’s say you have the file
linux-3.3-rc3.tar.bz2 in the directory
/home/you/software/ on your local computer, and you want to copy it to
/home/you/linux-kernel/ on the remote SSH server. Just enter the command:
As a security precaution, you might want to prevent root logins using SSH. This step can help mitigate the damage done if the root password is compromised. To access the server remotely as root, you would need to log in as a non-root user and then switch to root with the su – command. To disable direct root logins via SSH, you need to find the
PermitRootLogin parameter in the SSH configuration file and set it to
To disable SSHv1 on the SSH server, you can once again edit
/etc/ssh/sshd_config and change the line that says ‘protocol 2,1’ to ‘protocol 2’.
If you wish to configure a Cisco device running IOS to only accept SSH connections for remote administration, here are the steps to do so.
Secure SSH servers
Here are some basic steps to secure your SSH servers. For more detailed guides, see the ‘Securing SSH’ links in the Further Reference section of this page.
- Disable SSH logins as the root user (described above).
- Run the SSH service on a non-standard port (described above.
- Require SSH users to have passwords that are both complex and long (at least eight characters).
- Ensure that file permissions are set properly to prevent SSH users from accessing files which they are not supposed to. For example, you could put each user in his own group. Don’t grant that group access to any other files or directories (be aware that they will be able to access anything set to 777). Then you can set the appropriate permissions on all the files you want them to have access to using the chgrp command.
- Add known source IP addresses to a whitelist to lock down access control. See: /etc/hosts.deny and /etc/hosts.allow.
- Consider installing sshblack and Fail2ban for IPS functionality.
How to tunnel HTTP through SSH
SSH offers the ability to tunnel plain text protocols (such as HTTP for Web browsing) over an encrypted channel. What if you are on a computer at a remote location (work/library/hotel/etc) where Web browsing is curtailed and/or monitored, and there are some websites that you need to access that are blocked? With the help of your home PC you might be able to set up a more agreeable situation at the remote site.
1. Install and run the OpenSSH server on your Linux home computer. Configure the SSH daemon to run on a non-standard port such as 9009 or even 443 (this can be a critical step because the firewall at your remote location might block port 22 outbound). Then configure your home router or firewall to permit inbound traffic on the port number you chose. Need help with this? Visit PortForward.com.
If your home computer is Windows based, you can install the Windows version of OpenSSH. Then you need to run these three commands in succession in a command prompt:
2. At the remote location, enter this command on your Linux host:
If your PC at the remote location is Windows based, you’ll need to download PuTTY. Then view the ‘PuTTy for Windows XP’ section on this page for detailed instructions.
3. Open Firefox on the remote host (whether Linux or Windows) and configure it to use a SOCKSv5 proxy on localhost:8080. Go to Tools->Options-> Advanced->Network->Settings. Enter your home IP address and the port you chose in the ‘SOCKS Host’ line and make sure the SOCKSv5 radio button is selected.
4. Finally, enter
about:config in the Firefox address bar and hit Enter. Find
network.proxy.socks_remote_dns and change it to true (double-click on the line). This is to ensure that Firefox will resolve DNS queries over the proxy link and not with the default DNS settings of the remote location.
5. On the remote host, use Firefox to go to an IP address checking website such as ICanHazIP.com. You should see the IP address of your home computer (the one running OpenSSH in step 1).
6. If you get stuck, there are several links in the Further reference section that will probably straighten you out.
Forwarding graphical (X11) applications
If what you want is to ‘remote desktop’ into a host, SSH makes it possible to open and use graphical (X11) applications remotely. For example, you connect to the remote SSH server, enter the command ‘notepad.exe’ or ‘gedit’ and the text editor opens for you to work with not on your local computer but on the SSH server. What you need to do is find
sshd_config on the server and set it to
yes. On the client side,
ssh_config has to show
yes. Then you need issue a command using the -X switch, such as ssh -X firstname.lastname@example.org. Next you can issue the command startx to load the desktop environment.
The SSH protocol, its functionality, and its many uses are a deep subject. As this article shows, there are many ways SSH can be utilized and configured. Below you will find a collection of informative SSH articles that can play a role in furthering and improving your use of the protocol.
GNUwhatimsaying.com, How to test an SSH connection.
GNUwhatimsaying.com, How to keep your SSH sessions alive.
Doug Vitale Tech Blog, Use an SSH terminal in Firefox.
FreeSSHD.org, A free SSH server for Windows.
Linux-Tipps, Access the Kindle 3 with SSH via WiFi.
Macuyiko.com, Running A SSH honeypot with Kippo.
Pastebin.org, Log of credentials used during attempted unauthorized SSH logins.
SANS.org, A discussion of SSH Secure Shell ( 573 KB PDF).
SANS.org, Security implications of SSH (90 KB PDF).
SDF.org, Practice SSH with an online SSH shell.
Securityfocus.com, SSH exploit in ‘The Matrix Reloaded’.
Sshmenu.org, SSHMenu: a graphical interface for SSH.
Tecmint.com, 5 best practices to secure and protect SSH server.
UWaterloo.ca, How to run an SSH server on Windows Server 2003.
Xmodulo.com, How to set up VPN over SSH in Linux.
Dag.wieers.com, Tunneling SSH over HTTP(S).
IBM.com, SSH back doors.
Linuxers.org, Reverse SSH tunneling, bypassing firewalls and NAT.
Makeuseof.com, How to tunnel traffic with SSH.
Souptonuts.sourceforge.net, Breaking firewalls with OpenSSH and PuTTY.
Symantec.com, SSH port forwarding.
TOIC.org, Bypass firewalls with reverse SSH port forwarding.
TOIC.org, SSH port forwarding.
Vdomck.org, Reversing an SSH connection.
Cyberciti.biz, Top 20 OpenSSH Server Best Security Practices.
Debian-administration.org, Securing OpenSSH server and Secure SSH.
Farinspace.com, How to secure SSH login on your Linux server.
Fedoraresolved.org, Securing SSH.
IBM.com, Getting started with SSH security and configuration.
Kleppmann.com, Improving the security of your SSH private key files.
Major.io, Securing your SSH server.
Scottlinux.com, Use Google Authenticator for two-factor SSH authentication in Linux.
TheGeekStuff.com, 7 Default OpenSSH Security Options You Should Change.
If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Chapter 15 of Security Power Tools from O’Reilly is a great reference to all things SSH.
SSH command examples
The standard command syntax for ssh is:
The standard command syntax for scp is:
The standard command syntax for sftp is:
|$ scp notes.txt user@ssh_server:~/
Copies the local file
$ scp user@ssh_server:~/notes.txt .
notes.txt from your home folder on the remote SSH server and puts it in your current location on the local computer (which is indicated by the final period).
$ scp /home/user/documents/info.doc username@ssh_server.domain.com:
Copies the file
info.doc to your home folder on the remote SSH server.
$ scp username@ssh_server.domain.com:info.doc info.doc
info.doc back to your local computer.
$ scp /home/doug/index.html doug@ssh_server.com: /var/www/htdocs/
Copies index.html from the local host to the SSH server.
$ scp info.doc username@ssh_server.domain.com reports/updated-info.doc
Copies info.doc from your local computer to the reports directory in your home folder on the SSH server and renames the file to updated-info.doc.
$ scp -r sales username@ssh_server.domain.com:
Recursively copies the folder ‘sales’ to your home directory on the SSH server.
$ ssh –p 6179 ssh_server.domain.com
Initiates an SSH session with ssh_server on the nonstandard port of 6179.
$ ssh-keygen -t dsa
Generates your public key.
$ ssh -X user@ssh_server ‘gedit’
Connects to ssh_server and executes the gedit text editor.
$ ssh username@ssh_server.domain.com
Connects to network host
ssh_server using the credentials provided.
# ssh root@ssh_server.domain.com ‘df -h’
Connects to network host
ssh_server as root and then shows file system info in human-readable format using the df -h command. Root logins via SSH will most likely have to first be enabled in the SSH daemon configuration file.
# ssh root@email@example.com ‘ps -ef | grep apache | grep -v grep | wc -l’ (or pgrep -c apache instead of grep apache | grep -v grep)
Connects to the SSH server as root and then pipes the process table to
grep apache. Useful for counting the number of Apache processes running on the server.
# ssh root@ssh_server.domain.com ‘top -b -n 1 | head -n 8’
Displays the server’s vital statistics and the processes utilizing the most CPU resources.
# ssh root@ssh_server.domain.com ‘who’
Displays who else is logged in to the SSH server.
$ ssh -l username -L 7979:target1:22 ssh_gateway
Opens an SSH connection to host ssh_gateway and redirects all connections to port 7979 on the local host to port 22 on host target11.
$ ssh –f –L 1110:localhost:110 firstname.lastname@example.org
Establishes a secure tunnel with the POP3 email server to retrieve mail from localhost:1110 instead of pop3mailserver.com:110. This command can work for SMTP (port 25) as well.
$ ssh -X -C user@ssh_server /path/application
Establishes a compressed connection to the remote host and forwards the application’s X-window content to the local host.
$ ssh -o ProxyCommand=”/home/user/bin/connect -S localhost:9050 %h %p” \ 10.0.0.23
Tunnels SSH through Tor, where ‘connect’ refers to connect.c, ‘localhost’ refers to the Tor server, and 10.0.0.23 is the server you want to connect to via SSH (source, page 95).
$ ssh -f -N -L 110:mailhost:110 user@mailhost
Binds SSH to the local port 110 and forwards to port 110 on the remote mail server named mailhost. After issuing this command configure your email client to connect to localhost port 110 (source, page 316).
All SSH, SCP, and SFTP command options
Sourced from the OpenSSH.org manual pages.
SSH command options
|ssh -1||Forces SSH to try protocol version 1 only.|
|ssh -2||Forces SSH to try protocol version 2 only.|
|ssh -4||Forces SSH to use IPv4 addresses only.|
|ssh -6||Forces SSH to use IPv6 addresses only.|
|ssh -a||Disables forwarding of the authentication agent connection.|
|ssh -A||Enables forwarding of the authentication agent connection.|
|ssh -b [bind_address]||Uses the address specified as the source address of the SSH connection. Obviously this is only useful on multihomed hosts with more than one IP address.|
|ssh -c [cipher]||Sets the cipher specification for session encryption. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is:
|ssh -C||Requests compression of all data.|
|ssh -D [bind_address:port]||Specifies a local ‘dynamic’ application-level port forwarding. This works by allocating a socket to listen to specified port on the local side, optionally bound to the [bind_address]. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.|
|ssh -e [escape_char]||Sets the escape character for sessions with a pty (default: `~’).|
|ssh -f||Requests SSH to go to the background just before command execution.|
|ssh -F [config_file]||Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the system-wide configuration file (
|ssh -g||Allows remote hosts to connect to local forwarded ports.|
|ssh -i [identity_file]||Selects a file from which the identity (private key) for public key authentication is read. The default is
|ssh -I [pkcs11]||Specifies the PKCS#11 shared library that SSH should use to communicate with a PKCS#11 token providing the user’s private RSA key.|
|ssh -k||Disables forwarding (delegation) of GSSAPI credentials to the server.|
|ssh -K||Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.|
|ssh -l [login_name]||Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file.|
|ssh -L [bind_address:port:remote_host:remote_port]||Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified [bind_address].|
|ssh -m [MAC_list]||Specifies a comma-separated list of MAC (message authentication code) algorithms for data integrity protection. Multiple algorithms. The default is:
|ssh -M||Places the SSH client into ‘master’ mode for connection sharing. When enabled, SSH will listen for connections on a control socket specified using the
|ssh -n||Redirects stdin from
|ssh -N||Does not execute a remote command; useful for just forwarding ports (SSHv2 only).|
|ssh -o [option]||Used to give options in the format used in
Specifies which address family to use when connecting. Valid family arguments are ‘any’, ‘inet’ (IPv4), and ‘inet6’ (IPv6).
BatchMode [yes | no]
If set to ‘yes’, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be ‘yes’ or ‘no’ (default).
Uses the specified address on the local machine as the source address of the SSH connection. This option does not work if UsePrivilegedPort is set to ‘yes’.
ChallengeResponseAuthentication [yes | no]
Specifies whether to use challenge-response authentication. The argument must be ‘yes’ or ‘no’ (default).
If this flag is set to ‘yes’ (default), SSH will additionally check the host IP address in the
Specifies the cipher to use for encrypting the session SSHv1 only.
Specifies the ciphers allowed for SSHv2 in order of preference. Multiple ciphers must be comma-separated. The
supported ciphers are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, and cast128-cbc. The default is:
Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is automatically set by scp and SFTP. The argument must be ‘yes’ or ‘no’ (default).
Enables or disables compression. The argument must be ‘yes’ or ‘no’ (default).
For SSHv1 only. Specifies the compression level to use if compression is enabled.
Specifies the number of connection tries (one per second) to make before exiting (default is 1). The argument must be an integer.
Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. This value is used only when the target is really down or unreachable, not when it refuses the connection.
Enables the sharing of multiple sessions over a single network connection. When set to ‘yes’, SSH will listen for
connections on a control socket specified using the
Setting this to ‘ask’ will cause SSH to listen for control connections, but require confirmation using the
‘Auto’ and ‘autoask’ allow for opportunistic multiplexing (try to use a master connection but fall back to creating a new one if one does not already exist). ‘Autoask’ requires confirmation like ‘ask’.
Specifies the path to the control socket used for connection sharing as described in the
When used in conjunction with
Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing addresses in square brackets. By default,
the local port is bound in accordance with the
Setting this option to ‘yes’ in the global client configuration file
Sets the escape character (default:
Specifies whether SSH should terminate the connection if it cannot set up requested dynamic, tunnel, local, and remote port forwardings. The argument is either ‘yes’ or ‘no’ (default).
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must ‘yes’ or ‘no’ (default).
Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be ‘yes’ or ‘no’ (default).
Specifies a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of
If this option is set to ‘yes’, remote X11 clients will have full access to the original X11 display. If this option is set to ‘no’ (default), remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the
Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, SSH binds local port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports.
Specifies one or more files to use for the global host key database, separated by white space. The default is
Specifies whether user authentication based on GSSAPI is allowed. The default is ‘no’. SSHv2 only.
Forwards (delegates) credentials to the server. The default is ‘no’. SSHv2 only.
Indicates that SSH should hash host names and addresses when they are added to
Specifies whether to try
Specifies the SSHv2 host key algorithms that the client wants to use in order of preference. The default for this option is:
Specifies an alias that should be used instead of the real hostname when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host.
Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. If the hostname contains the character sequence ‘
Specifies that SSH should only use the authentication identity files configured in the
Specifies a file from which the user’s DSA, ECDSA or DSA authentication identity is read. The default is
The file name may use the tilde syntax to refer to a user’s home directory or one of the following escape characters: ‘
Specifies the IPv4 type of service or DSCP class for connections. Accepted values are: ‘af11’, ‘af12’, ‘af13’, ‘af21’, ‘af22’, ‘af23’, ‘af31’, ‘af32’, ‘af33’, ‘af41’, ‘af42’, ‘af43’, ‘cs0’, ‘cs1’, ‘cs2’, ‘cs3’, ‘cs4’, ‘cs5’, ‘cs6’, ‘cs7’, ‘ef’, ‘lowdelay’, ‘throughput’, ‘reliability’, or a numeric value. This option may take one or two arguments, separated by white space. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is ‘lowdelay’ for interactive sessions and ‘throughput’ for non-interactive sessions.
Specifies whether to use keyboard interactive authentication. The argument must be ‘yes’ (default) or ‘no’.
Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: ‘bsdauth’, ‘pam’, or ‘skey’.
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is:
Specifies a command to execute on the local machine after successfully connecting to the SSH server. The command string extends to the end of the line, and is executed with the user’s shell. The following escape character substitutions will be performed: ‘
The command is run synchronously and does not have access to the session of the SSH that spawned it. It should not be used for interactive commands.
This directive is ignored unless
Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the
Gives the verbosity level that is used when logging messages from SSH. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output.
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is:
This option can be used if the home directory is shared across hosts. In this case
Specifies the number of password prompts before giving up. The argument to this keyword must be an integer (default is 3).
Specifies whether to use password authentication. The argument must be ‘yes’ (default) or ‘no’.
Allow local command execution via the
Specifies which PKCS#11 provider to use. The argument to this keyword is the PKCS#11 shared library should use to communicate with a PKCS#11 token providing the user’s private RSA key.
Specifies the port number to connect on the remote host. The default is port 22.
Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). The default is:
Specifies the protocol versions SSH should support in order of preference. The possible values are ‘1’ and ‘2’ (default). Multiple versions must be comma-separated. When this option is set to ‘2,1’ SSH will try version 2 and fall back to version 1 if version 2 is not available.
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user’s shell. In the command string, any occurrence of ‘
Specifies whether to try public key authentication (SSHv2 only). The argument to this keyword must be ‘yes’ (default) or ‘no’.
Specifies the maximum amount of data that may be transmitted before the session key is renegotiated (SSHv2 only). The argument is the number of bytes, with an optional suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between ‘1G’ and ‘4G’, depending on the cipher.
Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be [bind_address:port] and the second argument must be [host:hostport]. IPv6 addresses can be specified by enclosing addresses in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Privileged ports can be forwarded only when logging in as root on the remote machine.
If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.
Specifies whether to request a pseudo-tty for the session. The argument may be one of: ‘no’ (never request a TTY), ‘yes’ (always request a TTY when standard input is a TTY), ‘force’ (always request a TTY) or ‘auto’ (request a TTY when opening a login session). This option mirrors the -t and -T flags for SSH.
Specifies whether to try rhosts-based authentication with RSA host authentication. The argument must be ‘yes’ or ‘no’ (default). This option applies to SSHv1 only and requires SSH to be
Specifies whether to try RSA authentication. The argument to this keyword must be ‘yes’ (default) or ‘no’. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running.
Specifies which variables from the local environ should be sent to the server. Note that environment passing is only supported for SSHv2. The server must also support it, and the server must be configured to accept these environment variables. Refer to
Sets the number of server alive messages (default: 3) which may be sent without SSH receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, SSH will disconnect from the server, terminating the session. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. This option applies to SSHv2 only.
Sets a timeout interval in seconds after which if no data has been received from the server, SSH will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. This option applies to SSHv2 only.
If this flag is set to ‘yes’, SSH will never automatically add host keys to the
Specifies whether the host should send TCP keepalive messages to the other side. If they are sent, downtime of one of the hosts will be properly noticed. The arguments are ‘yes’ (default) and ‘no’.
Request TUN device forwarding between the client and the server. The argument must be ‘yes’, ‘point-to-point’ (layer 3), ‘ethernet’ (layer 2), or ‘no’ (default). Specifying ‘yes’ requests the default tunnel mode, which is ‘point-to-point’.
Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun). The argument must be [local_tun:remote_tun]. The devices may be specified by numerical ID or the keyword ‘any’, which uses the next available tunnel device. If
Specifies whether to use a privileged port for outgoing connections. The argument must be ‘yes’ or ‘no’ (default). If set to ‘yes’, SSH must be
Specifies the user to log in as. This can be useful when a different user name is used on different hosts. This saves the trouble of having to remember to give the user name on the command line.
Specifies one or more files to use for the user host key database, separated by white space. The default is
Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to ‘yes’, the client will implicitly trust keys that match a secure fingerprint from DNS. If this option is set to ‘ask’, information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the
If this flag is set to ‘yes’, an ASCII art representation of the remote host key fingerprint is printed in addition to the hex fingerprint string at login and for unknown host keys. If this flag is set to ‘no’ (default), no fingerprint strings are printed at login and only the hex fingerprint string will be printed for unknown host keys.
Specifies the full path name of the
|ssh -p [port]||Specifies the port to connect to on the remote host.|
|ssh -q||Enables quiet mode which causes most warning and diagnostic messages to be suppressed.|
|ssh -R [bind_address:port:host:hostport]||Specifies that the given port on the remote host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to [port] on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.
By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a [bind_address]. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote [bind_address] will only succeed if the server’s
|ssh -s||May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg., SFTP). The subsystem is specified as the remote command.|
|ssh -S [ctrl_path]||Specifies the location of a control socket for connection sharing, or the string ‘none’ to disable connection sharing. Refer to the descriptions of
|ssh -t||Forces pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine which can be very useful, e.g. when implementing menu services. Multiple -t options force TTY allocation, even if SSH has no local TTY.|
|ssh -T||Disables pseudo-tty allocation.|
|ssh -v||Enables verbose mode which causes SSH to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity (maximum is 3).|
|ssh -V||Displays the SSH version number.|
|ssh -w local_tun[:remote_tun]||Requests tunnel device forwarding with the specified tun devices between the client (
|ssh -W [host:port]||Requests that standard input and output on the client be forwarded to host on the given port over the secure channel. Implies -N, -T,
|ssh -x||Disables X11 forwarding.|
|ssh -X||Enables X11 forwarding.|
|ssh -y||Sends log information using the syslog system module. By default this information is sent to stderr.|
|ssh -Y||Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.|
SCP command options
|scp -1||Forces SCP to use SSHv1.|
|scp -2||Forces SCP to use SSHv2.|
|scp -3||Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. Note that this option disables the
|scp -4||Forces SCP to use IPv4 addresses only.|
|scp -6||Forces SCP to use IPv6 addresses only.|
|scp -B||Enables batch mode (prevents asking for passwords or passphrases).|
|scp -c [cipher]||Selects the cipher to use for encrypting the data transfer. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is:
|scp -C||Enables compression.|
|scp -F [ssh_config_file]||Specifies an alternative per-user configuration file for SSH.|
|scp -i [identity_file]||Selects the file from which the identity (private key) for public key authentication is read.|
|scp -l||Limits the bandwidth utilized in Kb/s.|
|scp -o [option]||Same as ssh -o above.|
|scp -p||Preserves modification times, access times, and modes from the original file.|
|scp -P [port]||Specifies the port to connect to on the remote host.|
|scp -q||Enables quiet mode which disables the progress meter as well as the warning and diagnostic messages from SSH.|
|scp -r||Recursively copies entire directories. Note that SCP also follows symbolic links encountered in the tree traversal.|
|scp -S [program]||Names the program to use for the encrypted connection. The program must understand SSH options.|
|scp -v||Enables verbose mode which causes SCP and SSH to print debugging messages about their progress. This is helpful in debugging connection, authentication, and configuration problems.|
SFTP command options
|sftp -1||Specifies the use of SSHv1.|
|sftp -2||Specifies the use of SSHv2.|
|sftp -4||Forces SFTP to use IPv4 addresses only.|
|sftp -6||Forces SFTP to use IPv6 addresses only.|
|sftp -b [batch_file]||Batch mode; reads a series of commands from an input batch file instead of stdin.|
|sftp -B [buffer_size]||Specifies the size of the buffer that SFTP uses when transferring files (default is 32768 bytes).|
|sftp -c [cipher]||Selects the cipher to use for encrypting the data transfer. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is:
|sftp -C||Enables compression.|
|sftp -D [sftp_server_path]||Connects directly to a local SFTP server (rather than via SSH).|
|sftp -F [ssh_config_file]||Specifies an alternative per-user configuration file for SSH.|
|sftp -i [identity_file]||Selects the file from which the identity (private key) for public key authentication is read.|
|sftp -l [limit]||Limits the bandwidth utilized in Kb/s.|
|sftp -o [option]||Same as ssh -o above.|
|sftp -p||Preserves modification times, access times, and modes from the original files transferred.|
|sftp -P [port]||Specifies the port to connect to on the remote host.|
|sftp -r||Recursively copies entire directories when uploading and downloading. Note that SFTP does not follow symbolic links encountered in the tree traversal.|
|sftp -R [num_requests]||Specifies how many requests may be outstanding at any one time (default is 64 outstanding requests).|
|sftp -s [subsystem | sftp_server]||Specifies the SSHv2 subsystem or the path for an SFTP server on the remote host.|
|sftp -S [program]||Names the program to use for the encrypted connection. The program must understand SSH options.|
|sftp -v||Raises the logging level.|
|>cd [path]||Changes the current remote directory to the one specified in [path].|
|>chgrp [group] [path]||Changes group of file [path] to [group]. [grp] must be a numeric GID.|
|>chown [owner] [path]||Changes the owner of file [path] to [owner]. [owner] must be a numeric UID.|
|>df [path]||Displays usage information for the filesystem holding the current directory (or [path] if specified). This command is only supported on servers that implement the ‘email@example.com’ extension.|
|>df -h [path]||Displays usage information for the filesystem holding the current directory (or [path] if specified with the capacity information displayed using “human-readable” suffixes.|
|>df -i [path]||Displays usage information for the filesystem holding the current directory (or [path] if specified and requests display of inode information in addition to capacity information.|
|>get [remote_path] [local_path]||Retrieves the file specified in [remote_path] and stores it on the local host. If the [local_path] name is not specified, the file is given the same name it has on the remote host.|
|>get -p [remote_path] [local-path] or >get -P [remote_path] [local-path]||Retrieves the file specified in [remote_path], stores it on the local host, and full file permissions and access times are copied also.|
|>get -r [remote_path] [local-path]||Recursively retrieves the file specified in [remote_path] (along with all sub-directories and files) and stores it on the local host.|
|>help||Displays the help message.|
|>lcd [path||Changes the local directory to [path].|
|>lmkdir [path]||Creates the local directory specified by [path].|
|>ln [oldpath] [newpath]||Creates a hard link from [oldpath] to [newpath].|
|>ln -s [oldpath] [newpath]||Creates a symbolic link from [oldpath] to [newpath].|
|>lpwd||Displays the local working directory.|
|>ls [path]||Displays a directory listing of either the remote [path] specified or the current remote directory if [path] is not specified.|
|>ls -1 [path]||Displays a single columnar directory listing of either the remote [path] specified or the current remote directory if [path] is not specified.|
|>ls -a [path]||Displays a full directory listing (including hidden files) of either the remote [path] specified or the current remote directory if [path] is not specified.|
|>ls -f [path]||Displays a directory listing (without sorting) of either the remote [path] specified or the current remote directory if [path] is not specified.|
|>ls -h [path]||Displays a directory listing of either the remote [path] specified or the current remote directory using unit suffixes such as Byte, Kilobyte, Megabyte, Gigabyte, Terabyte, Petabyte, and Exabyte in order to reduce the number of digits to four or fewer using powers of 2 for sizes (K=1024, M=1048576, etc.).|
|>ls -l [path]||Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and also displays additional details including permissions and ownership information.|
|>ls -n [path]||Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) by producing a long listing with user and group information presented numerically.|
|>ls -r [path]||Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and reverses the sort order of the listing.|
|>ls -S [path]||Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and sorts the listing by file size.|
|>ls -t [path]||Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and sorts the listing by last modification time.|
|>lumask [umask]||Sets the local umask to
|>mkdir [path]||Creates the remote directory specified by [path].|
|>progress||Toggles the display of the progress meter.|
|>put [local_path] [remote_path]||Uploads the file specified in [local_path] and stores it on the remote host. If the [remote_path] name is not specified, the file is given the same name it has on the local machine.|
|>put -p [local_path] [remote_path] or put -P [local-path] [remote-path]||Uploads the file specified in [local_path] (along with full file permissions and access times) and stores it on the remote host. If the [remote_path] name is not specified, the file is given the same name it has on the local machine.|
|>put -r [local_path] [remote_path]||Recursively uploads the file specified in [local_path] (along with all subdirectories and files) and stores it on the remote host.|
|>pwd||Displays the remote working directory.|
|>rename [oldpath] [newpath]||Renames the remote file from [oldpath] to [newpath].|
|>rm [path]||Deletes the remote file specified by [path].|
|>rmdir [path]||Removes the remote directory specified by [path].|
|>symlink [oldpath] [newpath]||Creates a symbolic link from [oldpath] to [newpath].|
|>version||Displays the SFTP protocol version.|
|>!||Escapes to the local shell.|
|>! [command]||Executes [command] in the local shell.|
|>?||Prints the help message.|