SSH is one of the protocols of the
TCP/IP protocol suite found at the application layer (Layer 7) of the Open Systems Interconnection (
OSI) network model. Officially specified in
RFC 4251 (and later,
several other RFCs) SSH functions in a way that is similar to
telnet but is far more robust and capable. SSH lets you log in to other hosts, get a shell and execute commands on them (for more details, read up on the concept of the
OS shell), and transfer files between hosts. The major difference between SSH and telnet as terminal emulation protocols is that SSH utilizes encryption and strong authentication while telnet transmits data (including passwords) in clear text, making it vulnerable to packet sniffing. SSH, in contrast, provides secure, reliable authentication and communication over data channels that might not be so trustworthy (such as the public Internet). Because the SSH protocol encrypts the communications between network devices, it decreases the chance of an attacker (possibly an internal user) sniffing traffic and obtaining sensitive data such as authentication credentials.
What is commonly called ‘SSH’ is actually a collection of utilities such as
ssh,
scp,
slogin, and
sftp. SSH can be used to effectively replace telnet in a manner almost invisible to users. However, in the background SSH sessions involve authentication, key exchange, encryption, and passphrase generation and storing, making SSH a complex protocol.
SSH versions
SSH version 1 was released in 1995; however, a few years later it was determined to be unreliable. SSHv1 is vulnerable to a well known exploit that allows an attacker to insert data into the communication stream, making it vulnerable to man-in-the-middle (
MITM) attacks. In short, versions of SSH prior to v2.0 are not completely cryptographically safe, so they should not be used.
Therefore this article will focus only on SSHv2. Bear in mind that if you see SSH version 1.99 installed, this means that the host supports both SSH v1.5 and v2.
SSH encryption
SSH uses the public key (asymmetric) cryptographic model which means that data encryption between hosts utilizes two keys: a public key to encrypt the data, and a private key to decrypt it. The asymmetric keys are used to authenticate the SSH server and client and then to negotiate a symmetric key. This symmetric key is utilized for data encryption.
Simple example of public key cryptography
SSH utilizes the following encryption symmetric algorithms:
AES (aka Rijndael; default if supported),
3DES,
Blowfish,
Twofish,
Arcfour/RC4, and
Cast128-cbc. For asymmetric authentication it uses
Diffie-Hellman or Digital Signature Algorithm (
DSA), and for
hashing it uses SHA or MD5. AES, 3DES, SHA-*, and DSA are all
FIPS-validated. Note that SSH does not utilize any Public Key Infrastructure (
PKI) like
SSL does.
Jump to:How SSH works
Since SSH works using the client/server networking model, the SSH service (or daemon) must be running on the host functioning as the server. On Linux this daemon is usually located in
/etc/init.d/ssh
/, and the SSH daemon can be configured by editing the
/etc/ssh/sshd_config
file. SSH servers listen for incoming SSH requests on port 22, so naturally this port will need to be open on any firewall that sits in front of the SSH server.
Note: you can actually change the port that SSH daemon listens on by editing the ‘port’ parameter in the SSH configuration file and restarting the SSH daemon with the command
/etc/init.d/ssh restart
. You can change it to an arbitrary high
port number (such as 25250) but you will need to specify this port when you log in. Your login command would then be:
$ ssh -p 25250 user@ssh_serverThe most popular SSH server program is
OpenSSH.
To compliment the SSH server, you will need an SSH client application installed on your computer. Most Linux distributions come with an SSH client (such as the OpenSSH client,
openssh-clients
). For Windows there are many available but some of the more popular ones are
PuTTY,
Tera Term,
Cygwin and
WinSCP.
Encryption and authentication with SSH
How to use SSH
The
ssh and
slogin commands are intended to replace
rlogin,
rsh, and
telnet. The
scp and
sftp commands are intended to replace
rcp and
FTP (note that there is such a thing as
FTP Over SSH which is not the same as SFTP, aka SSH over FTP). Luckily for
FTP users, SFTP uses nearly the same commands (
ls,
get,
put, etc.) as FTP.
When you attempt to log in to a remote host the first time via SSH, you will see a message like this:
$ ssh ssh_server.domain.com
The authenticity of host 'ssh_server.domain.com' can't be established.
DSA key fingerprint is 85:68:4b:3a:bc:f3:7c:9b:01:5d:b8:03:38:e2:14:9c.
Are you sure you want to continue connecting (yes/no)?
When you continue, the server
ssh_server.domain.com
will be added to your list of known hosts located in
/home/you/.ssh/known_hosts
. You will then get prompted to enter valid credentials.
Should you decide that you want to use key-based authentication, you will need to generate a public key on your SSH client. When the public key is present on the server side and the matching private key is present on the client side, authentication is achieved and typing in the password is no longer required (if desired). However, for additional security the private key itself can be locked with a passphrase. On the client issue the command
ssh-keygen –t dsa and when prompted, enter a long passphrase (such as a sentence that you can easily remember but is difficult for others to guess). Your public key will then be saved in encrypted format as
/home/you/.ssh/id_dsa.pub
and your private key will go in
/home/you/.ssh/id_dsa
. Now, copy the public key to the SSH server you want to connect to with the command:
$ scp ~/.ssh/id_dsa.pub username@ssh_server.domain.com: .ssh/authorized_keys Alternatively you could add the contents of
id_dsa.pub
to the end of authorized keys on the remote SSH server with the command:
$ cat .ssh/id_dsa.pub | ssh [host] ‘cat >> ~/.ssh/authorized_keys’If the public key is still on your local host then the command would be:
$ cat ~/.ssh/id_dsa.pub | ssh ssh_server.domain.com ‘cat – >> ~/.ssh/authorized_keys’Key-based encryption is an effective means at stopping brute force password attacks because unless the potential intruder has possession of your public key, he’s not going to get in.
After you log in to the SSH server, you’re probably going to want to transfer files to or from it. That’s where the
scp commands comes in to play. Let’s say you have the file
linux-3.3-rc3.tar.bz2
in the directory
/home/you/software/
on your local computer, and you want to copy it to
/home/you/linux-kernel/
on the remote SSH server. Just enter the command:
$ scp ~/software/linux-3.3-rc3.tar.bz2 ~/software/linux-kernel/:As a security precaution, you might want to prevent root logins using SSH. This step can help mitigate the damage done if the root password is compromised. To access the server remotely as root, you would need to log in as a non-root user and then switch to root with the
su – command. To disable direct root logins via SSH, you need to find the
PermitRootLogin
parameter in the SSH configuration file and set it to
PermitRootLogin no
.
To disable SSHv1 on the SSH server, you can once again edit
/etc/ssh/sshd_config
and change the line that says ‘protocol 2,1’ to ‘protocol 2’.
If you wish to configure a Cisco device running IOS to only accept SSH connections for remote administration, here are the steps to do so.
Router(config)# ip ssh time-out 60
Router(config)# ip ssh authentication-retries 3
Router(config)# ip ssh version 2
Router(config)# access-list 101 remark Permit SSH access
Router(config)# access-list 101 permit tcp host 10.2.7.2 any eq 22 log
Router(config)# access-list 101 permit tcp host 10.2.7.3 any eq 22 log
Router(config)# access-list 101 deny ip any any log
Router(config)# line vty 0 4
Router(config-line)# access-class 101 in
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 9 0
How to tunnel HTTP through SSH
SSH offers the ability to tunnel plain text protocols (such as HTTP for Web browsing) over an encrypted channel. What if you are on a computer at a remote location (work/library/hotel/etc) where Web browsing is curtailed and/or monitored, and there are some websites that you need to access that are blocked? With the help of your home PC you might be able to set up a more agreeable situation at the remote site.
SSH port forwarding to port 6667. This can be done with ports 80 and 443 as well.
1. Install and run the OpenSSH server on your Linux home computer. Configure the SSH daemon to run on a non-standard port such as 9009 or even 443 (this can be a critical step because the firewall at your remote location might block port 22 outbound). Then configure your home router or firewall to permit inbound traffic on the port number you chose. Need help with this? Visit
PortForward.com.
If your home computer is Windows based, you can install the
Windows version of OpenSSH. Then you need to run these three commands in succession in a command prompt:
cd C:\Program Files\OpenSSH\bin
mkgroup -l > ..\etc\group
mkpasswd -l > ..\etc\passwd 2. At the remote location, enter this command on your Linux host:
$ ssh –p 9009 –N –g –D 8080 your_user_name@your_home_IP_addressIf your PC at the remote location is Windows based, you’ll need to download PuTTY. Then view the ‘PuTTy for Windows XP’ section on
this page for detailed instructions.
3. Open Firefox on the remote host (whether Linux or Windows) and configure it to use a SOCKSv5 proxy on localhost:8080. Go to
Tools->Options-> Advanced->Network->Settings. Enter your home IP address and the port you chose in the ‘SOCKS Host’ line and make sure the SOCKSv5 radio button is selected.
4. Finally, enter
about:config
in the Firefox address bar and hit Enter. Find
network.proxy.socks_remote_dns
and change it to
true (double-click on the line). This is to ensure that Firefox will resolve DNS queries over the proxy link and not with the default DNS settings of the remote location.
5. On the remote host, use Firefox to go to an IP address checking website such as
ICanHazIP.com. You should see the IP address of your home computer (the one running OpenSSH in step 1).
6. If you get stuck, there are several links in the
Further reference section that will probably straighten you out.
Forwarding graphical (X11) applications
If what you want is to ‘remote desktop’ into a host, SSH makes it possible to open and use graphical (
X11) applications remotely. For example, you connect to the remote SSH server, enter the command ‘notepad.exe’ or ‘gedit’ and the text editor opens for you to work with
not on your local computer but on the SSH server. What you need to do is find
X11Forwarding
in
sshd_config
on the server and set it to
yes
. On the client side,
ssh_config
has to show
ForwardAgent
,
ForwardX11
, and
ForwardX11Trusted
as
yes
. Then you need issue a command using the -X switch, such as
ssh -X user@server.company.com. Next you can issue the command
startx to load the desktop environment.
Further reference
The SSH protocol, its functionality, and its many uses are a deep subject. As this article shows, there are many ways SSH can be utilized and configured. Below you will find a collection of informative SSH articles that can play a role in furthering and improving your use of the protocol.
GNUwhatimsaying.com,
How to test an SSH connection.
GNUwhatimsaying.com,
How to keep your SSH sessions alive.
Linux-Tipps,
Access the Kindle 3 with SSH via WiFi.
SANS.org,
A discussion of SSH Secure Shell (PDF).
SANS.org,
Security implications of SSH (PDF).
Doug Vitale Tech Blog,
Use an SSH terminal in Firefox.
Pastebin.org,
Log of credentials used during attempted unauthorized SSH logins.
SDF.org,
Practice SSH with an online SSH shell.
Sshmenu.org,
SSHMenu: a graphical interface for SSH.
UWaterloo.ca,
How to run an SSH server on Windows Server 2003.
SSH tunnelingIBM.com,
SSH back doors.
Linuxers.org,
Reverse SSH tunneling, bypassing firewalls and NAT.
Makeuseof.com,
How to tunnel traffic with SSH.
Souptonuts.sourceforge.net,
Breaking firewalls with OpenSSH and PuTTY.
TOIC.org,
Bypass firewalls with reverse SSH port forwarding.
TOIC.org,
SSH port forwarding.
Vdomck.org,
Reversing an SSH connection.
Symantec.com,
SSH port forwarding.
SSH command examples
The standard command syntax for
ssh is:
$ssh [user@]hostname [command]
The standard command syntax for
scp is:
$ scp SourceFileName user@remote-host:directory/TargetFileName
$ scp user@remote-host:directory/SourceFileName TargetFileName
The standard command syntax for
sftp is:
$ sftp [user@]host[:file ...]
$ sftp [user@]host[:dir[/]]
$ scp notes.txt user@ssh_server:~/ Copies the local file notes.txt to the remote SSH server and puts it in your home folder there. $ scp user@ssh_server:~/notes.txt . Copies notes.txt from your home folder on the remote SSH server and puts it in your current location on the local computer (which is indicated by the final period). $ scp /home/user/documents/info.doc username@ssh_server.domain.com: Copies the file info.doc to your home folder on the remote SSH server. $ scp username@ssh_server.domain.com:info.doc info.doc Copies info.doc back to your local computer. $ scp /home/doug/index.html doug@ssh_server.com: /var/www/htdocs/ Copies index.html from the local host to the SSH server. $ scp info.doc username@ssh_server.domain.com reports/updated-info.doc Copies info.doc from your local computer to the reports directory in your home folder on the SSH server and renames the file to updated-info.doc. $ scp -r sales username@ssh_server.domain.com: Recursively copies the folder ‘sales’ to your home directory on the SSH server. $ ssh –p 6179 ssh_server.domain.com Initiates an SSH session with ssh_server on the nonstandard port of 6179. $ ssh-keygen -t dsa Generates your public key. $ ssh -X user@ssh_server ‘gedit’ Connects to ssh_server and executes the gedit text editor. $ ssh username@ssh_server.domain.com Connects to network host ssh_server using the credentials provided. # ssh root@ssh_server.domain.com ‘df -h’ Connects to network host ssh_server as root and then shows file system info in human-readable format using the df -h command. Root logins via SSH will most likely have to first be enabled in the SSH daemon configuration file. # ssh root@ssh_server@domain.com ‘ps -ef | grep apache | grep -v grep | wc -l’ (or pgrep -c apache instead of grep apache | grep -v grep) Connects to the SSH server as root and then pipes the process table to grep apache . Useful for counting the number of Apache processes running on the server. # ssh root@ssh_server.domain.com ‘top -b -n 1 | head -n 8′ Displays the server’s vital statistics and the processes utilizing the most CPU resources. # ssh root@ssh_server.domain.com ‘who’ Displays who else is logged in to the SSH server. $ ssh -l username -L 7979:target1:22 ssh_gateway Opens an SSH connection to host ssh_gateway and redirects all connections to port 7979 on the local host to port 22 on host target11. $ ssh –f –L 1110:localhost:110 user@pop3mailserver.com Establishes a secure tunnel with the POP3 email server to retrieve mail from localhost:1110 instead of pop3mailserver.com:110. This command can work for SMTP (port 25) as well. $ ssh -X -C user@ssh_server /path/application Establishes a compressed connection to the remote host and forwards the application’s X-window content to the local host. |
All SSH, SCP, and SFTP command options
Sourced from the
OpenSSH.org manual pages.
SSH command options | Description |
ssh -1 | Forces SSH to try protocol version 1 only. |
ssh -2 | Forces SSH to try protocol version 2 only. |
ssh -4 | Forces SSH to use IPv4 addresses only. |
ssh -6 | Forces SSH to use IPv6 addresses only. |
ssh -a | Disables forwarding of the authentication agent connection. |
ssh -A | Enables forwarding of the authentication agent connection. |
ssh -b [bind_address] | Uses the address specified as the source address of the SSH connection. Obviously this is only useful on multihomed hosts with more than one IP address. |
ssh -c [cipher] | Sets the cipher specification for session encryption. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour . |
ssh -C | Requests compression of all data. |
ssh -D [bind_address:port] | Specifies a local ‘dynamic’ application-level port forwarding. This works by allocating a socket to listen to specified port on the local side, optionally bound to the [bind_address]. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. |
ssh -e [escape_char] | Sets the escape character for sessions with a pty (default: `~’). |
ssh -f | Requests SSH to go to the background just before command execution. |
ssh -F [config_file] | Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config ) will be ignored. The default for the per-user configuration file is ~/.ssh/config . |
ssh -g | Allows remote hosts to connect to local forwarded ports. |
ssh -i [identity_file] | Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/id_dsa , ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for SSHv2. |
ssh -I [pkcs11] | Specifies the PKCS#11 shared library that SSH should use to communicate with a PKCS#11 token providing the user’s private RSA key. |
ssh -k | Disables forwarding (delegation) of GSSAPI credentials to the server. |
ssh -K | Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server. |
ssh -l [login_name] | Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. |
ssh -L [bind_address:port:remote_host:remote_port] | Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified [bind_address]. |
ssh -m [MAC_list] | Specifies a comma-separated list of MAC (message authentication code) algorithms for data integrity protection. Multiple algorithms. The default is: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96 . |
ssh -M | Places the SSH client into ‘master’ mode for connection sharing. When enabled, SSH will listen for connections on a control socket specified using the ControlPath argument in ssh_config . Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to ‘no’ (the default). |
ssh -n | Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when SSH is run in the background. A common trick is to use this to run X11 programs on a remote machine. For example, ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi , and the X11 connection will be automatically forwarded over an encrypted channel. The SSH program will be put in the background. This does not work if SSH needs to ask for a password or passphrase; see also the -f option.) |
ssh -N | Does not execute a remote command; useful for just forwarding ports (SSHv2 only). |
ssh -o [option] | Used to give options in the format used in ssh_config . Valid options for ssh -o are: AddressFamily Specifies which address family to use when connecting. Valid family arguments are ‘any’, ‘inet’ (IPv4), and ‘inet6′ (IPv6). BatchMode [yes | no] If set to ‘yes’, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be ‘yes’ or ‘no’ (default). BindAddress [IP_address] Uses the specified address on the local machine as the source address of the SSH connection. This option does not work if UsePrivilegedPort is set to ‘yes’. ChallengeResponseAuthentication [yes | no] Specifies whether to use challenge-response authentication. The argument must be ‘yes’ or ‘no’ (default). CheckHostIP If this flag is set to ‘yes’ (default), SSH will additionally check the host IP address in the known_hosts file which allows SSH to detect if a host key changed due to DNS spoofing. If set to ‘no’, the check will not be executed. Cipher Specifies the cipher to use for encrypting the session SSHv1 only. Ciphers Specifies the ciphers allowed for SSHv2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, and cast128-cbc. The default is: aes128-ctr,aes192-ctr,aes256ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour . ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is automatically set by scp and SFTP. The argument must be ‘yes’ or ‘no’ (default). Compression Enables or disables compression. The argument must be ‘yes’ or ‘no’ (default). CompressionLevel For SSHv1 only. Specifies the compression level to use if compression is enabled. ConnectionAttempts Specifies the number of connection tries (one per second) to make before exiting (default is 1). The argument must be an integer. ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. This value is used only when the target is really down or unreachable, not when it refuses the connection. ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to ‘yes’, SSH will listen for connections on a control socket specified using the ControlPath argument. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to ‘no’ (the default). These sessions will try to reuse the master instance’s network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist or is not listening. Setting this to ‘ask’ will cause SSH to listen for control connections, but require confirmation using the SSH_ASKPASS program before they are accepted. If the ControlPath cannot be opened, SSH will continue without connecting to a master instance. ‘Auto’ and ‘autoask’ allow for opportunistic multiplexing (try to use a master connection but fall back to creating a new one if one does not already exist). ‘Autoask’ requires confirmation like ‘ask’. ControlPath Specifies the path to the control socket used for connection sharing as described in the ControlMaster section above, or the string ‘none’ to disable connection sharing. In the path, ‘%L ‘ will be substituted by the first component of the local host name, ‘%l ‘ will be substituted by the local host name (including any domain name), ‘%h ‘ will be substituted by the target host name, ‘%n ‘ will be substituted by the original target host name specified on the command line, ‘%p ‘ the port, ‘%r ‘ by the remote login username, and ‘%u ‘ by the username of the user running SSH. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h , %p , and %r as these ensure that shared connections are uniquely identified. ControlPersist When used in conjunction with ControlMaster , specifies that the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. If set to ‘no’, then the master connection will not be placed into the background, and will close as soon as the initial client connection is closed. If set to ‘yes’, then the master connection will remain in the background indefinitely (until killed or closed via a mechanism such as the -O exit option). If set to a time in seconds, or a time in any of the formats documented in sshd_config , then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time. DynamicForward Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing addresses in square brackets. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind address may be used to bind the connection to a specific address. The bind address of ‘localhost ‘ indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces. EnableSSHKeysign Setting this option to ‘yes’ in the global client configuration file /etc/ssh/ssh_config enables the use of the helper program ssh-keysign during HostbasedAuthentication . The argument must be ‘yes’ or ‘no’ (default). This option should be placed in the non-host-specific section. EscapeChar Sets the escape character (default: `~' ). The argument should be a single character, `^' followed by a letter, or ‘none’ to disable the escape character entirely (making the connection transparent for binary data). ExitOnForwardFailure Specifies whether SSH should terminate the connection if it cannot set up requested dynamic, tunnel, local, and remote port forwardings. The argument is either ‘yes’ or ‘no’ (default). ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must ‘yes’ or ‘no’ (default). ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be ‘yes’ or ‘no’ (default). ForwardX11Timeout Specifies a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of sshd_config . X11 connections received by SSH after this time will be refused. The default is to disable untrusted X11 forwarding after twenty minutes has elapsed. ForwardX11Trusted If this option is set to ‘yes’, remote X11 clients will have full access to the original X11 display. If this option is set to ‘no’ (default), remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth token used for the session will be set to expire after 20 minutes and remote clients will be refused access after this time. GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, SSH binds local port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that SSH should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be ‘yes’ or ‘no’ (default). GlobalKnownHostsFile Specifies one or more files to use for the global host key database, separated by white space. The default is /etc/ssh/ssh_known_hosts , /etc/ssh/ssh_known_hosts2 . GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. The default is ‘no’. SSHv2 only. GSSAPIDelegateCredentials Forwards (delegates) credentials to the server. The default is ‘no’. SSHv2 only. HashKnownHosts Indicates that SSH should hash host names and addresses when they are added to ~/.ssh/known_hosts . These hashed names may be used normally by SSH and sshd , but they do not reveal identifying information should the file’s contents be disclosed. The default is ‘no’. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen . HostbasedAuthentication Specifies whether to try rhosts -based authentication with public key authentication. The argument must be ‘yes’ or ‘no’ (default). This option applies to SSHv2 only and is similar to RhostsRSAAuthentication . HostKeyAlgorithms Specifies the SSHv2 host key algorithms that the client wants to use in order of preference. The default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss . If host keys are known for the destination host then this default is modified to prefer their algorithms. HostKeyAlias Specifies an alias that should be used instead of the real hostname when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host. HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. If the hostname contains the character sequence ‘%h ‘, then this will be replaced with the host name specified on the command line (this is useful for manipulating unqualified names). The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications). IdentitiesOnly Specifies that SSH should only use the authentication identity files configured in the ssh_config files, even if ssh-agent offers more identities. The argument to this keyword must be ‘yes’ or ‘no’ (default). This option is intended for situations where ssh-agent offers many different identities. IdentityFile Specifies a file from which the user’s DSA, ECDSA or DSA authentication identity is read. The default is ~/.ssh/id_dsa , ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for SSHv2. Additionally, any identities represented by the authentication agent will be used for authentication. SSH will try to load certificate information from the file name obtained by appending -cert.pub to the path of a specified IdentityFile . The file name may use the tilde syntax to refer to a user’s home directory or one of the following escape characters: ‘%d ‘ (local user’s home directory), ‘%u ‘ (local user name), ‘%l ‘ (local host name), ‘%h ‘ (remote host name) or ‘%r ‘ (remote user name). IPQoS Specifies the IPv4 type of service or DSCP class for connections. Accepted values are: ‘af11′, ‘af12′, ‘af13′, ‘af21′, ‘af22′, ‘af23′, ‘af31′, ‘af32′, ‘af33′, ‘af41′, ‘af42′, ‘af43′, ‘cs0′, ‘cs1′, ‘cs2′, ‘cs3′, ‘cs4′, ‘cs5′, ‘cs6′, ‘cs7′, ‘ef’, ‘lowdelay’, ‘throughput’, ‘reliability’, or a numeric value. This option may take one or two arguments, separated by white space. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is ‘lowdelay’ for interactive sessions and ‘throughput’ for non-interactive sessions. KbdInteractiveAuthentication Specifies whether to use keyboard interactive authentication. The argument must be ‘yes’ (default) or ‘no’. KbdInteractiveDevices Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: ‘bsdauth’, ‘pam’, or ‘skey’. KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 . LocalCommand Specifies a command to execute on the local machine after successfully connecting to the SSH server. The command string extends to the end of the line, and is executed with the user’s shell. The following escape character substitutions will be performed: ‘%d ‘ (local user’s home directory), ‘%h ‘ (remote host name), ‘%l ‘ (local host name), ‘%n ‘ (host name as provided on the command line), ‘%p ‘ (remote port), ‘%r ‘ (remote user name) or ‘%u ‘ (local user name). The command is run synchronously and does not have access to the session of the SSH that spawned it. It should not be used for interactive commands. This directive is ignored unless PermitLocalCommand has been enabled. LocalForward Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ‘localhost’ indicates that the listening port be bound for local use only, while an empty address or ‘* ‘ indicates that the port should be available from all interfaces. LogLevel Gives the verbosity level that is used when logging messages from SSH. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output. MACs Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96 . NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across hosts. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost . The argument to this keyword must be ‘yes’ or ‘no’. The default is to check the host key for localhost . NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer (default is 3). PasswordAuthentication Specifies whether to use password authentication. The argument must be ‘yes’ (default) or ‘no’. PermitLocalCommand Allow local command execution via the LocalCommand option or using the !command escape sequence in SSH. The argument must be ‘yes’ or ‘no’ (default). PKCS11Provider Specifies which PKCS#11 provider to use. The argument to this keyword is the PKCS#11 shared library should use to communicate with a PKCS#11 token providing the user’s private RSA key. Port Specifies the port number to connect on the remote host. The default is port 22. PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). The default is: gssapi-with-mic,hostbased,publickey,keyboard-interactive,password . Protocol Specifies the protocol versions SSH should support in order of preference. The possible values are ’1′ and ’2′ (default). Multiple versions must be comma-separated. When this option is set to ’2,1′ SSH will try version 2 and fall back to version 1 if version 2 is not available. ProxyCommand Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user’s shell. In the command string, any occurrence of ‘%h ‘ will be substituted by the host name to connect, ‘%p ‘ by the port, and ‘%r ‘ by the remote user name. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an SSH server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to ‘none’ disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command. PubkeyAuthentication Specifies whether to try public key authentication (SSHv2 only). The argument to this keyword must be ‘yes’ (default) or ‘no’. RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated (SSHv2 only). The argument is the number of bytes, with an optional suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between ’1G’ and ’4G’, depending on the cipher. RemoteForward Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be [bind_address:port] and the second argument must be [host:hostport]. IPv6 addresses can be specified by enclosing addresses in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Privileged ports can be forwarded only when logging in as root on the remote machine. If the port argument is ’0′, the listen port will be dynamically allocated on the server and reported to the client at run time. If the bind_address is not specified, the default is to only bind to loopback addresses. If the bind_address is ‘*’ or an empty string, then the forwarding is requested to listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled. RequestTTY Specifies whether to request a pseudo-tty for the session. The argument may be one of: ‘no’ (never request a TTY), ‘yes’ (always request a TTY when standard input is a TTY), ‘force’ (always request a TTY) or ‘auto’ (request a TTY when opening a login session). This option mirrors the -t and -T flags for SSH. RhostsRSAAuthentication Specifies whether to try rhosts-based authentication with RSA host authentication. The argument must be ‘yes’ or ‘no’ (default). This option applies to SSHv1 only and requires SSH to be setuid root . RSAAuthentication Specifies whether to try RSA authentication. The argument to this keyword must be ‘yes’ (default) or ‘no’. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. SendEnv Specifies which variables from the local environ should be sent to the server. Note that environment passing is only supported for SSHv2. The server must also support it, and the server must be configured to accept these environment variables. Refer to AcceptEnv in sshd_config for how to configure the server. The default is not to send any environment variables. ServerAliveCountMax Sets the number of server alive messages (default: 3) which may be sent without SSH receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, SSH will disconnect from the server, terminating the session. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. This option applies to SSHv2 only. ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, SSH will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. This option applies to SSHv2 only. StrictHostKeyChecking If this flag is set to ‘yes’, SSH will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. If this flag is set to ‘no’, SSH will automatically add new host keys to the user known hosts files. If this flag is set to ‘ask’ (default), new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and SSH will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. TCPKeepAlive Specifies whether the host should send TCP keepalive messages to the other side. If they are sent, downtime of one of the hosts will be properly noticed. The arguments are ‘yes’ (default) and ‘no’. Tunnel Request TUN device forwarding between the client and the server. The argument must be ‘yes’, ‘point-to-point’ (layer 3), ‘ethernet’ (layer 2), or ‘no’ (default). Specifying ‘yes’ requests the default tunnel mode, which is ‘point-to-point’. TunnelDevice Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun). The argument must be [local_tun:remote_tun]. The devices may be specified by numerical ID or the keyword ‘any’, which uses the next available tunnel device. If remote_tun is not specified, it defaults to ‘any’. The default is ‘any:any’. UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be ‘yes’ or ‘no’ (default). If set to ‘yes’, SSH must be setuid root . Note that this option must be set to ‘yes’ for RhostsRSAAuthentication with older servers. User Specifies the user to log in as. This can be useful when a different user name is used on different hosts. This saves the trouble of having to remember to give the user name on the command line. UserKnownHostsFile Specifies one or more files to use for the user host key database, separated by white space. The default is ~/.ssh/known_hosts , ~/.ssh/known_hosts2 . VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to ‘yes’, the client will implicitly trust keys that match a secure fingerprint from DNS. If this option is set to ‘ask’, information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. Insecure fingerprints will be handled as if this option were set to ‘ask’. The argument must be ‘yes’, ‘no’, (default) or ‘ask’. This option applies to SSHv2 only. VisualHostKey If this flag is set to ‘yes’, an ASCII art representation of the remote host key fingerprint is printed in addition to the hex fingerprint string at login and for unknown host keys. If this flag is set to ‘no’ (default), no fingerprint strings are printed at login and only the hex fingerprint string will be printed for unknown host keys. XAuthLocation Specifies the full path name of the xauth program. The default is /usr/X11R6/bin/xauth . |
ssh -p [port] | Specifies the port to connect to on the remote host. |
ssh -q | Enables quiet mode which causes most warning and diagnostic messages to be suppressed. |
ssh -R [bind_address:port:host:hostport] | Specifies that the given port on the remote host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to [port] on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine. By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a [bind_address]. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote [bind_address] will only succeed if the server’s GatewayPorts option is enabled. If the port argument is ’0′, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output. |
ssh -s | May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg., SFTP). The subsystem is specified as the remote command. |
ssh -S [ctrl_path] | Specifies the location of a control socket for connection sharing, or the string ‘none’ to disable connection sharing. Refer to the descriptions of ControlPath and ControlMaster for details. |
ssh -t | Forces pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine which can be very useful, e.g. when implementing menu services. Multiple -t options force TTY allocation, even if SSH has no local TTY. |
ssh -T | Disables pseudo-tty allocation. |
ssh -v | Enables verbose mode which causes SSH to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity (maximum is 3). |
ssh -V | Displays the SSH version number. |
ssh -w local_tun[:remote_tun] | Requests tunnel device forwarding with the specified tun devices between the client (local_tun ) and the server (remote_tun ). The devices may be specified by numerical ID or the keyword ‘any’, which uses the next available tunnel device. If remote_tun is not specified, it defaults to ‘any’. See also the Tunnel and TunnelDevice directives in ssh_config . If the Tunnel directive is unset, it is set to the default tunnel mode, which is ‘point-to-point’. |
ssh -W [host:port] | Requests that standard input and output on the client be forwarded to host on the given port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings and works with SSHv2 only. |
ssh -x | Disables X11 forwarding. |
ssh -X | Enables X11 forwarding. |
ssh -y | Sends log information using the syslog system module. By default this information is sent to stderr. |
ssh -Y | Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls. |
SCP command options | Description |
scp -1 | Forces SCP to use SSHv1. |
scp -2 | Forces SCP to use SSHv2. |
scp -3 | Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. Note that this option disables the progress meter. |
scp -4 | Forces SCP to use IPv4 addresses only. |
scp -6 | Forces SCP to use IPv6 addresses only. |
scp -B | Enables batch mode (prevents asking for passwords or passphrases). |
scp -c [cipher] | Selects the cipher to use for encrypting the data transfer. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour . |
scp -C | Enables compression. |
scp -F [ssh_config_file] | Specifies an alternative per-user configuration file for SSH. |
scp -i [identity_file] | Selects the file from which the identity (private key) for public key authentication is read. |
scp -l | Limits the bandwidth utilized in Kb/s. |
scp -o [option] | Same as ssh -o above. |
scp -p | Preserves modification times, access times, and modes from the original file. |
scp -P [port] | Specifies the port to connect to on the remote host. |
scp -q | Enables quiet mode which disables the progress meter as well as the warning and diagnostic messages from SSH. |
scp -r | Recursively copies entire directories. Note that SCP also follows symbolic links encountered in the tree traversal. |
scp -S [program] | Names the program to use for the encrypted connection. The program must understand SSH options. |
scp -v | Enables verbose mode which causes SCP and SSH to print debugging messages about their progress. This is helpful in debugging connection, authentication, and configuration problems. |
SFTP command options | Description |
sftp -1 | Specifies the use of SSHv1. |
sftp -2 | Specifies the use of SSHv2. |
sftp -4 | Forces SFTP to use IPv4 addresses only. |
sftp -6 | Forces SFTP to use IPv6 addresses only. |
sftp -b [batch_file] | Batch mode; reads a series of commands from an input batch file instead of stdin. |
sftp -B [buffer_size] | Specifies the size of the buffer that SFTP uses when transferring files (default is 32768 bytes). |
sftp -c [cipher] | Selects the cipher to use for encrypting the data transfer. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour . |
sftp -C | Enables compression. |
sftp -D [sftp_server_path] | Connects directly to a local SFTP server (rather than via SSH). |
sftp -F [ssh_config_file] | Specifies an alternative per-user configuration file for SSH. |
sftp -i [identity_file] | Selects the file from which the identity (private key) for public key authentication is read. |
sftp -l [limit] | Limits the bandwidth utilized in Kb/s. |
sftp -o [option] | Same as ssh -o above. |
sftp -p | Preserves modification times, access times, and modes from the original files transferred. |
sftp -P [port] | Specifies the port to connect to on the remote host. |
sftp -r | Recursively copies entire directories when uploading and downloading. Note that SFTP does not follow symbolic links encountered in the tree traversal. |
sftp -R [num_requests] | Specifies how many requests may be outstanding at any one time (default is 64 outstanding requests). |
sftp -s [subsystem | sftp_server] | Specifies the SSHv2 subsystem or the path for an SFTP server on the remote host. |
sftp -S [program] | Names the program to use for the encrypted connection. The program must understand SSH options. |
sftp -v | Raises the logging level. |
>bye | Quits SFTP. |
>cd [path] | Changes the current remote directory to the one specified in [path]. |
>chgrp [group] [path] | Changes group of file [path] to [group]. [grp] must be a numeric GID. |
>chown [owner] [path] | Changes the owner of file [path] to [owner]. [owner] must be a numeric UID. |
>df [path] | Displays usage information for the filesystem holding the current directory (or [path] if specified). This command is only supported on servers that implement the ‘statvfs@openssh.com’ extension. |
>df -h [path] | Displays usage information for the filesystem holding the current directory (or [path] if specified with the capacity information displayed using “human-readable” suffixes. |
>df -i [path] | Displays usage information for the filesystem holding the current directory (or [path] if specified and requests display of inode information in addition to capacity information. |
>exit | Quits SFTP. |
>get [remote_path] [local_path] | Retrieves the file specified in [remote_path] and stores it on the local host. If the [local_path] name is not specified, the file is given the same name it has on the remote host. |
>get -p [remote_path] [local-path] or >get -P [remote_path] [local-path] | Retrieves the file specified in [remote_path], stores it on the local host, and full file permissions and access times are copied also. |
>get -r [remote_path] [local-path] | Recursively retrieves the file specified in [remote_path] (along with all sub-directories and files) and stores it on the local host. |
>help | Displays the help message. |
>lcd [path | Changes the local directory to [path]. |
>lmkdir [path] | Creates the local directory specified by [path]. |
>ln [oldpath] [newpath] | Creates a hard link from [oldpath] to [newpath]. |
>ln -s [oldpath] [newpath] | Creates a symbolic link from [oldpath] to [newpath]. |
>lpwd | Displays the local working directory. |
>ls [path] | Displays a directory listing of either the remote [path] specified or the current remote directory if [path] is not specified. |
>ls -1 [path] | Displays a single columnar directory listing of either the remote [path] specified or the current remote directory if [path] is not specified. |
>ls -a [path] | Displays a full directory listing (including hidden files) of either the remote [path] specified or the current remote directory if [path] is not specified. |
>ls -f [path] | Displays a directory listing (without sorting) of either the remote [path] specified or the current remote directory if [path] is not specified. |
>ls -h [path] | Displays a directory listing of either the remote [path] specified or the current remote directory using unit suffixes such as Byte, Kilobyte, Megabyte, Gigabyte, Terabyte, Petabyte, and Exabyte in order to reduce the number of digits to four or fewer using powers of 2 for sizes (K=1024, M=1048576, etc.). |
>ls -l [path] | Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and also displays additional details including permissions and ownership information. |
>ls -n [path] | Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) by producing a long listing with user and group information presented numerically. |
>ls -r [path] | Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and reverses the sort order of the listing. |
>ls -S [path] | Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and sorts the listing by file size. |
>ls -t [path] | Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and sorts the listing by last modification time. |
>lumask [umask] | Sets the local umask to [umask] . |
>mkdir [path] | Creates the remote directory specified by [path]. |
>progress | Toggles the display of the progress meter. |
>put [local_path] [remote_path] | Uploads the file specified in [local_path] and stores it on the remote host. If the [remote_path] name is not specified, the file is given the same name it has on the local machine. |
>put -p [local_path] [remote_path] or put -P [local-path] [remote-path] | Uploads the file specified in [local_path] (along with full file permissions and access times) and stores it on the remote host. If the [remote_path] name is not specified, the file is given the same name it has on the local machine. |
>put -r [local_path] [remote_path] | Recursively uploads the file specified in [local_path] (along with all subdirectories and files) and stores it on the remote host. |
>pwd | Displays the remote working directory. |
>quit | Quits SFTP. |
>rename [oldpath] [newpath] | Renames the remote file from [oldpath] to [newpath]. |
>rm [path] | Deletes the remote file specified by [path]. |
>rmdir [path] | Removes the remote directory specified by [path]. |
>symlink [oldpath] [newpath] | Creates a symbolic link from [oldpath] to [newpath]. |
>version | Displays the SFTP protocol version. |
>! | Escapes to the local shell. |
>! [command] | Executes [command] in the local shell. |
>? | Prints the help message. |