Mastering SSH: Your Essential Command-Line Guide
Learn practical SSH commands for login, keys, file transfer, port forwarding, and reusable host configuration.
Mastering SSH: Your Essential Command-Line Guide
The Secure Shell (SSH) protocol gives you an encrypted way to log in to remote systems, run commands, and move files. If you manage servers, a few SSH command-line habits make your work faster and safer.
This guide covers the commands you will use most: remote login, key authentication, scp, sftp, local port forwarding, and ~/.ssh/config aliases.
Establishing Secure Remote Login
The most frequent use of SSH is securing a terminal connection to a remote server. The basic syntax is straightforward, but there are crucial options for enhanced security and usability.
Basic Connection Syntax
The standard command requires specifying the remote user and the host address (IP or domain name):
ssh [user]@[host]
# Example:
ssh [email protected]
Specifying a Non-Standard Port
For security reasons, many administrators change the default SSH port (Port 22). Use the -p flag to specify a different port number:
ssh -p 2222 [email protected]
Executing Single Remote Commands
SSH is not limited to opening an interactive shell. You can execute a single command on the remote server and have the output returned locally, which is extremely useful for scripting and quick checks.
# Run 'ls -l' on the remote server's /var/log directory
ssh user@host 'ls -l /var/log'
# Check the server's uptime
ssh user@host uptime
Managing Authentication with SSH Keys
Password authentication is often exposed to brute-force attacks. SSH keys use a private key on your machine and a public key on the remote server, so the server can verify you without receiving your password.
Generating Key Pairs
If you do not already have a key pair, you can generate one using ssh-keygen. It is best practice to use a strong passphrase to protect your private key.
ssh-keygen -t ed25519 -C "[email protected]"
RSA keys are still common, especially for older systems. For a new key on a modern OpenSSH setup, Ed25519 is usually the simpler default choice.
Copying the Public Key to the Server
The ssh-copy-id utility is the simplest way to install your local public key into the remote user’s ~/.ssh/authorized_keys file. You normally enter your password once, then future logins can use the key.
# Copies your default public key to the server and sets common permissions
ssh-copy-id user@host
Tip: Using the Private Key If your private key is not in the default location (
~/.ssh/id_rsa), you must use the-iflag to specify its path when connecting:ssh -i ~/.ssh/my_custom_key user@host
Secure File Transfers
SSH provides two primary tools for secure file transfer: scp (Secure Copy) and sftp (Secure File Transfer Protocol).
A. Using Secure Copy (scp)
scp is ideal for simple, quick, one-time file transfers, offering a command-line interface modeled after the standard Unix cp (copy) command.
Transferring Files Local to Remote
# Syntax: scp [local_file] [user]@[host]:/[remote_path]
scp deployment.tar.gz user@webserver:/var/www/uploads/
Transferring Files Remote to Local
# Syntax: scp [user]@[host]:/[remote_file] [local_path]
scp user@dbserver:/var/log/backup.sql .
Copying Directories Recursively
Use the -r flag to copy entire directory structures.
scp -r ~/project_files/ user@buildserver:/home/user/builds/
B. Using Secure File Transfer Protocol (sftp)
sftp establishes an interactive session, similar to a traditional FTP client, but secured via SSH. It is better suited for navigating remote directories, listing files, and performing multiple transfers within a single session.
Starting an sftp Session
sftp user@host
Common sftp Session Commands
| Command | Description |
|---|---|
ls |
List remote files |
lls |
List local files |
get filename |
Download a file from the remote server |
put filename |
Upload a file to the remote server |
cd /path/ |
Change remote directory |
lcd /path/ |
Change local directory |
quit |
Exit the sftp session |
SSH Tunneling with Local Port Forwarding
SSH tunneling, or port forwarding, allows you to encrypt connections for non-secure protocols or access services on an internal network via a jump host. The most common form is Local Port Forwarding.
Local Port Forwarding (-L)
Local forwarding routes traffic from a port on your local machine to a specified port on a remote host through the SSH server. This is useful for accessing internal databases, web interfaces, or proprietary services that are not directly exposed to the public internet.
Scenario: You want to access a private internal web server (accessible only from jumpbox) on port 80.
# Syntax: ssh -L [local_port]:[destination_host]:[destination_port] [user]@[jumpbox]
ssh -L 8080:internal-web.lan:80 user@jumpbox -N
-L 8080:internal-web.lan:80: Traffic arriving at your local machine on port 8080 is forwarded tointernal-web.lanon port 80, viajumpbox.-N: Tells SSH not to execute a remote command; it simply sets up the tunnel.
Once the connection is established, you can access the internal site by navigating your local browser to http://localhost:8080.
Improving Efficiency with the SSH Configuration File
Manually typing complex SSH commands, including custom ports, usernames, and key paths, is inefficient. The SSH configuration file (~/.ssh/config) allows you to define aliases and settings for frequently accessed servers.
Example Configuration (~/.ssh/config)
Create or edit the file ~/.ssh/config with the following structure:
# Server 1: Standard key, non-standard port
Host dev-web
HostName 10.0.0.50
User deployment_user
Port 2222
IdentityFile ~/.ssh/id_rsa_dev
# Server 2: Jumpbox access requiring key authentication
Host production-db
HostName 10.0.20.15
User sysadmin
IdentityFile ~/.ssh/prod_key
LocalForward 54320 127.0.0.1:5432
In that second example, ssh production-db opens a local port on your workstation. You can then point a PostgreSQL client at localhost:54320, and SSH carries the traffic to 127.0.0.1:5432 as seen from the remote host.
Connecting with Aliases
Once configured, connecting becomes dramatically simpler:
# Connects to 10.0.0.50 on port 2222 as deployment_user
ssh dev-web
# Connects and automatically sets up port forwarding (if configured)
ssh production-db
Key Takeaway
Start with ssh user@host, add key-based authentication, and move repeated options into ~/.ssh/config. Once those basics are solid, local forwarding with ssh -L gives you a controlled way to reach private services without exposing them directly to the network.