Mastering OpenSSH: Essential Commands, Configurations, and Security Tips

This guide explains how to locate, install, and verify the OpenSSH client on Linux and Windows, use basic and advanced ssh commands for remote login, manage host key verification, execute remote commands, understand encryption handshakes, and configure the client via command‑line options and ssh_config files.

Open Source Tech Hub

Introduction

The OpenSSH client binary is /usr/local/bin/ssh on Linux/Unix and \Program Files\OpenSSH\bin\ssh.exe on Windows. Most Linux distributions include ssh by default; otherwise install it with:

# Ubuntu and Debian
sudo apt install openssh-client

# CentOS and Fedora
sudo dnf install openssh-clients

After installation, verify the version with ssh -V:

$ ssh -V

Basic Usage

The most common use of ssh is to log into a remote server that runs an SSH daemon. The simplest login command is:

$ ssh hostname

hostname may be a domain name, an IP address, or an internal host name. If you omit the username, the client uses the current local username. To specify a username, use either ssh user@hostname or the -l option:

$ ssh -l username host

The default port is 22; you can change it with -p:

$ ssh -p 8821 foo.com

Connection Process

When connecting to a server for the first time, ssh displays a warning with the server’s fingerprint and asks for confirmation (yes/no). The fingerprint is the hash of the server’s public key and is stored in ~/.ssh/known_hosts. Accepting the warning adds the fingerprint to this file, preventing the warning on subsequent connections.

The authenticity of host 'foo.com (192.168.121.111)' can't be established.
ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY.
Are you sure you want to continue connecting (yes/no)?

You can view a server’s public‑key fingerprint with:

$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
256 da:24:43:0b:2e:c1:3f:a1:84:13:92:01:52:b4:84:ff   (ECDSA)

Server Key Changes

If a server’s host key changes (e.g., after a reinstall), ssh aborts the connection and shows a warning similar to:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
... (additional warning text) ...
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:36

To trust the new key, remove the old entry with ssh-keygen -R hostname or edit ~/.ssh/known_hosts manually, then reconnect.

$ ssh-keygen -R hostname
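
The following Python sketch is an added example, not code from the original article or from OpenSSH. It derives both fingerprint formats shown above (SHA256 base64 and MD5 colon-hex) from a known_hosts key blob, and classifies a presented host key as match, changed, or unknown. The key material is constructed sample data, and the known_hosts parsing is simplified to plain (unhashed) entries.

```python
import base64
import hashlib
import struct

def fingerprints(b64_key):
    """Return (SHA256, MD5) fingerprints of a base64 key blob, formatted like ssh-keygen -l."""
    blob = base64.b64decode(b64_key)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def check_host(known_hosts, host, key_type, b64_key):
    """Classify a presented host key as 'match', 'changed' or 'unknown'.

    Simplified: handles plain host entries only; hashed (|1|...) names and
    @cert-authority / @revoked marker lines are skipped.
    """
    presented = base64.b64decode(b64_key)
    conflict = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        names, ktype, key = fields[0].split(","), fields[1], fields[2]
        if host in names and ktype == key_type:
            if base64.b64decode(key) == presented:
                return "match"
            conflict = True  # same host and key type, different key
    return "changed" if conflict else "unknown"

def _sample_key(seed):
    """Constructed ssh-ed25519 blob (not a real server key): two length-prefixed strings."""
    parts = [b"ssh-ed25519", hashlib.sha256(seed).digest()]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(blob).decode()

OLD_KEY, NEW_KEY = _sample_key(b"before reinstall"), _sample_key(b"after reinstall")
KNOWN_HOSTS = f"# constructed sample file\nfoo.com,192.168.121.111 ssh-ed25519 {OLD_KEY}\n"

if __name__ == "__main__":
    for label, key in (("stored", OLD_KEY), ("presented", NEW_KEY)):
        print(label, *fingerprints(key))
    print(check_host(KNOWN_HOSTS, "foo.com", "ssh-ed25519", NEW_KEY))
```

A "changed" result corresponds to the warning above; compare the presented key's fingerprint with one read on the server itself (ssh-keygen -l -f on its host key file) before removing the old entry.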

Executing Remote Commands

After a successful login you obtain an interactive shell on the remote host. You can also run a single command without an interactive shell:

$ ssh username@hostname command

Example:

$ ssh username@hostname cat /etc/hosts

Commands that require an interactive terminal (e.g., emacs) must be run with -t:

# error
$ ssh remote.server.com emacs
emacs: standard input is not a tty

# works
$ ssh -t server.example.com emacs

Encryption Parameters

During the TLS‑style handshake the client advertises a list of cipher suites. A typical suite name looks like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and consists of protocol, key‑exchange algorithm, encryption algorithm, key length, mode, and hash function.

TLS – protocol

RSA – key‑exchange algorithm

AES – encryption algorithm

128 – key length

CBC – mode

SHA – hash function

The client sends a ClientHello with its supported suites; the server replies with a ServerHello selecting one.

SSH Command‑Line Options

Common options include:

-c cipher1,cipher2 – specify encryption algorithms (e.g., ssh -c blowfish,3des server.example.com).

-C – enable compression.

-d – set debug level (higher numbers give more output).

-D port – dynamic SOCKS proxy (port forwarding).

-f – run ssh in the background after authentication.

-F config_file – use an alternative configuration file.

-i identity_file – specify a private key (default ~/.ssh/id_dsa).

-l user – remote login name (same as user@host syntax).

-L local_port:target:remote_port – local port forwarding.

-m mac1,mac2 – choose MAC algorithms (e.g., ssh -m hmac-sha1,hmac-md5 server.example.com).

-o
