Top 32 SSH Interview Questions Every Linux Cloud Engineer Must Master
This comprehensive guide covers 32 high‑frequency SSH interview questions, from basic concepts and key management to advanced tunneling, performance tuning, and enterprise‑level security practices, providing detailed answers, best‑practice configurations, and code examples for Linux cloud environments.
In Linux cloud computing job interviews, SSH is a must‑know fundamental topic. Interviewers use SSH‑related questions to assess candidates' basic skills and security awareness. This article compiles 32 high‑frequency SSH interview questions with detailed answer guidance.
SSH High‑Frequency Interview Questions (From Easy to Hard)
I. Basic Concepts and Connection Management
Explain briefly what SSH is and its main purpose. Key points: Secure remote command‑line access, encryption, data integrity, multiple authentication methods.
Which port does SSH use by default? Why is changing the default port recommended? Key points: Default 22; changing reduces automated brute‑force attacks, adds security layer, mitigates zero‑day exploits.
Write the most basic SSH connection command for user ubuntu to host 192.168.1.100.
ssh ubuntu@192.168.1.100
(add -p for non‑standard ports).
If the SSH service listens on a non‑standard port (e.g., 2022), how should the client connect?
ssh -p 2022 username@server_ip
When connecting to an SSH server for the first time, what prompt appears and what is its purpose? Prompt: Host key verification (yes/no). Purpose: Prevent man‑in‑the‑middle attacks by confirming the server’s fingerprint.
II. Authentication Mechanisms and Key Pairs
What are the two main authentication methods in SSH? Which is more secure and why? Answer: Password authentication and public‑key authentication; public‑key is more secure because it resists brute‑force attacks, never transmits secrets, and supports easier management.
Describe how an SSH key pair (public and private key) works. How should the private key be stored? Process: Generate a key pair, deploy the public key to ~/.ssh/authorized_keys, client uses private key to sign a challenge. Best practice: Set file permissions to 600, protect with a strong passphrase, store in a secure location, avoid sharing, rotate regularly, use an SSH agent.
How to generate an RSA key pair with ssh-keygen?
ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/.ssh/my_rsa_key
Recommended modern alternative:
ssh-keygen -t ed25519 -C "[email protected]"
How to deploy a local public key to a remote server for password‑less login?
ssh-copy-id -i ~/.ssh/my_rsa_key.pub username@server_ip
Manual method:
cat ~/.ssh/my_rsa_key.pub | ssh username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Ensure ~/.ssh is 700 and authorized_keys is 600.
In /etc/ssh/sshd_config, how to enforce key authentication and disable password authentication?
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
What is an SSH Agent? What does it do and how to add a private key? The agent stores decrypted private keys in memory, so the passphrase only has to be entered once.
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/my_rsa_key
III. Server Configuration and Security
What are the main configuration files for the SSH server and client? Server: /etc/ssh/sshd_config. Client: /etc/ssh/ssh_config. User‑specific client config: ~/.ssh/config.
Besides changing the port and disabling password login, what other common server‑side security options exist?
# Disable root login
PermitRootLogin no
# Allow specific users
AllowUsers user1 user2
# Use only SSH‑2 (OpenSSH 7.4 and later support only SSH‑2 on the server and treat this option as deprecated)
Protocol 2
# Strong ciphers and key‑exchange
Ciphers [email protected],[email protected]
KexAlgorithms curve25519-sha256
# Limit authentication attempts
MaxAuthTries 3
LoginGraceTime 1m
# Disable DNS reverse lookup
UseDNS no
# Disable X11 forwarding
X11Forwarding no
# Enable fail2ban, firewall rules, etc.
How to prohibit root login via SSH? Add PermitRootLogin no to /etc/ssh/sshd_config, back up the config, test with a normal user, then reload.
How to restrict SSH login to specific users or groups (e.g., admin)? Use AllowUsers admin or AllowGroups sshusers in sshd_config.
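An added example, not part of the original article: a Python audit that computes the effective global sshd_config values and compares them with the settings recommended above. It shows a gotcha the option list alone does not: keywords are case-insensitive and the first occurrence wins, so a later "PasswordAuthentication no" does not override an earlier "yes". The function names and the sample config are constructed for illustration.

```python
import re

# Values sshd uses when a keyword is absent (OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "x11forwarding": "no",
}

# keyword -> (test on the effective value, recommendation taken from this page)
CHECKS = {
    "passwordauthentication": (lambda v: v == "no", "PasswordAuthentication no"),
    "permitrootlogin": (lambda v: v == "no", "PermitRootLogin no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 3, "MaxAuthTries 3"),
    "x11forwarding": (lambda v: v == "no", "X11Forwarding no"),
}

def effective_settings(text):
    """Parse the global section; keywords are case-insensitive, first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":  # Match blocks are conditional; stop at the first one
            break
        if len(parts) == 2:
            settings.setdefault(keyword, parts[1].strip())
    return {**DEFAULTS, **settings}

def audit(text):
    """Return one finding per recommended setting the effective config misses."""
    effective = effective_settings(text)
    return [
        f"{want} (effective: {effective[key]})"
        for key, (ok, want) in CHECKS.items()
        if not ok(effective[key])
    ]

# Constructed sample: the later "no" is ignored because the first value wins.
WEAK = "PasswordAuthentication yes\nPermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n"

if __name__ == "__main__":
    print(audit(WEAK))
```

The sketch reads one file and does not follow Include directives; on a live host, sshd -T prints the effective configuration sshd itself computed.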
After modifying SSH configuration, how to apply changes without dropping existing connections? Use sudo systemctl reload sshd (graceful reload). restart would terminate sessions.
Explain the StrictModes option and risks of misconfiguration. When enabled (default yes), SSH checks permissions of ~/.ssh, authorized_keys, private keys, etc. Incorrect permissions (e.g., 777 on ~/.ssh) cause login failures.
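An added example (not from the original article) that checks the permissions discussed here and in the key deployment answer earlier: sshd's StrictModes rejects group- or world-writable paths, while the ssh client ignores private keys accessible to group or others. File names and contents in the sample are constructed, and ownership checks are left out.

```python
import os
import stat
import tempfile

def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def _is_private_key(path):
    with open(path, "rb") as fh:
        head = fh.readline()
    return head.startswith(b"-----BEGIN ") and b"PRIVATE KEY" in head

def audit_ssh_dir(ssh_dir):
    """Return (name, octal mode, verdict) for each problem in an ~/.ssh directory."""
    findings = []
    def server_side(path, name, recommended):
        mode = _mode(path)
        if mode & 0o022:  # StrictModes refuses group/world-writable paths
            findings.append((name, f"{mode:o}", "rejected by StrictModes"))
        elif mode & ~recommended:
            findings.append((name, f"{mode:o}", f"looser than {recommended:o}"))
    server_side(ssh_dir, ".ssh", 0o700)
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        if name == "authorized_keys":
            server_side(path, name, 0o600)
        elif _is_private_key(path) and _mode(path) & 0o077:
            # The ssh client ignores private keys accessible to group or others.
            findings.append((name, f"{_mode(path):o}", "private key ignored by ssh client"))
    return findings

def build_sample(ssh_dir, dir_mode, auth_mode, key_mode):
    """Create a constructed ~/.ssh layout (placeholder contents, not real keys)."""
    for name, mode, body in (
        ("authorized_keys", auth_mode, "ssh-ed25519 AAAA...constructed user@example\n"),
        ("id_demo", key_mode, "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"),
    ):
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    os.chmod(ssh_dir, dir_mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, 0o777, 0o644, 0o640)
        print(audit_ssh_dir(d))
```

Note the distinction the output makes visible: 644 on authorized_keys is looser than the recommended 600 but does not by itself fail StrictModes, whereas 777 on ~/.ssh does.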
IV. Advanced Usage and Tunneling
What is an SSH tunnel (port forwarding)? Distinguish local and remote forwarding. Local forwarding (-L): Forward traffic from a local port to a remote host/port. Remote forwarding (-R): Forward traffic from a remote port back to the local machine.
Create a local port forward from local 8080 to remote 192.168.10.20:80.
ssh -L 8080:192.168.10.20:80 username@jump_host
Create a remote port forward so the remote server can access a local service (localhost:3000).
ssh -R 8080:localhost:3000 username@remote_server
What are SCP and SFTP and how do they relate to SSH? Both are file‑transfer protocols built on SSH. SCP is a simple copy command; SFTP provides an interactive session with file‑management commands.
Upload a local file file.txt to a remote home directory using scp.
scp file.txt username@server_ip:~/
Run a remote command without opening an interactive shell (e.g., ls /tmp).
ssh username@server_ip "ls /tmp"
V. Troubleshooting and Performance Tuning
When you cannot connect via SSH, what is your troubleshooting approach?
Network check: ping, telnet server_ip 22, nc -zv server_ip 22.
Client diagnostics: ssh -vvv user@host, review ~/.ssh/config, try different ports.
Server status: systemctl status sshd, ss -tlnp | grep :22, firewall rules, SELinux status.
Log analysis: tail -f /var/log/auth.log or /var/log/secure, journalctl -u sshd -f.
Configuration validation: sshd -t, check PermitRootLogin, PasswordAuthentication, etc.
Resource checks: disk space, memory, process list, file permissions.
Why might an SSH connection be slow and how to optimize it?
Disable DNS reverse lookup: UseDNS no in the server's sshd_config (UseDNS is an sshd option; the ssh client does not accept it).
Turn off GSSAPI: GSSAPIAuthentication no.
Prefer fast ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr.
Enable connection multiplexing: ControlMaster auto, ControlPersist 10m.
Enable compression for low‑bandwidth links: -C.
How to view SSH service connection status and login logs?
Active connections: ss -tpn | grep :22 or netstat -tpn | grep :22.
Current logged‑in users: who, w, users.
Authentication logs: tail -f /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS); also journalctl -u sshd -f.
Failed login monitoring with grep "Failed password" and tools like fail2ban.
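An added example, not part of the original article: the "Failed password" monitoring above, written as fail2ban-style detection logic that flags a source IP once it produces a given number of failures inside a time window. The log lines are constructed in the auth.log format with documentation IP ranges; the threshold, window and assumed year are illustrative parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def brute_force_sources(lines, max_failures=3, window_seconds=60, year=2024):
    """Map each source IP with max_failures failed passwords inside
    window_seconds to the sorted usernames it tried."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        users[ip].add(m["user"])
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}

# Constructed sample lines (not taken from a real system).
SAMPLE = """\
Mar 14 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar 14 10:00:05 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 14 10:00:09 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
Mar 14 10:01:00 web1 sshd[1210]: Failed password for ubuntu from 198.51.100.20 port 51000 ssh2
Mar 14 10:30:00 web1 sshd[1255]: Failed password for ubuntu from 198.51.100.20 port 51001 ssh2
Mar 14 10:30:02 web1 sshd[1256]: Accepted publickey for ubuntu from 198.51.100.20 port 51002 ssh2
""".splitlines()

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE))
```

The second source fails twice, 29 minutes apart, and stays below the default threshold; a plain grep count would not separate the two patterns.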
What is the purpose of ~/.ssh/known_hosts and how to fix a "Host key verification failed" error after a server reinstall? The file stores trusted host fingerprints. Fix by removing the old entry: ssh-keygen -R server_ip or edit ~/.ssh/known_hosts, then reconnect to accept the new fingerprint.
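An added example, not part of the original article: how a client decides between a match, a changed host key (the "Host key verification failed" case) and an unknown host, including hashed known_hosts entries, plus the SHA256 fingerprint to compare against one obtained from the server's console before accepting a new key. The key blobs, salt and host names are constructed; wildcard patterns and [host]:port entries are not handled.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """SHA256 fingerprint in the format printed by ssh and ssh-keygen -l."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match a known_hosts host field, plain or hashed (HashKnownHosts)."""
    if pattern.startswith("|1|"):
        # Hashed form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
        _, _, salt, mac = pattern.split("|")
        expected = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac))
    return host in pattern.split(",")

def check_host_key(known_hosts, host, key_type, key_b64):
    """Return 'match', 'changed' (ssh would fail verification) or 'unknown'."""
    status = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # skip comments and markers
            continue
        hosts, ktype, blob = fields[:3]
        if ktype != key_type or not host_matches(hosts, host):
            continue
        if blob == key_b64:
            return "match"
        status = "changed"
    return status

def sample_key(fill):
    """Constructed ed25519-shaped public key blob (not a real host key)."""
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes([fill]) * 32
    return base64.b64encode(blob).decode()

def hashed_host(host, salt=b"constructed-salt-001"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

OLD, NEW = sample_key(1), sample_key(2)  # key before and after a reinstall
KNOWN_HOSTS = f"192.168.1.100 ssh-ed25519 {OLD}\n{hashed_host('myserver')} ssh-ed25519 {OLD}\n"

if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "192.168.1.100", "ssh-ed25519", NEW), fingerprint(NEW))
```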
Explain the purpose of ~/.ssh/config and give an example of using it to set an alias and default options. The file defines per‑host settings for the SSH client. Example:
Host myserver
HostName 192.168.1.100
User ubuntu
Port 2222
IdentityFile ~/.ssh/my_rsa_key
Then connect with ssh myserver.
VI. Deep Principles and Enterprise Scenarios
What are the two main SSH protocol versions and why is SSH‑2 recommended? SSH‑1 (obsolete, vulnerable to MITM, weak algorithms) and SSH‑2 (modern, strong key exchange, robust authentication, MAC integrity). All modern implementations default to SSH‑2.
Briefly describe the SSH‑2 handshake and key‑exchange process.
Protocol version exchange.
Algorithm negotiation (kex, cipher, MAC, compression).
Diffie‑Hellman (or curve25519) key exchange to derive a shared secret.
Server sends its host key; client verifies against known_hosts.
Client authenticates (password or public key).
Secure channel established for commands, port forwarding, etc.
How to use SSH in automation scripts without interactive password prompts? Use public‑key authentication (empty passphrase or ssh‑agent), configure BatchMode yes in ~/.ssh/config, or employ connection multiplexing. Avoid sshpass or expect.
In a large server cluster, how to centrally manage and distribute SSH keys? What challenges and risks does this entail?
Prefer SSH certificate authentication with a private CA (ssh-keygen -s ca_key).
Use configuration management tools (Ansible, Puppet, Chef) to push authorized_keys.
Adopt dedicated key‑management platforms (HashiCorp Vault, Teleport, FreeIPA) for rotation, audit, and revocation.
Challenges: key sprawl, difficulty revoking access, audit complexity, rotation overhead, emergency response.
Best practices: enforce least‑privilege, regular key rotation, centralized logging, and incident response procedures.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
