Updated 6/10/2025
ssh [options] [host_user_name@]IP_Address_or_Host_Name [command]
  -p port_number
  -4   Use only IPv4 addresses
  -6   Use only IPv6 addresses
  -L   Local port forwarding (tunneling)
  -o   Other options
  Many others
The ease of logging into other computers via ssh, and updating them, is the main reason that I decided to learn Linux.
SSH provides a secure, encrypted connection between two hosts over an insecure network. It replaces telnet, which is insecure. The connection can be used for terminal access, file transfers, and for tunneling other applications. Tunneling allows graphical applications, such as VNC, to be run over a secure connection.
SSH runs on TCP/IP port 22. If you do not provide a host_user_name, the client's user name will be used.
The first time you use ssh to connect to a remote machine, you will receive a message similar to:
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established. ED25519 key fingerprint is SHA256:+FzuXGgk1CJdQj123hmDFbcVZx1o71AjdGKod18q2ew. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])?
Typing yes produces:
Warning: Permanently added '192.168.0.6' (ED25519) to the list of known hosts.
This adds a host identifier to the client's known_hosts file at ~/.ssh/known_hosts, similar to:
|1|0NC6d9tXk9Jg5AwwOEhJTVQ8I1s=|ZTLI9JuAdktLefpsScCFHFkPDLQ= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSL0DfR8lai/+gLDEs2B30X452uzSWaxxw2rD676ROs
In the above, "ED25519" is the host key type, an EdDSA signature algorithm, and the first field is the hashed host name.
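As an added example (not from the original notes), the following Python checks a hashed known_hosts entry of the kind shown above: OpenSSH stores `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))` so the file does not reveal which hosts you have visited, and this is the check that `StrictHostKeyChecking=no` bypasses. The salt value and the `AAAAtest` key strings in the sample are constructed; the ssh-ed25519 line is the one from these notes.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # prefix OpenSSH uses for hashed host names (ssh-keygen -H)

def hash_hostname(hostname, salt=None):
    """Return the hashed-host field OpenSSH would write for hostname."""
    if salt is None:
        salt = os.urandom(20)          # OpenSSH uses a 20-byte (SHA-1 sized) salt
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())

def host_matches(hosts_field, hostname):
    """True if the first field of a known_hosts line covers hostname."""
    if hosts_field.startswith(HASH_MAGIC):
        _, _, salt_b64, digest_b64 = hosts_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)   # constant-time compare
    # Unhashed entries may list several names separated by commas.
    return hostname in hosts_field.split(",")

def parse_known_hosts_line(line):
    """Split a known_hosts line into (hosts field, key type, base64 key)."""
    hosts, key_type, key = line.split()[:3]
    return hosts, key_type, key

def find_host_key(lines, hostname):
    """Return (key_type, key) recorded for hostname, or None if unknown."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, key = parse_known_hosts_line(line)
        if host_matches(hosts, hostname):
            return key_type, key
    return None

if __name__ == "__main__":
    # Constructed sample file: one hashed entry (fixed salt) and one plain entry.
    sample = [hash_hostname("192.168.0.6", b"\x01" * 20) + " ssh-ed25519 AAAAtest",
              "10.0.0.5,nas ssh-rsa AAAArsa"]
    print(find_host_key(sample, "192.168.0.6"))   # found via the hashed entry
    print(find_host_key(sample, "192.168.0.9"))   # None: never connected, so ssh would prompt
```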
The client configuration is located at:
/etc/ssh/ssh_config
A large number of options can be set in this file.
Command line options take precedence over the configuration file. For example:
ssh -o StrictHostKeyChecking=no user_name@server_ip
will disable checking the file ".ssh/known_hosts" to see if the server's identification matches.
The SSH server configuration file is located at:
/etc/ssh/sshd_config
Some of the more popular settings you can change are:
You can also allow or disallow users and groups:
Note that after the keyword, you need a Tab key, not a space. To list multiple users or groups, separate them with a space.
After you modify the configuration file, you need to restart the service:
sudo systemctl restart sshd
In order to log in via ssh, you have to specify a user name, hence this is only useful when you want to block a valid user from logging in remotely.
Passwordless authentication uses asymmetric cryptography. Two keys are generated: a private key and a public key. The public key is placed on the server. Anyone with the public key can encrypt data, but only someone with the private key can read it. Possession of the private key is proof of the user's identity. Private keys are called identity keys.
Only someone with the private key that corresponds to the public key placed on the server will be able to authenticate successfully.
Keys are generated by the client with ssh-keygen.
Private and public keys (RSA by default) are generated with the command:
ssh-keygen [options]
  -t type   encryption algorithm (key type)
  -b bits   size of the key in bits
If you do not use the -t option, it defaults to rsa. A popular type is ed25519.
ssh-keygen -t ed25519
Next, hit return for all of the prompts. When prompted for a passphrase, do not enter one; just hit return. Otherwise, you will have to enter the passphrase every time you log in.
By default, both the private and public key will be stored in the ~/.ssh directory: id_rsa (private) and id_rsa.pub (public).
Now copy the public key to the remote host with the command:
ssh-copy-id -i $HOME/.ssh/id_rsa.pub host_user_name@your-remote-host
Change host_user_name@your-remote-host appropriately.
On the remote host, you will see a new file: ~/.ssh/authorized_keys.
You use this method when you have access to an SSH Server.
According to Debian's man page, the syntax is:
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
At present, I'm not sure what the general definition of a socket is. Most of the articles that I have read say that a socket is an IP address with a port number.
For the present, we will only consider the first syntax without the optional bind_address. What are port, host, and hostport?
"Port" is an arbitrary port on the local machine that is not a "well known" port (a port above 1024).
According to reference [3], "host" depends on which machine the remote application is on. If the remote application is not on the same machine as the remote SSH server, then the syntax is:
ssh -L local_port:remote_address:remote_port user_name@ssh_server
However, if the remote application is on the same machine as the remote SSH server, the syntax is:
ssh -L local_port:localhost:remote_port user_name@ssh_server
In the latter, localhost refers to the loopback IP address of the remote host that contains both the SSH server and the application server.
The -L option is often used with the -N (do not run a remote command) and -f (go to the background) options:
To kill the background process:
jobs
Get the job_number, and enter it in the command:
kill %job_number
To keep from getting a bind error such as:
bind [::1]:4444: Cannot assign requested address
run the ssh command with the -4 option (IPv4 addresses only).
Example: use TigerVNC to establish a VNC session with 192.168.1.25, first without and then with an encrypted tunnel.
Open the TigerVNC Viewer app. A dialog box will appear prompting you for the VNC server. Enter:
192.168.1.25:5900
A second dialog box will appear prompting you for both the user_name and password. After entering them press the "Connect" button.
Establish a secure encrypted tunnel:
ssh -L 4444:localhost:5900 user_name@192.168.1.25
You will be prompted for user_name's password. After entering the password, you will get a command line prompt for host 192.168.1.25. This establishes the tunnel. Keep the tunnel session open.
Now open the TigerVNC Viewer app. A dialog box will appear prompting you for the VNC server. Enter:
localhost:4444
This time localhost refers to the local machine that is forwarding the port.
A second dialog box will open prompting you for both your user name and password. After entering them, press the "Connect" button.
The only disadvantage of this method is that it requires you to enter user_name's password twice.
The Wayland VNC server starts when Wayland starts, but Wayland does not start until the desktop starts.
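As an added example (not from the original notes), the -L rules above written out in Python: it builds the tunnel-only ssh command (-4 -N -f), picks "localhost" when the application runs on the SSH server itself and the remote address otherwise, rejects well-known local ports, and parses the [bind_address:]port:host:hostport form from the man page. The ports and addresses are the ones from the VNC walk-through; nothing here actually runs ssh.

```python
def local_forward_spec(local_port, remote_port, app_host=None):
    """Return the -L argument port:host:hostport.

    app_host is None when the application (here the VNC server) runs on the
    SSH server itself, so the remote side connects to its own loopback
    address. Otherwise it is the address the SSH server connects to.
    """
    if not 1024 < local_port < 65536:
        raise ValueError("pick a local port above 1024 (not a well-known port)")
    return f"{local_port}:{app_host or 'localhost'}:{remote_port}"

def build_tunnel_argv(user, ssh_server, local_port, remote_port,
                      app_host=None, ipv4_only=True, background=True):
    """argv for a tunnel-only ssh session, as a list (no shell involved)."""
    # If the application is on the SSH server, use its loopback address.
    if app_host == ssh_server:
        app_host = None
    argv = ["ssh"]
    if ipv4_only:
        argv.append("-4")   # avoids "bind [::1]:port: Cannot assign requested address"
    argv.append("-N")       # no remote command, just the forwarding
    if background:
        argv.append("-f")   # go to background once authenticated
    argv += ["-L", local_forward_spec(local_port, remote_port, app_host),
             f"{user}@{ssh_server}"]
    return argv

def parse_forward_spec(spec):
    """Parse [bind_address:]port:host:hostport.

    Returns (bind_address or None, port, host, hostport).
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported -L syntax: {spec}")
    return bind_address, int(port), host, int(hostport)

if __name__ == "__main__":
    # The VNC tunnel from the walk-through: VNC server on the SSH host itself.
    print(" ".join(build_tunnel_argv("user_name", "192.168.1.25", 4444, 5900)))
    print(parse_forward_spec("4444:localhost:5900"))
```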
This means that if a user is already logged in, then you will be presented with the logged in user's desktop. This is regardless of what credential or user you vnc with.
If it is your own machine and you have two users, then you can reboot and then use VNC and the splash screen will appear, and you can chose a user to login with.
If Wayland's VNC server is enabled and the current desktop belongs to a user with sudo privileges, then a user without sudo privileges can log in via VNC, and he will receive the sudo user's desktop and privileges. What were they thinking !!!
sftp [options] username@IP_address_or_host_name
  -P port_number    Capital P - port to connect to on the remote host
  -oPort=number     Specify port to connect to on the remote host
get [-afpR] remote-path [local-path]
  -R   Recursive
  -p   Preserve ownership and file properties
put [-afpR] local-path [remote-path]
  -R   Recursive
  -p   Preserve ownership and file properties
"SFTP allows you to run a command using the local shell by adding an exclamation mark (!) before the command. This lets users run commands that aren't a part of the standard SFTP shell on the local system." []
sshpass is a method of supplying the password on the same line as the command rather than waiting to be prompted to enter a password. This allows you to ssh into a host from a batch file and execute commands on the host.
sshpass is not installed by default. To install it:
sudo apt install sshpass
sshpass -p'Password' ssh -o StrictHostKeyChecking=no username@ip_address
(the -o option belongs to ssh, so it comes after ssh, not after sshpass)
For example:
sshpass -p'123456' ssh -o StrictHostKeyChecking=no bill@192.168.0.1
sshpass is used in my script that detects a power outage. The script logs into my NAS (Synology) and executes a "shutdown -h now" command.