10 ssh Options for a Secure Shell for Safe Data Communication

A system administrator may have managed more than 1 servers. Then those servers may located in different places. Visiting the servers one by one may not the best way to manage them. Then a remote method can be an effective way to manage them. One of the common aplication for remote activity is SSH.

What is SSH

SSH or Secure Shell is a cryptographic network protocol. The data through this protocol will be encrypted to ensure that no one can read if the data leaked in the middle. To use SSH, the destination machine should have a SSH server application installed because SSH is a client-server model. SSH is usually used when you want to remote hosts in a secure way over the insecure network such as the Internet.

Installing SSH

Modern Linux should have installed SSH by default. If its not, we can install it manually. The easiest way to install SSH is through your Linux package manager.

On Debian / Ubuntu Linux based :

Install ssh-client

$ sudo apt-get install openssh-client

Install ssh-server

$ sudo apt-get install openssh-server

On RedHat / CentOS Linux based :

# yum install openssh-server openssh-clients

Once SSH is installed we can check it by typing ssh from your Linux console.

An ssh client

Using SSH

SSH provides a lot of options to be used. In this article we will cover some options that may useful in day-to-day operations.

1) Run SSH without no options

A common way to use SSH is without any options. Just type “ssh ”. Here’s a sample :

$ ssh

SSH connecti confirmation

When the first time you connect to destination host, ssh will confirm you about the authenticity of the destination host. If you answer No, then SSH will not continue while if you said Yes, SSH will continue.

Connecting to SSH

The next time you login into the same host, SSH will not ask you a confirmation. The authenticity oft the host by default is saved under /home/user/.ssh folder in every user.

2) Specify a username for login

By default, ssh will try to connect using active user as a username. On the previous command, ssh will try to login into the server using a username named pungki. This is because user pungki on the client side, is running ssh client.

What about if in the destination host, there is no user named pungki? Then you must supply a username that exist in the destination host. To specify the username from the beginning, use -l option

$ ssh -l leni

Ssh using -l option

We can also type like this :

$ ssh [email protected]

Another way to supply username

3) Specify the port

SSH default port is 22. Most modern Linux are open port 22. If you run ssh without defining a port, then ssh will direct the request via port 22.

But some system administrator may change the default SSH port. Let say that the port now is 1234. To contact that host, use -p option followed by SSH port.

$ ssh -p 1234

To change the port number, we need to modify the /etc/ssh/ssh_config.
Find the line :

Port 22

Change it into another port, for example above, is 1234. Then restart the SSH service.

4) Request compression on every data

With this option, all data which sent and received via SSH will be compressed. The data still encrypted. To use compression with SSH, use -C option.

$ ssh -C

This option will be useful if your connection is slow, such as using a modem. But when you are using a fast connection such as LAN or higher, than compression will be slow down your transfer rate.
The level of compression can be controlled using -o option followed by CompressionLevel option. But this option will only applied for SSH-1.

5) Define a cipher algorithm

SSH provides some cipher algorithms to be used. These algorithms can be seen inside /etc/ssh/ssh_config or ~/.ssh/config file (if exist).

SSH cipher configuration example

Let say you want to use blowfish algorithm for encrypting your SSH session. Then you can put this line into your /etc/ssh/ssh_config or ~/.ssh/config file :

Cipher blowfish

By default, SSH will use 3des algorithm

6) Turn on debug mode

For some reason, we may want to debug the SSH connection that we want to create. SSH provides -v option to do this.

$ ssh -v

debug ssh connection

7) Bind source address

If your client has more than 2 IP Address, you might not know which IP Address is used to create a connection to the SSH server.

More than 1 IP Address

To solve this situation, we can use -b option which will bind an IP Address to SSH connection. This IP Address will be used as the source address of the connection.

$ ssh -b -l leni

On the server side, we can check the established connection to the server using netstat. We see that connection is established.

Bind address using SSH

8) Change default configuration file

By default, ssh will use ssh configuration file which located in /etc/ssh/ssh_config. This file is applied to system wide. If you want to apply the particular setting to the specific user, you should put it in ~/.ssh/config file. If you don’t see it, you can create it.

Here’s a sample of a custom ssh_config. This config is located in /home/pungki directory.

Host 192.168.0.*
ForwardX11 yes
PasswordAuthentication yes
ConnectTimeout 10
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Protocol 2
HashKnownHosts yes

To use a specific config file, we can use -F option.

$ ssh -F /home/pungki/my_ssh_config

Specify your ssh_config

9) Use SSH X11 Forwarding

For some reason, you may want to display a X11 application on the server into your client computer. SSH provides -X option to do this. But in order to enable this feature, we need some preparation. Here are the settings

On the server side, you need to enable line ForwardX11 yes or X11Forward yes in /etc/ssh/ssh_config. Then restart your SSH server.

Then on the client side, type ssh -X [email protected] :

$ ssh -X [email protected]

Once you have logged on, you can check it by typing :

$ echo $DISPLAY

You should see something like


Then to run an application, just type the command of the application. Let say you want to run xclock application. Then type :

$ xclock

Use X11 Formading

When it runs, actually you are running the xclock application on the remote system, but display it on your local system.


11) Trusted X11 Forwarding

If you pretty sure that your network is secure, then you may want to use Trusted X11 Forwarding. This mean that the remote X11 clients will have full access to the original X11 display. To use this option, we can use -Y option.

$ ssh -Y [email protected]

SSH _Y for trusted connection


We believe that SSH is used in wide-range area. Security and flexibility is one of the SSH offers to the user. As usual, we can always type man ssh and man ssh_config to display its manual pages and explore more detail.

Pungki Arianto 10:08 am

About Pungki Arianto

Pungki , currently working as a Linux / Unix administrator for a banking company. He love to work in Linux / Unix since it's fun for him. He is also interested in information technology, information security and writing.

Author Archive Page

Have anything to say?

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.

1 Comment