Learn Uses of ssh Command in Linux With Examples

SSH (Secure Shell) is a popular, powerful, software-based approach to network security. It is used for logging into a remote machine and for executing commands on it. Everything the ssh client sends over the connection, such as credentials, terminal traffic and forwarded ports, is encrypted, and the server proves its identity with a host key so that an impostor can be detected. It is designed to give you secure access to another computer across an untrusted network. The SSH server, by default, listens on TCP port 22.

To use SSH, the destination machine must have an SSH server running, because SSH follows a client-server model.

In this guide, we will learn about SSH configuration, usage and options on a Linux system to help you connect to a remote system.

Installing SSH

Modern Linux distributions usually ship the OpenSSH client by default, while the server is often optional. If either is missing, install it manually; the easiest way is through your package manager.

On Debian / Ubuntu Linux

Install ssh-client

$ sudo apt-get install openssh-client

Install ssh-server

$ sudo apt-get install openssh-server

On RedHat / CentOS Linux

# yum install openssh-server openssh-clients

Once SSH is installed, we can check it by typing ssh at the console; with no arguments it prints a usage summary listing its options.

1) SSH Usage

Run SSH without options

The most common way to use SSH is without any options. Just type ssh followed by the host name or IP address. Here's a sample:

$ ssh 192.168.0.103


The first time you connect to a host, ssh shows the fingerprint of the server's host key and asks you to confirm the authenticity of the destination. Compare the fingerprint with one obtained out of band, for example from the server console with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub, or from the administrator, before answering. If you answer no, ssh aborts; if you answer yes, ssh continues and records the key.

The next time you log into the same host, ssh does not ask for confirmation: it compares the key the server presents with the one saved in ~/.ssh/known_hosts (under each user's home directory). If the key ever differs, ssh prints a loud warning and refuses to connect, which is the check that catches a man-in-the-middle attack or a server that was silently replaced; only after confirming with the administrator that the key legitimately changed should you remove the old entry with ssh-keygen -R hostname.
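Checking the fingerprint by hand, as an added example that is not part of the original article: the script below computes the SHA256 fingerprint of a host key line in the form ssh and ssh-keygen -l print it, using only POSIX sh with base64 and sha256sum from coreutils, and compares it with a value obtained out of band. The key line and the expected fingerprint are constructed for illustration (the blob decodes to the bytes "abc" rather than to a real key); with a real line from ~/.ssh/known_hosts or from the server's /etc/ssh/ssh_host_ed25519_key.pub the same functions give the fingerprint that the first-connection prompt shows.

```shell
#!/bin/sh
# Added example, not the article's code: compute "SHA256:<base64>" for a host
# key line the way ssh and ssh-keygen -l display it, so the value shown at the
# first connection can be checked against one obtained out of band. Needs only
# POSIX sh plus base64 and sha256sum from coreutils. The demo line below is
# constructed: its blob "YWJj" decodes to the bytes "abc", not to a real key.

B64='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# hex_to_b64 HEX -> base64 of those bytes without '=' padding (ssh-keygen omits it)
hex_to_b64() {
    hex=$1 out=''
    while [ -n "$hex" ]; do
        chunk=$(printf '%s' "$hex" | cut -c1-6)       # up to 3 bytes at a time
        hex=$(printf '%s' "$hex" | cut -c7-)
        n=${#chunk}                                   # 6, 4 or 2 hex digits
        val=$(( 0x$chunk << (24 - 4 * n) ))           # left-align in a 24-bit group
        chars=$(( n / 2 + 1 ))                        # 3 bytes -> 4 chars, 2 -> 3, 1 -> 2
        i=0
        while [ "$i" -lt "$chars" ]; do
            idx=$(( (val >> (18 - 6 * i)) & 63 ))
            out="$out$(printf '%s' "$B64" | cut -c$((idx + 1)))"
            i=$((i + 1))
        done
    done
    printf '%s' "$out"
}

# key_blob LINE -> the base64 key blob from a public key line
# ("ssh-ed25519 AAAA... comment") or a known_hosts line ("host ssh-ed25519 AAAA...");
# fails for anything that does not look like one
key_blob() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^[A-Za-z0-9+\/]+=*$/) {
                  print $(i + 1); found = 1; exit
              } }
        END { exit !found }'
}

# ssh_fingerprint LINE -> "SHA256:<base64>", the fingerprint of the key in LINE
ssh_fingerprint() {
    blob=$(key_blob "$1") || return 1
    hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    printf 'SHA256:%s\n' "$(hex_to_b64 "$hex")"
}

# verify_host_key LINE EXPECTED -> 0 when the fingerprint equals EXPECTED (obtained out of band)
verify_host_key() {
    actual=$(ssh_fingerprint "$1") || return 2
    [ "$actual" = "$2" ]
}

# Constructed demo: SHA-256("abc") in base64 is the well-known value below.
DEMO_LINE='ssh-ed25519 YWJj constructed-demo-key'
EXPECTED='SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0'
ssh_fingerprint "$DEMO_LINE"      # prints SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0
if verify_host_key "$DEMO_LINE" "$EXPECTED"; then
    echo 'fingerprint matches the out-of-band value: safe to answer yes'
else
    echo 'FINGERPRINT MISMATCH: answer no and investigate'
fi
```

On a real key line from the server's /etc/ssh/ssh_host_ed25519_key.pub the result is identical to what ssh-keygen -lf prints for that file, which is the easiest way to cross-check it.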

Specify a username for login

By default, ssh uses the name of the local user running the client as the login name. In the previous command, run from the account pungki, ssh therefore tries to log into the server as pungki.

What if the destination host has no user named pungki? Then you must supply a username that exists on the destination host. To specify the username, use the -l option:

$ ssh -l leni 192.168.0.103

We can also use the user@host form:

$ ssh leni@192.168.0.103

Specify the port

The SSH default port is 22, and ssh connects to it unless told otherwise.

Some system administrators move the SSH server to another port. Say it is now 1234. To contact that host, use the -p option followed by the port:

$ ssh 192.168.0.103 -p 1234

To change the port the server listens on, edit /etc/ssh/sshd_config on the server (not ssh_config, which configures the client). Find the line:

Port 22

Change it to the new port, for example 1234, open that port on the host firewall (on SELinux systems also register it with semanage port -a -t ssh_port_t -p tcp 1234), and restart the sshd service. Setting Port in the client's /etc/ssh/ssh_config or ~/.ssh/config only changes the port ssh connects to by default. Note that a non-standard port hides sshd from casual scans but is not an access control; key-based authentication and host key checking are what actually protect the session.

Request compression on every data

With this option, all data sent and received via SSH is compressed; it is still encrypted. To use compression with SSH, add the -C option.

$ ssh -C 192.168.0.103

This option is useful on a slow connection, such as a modem. On a fast connection such as a LAN or better, compression costs more CPU time than it saves and slows the transfer down. The level of compression could once be tuned with -o CompressionLevel=N, but that applied only to SSH protocol 1, which OpenSSH no longer supports; current releases ignore the option.

Define a cipher algorithm

SSH supports several cipher algorithms. The ones your client can use are listed by ssh -Q cipher; the ones it will offer are set by the Ciphers keyword in /etc/ssh/ssh_config or ~/.ssh/config (if it exists), or otherwise by the defaults documented in ssh_config(5).

Say you want to restrict a session to AES-256-GCM. Put this line into /etc/ssh/ssh_config or ~/.ssh/config:

Ciphers aes256-gcm@openssh.com

or pass it for a single connection with -c aes256-gcm@openssh.com. The old single-value keyword Cipher blowfish, and the 3des default that went with it, belong to SSH protocol 1, which OpenSSH removed in version 7.6; current releases ignore the Cipher keyword, no longer offer blowfish-cbc or arcfour at all, and negotiate AEAD ciphers such as chacha20-poly1305@openssh.com or AES-GCM by default. Prefer those defaults over a hand-picked list unless a legacy peer forces your hand.

Turn on debug mode

When we are not able to connect to the remote host, it is good to debug and find the exact error messages causing the issue. Use the -v option to put the ssh client in debug mode; -vv and -vvv add more detail.

$ ssh -v 192.168.0.103


Bind source address

If your client has more than one IP address, you might not know which one is used as the source of the connection to the SSH server.

To solve this situation, we can use -b option which will bind an IP Address to SSH connection. This IP Address will be used as the source address of the connection.

$ ssh -b 192.168.0.200 -l leni 192.168.0.103

On the server side, we can check the established connection with ss -tn (or netstat -tn on older systems); the peer address shown is 192.168.0.200.

Change the default configuration file

By default, ssh reads the per-user file ~/.ssh/config first and then the system-wide /etc/ssh/ssh_config, and for each option the first value found wins, so per-user settings override the system-wide ones, and options given on the command line override both. If you want to apply particular settings for one user only, put them in ~/.ssh/config; if the file does not exist, create it with mode 600.

Here's a sample custom config, located in /home/pungki/.ssh/config:

Host 192.168.0.*
ForwardX11 yes
PasswordAuthentication yes
ConnectTimeout 10
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
HashKnownHosts yes

List only ciphers that ssh -Q cipher shows: a Ciphers line naming a cipher the client does not support (arcfour, for example, on current releases) makes ssh refuse to start with a bad cipher spec error.

To use a specific config file, we can use -F option.

$ ssh -F /home/pungki/my_ssh_config 192.168.0.101


Use SSH Port Forwarding

There are three types of port forwarding with SSH:

1. Local port forwarding : connections from the SSH client are forwarded via the SSH server, then to a destination server

2. Remote port forwarding : connections from the SSH server are forwarded via the SSH client, then to a destination server

3. Dynamic port forwarding : connections from various programs are forwarded via the SSH client, then via the SSH server, and finally to several destination servers

Local Port Forwarding

$ ssh -L 8080:172.18.19.23:80 -L 12345:172.18.19.20:80 user@remote-host

This forwards two connections through remote-host, the SSH server: one to 172.18.19.23, the other to 172.18.19.20. Pointing your browser at http://localhost:8080/ would download pages from 172.18.19.23, and pointing it at http://localhost:12345/ would download pages from 172.18.19.20. The destinations are reached from the SSH server's side of the network, so this also works for hosts you cannot route to directly. The local listeners bind to the loopback address by default; a bind address in the spec (-L 0.0.0.0:8080:...) or the -g option exposes the tunnel to every host that can reach your machine, so leave them loopback-only unless that is what you want.

Remote Port Forwarding

$ ssh -R 5900:localhost:5900 user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com

The -R option specifies remote port forwarding. For the duration of the SSH session, anyone logged in on ec2-52-66-84-114.ap-south-1.compute.amazonaws.com could reach your desktop by connecting a VNC client to port 5900 on that machine (if you had set up a shared desktop). The listener on the server binds to its loopback address unless the server's sshd_config sets GatewayPorts, so other machines on the server's network cannot reach it by default.

Dynamic Port Forwarding

$ ssh -C -D 1001 user@remote-host

The -D option specifies dynamic port forwarding: ssh acts as a SOCKS proxy on the given local port and sends each connection out through the SSH server. The conventional SOCKS port is 1080; any unprivileged port works, as 1001 does here, but some programs assume 1080 unless told otherwise. -C enables compression, which speeds the tunnel up when proxying mainly text-based information (like web browsing), but can slow it down when proxying binary information (like downloading files).

Next, tell Firefox to use your proxy (the menu path below is from older releases; current versions keep the same fields under Settings -> General -> Network Settings):

go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
check "Manual proxy configuration"
make sure "Use this proxy server for all protocols" is cleared
clear the "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
enter "127.0.0.1" for "SOCKS Host"
enter "1001" (or whatever port you chose) for Port
select SOCKS v5 and check "Proxy DNS when using SOCKS v5", otherwise name lookups leave your machine in the clear and reveal which sites you visit

Forwarding GUI Programs

$ ssh -X user@remote-host

Once the connection is made, type the name of your GUI program on the SSH command line:

firefox &

Another example:

$ ssh -X user@remote-host

[user@remote-host ~]$ xeyes &

Trusted X11 Forwarding

If you are sure that the network and the remote host are trustworthy, you may want to use trusted X11 forwarding. This means that the remote X11 clients have full access to the original X11 display, including the keystrokes and windows of every other client. With -X, ssh instead uses the X11 SECURITY extension to restrict what remote clients can do; note, however, that some distributions, Debian and Ubuntu among them, ship ForwardX11Trusted yes in /etc/ssh/ssh_config, which makes -X behave like -Y (check with ssh -G host | grep -i forwardx11trusted). To request trusted forwarding explicitly, use the -Y option.

$ ssh -Y user@remote-host

2) SSH Command Options

StrictHostKeyChecking

If you want to bypass the host key confirmation step, you can set the StrictHostKeyChecking option to no on the command line.

This option disables the prompt and automatically adds the host key to the ~/.ssh/known_hosts file. It also lets the connection proceed when a known host presents a different key, which is exactly the symptom of a man-in-the-middle attack, so use it only on throwaway lab networks. For unattended scripts, OpenSSH 7.6 and later offer StrictHostKeyChecking=accept-new, which records unknown hosts silently but still refuses a changed key; better still, pre-populate known_hosts with keys whose fingerprints were verified out of band.

$ ssh -oport=922 -o "StrictHostKeyChecking=no" user@remote-host

ConnectTimeout

ConnectTimeout bounds how long ssh waits to establish the connection (the TCP connect plus the SSH handshake). It does not limit how long the remote command runs: once the session is up, a command that never finishes keeps ssh waiting forever. To bound the execution time as well, run ssh under timeout(1) from coreutils. A sweep over a list of addresses then looks like this:

for ip in ${IP} ; do
    timeout 300 ssh -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
        -l "${USERNAME}" "${SCRIPT_HOST}" "${COMMAND} -i ${ip}" >> ./myscript.out \
        || echo "${ip}: ssh or remote command failed (exit $?)" >> ./myscript.out
done

Keep the error handling on the client side as above: an "|| echo timeout" placed inside the quoted remote command runs on the remote host whenever ${COMMAND} fails and says nothing about timeouts. Exit status 124 means timeout(1) killed ssh, 255 means ssh itself could not connect or authenticate, and anything else is the remote command's own status.

I'm executing a script connecting via password-less SSH on a remote host. I want to set a timeout, so that if the remote host takes an infinite time to run, I come out of that ssh session and continue with the other lines in my sh script.

BatchMode

With -o "BatchMode yes", ssh never prompts for a password or passphrase. If password-less (key or agent based) authentication is set up, the command runs on the remote host; otherwise ssh fails immediately with an error instead of hanging on a prompt, and the script continues.

Batch mode command execution using SSH: success case

$ ssh -o "batchmode=yes" user@remote-host who

[Note: this prints the output of the remote host's who command]

Batch mode command execution using SSH: failure case

$ ssh -o "batchmode=yes" user@remote-host who
Permission denied (publickey,password).
$

Note: If you didn't use -o "BatchMode yes", the above command would have asked for the password for my account on the remote host. This is the key difference the BatchMode yes option makes.
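Putting ConnectTimeout and BatchMode together in a script, as an added example that is not taken from the article: a wrapper that bounds the connection time with ConnectTimeout, the remote command's run time with timeout(1) from coreutils, and classifies the exit status so that a sweep over many hosts records why each one failed. The host names and commands are constructed; SSH_BIN is an assumed hook, defaulting to ssh, that exists only so the wrapper can be exercised against a stand-in without a live server, and StrictHostKeyChecking=accept-new needs OpenSSH 7.6 or later.

```shell
#!/bin/sh
# Added example, not the article's code. run_remote executes one command on a
# host with the non-interactive options discussed above and bounds BOTH the
# connection (ConnectTimeout) and the command's run time (timeout(1) from
# coreutils, which ConnectTimeout does not cover), then classifies the result:
#   124    timeout(1) killed ssh: the remote command ran too long
#   255    ssh's own failure code: could not connect, host key or auth problem
#   other  the exit status of the remote command itself
# SSH_BIN is an assumed hook (default ssh) so the wrapper can be tried against
# a stand-in; StrictHostKeyChecking=accept-new needs OpenSSH 7.6 or newer.

run_remote() {   # run_remote HOST COMMAND [LIMIT_SECONDS]; returns the classified status
    host=$1 cmd=$2 limit=${3:-30}
    timeout "$limit" "${SSH_BIN:-ssh}" \
        -o BatchMode=yes \
        -o ConnectTimeout=10 \
        -o StrictHostKeyChecking=accept-new \
        "$host" "$cmd"
    rc=$?
    case $rc in
        0)   verdict='ok' ;;
        124) verdict="TIMEOUT: remote command still running after ${limit}s" ;;
        255) verdict='SSH FAILED: connection, host key or authentication problem' ;;
        *)   verdict="remote command exited with status $rc" ;;
    esac
    # verdict goes to stderr so stdout carries only the remote command's output
    printf '%s: %s\n' "$host" "$verdict" >&2
    return "$rc"
}

# sweep "HOST HOST ..." COMMAND [LIMIT_SECONDS] -> runs COMMAND on every host in
# turn, never stopping at one failure; returns the number of hosts that failed
sweep() {
    hosts=$1 cmd=$2 limit=${3:-30} failures=0
    for h in $hosts; do
        run_remote "$h" "$cmd" "$limit" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage (host names constructed): sweep "web1.example.com web2.example.com" 'uptime' 20
```

Because the verdict lines go to stderr, stdout can still be redirected to a log file exactly as in the loop above, and the per-host status tells you afterwards whether a missing result was a timeout, an unreachable host, a rejected key or a failing command.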

Bind IP Example

ssh -oPort=922 -oBindAddress=172.18.XX.X user@remote-host

Find the version of the SSH command

We can find the version of OpenSSH installed on the system with the -V option. ssh prints the version and exits, so no host argument is needed:

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Knowing the version matters for the rest of this guide: several options behave differently, or have been removed, across releases.

Verbose mode: the -v option

Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity; the maximum is 3 (-vvv).

3) Configuration

There are two main configuration files for the SSH client.

~/.ssh/config (per-user configuration file)

This file is read by the ssh client for the user who owns it. It must have strict permissions: readable and writable by the user and not accessible by others, otherwise ssh refuses to use it ("Bad owner or permissions"). Any option for accessing another computer can be set here. It is read before the system-wide file, so per-user values take precedence. This is called the client configuration file.

$ ls -l ~/.ssh/config
-rw-------. 1 shaha shaha 988 Jul 19 23:54 /home/shaha/.ssh/config

/etc/ssh/ssh_config (system-wide configuration file)

This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. It must be world-readable, which also means that nothing secret belongs in it.

# ls -l /etc/ssh/ssh_config
-rw-r--r--. 1 root root 2047 Apr 26 16:36 /etc/ssh/ssh_config

SSH Config File options

The /etc/ssh/ssh_config file is the system-wide configuration file for the OpenSSH client; the options in it modify the behaviour of ssh, scp and sftp for every user who does not override them. The file contains keyword-value pairs, one per line, and keywords are case insensitive. Here are the keywords that matter most for a secure client. Note that several options you will find in older guides (RhostsAuthentication, RhostsRSAAuthentication, RSAAuthentication, FallBackToRsh, UseRsh, Protocol, Cipher, CompressionLevel) belong to SSH protocol 1 or to the rsh fallback, both removed from OpenSSH long ago; current releases ignore them as deprecated, so they are described below only for completeness.

Edit the ssh_config file, vi /etc/ssh/ssh_config, and add or change the following parameters as needed:

# Site-wide defaults for various options

Host *
ForwardAgent no
ForwardX11 no
PubkeyAuthentication yes
PasswordAuthentication no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking ask
HashKnownHosts yes
IdentityFile ~/.ssh/id_ed25519
Port 922

Description of config file parameters

Host *

The option Host restricts the declarations that follow it to hosts matching one of the patterns given after the keyword, up to the next Host keyword. The pattern * matches every host. With this option you can set different declarations for different hosts in the same ssh_config file; because ssh keeps the first value it finds for each option, put the specific Host blocks before the Host * block.

ForwardAgent no

The option ForwardAgent specifies whether the connection to the authentication agent, if any, is forwarded to the remote machine. Keep it off by default: anyone with root on the remote host can use the forwarded agent to authenticate as you to other systems for as long as the session lasts. Enable it per host with -A only when you need it, or use ProxyJump (-J) to hop through intermediate hosts, which never exposes your agent to them.

ForwardX11 no

The option ForwardX11 is for people who use the X Window GUI and want X11 sessions from the remote machine redirected automatically. Since we set up servers without a GUI, we can safely turn this option off and request forwarding on demand with -X.

ssh -o "ForwardX11=no" user@remote-host

RhostsAuthentication, RhostsRSAAuthentication, FallBackToRsh, UseRsh (obsolete)

These options controlled rhosts-based authentication (trusting the client host name, alone or together with the client's RSA host key) and the fallback to rsh/rlogin when the ssh daemon could not be reached. All of them are insecure and all of them have been removed from OpenSSH. If you still maintain a configuration for a legacy client that understands them, set every one of them to no; current ssh ignores the lines.

PubkeyAuthentication yes

The option PubkeyAuthentication specifies whether to try public key authentication (the protocol-2 successor of the old RSAAuthentication keyword). Keep it on: key pairs created with the ssh-keygen(1) utility, preferably Ed25519, are the basis of secure, password-less sessions.

ssh -o "PubkeyAuthentication=yes" user@remote-host

PasswordAuthentication no

The option PasswordAuthentication specifies whether the client will offer password-based authentication. It is a client-side setting and protects nothing on the server: to stop password logins to a server, set PasswordAuthentication no in that server's /etc/ssh/sshd_config. On the client, turning it off once your keys are deployed means a spoofed or compromised server can never be handed your password; override it for a one-off, for example when copying a key with ssh-copy-id, with -o PasswordAuthentication=yes.

ssh -o "PasswordAuthentication=no" user@remote-host

BatchMode no

The option BatchMode specifies whether password and passphrase prompts are disabled. Set it to yes in scripts, for example backups that use the scp command over the network, so that they fail fast instead of waiting for input that will never come; leave it at no for interactive use.

ssh -o "BatchMode=yes" user@remote-host

CheckHostIP yes

The option CheckHostIP specifies whether ssh additionally checks the server's IP address against known_hosts, which can detect DNS spoofing or a host key that moved to a different address. OpenSSH 8.5 changed the default to no, so set it explicitly if you want the check.

ssh -o "CheckHostIP=yes" user@remote-host

StrictHostKeyChecking ask

The option StrictHostKeyChecking specifies what ssh does with host keys that are not yet in the $HOME/.ssh/known_hosts file. With yes, unknown hosts are refused and a changed key is fatal, which gives maximum protection against man-in-the-middle and Trojan horse attacks once the file is populated. With ask (the default), unknown hosts prompt for confirmation and changed keys are refused. With accept-new (OpenSSH 7.6 and later), unknown keys are added without asking, but changed keys are still refused. With no, everything is accepted, including changed keys. The tempting shortcut of setting it to no at the beginning, letting ssh collect all your hosts, and then switching to yes means every key you collected came from whoever answered on the wire at the time; populate known_hosts instead from fingerprints verified out of band (ssh-keyscan the host, then compare with ssh-keygen -lf on the server).

ssh -o "StrictHostKeyChecking=ask" user@remote-host

HashKnownHosts yes

With HashKnownHosts, host names and addresses are stored hashed in known_hosts, so an attacker who reads the file does not obtain a list of the machines you log in to.

IdentityFile ~/.ssh/id_ed25519

The option IdentityFile specifies the private key file to read for public key authentication. Multiple identity files may be specified in the configuration file ssh_config, and they are tried in order.

Ciphers

The option Ciphers specifies, in order of preference, the ciphers allowed for protocol 2 sessions. The old single-value Cipher keyword (with values such as blowfish, a 64-bit block cipher with keys of up to 448 bits) applied to protocol 1 only and is ignored today; blowfish and arcfour have been removed from OpenSSH altogether. Leave Ciphers at the default unless a legacy peer requires something else, and check any value you set against ssh -Q cipher.

EscapeChar ~

The option EscapeChar specifies the session escape character. Typed at the start of a line, ~. terminates a hung session, ~^Z suspends it and ~? lists the other escape sequences.

Sample Configuration file for testing with parameter

We created /export/oracle/db/config/ssh/config.922pw with a number of parameters for testing. Two rules of ssh_config matter when reading it: options placed before the first Host line apply to every host, and for each option ssh keeps the first value it obtains, so a keyword repeated later in the same block is ignored. The first three settings below switch host key verification off entirely (no known_hosts, no DNS fingerprints, no prompts): a man-in-the-middle would go unnoticed, which is acceptable only on an isolated test network and must never be copied into a production configuration.

$ cat /export/oracle/db/config/ssh/config.922pw

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# TEST ONLY: these three lines disable host key verification completely.
VerifyHostKeyDNS no
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

Host 172.23.6.117 172.23.XX 172.24.XX 10.56.xx.xx
Compression yes
CompressionLevel 7
IdentityFile /var/dcs_6.0/db/dcs/config/ssh/ssh_keys/id_rsa_ime_prod
CheckHostIP no
PreferredAuthentications publickey,keyboard-interactive,password
LogLevel ERROR
ForwardAgent no
ForwardX11 yes
PasswordAuthentication yes
BatchMode no
Port 922
User cgi
ServerAliveInterval 100

Protocol 1 keywords such as Protocol, Cipher, RSAAuthentication and RhostsRSAAuthentication, which often turn up in old test configs like this one, are ignored by current OpenSSH, and IgnoreUserKnownHosts is an sshd_config option that the ssh client does not recognise, so neither belongs in this file.
When we connect with this configuration file, every parameter in it is applied to the connection. Here is the output of ssh run with the config file (the login name comes from the User line, so it could also be left out of the command):

$ ssh -F /export/oracle/db/config/ssh/config.922pw user@remote-host
Last unsuccessful login: Fri Jul 15 12:10:33 WAT 2016 on ssh from 10.14.43.39
Last login: Fri Jul 15 14:55:14 WAT 2016 on ssh from 172.27.0.XX
$
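How ssh resolves repeated options, as an added example that is not part of the article: the script below re-implements the first-value-wins rule and Host pattern matching over a constructed config with the same sort of repeated keys as the test file above (it also illustrates the precedence between ~/.ssh/config and /etc/ssh/ssh_config described earlier, since ssh reads those two files as one sequence). It handles Key value and Key=value lines, comments and glob patterns, but not negated patterns or Match blocks, so use it to understand the rule and ssh -G host to see what OpenSSH itself computes.

```shell
#!/bin/sh
# Added example, not the article's code: resolve the effective value of one
# ssh_config option. Rule: ssh scans the file top to bottom, a Host line
# starts a block that applies only to hosts matching one of its patterns,
# and for every option the FIRST value obtained wins; later ones are ignored.
# Not handled here (assumption for brevity): negated "!" patterns, Match blocks.

# Constructed sample, deliberately repeating CheckHostIP and CompressionLevel
# the way the test file in the article does.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# options before the first Host line apply to every host
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

Host 172.23.6.117 172.24.*
Compression yes
CompressionLevel 7
CheckHostIP no
Port 922
User cgi
CheckHostIP yes          # ignored: CheckHostIP was already obtained above
CompressionLevel=5       # ignored for the same reason

Host *
Port 22
ServerAliveInterval=100
EOF

# ssh_config_get FILE HOST KEYWORD -> prints the effective value; returns 1 if unset
ssh_config_get() (
    set -f                  # patterns such as * must not be expanded against file names
    file=$1 host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1                # lines before the first Host block apply to everyone
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comments and edge whitespace, squeeze blanks, turn "Key=value" into "Key value"
        line=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]\{1,\}/ /g; s/^\([^ =]*\) *= */\1 /')
        [ -n "$line" ] || continue
        key=$(printf '%s' "${line%% *}" | tr 'A-Z' 'a-z')
        value=${line#"${line%% *}"}
        value=${value# }
        if [ "$key" = host ]; then
            active=0
            for pat in $value; do
                case $host in $pat) active=1 ;; esac
            done
            continue
        fi
        if [ "$active" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$value"
            exit 0
        fi
    done < "$file"
    exit 1
)

# Demo: the first CheckHostIP value wins, the specific block beats Host *, and a
# host outside the block falls through to Host *.
ssh_config_get "$SAMPLE_CONFIG" 172.23.6.117 CheckHostIP     # no
ssh_config_get "$SAMPLE_CONFIG" 172.23.6.117 Port            # 922
ssh_config_get "$SAMPLE_CONFIG" 10.0.0.5 Port                # 22
```

The same rule is why the real ssh_config precedence works the way it does: ~/.ssh/config is read before /etc/ssh/ssh_config, so whatever a user sets wins over the site default, and a Host * block placed at the top of a file silently pins every option that follows it.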

As usual, we can always type man ssh and man ssh_config to display its manual pages and explore more detail.

Shaha Alam 3:00 am

About Shaha Alam

I have Over 4+ years Experience in Telecom domain as Software Engineer with application Support Engineer & AIX / Solaris / Unix / Linux System Admin , Shell Scripting, SQL,Oracle Database , ETL Tools Affirm (Connectiva ) , Mediation IME . Experience on Linux/Unix, Shell Scripting, TCP/IP, Networking Protocol, HTTPS, SMPP, Monitoring Basics. Experience in Vmware , DNS, MAIL, LDAP, NIS , Raid ,Zone , Tomcat , Apache ,AWS.
