Powerful SSH Command Options with Examples on Linux

SSH is a popular, powerful, software-based approach to network security. It is used for logging into a remote machine and for executing commands on a remote machine. Whenever data is sent by a computer to the network, ssh automatically encrypts it. It is designed to provide the best security when accessing another computer remotely. The SSH server, by default, listens on the standard TCP port 22.

In this guide, we will discuss how to use SSH to connect to a remote system.

Basic Syntax

ssh ec2-user@52-66-84-114

Once you have connected to the server, you will be prompted for a password to verify your identity (unless password-less connectivity has been established).

Later, we will cover how to generate keys to use instead of passwords.

To exit back into your local session, simply type:

[shaha@oc8535558703 ~]$ exit

There are two main configuration files for SSH.

1) ~/.ssh/config (per-user configuration file)

This file is used by the SSH client. It must have strict permissions: read/write for the user, and not accessible by others. The parameters in this file are used when accessing another computer remotely. It is called the client configuration file.

[shaha@oc8535558703 ~]$ ls -lrt ~/.ssh/config
-rw-------. 1 shaha shaha 988 Jul 19 23:54 /home/shaha/.ssh/config
[shaha@oc8535558703 ~]$

2) /etc/ssh/ssh_config (system-wide configuration file)

This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable, so every parameter defined in it is world-readable too.

[root@oc8535558703 ~]# ls -rlt /etc/ssh/ssh_config
-rw-r--r--. 1 root root 2047 Apr 26 16:36 /etc/ssh/ssh_config
[root@oc8535558703 ~]#

SSH Command Line Options


If you would like to bypass this verification step, you can set the "StrictHostKeyChecking" option to "no" on the command line.

This option disables the prompt and automatically adds the host key to the ~/.ssh/known_hosts file.

$ ssh -oport=922 -o "StrictHostKeyChecking=no" user@172.23.XX.XX


# Run ${COMMAND} for each IP on ${SCRIPT_HOST}, appending the output to myscript.out
for ip in ${IP} ; do
    ssh -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=10 -l ${USERNAME} ${SCRIPT_HOST} "${COMMAND} -i $ip || echo timeout" >> ./myscript.out
done

I'm executing a script connecting via password-less SSH on a remote host. I want to set a timeout, so that if the remote host is taking an infinite time to run, I want to come out of that ssh session and continue other lines in my sh script.


If you use ssh -o "BatchMode yes" and password-less connectivity is enabled, the command executes successfully on the remote host; otherwise ssh returns an error and the script continues.

Batch mode command execution using SSH — success case

ssh -o "batchmode=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com who

[Note: This will display the output of remote-host's who command]

Batch mode command execution using SSH — Failure case

$ ssh -o "batchmode=yes" ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com who
Permission denied (publickey,password).
[ec2-user@ip-172-31-13-103 ~]$

Note: If you didn't use -o "BatchMode yes", the above command would've asked for the password for my account on the remote host. This is the key difference in using the BatchMode yes option.
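
ConnectTimeout in the loop shown earlier only limits how long ssh waits to establish the connection; it does not stop a remote command that never returns. As an added example (not from the original article), the functions below put a deadline on the whole ssh call with timeout(1) and classify the exit status so the loop can continue; SSH_BIN, OUT and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article. SSH_BIN is a hypothetical
# override so the logic can be exercised without a real server.

# run_remote DEADLINE TARGET COMMAND -> exit status of timeout, ssh or the command
run_remote() {
    limit=$1; target=$2; shift 2
    # -k 5: send KILL if ssh ignores TERM for 5 s after the deadline.
    # stdin from /dev/null keeps ssh from swallowing the caller's input in a loop.
    timeout -k 5 "$limit" "${SSH_BIN:-ssh}" \
        -o BatchMode=yes -o ConnectTimeout=10 \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        "$target" "$@" </dev/null
}

# classify_rc STATUS -> label for the log
classify_rc() {
    case $1 in
        0)       echo ok ;;
        124|137) echo timeout ;;        # deadline hit (TERM) or escalated to KILL
        255)     echo ssh-error ;;      # connection or authentication failed
        *)       echo remote-failed ;;  # non-zero status of the remote command
    esac
}

# sweep DEADLINE COMMAND HOST... -> prints "host outcome" and keeps going
sweep() {
    deadline=$1; cmd=$2; shift 2
    for host in "$@"; do
        rc=0
        run_remote "$deadline" "$host" "$cmd" >>"${OUT:-./myscript.out}" 2>&1 || rc=$?
        printf '%s %s\n' "$host" "$(classify_rc "$rc")"
    done
}
```

Call it as, for example, sweep 30 "uptime" user@host1 user@host2; a host that hangs is reported as timeout and the loop moves on to the next one.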

Bind IP Example

ssh -oPort=922 -oBindAddress=172.18.XX.X a2308078@41.223.XX.XX

SSH / OpenSSH / Port Forwarding

There are three types of port forwarding with SSH:

1. Local port forwarding : connections from the SSH client are forwarded via the SSH server, then to a destination server

2. Remote port forwarding : connections from the SSH server are forwarded via the SSH client, then to a destination server

3. Dynamic port forwarding : connections from various programs are forwarded via the SSH client, then via the SSH server, and finally to several destination servers

Local Port Forwarding

ssh -L 8080: -L 12345:

This would forward two connections, one to, the other to Pointing your browser at http://localhost:8080/ would download pages from, and pointing your browser to http://localhost:12345/ would download pages from

Remote Port Forwarding

ssh -R 5900:localhost:5900 ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com

The -R option specifies remote port forwarding. For the duration of the SSH session, ec2-52-66-84-114.ap-south-1.compute.amazonaws.com would be able to access your desktop by connecting a VNC client to port 5900 on his computer (if you had set up a shared desktop)

Dynamic Port Forwarding

ssh -C -D 1001 User@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com

The -D option specifies dynamic port forwarding. 1001 is the standard SOCKS port. Although you can use any port number, some programs will only work if you use 1001. -C enables compression, which speeds the tunnel up when proxying mainly text-based information (like web browsing), but can slow it down when proxying binary information (like downloading files).

Next you would tell Firefox to use your proxy:

go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
check "Manual proxy configuration"
make sure "Use this proxy server for all protocols" is cleared
clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
enter "" for "SOCKS Host"
enter "1001" (or whatever port you chose) for Port.

Forwarding GUI Programs

ssh -X User@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com

Once the connection is made, type the name of your GUI program on the SSH command-line:

firefox &

Another example

ssh -X ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com

[ec2-user@ip-172-31-13-103 ~]$ xeyes &

Enables trusted X11 forwarding. Trusted X11 forwarding is not subjected to the X11 SECURITY extension controls.


Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file.

ssh -oport=922 -i "EC2_KEY_PAYER.pem" -v ec2-user@ec2-52-66-84-114

Use Configuration files from command line

ssh -F /export/oracle/db/config/ssh/config.922pw -f svwprd1b@172.23.XX.XX -t "rm /home/oracle11/work/datastage/testing_ssh"

If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config) will be ignored. The default for the per-user configuration file is ~/.ssh/config.

We can create any configuration file for ssh connectivity.

ssh will read all configuration from the config file and run in the background, then execute the command on the remote server.

ssh -F /var/dcs/db/confi/config.922 -f -N svwprd1b@172.24.X.70 -t "rm /svw/svwprd1b/work/svwprd1b/testing_ssh"

 -f puts ssh in background
 -N makes it not execute a remote command

Find version of the SSH command

We can find the version of SSH installed on the Unix system using the -V option to ssh. This is shown below:

ssh -V ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

The -v option runs the ssh command in verbose mode.

Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity and the maximum is 3.

Debugging the SSH Client

When we are not able to connect to the remote host, it is good to debug and find the exact error messages that are causing the issue. Use the -v option for debugging the ssh client.

[shaha@oc8535558703 ~]$ ssh -v ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ec2-52-66-84-114.ap-south-1.compute.amazonaws.com [] port 22.
debug1: Connection established.
debug1: identity file /home/shaha/.ssh/identity type -1
debug1: identity file /home/shaha/.ssh/identity-cert type -1
debug1: identity file /home/shaha/.ssh/id_rsa type 1
debug1: identity file /home/shaha/.ssh/id_rsa-cert type -1
debug1: identity file /home/shaha/.ssh/id_dsa type -1
debug1: identity file /home/shaha/.ssh/id_dsa-cert type -1
debug1: identity file /home/shaha/.ssh/id_ecdsa type -1
debug1: identity file /home/shaha/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ec2-52-66-84-114.ap-south-1.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /home/shaha/.ssh/known_hosts:35
debug1: ssh_rsa_verify: signature correct

SSH Config File options

The /etc/ssh/ssh_config file is the system-wide configuration file for OpenSSH, which allows you to set options that modify the operation of the client programs. The file contains keyword-value pairs, one per line, with keywords being case insensitive.
Here are the most important keywords to configure your ssh for top security.

Edit the ssh_config file (vi /etc/ssh/ssh_config) and add or change, if necessary, the following parameters:

# Site-wide defaults for various options

Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode yes
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 922

Description of config file parameter

Host *

The option Host restricts the following declarations and options in the configuration file to be only for those hosts that match one of the patterns given after the keyword. The pattern * means for all hosts up to the next Host keyword. With this option you can set different declarations for different hosts in the same ssh_config file.

ForwardAgent no

The option ForwardAgent specifies whether the connection to the authentication agent, if any, should be forwarded to the remote machine.

ForwardX11 no

The option ForwardX11 is for people who use the X Window GUI and want to automatically redirect X11 sessions to the remote machine. Since we set up a server and don't have a GUI installed on it, we can safely turn this option off.

ssh -o "ForwardX11=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.co

RhostsAuthentication no

The option RhostsAuthentication specifies whether we can try to use rhosts based authentication. Because rhosts authentication is insecure you shouldn't use this option.

ssh -o "RhostsAuthentication=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.co

RhostsRSAAuthentication no

The option RhostsRSAAuthentication specifies whether or not to try rhosts authentication in concert with RSA host authentication.

ssh -o "RhostsRSAAuthentication=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.co

RSAAuthentication yes

The option RSAAuthentication specifies whether to try RSA authentication. This option must be set to yes for better security on your sessions. RSA uses a public and private key pair created with the ssh-keygen(1) utility for authentication purposes.

ssh -o "RSAAuthentication=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.co

PasswordAuthentication yes

The option PasswordAuthentication specifies whether we should use password-based authentication. For strong security, this option must always be set to yes. This parameter protects connectivity to your server: without a password, no one can connect to it.

ssh -o "PasswordAuthentication=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.co

FallBackToRsh no

The option FallBackToRsh specifies that if a connection with ssh daemon fails rsh should automatically be used instead. Recalling that rsh service is insecure, this option must always be set to no.

ssh -o "FallBackToRsh=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.co

UseRsh no

The option UseRsh specifies that rlogin/rsh services should be used on this host. As with the FallBackToRsh option, it must be set to no for obvious reasons.

ssh -o "UseRsh=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.co

BatchMode no

The option BatchMode specifies whether username and password querying on connect will be disabled. This option is useful when you create scripts and don't want to supply the password, e.g. scripts that use the scp command to make backups over the network.

ssh -o "BatchMode=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws

CheckHostIP yes

The option CheckHostIP specifies whether or not ssh will additionally check the IP address of the host it connects to, in order to detect DNS spoofing. It's recommended that you set this option to yes.

ssh -o "CheckHostIP=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws

StrictHostKeyChecking no

The option StrictHostKeyChecking specifies whether or not ssh will automatically add new host keys to the $HOME/.ssh/known_hosts file, or never automatically add new host keys to the host file. This option, when set to yes, provides maximum protection against Trojan horse attacks. One interesting procedure with this option is to set it to no at the beginning, allow ssh to add automatically all common hosts to the host file as they are connected to, and then return to set it to yes to take advantage of this feature.

ssh -o "StrictHostKeyChecking=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws

IdentityFile ~/.ssh/identity

The option IdentityFile specifies an alternate RSA authentication identity file to read. Also, multiple identity files may be specified in the configuration file ssh_config.

Cipher blowfish

The option Cipher specifies what cipher should be used for encrypting sessions. Blowfish uses 64-bit blocks and keys of up to 448 bits.

EscapeChar ~

The option EscapeChar specifies the session escape character for suspension.

Sample Configuration file for testing with parameter

We have created /export/oracle/db/config/ssh/config.922pw using multiple parameters for testing.

[shah@hostname:~]$ cat /export/oracle/db/config/ssh/config.922pw

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

VerifyHostKeyDNS no
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

Host *

Host 172.23.XX 172.24.XX 172.24.XX 10.56.xx.xx
Protocol 2,1
Compression yes
CompressionLevel 7
IdentityFile /var/dcs_6.0/db/dcs/config/ssh/ssh_keys/id_rsa_ime_prod
CheckHostIP no
PreferredAuthentications publickey,keyboard-interactive,password
LogLevel ERROR
ForwardAgent no
ForwardX11 yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
Port 922
user cgi
Cipher blowfish
IgnoreUserKnownHosts yes
UserKnownHostsFile no
StrictHostKeyChecking no
ServerAliveInterval 100
Compression yes
CompressionLevel 5
CheckHostIP no

When we connect to the remote server with our configuration file, all of its parameters are applied to the ssh connection.
The output of an ssh connection using the config file is shown below.

[user@hostname:.ssh]$ ssh -F /export/oracle/db/config/ssh/config.922pw user@172.27.3.XX.XX
Last unsuccessful login: Fri Jul 15 12:10:33 WAT 2016 on ssh from
Last login: Fri Jul 15 14:55:14 WAT 2016 on ssh from 172.27.0.XX
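
ssh_config(5) uses the first value it obtains for each keyword, so in a file like the sample above the repeated CheckHostIP and StrictHostKeyChecking lines do not all take effect. The following script, added here as an example and not part of the original article, resolves the effective values for one host and flags the settings that weaken host verification; the function names and sample addresses are made up, and Match blocks are not handled.

```sh
# Added example (not the article's code): list the values ssh would use for one
# host (the first obtained value wins), then flag the risky ones.
effective_opts() {   # usage: effective_opts HOST < config
    awk -v host="$1" '
    function glob(p) {   # ssh_config pattern -> anchored regex
        gsub(/\./, "[.]", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p); return "^" p "$"
    }
    BEGIN { active = 1 }   # lines before the first Host apply to every host
    /^[ \t]*(#|$)/ { next }
    {
        if ($0 ~ /^[ \t]*[A-Za-z0-9]+[ \t]*=/) sub(/[ \t]*=[ \t]*/, " ")
        key = tolower($1)
        if (key == "host") {
            active = 0; neg = 0
            for (i = 2; i <= NF; i++) {
                p = $i; n = (p ~ /^!/); if (n) p = substr(p, 2)
                if (host ~ glob(p)) { if (n) neg = 1; else active = 1 }
            }
            if (neg) active = 0; next
        }
        if (active && !(key in seen)) { seen[key] = 1; $1 = key; print }
    }'
}

audit_opts() {   # usage: audit_opts HOST < config
    effective_opts "$1" | while read -r key value; do
        case "$key $value" in
            "stricthostkeychecking no"|"userknownhostsfile /dev/null"|"checkhostip no")
                echo "$key=$value: weakens host key verification" ;;
            "forwardagent yes"|"forwardx11 yes")
                echo "$key=$value: exposes the local agent or display" ;;
            "protocol "*1*) echo "$key=$value: allows SSH protocol 1" ;;
        esac
    done
}

# Constructed sample modelled on the article's config.922pw (addresses made up)
sample_config() {
cat <<'EOF'
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host 172.23.* 10.56.*
    Protocol 2,1
    CheckHostIP no
    ForwardX11 yes
    CheckHostIP yes
Host *
    StrictHostKeyChecking yes
EOF
}
```

Run it against a real file with audit_opts 172.23.1.5 < /path/to/config; in the constructed sample, the StrictHostKeyChecking yes under Host * never applies because the global no was read first.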

About Shaha Alam

I have over 4+ years' experience in the telecom domain as a Software Engineer, with application Support Engineer and AIX / Solaris / Unix / Linux System Admin roles, Shell Scripting, SQL, Oracle Database, ETL Tools Affirm (Connectiva), Mediation IME. Experience on Linux/Unix, Shell Scripting, TCP/IP, Networking Protocol, HTTPS, SMPP, Monitoring Basics. Experience in VMware, DNS, MAIL, LDAP, NIS, RAID, Zone, Tomcat, Apache, AWS.
