The client of OpenSSH is the binary program ssh. Its location on Linux/Unix systems is /usr/local/bin/ssh, and on Windows systems is
Linux systems generally come with ssh; if not, you need to install it.
# Ubuntu and Debian
$ sudo apt install openssh-client
# CentOS and Fedora
$ sudo dnf install openssh-clients
After installation, you can use the -V parameter to output the version number and check whether the installation succeeded.
$ ssh -V
The most common use of ssh is to log in to a server, which requires that SSH server software be installed and running on that server.
The ssh login server command is as follows.
$ ssh hostname
In the above command, hostname is the host name, which can be a domain name, an IP address or a host name inside the LAN. If no user name is specified, the current user name on the client is used as the login user name on the remote server. To specify a user name, use the following syntax.
$ ssh user@hostname
In the above command, the user name and host name are written together, separated by @.
The user name can also be specified with the -l parameter of ssh. In this case, the user name and host name do not have to be written together.
$ ssh -l username host
ssh connects to port 22 of the server by default; the -p parameter specifies a different port.
$ ssh -p 8821 foo.com
The above command connects to port 8821 of the server foo.com.
After ssh connects to the remote server, it first runs a verification step to check whether the remote server's identity is already known.
If this is the first time you connect to a server, the command line displays a block of text saying that the machine is not recognized and asking the user to confirm whether to connect.
The authenticity of host 'foo.com (192.168.121.111)' can't be established.
ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY.
Are you sure you want to continue connecting (yes/no)?
The above text tells the user that the fingerprint of the server foo.com is unfamiliar, and lets the user choose whether to continue the connection (enter yes or no).
The so-called "server fingerprint" refers to the hash value of the public key of the SSH server. Each SSH server has a unique pair of keys, which are used to communicate with the client, and the hash value of the public key can be used to identify the server.
The following command can view the fingerprint of a certain public key.
$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
256 da:24:43:0b:2e:c1:3f:a1:84:13:92:01:52:b4:84:ff (ECDSA)
In the above example, the ssh-keygen -l -f command outputs the fingerprint of the public key.
ssh stores the public key fingerprints of all servers this machine has connected to in the file ~/.ssh/known_hosts. Each time you connect to a server, this file is used to determine whether it is an unfamiliar host (unknown public key).
After the above prompt, if you enter yes, the fingerprint of the current server is stored in the local ~/.ssh/known_hosts file and the following message is displayed. When you connect again in the future, the warning no longer appears.
Warning: Permanently added 'foo.com (192.168.121.111)' (RSA) to the list of known hosts
Then the client establishes a connection with the server, and ssh asks the user to enter the password of the account used to log in. Once the user has entered the password and it has been verified, you are logged in to the shell of the remote server.
Server key change
Server fingerprints prevent an attacker from impersonating the remote host. If the server's key changes (for example, because the SSH server was reinstalled), the public key fingerprint no longer matches when the client connects again. The client then terminates the connection and displays a warning message.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
77:a5:69:81:9b:eb:40:76:7b:13:04:a9:6c:f4:9c:5d.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:36
The above text means that the public key fingerprint of the host is not the same as the one stored in the ~/.ssh/known_hosts file, and this must be dealt with before a connection can be made. At this point you need to find out what caused the public key fingerprint to change: malicious hijacking, or the administrator changing the SSH server's key.
If the new public key is confirmed to be trustworthy and you need to continue the connection, you can execute the following command to delete the original public key fingerprint from the known_hosts file.
$ ssh-keygen -R hostname
In the above command, hostname is the name of the host whose public key has changed.
Instead of the above command, you can also edit the known_hosts file manually to delete the public key fingerprint.
After deleting the original public key fingerprint, re-execute the ssh command to connect to the remote server, add the new fingerprint to the known_hosts file, and the connection will succeed.
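As an added example (not code from the original tutorial or from OpenSSH), the following Python rebuilds the two checks described above: computing a host-key fingerprint the way ssh-keygen -l prints it, and comparing the key a server presents against the entries in known_hosts to decide between the first-contact prompt, a silent match, and the key-change warning. The public keys are constructed test values, not real host keys.

```python
"""Host-key fingerprints and the known_hosts check, rebuilt in Python to show
what ssh does behind the "authenticity of host" prompt and the key-change
warning. Added example, not code from the original page or from OpenSSH;
the public keys are constructed test values, not real host keys."""
import base64
import hashlib


def fingerprint(key_b64: str, hash_alg: str = "sha256") -> str:
    """OpenSSH-style fingerprint of a base64 public-key blob: SHA256 as
    unpadded base64 ("SHA256:Vybt..."), MD5 as colon-separated hex."""
    blob = base64.b64decode(key_b64)
    if hash_alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(text: str) -> dict:
    """Map each host name in known_hosts to its (keytype, key) entry.
    Line format: "host1,host2 keytype base64key [comment]"; comments, blank
    lines and hashed (|1|...) entries are skipped by this simplified parser."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|")):
            continue
        hosts, keytype, key = line.split()[:3]
        for host in hosts.split(","):
            entries[host] = (keytype, key)
    return entries


def check_host(known: dict, host: str, keytype: str, key: str) -> str:
    """Client decision: "unknown" (first-contact prompt), "ok" (fingerprint
    matches the stored key) or "CHANGED" (the HOST IDENTIFICATION warning)."""
    if host not in known:
        return "unknown"
    stored_type, stored_key = known[host]
    if stored_type == keytype and fingerprint(stored_key) == fingerprint(key):
        return "ok"
    return "CHANGED"


def make_ed25519_blob(seed: int) -> str:
    """Syntactically valid but fake ssh-ed25519 public key: length-prefixed
    key type followed by a 32-byte point derived from `seed`."""
    point = bytes((seed + i) % 256 for i in range(32))
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + point
    return base64.b64encode(blob).decode()


# Constructed known_hosts content using the tutorial's foo.com address.
ORIGINAL_KEY = make_ed25519_blob(1)
KNOWN_HOSTS = f"foo.com,192.168.121.111 ssh-ed25519 {ORIGINAL_KEY}\n"
# check_host(parse_known_hosts(KNOWN_HOSTS), "foo.com", "ssh-ed25519",
#            make_ed25519_blob(2)) -> "CHANGED"
```

Presenting a second, different blob for foo.com yields "CHANGED", which is the situation the warning above describes; a host not in the file yields "unknown", the first-contact prompt.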
Execute remote commands
After the SSH login succeeds, the user enters the command line environment of the remote host, and the prompt shown is the remote host's. At this point you can enter the commands you want to execute on the remote host.
Another way to execute remote commands is to write the command directly after the host name.
$ ssh username@hostname command
The above command causes SSH to execute command on the remote host immediately after a successful login.
Below is an example.
$ ssh email@example.com cat /etc/hosts
The above command executes cat /etc/hosts remotely immediately after the login succeeds.
When using this syntax to execute commands, the ssh client does not provide an interactive shell environment, but directly outputs the results of the remote command on the command line. However, some commands require an interactive shell environment, in which case the -t parameter should be used.
# Error
$ ssh remote.server.com emacs
emacs: standard input is not a tty
# No error
$ ssh -t server.example.com emacs
In the above code, the emacs command requires an interactive shell, so an error is reported. Only when the -t parameter is added does ssh allocate a terminal for an interactive shell.
During the handshake phase of an SSH connection, the client must agree with the server on a set of encryption parameters (cipher suite).
A cipher suite contains several different encryption parameters, joined by underscores. The following is an example.
TLS_RSA_WITH_AES_128_CBC_SHA
Its meaning is as follows.
- TLS: encrypted communication protocol
- RSA: key exchange algorithm
- AES: encryption algorithm
- 128: strength (key length in bits) of the encryption algorithm
- CBC: mode of operation of the encryption algorithm
- SHA: hash function for the digital signature
The following is an example of a handshake message sent by the client to the server.
Handshake protocol: ClientHello
  Version: TLS 1.2
  Random
    Client time: May 22, 2030 02:43:46 GMT
    Random bytes: b76b0e61829557eb4c611adfd2d36eb232dc1332fe29802e321ee871
  Session ID: (empty)
  Cipher Suites
    Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
    Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Suite: TLS_RSA_WITH_AES_128_CBC_SHA
    Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
    Suite: TLS_RSA_WITH_RC4_128_SHA
  Compression methods
    Method: null
  Extensions
    Extension: server_name
      Hostname: www.feistyduck.com
    Extension: renegotiation_info
    Extension: elliptic_curves
      Named curve: secp256r1
      Named curve: secp384r1
    Extension: signature_algorithms
      Algorithm: sha1/rsa
      Algorithm: sha256/rsa
      Algorithm: sha1/ecdsa
      Algorithm: sha256/ecdsa
In the above handshake message (ClientHello), the Cipher Suites field is where the client lists the cipher suites it supports; the server then selects one of them that it supports.
After the server has made its selection, it sends a response to the client.
Handshake protocol: ServerHello
  Version: TLS 1.2
  Random
    Server time: Mar 10, 2059 02:35:57 GMT
    Random bytes: 8469b09b480c1978182ce1b59290487609f41132312ca22aacaf5012
  Session ID: 4cae75c91cf5adf55f93c9fb5dd36d19903b1182029af3d527b7a42ef1c32c80
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  Compression method: null
  Extensions
    Extension: server_name
    Extension: renegotiation_info
In the above response message (ServerHello), the Cipher Suite field is the cipher suite finally selected by the server.
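Added example (not code from the original page): the following Python splits cipher-suite names into the components listed above and replays the ClientHello/ServerHello selection, using the client list from the ClientHello shown and a constructed server preference list; the forward_secrecy flag is an extra check the page itself does not make.

```python
"""Parse TLS cipher-suite names and replay the ClientHello/ServerHello suite
selection from the handshake above. Added example, not code from the page;
the server preference list is constructed, forward_secrecy is an extra check."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CipherSuite:
    name: str
    key_exchange: str  # RSA, DHE_RSA, ECDHE_RSA
    cipher: str        # AES, 3DES, RC4
    bits: int
    mode: str          # CBC, GCM, or "" for the RC4 stream cipher
    hash_alg: str      # SHA, SHA256, SHA384

    @property
    def forward_secrecy(self) -> bool:
        # Ephemeral (EC)DH protects recorded sessions if the server key leaks.
        return self.key_exchange.startswith(("ECDHE", "DHE"))


def parse_suite(name: str) -> CipherSuite:
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 into its parts."""
    assert name.startswith("TLS_"), f"not a TLS suite name: {name}"
    kx, enc = name[4:].split("_WITH_")
    parts = enc.split("_")
    hash_alg = parts.pop()                      # trailing hash component
    if parts[0] == "3DES":                      # 3DES_EDE_CBC: 168-bit, CBC
        return CipherSuite(name, kx, "3DES", 168, parts[-1], hash_alg)
    mode = parts[2] if len(parts) > 2 else ""   # RC4_128 has no mode
    return CipherSuite(name, kx, parts[0], int(parts[1]), mode, hash_alg)


def negotiate(client_offer: List[str], server_prefs: List[str]) -> Optional[str]:
    """Server-side choice: the first suite in the server's own preference
    order that the client offered; None means no common suite."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


# Suites from the ClientHello above, in the client's order.
CLIENT_HELLO_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
# Constructed server configuration: forward-secret AEAD suites only.
SERVER_PREFS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # not offered by this client
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
```

With these lists negotiate() returns TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the same suite the ServerHello above carries; only four of the eight offered suites have forward secrecy.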
ssh command line configuration items
The ssh command has many options that modify its default behavior.
The -c parameter specifies the encryption algorithm (cipher).
$ ssh -c blowfish,3des server.example.com
# Or
$ ssh -c blowfish -c 3des server.example.com
The above command specifies the encryption algorithms to use, blowfish and 3des.
The -C parameter enables compression of the transmitted data.
$ ssh -C server.example.com
The -D parameter specifies a local SOCKS listening port. All requests received on this port are forwarded through the remote SSH host; this is called dynamic port forwarding. For details, see the "Port Forwarding" chapter.
$ ssh -D 1080 server
The above command forwards all requests received on port 1080 of this machine to the SSH host server.
The -f parameter runs the SSH connection in the background.
The -F parameter specifies the configuration file.
$ ssh -F /usr/local/ssh/other_config
The above command specifies the use of the configuration file /usr/local/ssh/other_config.
The -i parameter specifies the private key (short for "identity_file"); the default value is ~/.ssh/id_dsa. Note that the corresponding public key must be stored on the server; see the chapter "Key Login" for details.
$ ssh -i my-key server.example.com
The -l parameter specifies the account name for remote login.
$ ssh -l sally server.example.com
# Equivalent to
$ ssh sally@server.example.com
The -L parameter sets up local port forwarding; see the chapter "Port Forwarding" for details.
$ ssh -L 9999:targetServer:80 user@remoteserver
In the above command, all requests sent to local port 9999 are sent through remoteserver to port 80 of targetServer, which is equivalent to connecting directly to port 80 of targetServer.
The -m parameter specifies the algorithm for verifying data integrity (message authentication code, MAC for short).
$ ssh -m hmac-sha1,hmac-md5 server.example.com
The above command specifies the data verification algorithms hmac-sha1 and hmac-md5.
The -N parameter is used for port forwarding: the established SSH connection is only used for port forwarding and cannot execute remote commands, which improves security. For details, see the chapter "Port Forwarding".
The -o parameter specifies a configuration command.
$ ssh -o "Keyword Value"
For example, the configuration file has the following content.
User sally
Port 220
With the -o parameter, the above two configuration commands can be passed in from the command line.
$ ssh -o "User sally" -o "Port 220" server.example.com
When using the equal sign, the configuration command does not need to be written in quotation marks, but there must be no spaces before or after the equal sign.
$ ssh -o User=sally -o Port=220 server.example.com
The -p parameter specifies the server port that the SSH client connects to.
$ ssh -p 2035 server.example.com
The above command connects to port 2035 of the server.
The -q parameter enables quiet mode, in which no warning messages are output to the user.
$ ssh -q foo.com
root's password:
The above command uses the -q parameter and only outputs the prompt asking the user to enter the password.
The -R parameter specifies remote port forwarding; see the chapter "Port Forwarding" for details.
$ ssh -R 9999:targetServer:902 local
The above command is executed on the springboard (jump) server. It makes the machine local listen on its own port 9999; all requests sent to this port are redirected to port 902 of targetServer.
The -t parameter provides an interactive shell when ssh runs a remote command directly.
$ ssh -t server.example.com emacs
The -v parameter displays detailed (verbose) information.
$ ssh -v server.example.com
-v can be repeated multiple times to increase the level of detail, for example:
$ ssh -vvv server.example.com
# Or
$ ssh -v -v -v server.example.com
The above command will output the most detailed connection information.
The -V parameter outputs the version of the ssh client.
$ ssh -V
ssh: SSH Secure Shell 3.2.3 (non-commercial version) on i686-pc-linux-gnu
The above command outputs the local ssh client version, here SSH Secure Shell 3.2.3.
The -X parameter enables X11 forwarding.
$ ssh -X server.example.com
The -1 parameter specifies that the SSH 1 protocol is to be used.
The -2 parameter specifies that the SSH 2 protocol is to be used.
$ ssh -2 server.example.com
The -4 parameter specifies the use of the IPv4 protocol, which is the default.
$ ssh -4 server.example.com
The -6 parameter specifies the use of the IPv6 protocol.
$ ssh -6 server.example.com
Client configuration file
The global configuration file of the SSH client is /etc/ssh/ssh_config, and the user's personal configuration file is ~/.ssh/config, which has a higher priority than the global configuration file.
In addition to configuration files, the ~/.ssh directory also contains personal key files and other files. Below are some of the common ones.
- ~/.ssh/id_ecdsa: the user's ECDSA private key.
- ~/.ssh/id_ecdsa.pub: the user's ECDSA public key.
- ~/.ssh/id_rsa: RSA private key for SSH protocol version 2.
- ~/.ssh/id_rsa.pub: RSA public key for SSH protocol version 2.
- ~/.ssh/identity: RSA private key for SSH protocol version 1.
- ~/.ssh/identity.pub: RSA public key for SSH protocol version 1.
- ~/.ssh/known_hosts: contains the public key fingerprints of SSH servers.
The user's personal configuration file ~/.ssh/config can list the connection parameters for each server, so that the same parameters do not have to be entered every time you log in. Below is an example.
Host *
  Port 2222

Host remoteserver
  HostName remote.example.com
  User neo
  Port 2112
In the above code, Host * means the settings take effect for all hosts, and the following Port 2222 means the default connection port for all hosts is 2222, so there is no need to specify the port when logging in. The indentation is not required; it only makes the settings for different hosts easier to tell apart visually.
Host remoteserver means that the following settings are only effective for the host remoteserver. remoteserver is just an alias; the actual host is specified by the HostName command. The two items User and Port specify the user name and port respectively. The Port here overrides the Port setting in the Host * section above.
In the future, when logging in to remote.example.com, it is enough to execute the ssh remoteserver command, and the parameters specified in the config file are applied automatically.
With the above single-host configuration, the two commands below are equivalent.
$ ssh remoteserver
# Equivalent to
$ ssh -p 2112 neo@remote.example.com
The value of the Host command can use wildcards. For example, Host * means a setting that is valid for all hosts, and Host *.edu means a setting that is only valid for hosts whose domain name ends in .edu. Their settings can be overridden by the settings of a single host.
Configuration command syntax
Each line in the ssh client configuration file is a configuration command. A space or an equal sign can be used between the configuration command and its value.
Compression yes
# Equivalent to
Compression = yes
Lines beginning with # are comments and are ignored. Blank lines are treated as comments.
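Added example (not code from the page or from OpenSSH): the Python below resolves settings from an ssh_config-style file for a given host, covering the Host alias, the wildcard patterns and the space-or-equals syntax described above. One caveat a practitioner should know: OpenSSH uses the first value obtained for each keyword, so host-specific Host blocks must appear before Host *; the constructed config here is ordered that way, and the test shows that with Host * placed first its Port would win instead.

```python
"""Resolve ssh_config-style settings for a host the way the client does: Host
patterns are shell-style wildcards and, per keyword, the first value obtained
wins. Added example, not from the page or OpenSSH; the config is constructed."""
import fnmatch
import re
from typing import Dict, List, Tuple

Block = Tuple[List[str], Dict[str, str]]


def parse_config(text: str) -> List[Block]:
    """Return (host_patterns, {keyword: value}) blocks in file order; accepts
    "Keyword value" or "Keyword = value", skips '#' comments and blank lines."""
    blocks: List[Block] = [(["*"], {})]  # settings before any Host line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = key.lower()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def resolve(blocks: List[Block], host: str) -> Dict[str, str]:
    """Merge every block whose pattern matches `host`, keeping the first
    value seen per keyword; later blocks only fill in what is still unset."""
    settings: Dict[str, str] = {}
    for patterns, kv in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in kv.items():
                settings.setdefault(key, value)
    return settings


def ssh_target(blocks: List[Block], alias: str, user: str = "me") -> str:
    """The `ssh -p PORT user@hostname` command that `ssh alias` expands to."""
    s = resolve(blocks, alias)
    return f"ssh -p {s.get('port', '22')} {s.get('user', user)}@{s.get('hostname', alias)}"


# Constructed config: host-specific blocks first, generic defaults last,
# otherwise the Port under "Host *" would be obtained first and win.
CONFIG = """\
Host remoteserver
  HostName remote.example.com
  User neo
  Port 2112

Host *.edu
  Port 2200

Host *
  Port 2222
  Compression = yes
"""
```

ssh_target(parse_config(CONFIG), "remoteserver") gives "ssh -p 2112 neo@remote.example.com", while "lab.example.edu" picks up Port 2200 from the wildcard block and any other host falls back to Port 2222. Match blocks and "!" negated patterns are not handled.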
Main configuration commands
The following are some of the main configuration commands of the ssh client and their sample values.
AddressFamily inet: use only the IPv4 protocol. If set to inet6, only the IPv6 protocol is used.
BindAddress 192.168.10.235: specify the IP address of the local machine to connect from (if the machine has multiple IP addresses).
CheckHostIP yes: check whether the IP address of the SSH server matches the public key database.
Ciphers blowfish,3des: specify the encryption algorithms.
Compression yes: whether to compress the transmitted data.
ConnectionAttempts 10: the maximum number of connection attempts the client makes.
ConnectTimeout 60: when the client connects, if the server does not reply within the specified number of seconds, the connection attempt is terminated.
DynamicForward 1080: specify the dynamic forwarding port.
GlobalKnownHostsFile /users/smith/.ssh/my_global_hosts_file: specify the location of the global public key database file.
Host server.example.com: specify the domain name or IP address of the connection. It can also be an alias and supports wildcards. All configuration commands after the Host command apply to that host, until the next Host command.
HostKeyAlgorithms ssh-dss,ssh-rsa: specify the host key algorithms, in order of priority from high to low.
HostName myserver.example.com: when an alias is used in the Host command, HostName specifies the actual domain name or IP address.
IdentityFile keyfile: specify the private key file.
LocalForward 2001 localhost:143: specify local port forwarding.
LogLevel QUIET: specify the log level of detail. If set to QUIET, most warnings and prompts are not output.
MACs hmac-sha1,hmac-md5: specify the data verification (MAC) algorithms.
NumberOfPasswordPrompts 2: the maximum number of password attempts when logging in with a password.
PasswordAuthentication no: specify whether password login is supported. Note that this only disables it on the client; to really disable it, the setting must be made on the SSH server.
Port 2035: specify the SSH server port that the client connects to.
PreferredAuthentications publickey,hostbased,password: specify the priority of the various login methods.
Protocol 2: supported SSH protocol versions; multiple versions are separated by commas.
PubKeyAuthentication yes: whether key login is supported. This is only the client setting; the corresponding setting is also required on the SSH server.
RemoteForward 2001 server:143: specify remote port forwarding.
SendEnv COLOR: the names of environment variables sent by the SSH client to the server. Multiple environment variables are separated by spaces. The values are copied from the client's current environment.
ServerAliveCountMax 3: if there is no response from the server, how many times the client sends the keepalive signal before disconnecting. The default value is 3.
ServerAliveInterval 300: after the client establishes a connection, if it does not receive a message from the server within the given number of seconds, the client sends a keepalive message to the server. If you do not want the client to send it, set this item to 0.
StrictHostKeyChecking ask: how to handle unknown or changed server public keys. yes means strict checking: if the server public key is unknown or has changed, the connection is refused. no means that if the server public key is unknown, it is added to the client public key database; if the public key has changed, the client public key database is not changed, a warning is output, and the connection is still allowed to continue. ask (the default value) means to ask the user whether to continue.
TCPKeepAlive yes: whether the client periodically sends keepalive messages to the server.
User userName: specify the account name for remote login.
UserKnownHostsFile /users/smith/.ssh/my_local_hosts_file: specify the location of the current user's known_hosts file (the list of server public key fingerprints).
VerifyHostKeyDNS yes: whether to check the DNS record of the SSH server to confirm that the public key fingerprint is consistent with the one saved in the