7 min read
Secure Shell (SSH) is a cryptographic network protocol used for an encrypted connection between a client and a server. The ssh client creates a secure connection to the SSH server on a remote machine. The encrypted connection can be used to execute commands on the server, X11 tunneling, port forwarding, and more.
There are a number of SSH clients available, both free and commercial, with OpenSSH being the most widely used client. It is available on all major platforms, including Linux, OpenBSD, Windows, and macOS.
This article explains how to use the OpenSSH command-line client (
ssh) to login to a remote machine and run commands or perform other operations.
Installing OpenSSH Client
The OpenSSH client program is called
ssh and can be invoked from the terminal. The OpenSSH client package also provides other SSH utilities such as
that are installed alongside the
Installing OpenSSH Client on Linux
OpenSSH client is preinstalled on most Linux distributions by default. If your system doesn’t have the ssh client installed, you can install it using your distribution package manager.
Installing OpenSSH on Ubuntu and Debian
sudo apt update
sudo apt install openssh-client
Installing OpenSSH on CentOS and Fedora
sudo dnf install openssh-clients
Installing OpenSSH Client on Windows 10
Most Windows users are using Putty to connect to a remote machine over SSH. However, the latest versions of Windows 10 include an OpenSSH client and server. Both packages can be installed via the GUI or PowerShell.
To find the exact name of the OpenSSH package, type the following command:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
The command should return something like this:
Name : OpenSSH.Client~~~~0.0.1.0 State : NotPresent Name : OpenSSH.Server~~~~0.0.1.0 State : NotPresent
Once you know the package name install it by running:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
On success the output will look something like this:
Path : Online : True RestartNeeded : False
Installing OpenSSH Client on macOS
macOS ships with the OpenSSH client installed by default.
How to Use the
The following requirements must be met to be able to login into a remote machine via SSH:
- An SSH server must be running on the remote machine.
- The SSH port must be open in the remote machine firewall.
- You must know the username and the password of the remote account. The account needs to have proper privileges for remote login.
The basic syntax of the
ssh command is as follows:
ssh [OPTIONS] [USER@]:HOST
To use the
ssh command, open your Terminal or PowerShell and type
ssh followed by the remote hostname:
When you connect to a remote machine through SSH for the first time, you will see a message like below.
The authenticity of host 'ssh.linuxize.com (192.168.121.111)' can't be established. ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY. Are you sure you want to continue connecting (yes/no)?
Each host has a unique fingerprint that is stored in the
yes to store the remote fingerprint, and you’ll be prompted to enter your password.
Warning: Permanently added 'ssh.linuxize.com' (ECDSA) to the list of known hosts. firstname.lastname@example.org's password:
Once you enter the password, you will be logged into the remote machine.
When the username is not given, the
ssh command uses the current system login name.
To log in as a different user, specify the username and the host in the following format:
The username can also be specified with the
ssh -l username hostname
By default, when no port is given, the SSH client will try to connect to the remote server on port 22. On some servers, administrators are changing the default SSH port to add an extra layer of security to the server by reducing the risk of automated attacks.
To connect on a non-default port, use the
-p option to specify the port:
ssh -p 5522 username@hostname
If you are experiencing authentication or connection issues, use the
-v option to tell
ssh to print debugging messages:
ssh -v username@hostname
To increase the level of verbosity, use
ssh command accepts a number of options.
For a complete list of all options read the
ssh man page by typing
man ssh in your terminal.
SSH Config File
If you are connecting to multiple remote systems over SSH on a daily basis, you’ll find that remembering all of the remote IP addresses, different usernames, non-standard ports, and various command-line options is difficult, if not impossible.
The OpenSSH client reads the options set in the per-user configuration file (
~/.ssh/config). In this file, you can store different SSH options for each remote machine you connect to.
A sample SSH config is shown below:
Host dev HostName dev.linuxize.com User mike Port 4422
When you invoke the ssh client by typing
ssh dev, the command will read the
~/.ssh/config file and use the connection details specified for the dev host. In this example,
ssh dev is equivalent to the following:
ssh -p 4422 email@example.com
For more information, check the article on SSH config file .
Public Key Authentication
The SSH protocol supports various authentication mechanisms.
The public key-based authentication mechanism allows you to log in to the remote server without having to type your password .
This method works by generating a pair of cryptographic keys that are used for authentication. The private key is stored on the client device, and the public key is transferred to each remote server that you want to log in to. The remote server must be configured to accept key authentication.
If you already don’t have SSH key pair on your local machine, you can generate one by typing:
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
You will be asked to type a secure passphrase. Whether you want to use a passphrase, it’s up to you.
Once you have your key pair, copy the public key to the remote server:
Enter the remote user password, and the public key will be appended to the remote user
Once the key is uploaded, you can log in to the remote server without being prompted for a password.
By setting a key-based authentication, you can simplify the login process and increase the overall server security.
SSH tunneling or SSH port forwarding is a method of creating an encrypted SSH connection between a client and a server machine through which services ports can be relayed.
SSH forwarding is useful for transporting network data of services that use an unencrypted protocol, such as VNC or FTP, accessing geo-restricted content, or bypassing intermediate firewalls. Basically, you can forward any TCP port and tunnel the traffic over a secure SSH connection.
There are three types of SSH port forwarding:
Local Port Forwarding
Local port forwarding allows you to forward a connection from the client host to the SSH server host and then to the destination host port.
To create a local port forwarding, pass the
-L option to the
ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION_HOST:DESTINATION_PORT -N -f username@hostname
The -f option tells the
ssh command to run in the background and
-N not to execute a remote command.
Remote Port Forwarding
Remote port forwarding is the opposite of local port forwarding. It forwards a port from the server host to the client host and then to the destination host port.
-R option tells
ssh to create a remote port forwarding:
ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT -N -f username@hostname
Dynamic Port Forwarding
Dynamic port forwarding creates a SOCKS proxy server that allows communication across a range of ports.
To create a dynamic port forwarding (SOCKS) pass the
-D option to the ssh client:
ssh -D [LOCAL_IP:]LOCAL_PORT -N -f username@hostname
For more detailed information and step-by-step instruction, check the article on How to Set up SSH Tunneling (Port Forwarding) .
To connect to a remote server via SSH, use the
ssh command followed by the remote username and hostname (
Knowing how to use the
ssh command is essential for managing remote servers.
If you have any questions, please leave a comment below.