Skip to content

SSH commands#

Once you've loaded a terminal emulator, you'll now have access to the ssh series of commands. The ones that interest us are:

  • ssh
  • ssh-keygen
  • ssh-add
  • scp

Note

On Windows, these commands are technically ssh.exe, ssh-keygen.exe, and so on. You're OK to omit the .exe from these commands as they're in the $PATH variable for your user and the whole system. We covered environment variables in a previous section.

Let's explore each option.

ssh#

This is the main command you'll use to connect to remote systems (or local Virtual Machines) via the SSH protocol. Its syntax is simple:

1
2
3
4
5
6
7
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
       [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
       [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
       [-i identity_file] [-J [user@]host[:port]] [-L address]
       [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
       [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
       [-w local_tun[:remote_tun]] destination [command]

1
2
3
4
5
ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name]
[-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]

Even though the presentation of how ssh works on Windows is different to that on macOS, your usage is likely to be so simple (even later on in your career) that the differences aren't really of concern.

Here are two of the common commands you're going to use:

  1. ssh <user>@<host>
  2. ssh <user>@<host> -p <port>
  3. ssh <user>@<host> -p <port> -i <ssh-key-file>

The <user> field is going to be the username you'll use to connect to the remote system. In the case of an Ubuntu Server, that's very likely going to be ubuntu, but not always. In AWS, I've seen ec2-user used on RedHat Enterprise Linux and admin in Debian. In our case it's ubuntu, however.

The <host> can be a DNS hostname like ssh.my-server.com or an IP address, both IPv4 and IPv6 are supported.

Sometimes the default port isn't 22. In the case of VM, we've had to forward port 2222 on our host machine to 22 on the guest OS (Ubuntu). This means you'll be connecting via 2222 and not 22.

We'll cover the use of -i below, when we get to authenticating via SSH keypairs. In short, it simply tells the SSH client to reference a particular SSH key identity when trying to authenticate with an SSH keypair.

ssh-keygen#

This command lets us generate SSH keypairs for use in SSH keypair authentication. Here's the command syntax:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]
              [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]
   ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]
               [-P old_passphrase]
   ssh-keygen -i [-f input_keyfile] [-m key_format]
   ssh-keygen -e [-f input_keyfile] [-m key_format]
   ssh-keygen -y [-f input_keyfile]
   ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
   ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
   ssh-keygen -B [-f input_keyfile]
   ssh-keygen -D pkcs11
   ssh-keygen -F hostname [-lv] [-f known_hosts_file]
   ssh-keygen -H [-f known_hosts_file]
   ssh-keygen -R hostname [-f known_hosts_file]
   ssh-keygen -r hostname [-g] [-f input_keyfile]
   ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
   ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines]
              [-j start_line] [-K checkpt] [-W generator]
   ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
              [-n principals] [-O option] [-V validity_interval]
              [-z serial_number] file ...
   ssh-keygen -L [-f input_keyfile]
   ssh-keygen -A [-f prefix_path]
   ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
              file ...
   ssh-keygen -Q -f krl_file file ...
   ssh-keygen -Y check-novalidate -n namespace -s signature_file
   ssh-keygen -Y sign -f key_file -n namespace file ...
   ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
            -n namespace -s signature_file [-r revocation_file]

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-m key_format] [-f input_keyfile]
ssh-keygen -e [-m key_format] [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-f known_hosts_file] [-l]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-J num_lines] [-j start_line] [-K checkpt] [-W generator]
ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ...
ssh-keygen -L [-f input_keyfile]
ssh-keygen -A
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
ssh-keygen -Q -f krl_file file ...

To keep this simple for the time being, I suggest you simply run ssh-keygen and follow the prompts. We'll do this below when we discuss SSH keypair authentication.

ssh-agent and ssh-add#

The SSH agent is a process/service that you run on your local system. It keeps track of SSH keypair passwords, so that you can provide the password once and then use the key repeatedly without having to retype it. This is useful if you're running a lot of commands and need to use your key over and over again. After some inactivity, the key's password can be expired from the cache, forcing you to supply it again.

Because of the complexity with setting up the SSH Agent on Windows, macOS and Linux, we will not cover running this system. The reader and explore this item themselves, and probably should, as it's an interesting exercise and you will learn a lot.

The ssh-add command will "add" a password protected SSH key to your SSH Agent, after you provide the password. From that point onwards, the SSH Agent will then respond to SSH authentication requests, after you've connected to a server, with your SSH keys (without you having to provide the password.)

scp#

Copying files to a remote system can be done in so many different ways. One way is to use the "secure copy" command, or scp, to transfer the file over an SSH connection. This is quite a common practice. Here is the command syntax:

1
2
3
usage: scp [-346BCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]
        [-J destination] [-l limit] [-o ssh_option] [-P port]
        [-S program] source ... target

1
2
scp [-12346BCEpqrv] [-c cipher] [-F ssh_config] [-i identity_file] [-l limit] [-o ssh_option] [-P port] [-S program] [[user@]host1:]file1 ...
    [[user@]host2:]file2

The simple way of doing this is: scp <user>@<host>:remote_file local_file. This will transfer/copy the remote files to the local system. You can reverse this with by doing scp local_file <user>@<host>:remote_file, which will copy local_file to the remote system and call it remote_file.