Secure Shell Getting started with Secure Shell

30% OFF - 9th Anniversary discount on Entity Framework Extensions until December 15 with code: ZZZANNIVERSARY9


The SSH (Secure Shell) is a cryptographic protocol for point-to-point communication over the insecure network (Internet). It obsoletes the old protocols used in the old days (rlogin, rsh, telnet).

It is commonly used to connect to remote servers, virtual machines or containers in data center or in your private cloud (google compute engine, AWS, ...). But it is also commonly used in conjunction with git for accessing and updating your repository securely and easy using public keys instead of passwords.

It should also mention any large subjects within ssh, and link out to the related topics. Since the Documentation for ssh is new, you may need to create initial versions of those related topics. TODO


VersionRelease notesRelease Date
OpenSSH 7.3p1Latest version2016-08-01
OpenSSH 7.2p22016-03-09
OpenSSH 7.1p22016-01-14
OpenSSH 7.12015-08-21
OpenSSH 7.02015-11-08
OpenSSH 6.92015-07-01
OpenSSH 6.82015-03-18

Adding your public key to the list of server user's authorized keys

In order to ssh into a server your identity's public key has to be added to the list of trusted keys. Most commonly this is done per-user:

ssh-copy-id -i ~/.ssh/<identity>.pub <user>@<hostname>

Which can be also done manually:

cat ~/.ssh/<identity>.pub | ssh <user>@<hostname> 'cat >> ~/.ssh/authorized_keys'

After doing that you should be able to log in without need to provide user's password when passing the identity file to the ssh call.

Config File

OpenSSH config files are used for configuration that should be applied every time the ssh client is run. Most command line options are possible to put in the config files.

OpenSSH uses configuration from the following sources in order:

  1. Command line options
  2. User's configuration file ~/.ssh/config
  3. System wide configuration file /etc/ssh/ssh_config

Configuration options are listed one by one in the config files.

# This is a comment.

# Parameter can be specified like this, separated with white space.
StrictHostKeyChecking ask

# Or parameter key and value may be separated with white space and =.  
ForwardX11 = yes

# The parameter value can be quoted if it contains white space.    
IdentityFile "/file system/path with/white space"

The full list of possible config parameters is available here.

One of the most useful features of the config file is that it can be sectioned based on host name or address. In this way you can have different configurations for different hosts.

# Based on host name.    

    User user1

    User user2

# Or wildcard matching name or ip.

Host * 10.201.4.?
    User user3

Connecting from script using password

When you really need to script ssh connection, piping the password into the ssh command does not work (echo passw0rd | ssh host ). It is because the password is not read from standard input, but directly from TTY (teleprinter, teletypewriter, Teletype for historical reasons).

But there is sshpass tool which works around this problem. It can read the password from parameter, file or environment variable. But note that none of these options does not satisfy the security requirements for a passwords!

$ sshpass -p passw0rd ssh host
$ sshpass -f /secret/filename ssh host
$ SSHPASS=passw0rd sshpass -e ssh host

The command line options can be seen by other users in ps (during runtime it is masked, but not during start time and you can't rely on it):

... 23624  6216 pts/5    Ss   Aug30   0:00  \_ /bin/bash
... 12812  1988 pts/5    S+   08:50   0:00  |   \_ sshpass -p passw0rd ssh host
... 45008  5796 pts/15   Ss+  08:50   0:00  |       \_ ssh host

Note, that environemnet variables of a process are also accessible by other processes on the system using /proc/PID/environ file.

Finally, storing the password in the file might look like the best possible idea, but still using keys as described in the other examples is preferred way to use ssh .

Creating your SSH key

You can create your ssh key using ssh-keygen, it's a program that is part of the ssh installation. To do so just run it and follow the instructions on screen.

Here's an example:

$ ssh-keygen
Generating public/private rsa key pair.

The default directory where you ssh key pair will be saved is inside the .ssh folder in your home directory (you can change this by specifying a valid path) and the default name for the keypair is id_rsa for the private key and for the public key:

Enter file in which to save the key (/home/nasreddine/.ssh/id_rsa): /home/my_folder/my_ssh_key

You can protect your SSH key from unauthorized use by entering a password. This is optional but it's recommended that you use a passphrase. Note that, like with any other command program, when entering your passphrase it will not show anything on screen but it is being recorded:

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Once you enter your passphrase ssh-keygen will generate a key and save it to the path you chose:

Your identification has been saved in /home/my_folder/my_ssh_key.
Your public key has been saved in /home/my_folder/

We're done. Now our ssh key is ready for use.

enter image description here

How to SSH into a machine

In order to login to a user's account on machine with SSH you can use the command ssh username@ip_address . It will ask for a password. If you type the correct password, you will be connected to the shell of that user on that machine. Otherwise it will prompt for the password again.

For example

root@dev10:~# ssh root@
root@'s password: 
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-31-generic x86_64)
Last login: Fri Jul 22 18:33:27 2016 from

If you want to use a specific ssh key to connect to a machine, use ssh -i /path/to/ssh_secret_key username@host

When you are connecting to a machine for the very first time, it will ask you to verify the fingerprint of the target machine. This is a security mechanism for avoiding a man-in-the-middle attack. You can see the fingerprint of the target machine by issuing this command in the target machine.

ssh-keygen -l -E md5 -f /etc/ssh/

You can type "yes" if both are same. It will proceed to password prompt.


root@dev10:~# ssh root@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is dd:a3:de:cd:5b:01:cd:0b:b6:bc:b3:09:c2:c8:1a:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
root@'s password: 

Last login: Fri Jul 22 17:45:09 2016 from

Installation or Setup

Free version of SSH protocol implementation, OpenSSH is available in all the Linux distributions. It consists of the server and client packages.


On Debian-based Linux, you can install openssh using

# apt-get install openssh-server openssh-client

On RHEL/CentOS you need to use yum :

# yum install openssh-server openssh-clients

Current Fedora is using dnf instead of yum .

On Arch Linux, use pacman:

# pacman -S openssh

On OSX, the openssh should be already installed.

If you want to use more recent version, you need to install the openssh from brew:

# brew install openssh --with-brewed-openssl --with-keychain-support

TODO Instructions for Windows


The openssh client does not need any special setup and is ready to use just after installation. You can try that running ssh remote , where the remote is the remote host running ssh server.

The openssh server is usually started after the installation and default setup is applied. If not, you can start it on systemd based systems using

On Debian-based Linux with systemd:

# systemctl start ssh

On RHEL/CentOS/Fedora and Arch Linux:

# systemctl start sshd

Or on upstart systems using

# service sshd start


The openssh have configuration files under /etc/ssh/ . The client is also reading client configuration in ~/.ssh/config . The server is using a file sshd_config , which contains most of the default values and contains simple key-value pairs. Example:

Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem    sftp    /usr/libexec/openssh/sftp-server


If you have set a long passphrase and do not wish to keep entering it every time you want to connect to the server, you can use SSH-Agent to store your passphrase while you are logged in on your computer.

Start the ssh-agent in the background:

eval "$(ssh-agent -s)"
# Agent pid 59566

And add your key to the ssh-agent, you will be prompted to enter your passphrase:

ssh-add ~/.ssh/
# Enter passphrase for /home/osaka/.ssh/ 
# Identity added: /home/osaka/.ssh/ (/home/osaka/.ssh/

Done. Now connect with ssh and you should not have to enter your passphrase. You can extend this by using programs like gnome-keyring/seahorse, keychain and other key managers.

Got any Secure Shell Question?