
SSH Cheat Sheet

Basic Connection

# Connect to host
# On first contact ssh prints the host key fingerprint; compare it with a
# value obtained out of band before answering "yes".
ssh user@192.168.1.1

# Custom port (ssh takes lowercase -p)
ssh -p 2222 user@192.168.1.1

# With private key (-i selects the identity file to offer)
ssh -i ~/.ssh/id_rsa user@192.168.1.1

# Disable host key checking (testing only)
# With "no", ssh adds unknown host keys to known_hosts without asking and,
# subject to some restrictions, also proceeds when a stored key has changed,
# so an interposed host is not detected. StrictHostKeyChecking=accept-new
# still skips the first-contact prompt but refuses a changed key.
ssh -o StrictHostKeyChecking=no user@192.168.1.1

# Verbose (debug connection issues); -vvv is the most detailed level
# The trace names hosts, users and key file paths; review it before sharing.
ssh -v user@192.168.1.1
ssh -vvv user@192.168.1.1

Key Management

# Generate key pair (Ed25519 — preferred)
# -f names the private key file; the public half is written next to it as
# keyname.pub. Set a passphrase at the prompt so that a copied key file is
# not usable on its own.
ssh-keygen -t ed25519 -C "comment" -f ~/.ssh/keyname

# Generate RSA key (4096-bit)
# -b sets the key size in bits; without -f, ssh-keygen asks where to save
# the key.
ssh-keygen -t rsa -b 4096 -C "comment"

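# Copy public key to server (always the .pub file, never the private key)
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@host

# Manual copy (if ssh-copy-id not available)
# The public key is fed on stdin and appended on the server. The chmod calls
# keep ~/.ssh and authorized_keys private to the account: with StrictModes
# (on by default) sshd checks the modes and ownership of these files before
# accepting a login. ">>" appends, so running this twice adds the key twice.
ssh user@host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" < ~/.ssh/id_ed25519.pub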

# List loaded keys (fingerprints of the keys the agent currently holds)
ssh-add -l

# Add key to agent (prompts for the passphrase if the key has one)
# ssh-add -t <seconds> limits how long the agent keeps the key.
ssh-add ~/.ssh/id_ed25519

# Change key passphrase
# Re-encrypts the private key file only; the key pair itself, and therefore
# every authorized_keys entry for it, stays the same.
ssh-keygen -p -f ~/.ssh/id_ed25519

SSH Tunneling

# Local port forwarding
# Access remote service via local port
# "localhost" in the forward spec is resolved on the server side, so this
# reaches port 80 on host itself. The local listener binds to loopback unless
# a bind address or GatewayPorts says otherwise.
ssh -L 8080:localhost:80 user@host
# Now: curl http://localhost:8080 → host:80

# Remote port forwarding
# Expose local service on remote host
# The listener on the remote side is loopback-only unless the server's
# GatewayPorts setting permits a wider bind. Whoever can reach that listener
# reaches your local service, so forward only what you mean to publish.
ssh -R 9090:localhost:3000 user@host
# Now: remote host port 9090 → your port 3000

# Dynamic port forwarding (SOCKS5 proxy)
# Opens a SOCKS listener on local port 1080; proxied connections originate
# from host.
ssh -D 1080 user@host
# Use with: proxychains, browser SOCKS5 proxy

# Jump host / ProxyJump
# The connection to the target is tunnelled through the jump host while
# authentication to the target still happens from the client, so no agent
# forwarding to the jump host is needed.
ssh -J jumphost user@targethost
ssh -J user1@jump:22 user2@internal

# Keep tunnel open without a remote shell
ssh -N -L 8080:localhost:80 user@host
# -N = no command, just tunnel
# -N alone sends no keepalives; an idle tunnel is kept up by
# ServerAliveInterval / ServerAliveCountMax (-o or ~/.ssh/config).

SSH Config File (~/.ssh/config)

# Basic host alias ("ssh myserver" picks up every setting below)
Host myserver
    HostName 192.168.1.1
    User john
    Port 2222
    # ssh may still offer other keys held by the agent unless
    # IdentitiesOnly yes is set as well.
    IdentityFile ~/.ssh/id_ed25519

# Jump host configuration ("ssh internal" connects through jumphost first)
Host internal
    HostName 10.0.0.5
    User admin
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User ubuntu

# Global settings
# ssh uses the first value it obtains for each option, so the catch-all
# "Host *" block belongs after the host-specific blocks, as it is here.
Host *
    # Probe the server after 60 s of silence; disconnect after 3 unanswered
    # probes.
    ServerAliveInterval 60
    ServerAliveCountMax 3
    # Load a key into a running ssh-agent the first time it is used.
    AddKeysToAgent yes

File Transfer

# Upload file
scp file.txt user@host:/remote/path/

# Download file
scp user@host:/remote/file.txt /local/path/

# Recursive copy
scp -r /local/dir user@host:/remote/

# Custom port (scp uses uppercase -P; its lowercase -p preserves times and
# modes instead, unlike ssh where -p is the port)
scp -P 2222 file.txt user@host:/path/

# Rsync over SSH (-a archive, -v verbose, -z compress; -e sets the remote
# shell command, here ssh on port 2222)
# The trailing slash on /local/ copies the directory's contents rather than
# the directory itself.
rsync -avz -e "ssh -p 2222" /local/ user@host:/remote/

Hardening sshd_config

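# Key settings to change in /etc/ssh/sshd_config
#
# Comments are kept on their own lines: sshd_config(5) documents only
# whole-line comments, and some OpenSSH versions reject or misread text that
# follows a value on the same line (on a list option such as AllowUsers the
# extra words could be read as further entries).

# Non-default port. This reduces scanner noise in the logs; it is not an
# access control.
Port 2222
# Disable root login
PermitRootLogin no
# Keys only. Confirm that key login works before turning passwords off.
# Password prompts can still arrive through keyboard-interactive/PAM; check
# KbdInteractiveAuthentication (ChallengeResponseAuthentication on older
# releases) as well.
PasswordAuthentication no
PubkeyAuthentication yes
# Path is relative to each user's home directory
AuthorizedKeysFile .ssh/authorized_keys
# Only these accounts may log in; everyone else is refused
AllowUsers john admin
# Authentication attempts allowed per connection
MaxAuthTries 3
# Seconds an unauthenticated connection may stay open
LoginGraceTime 30
X11Forwarding no
# Disable if tunneling not needed
AllowTcpForwarding no
# Probe a silent client every 300 s and disconnect after 2 unanswered probes.
# This detects dead connections; it is not an idle-session timeout.
ClientAliveInterval 300
ClientAliveCountMax 2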

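# Restart after changes
# sshd -t checks the configuration and exits non-zero on an error, so a
# broken file never reaches the restart. Keep the current session open and
# confirm that a fresh login works before closing it.
# The unit is named "ssh" on Debian/Ubuntu and "sshd" on many other
# distributions.
sshd -t && systemctl restart ssh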

Useful Options

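| Flag | Description |
|------|-------------|
| -N | No remote command (tunnels only) |
| -f | Background after auth |
| -C | Enable compression |
| -A | Forward SSH agent (only to hosts you trust: root on the remote host can use the forwarded agent while you are connected; -J avoids the need) |
| -X | Forward X11 display |
| -q | Quiet mode |
| -o | Set config option inline |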