---
name: ssh-essentials
description: Essential SSH commands for secure remote access, key management, tunneling, and file transfers.
homepage: https://www.openssh.com/
metadata: {"clawdbot":{"emoji":"🔐","requires":{"bins":["ssh"]}}}
---
# SSH Essentials
Secure Shell (SSH) for remote access and secure file transfers.
## Basic Connection
### Connecting
```bash
# Connect with username
ssh user@hostname
# Connect to specific port
ssh user@hostname -p 2222
# Connect with verbose output
ssh -v user@hostname
# Connect with specific key
ssh -i ~/.ssh/id_rsa user@hostname
# Connect and run command
ssh user@hostname 'ls -la'
ssh user@hostname 'uptime && df -h'
```
### Interactive use
```bash
# Connect with forwarding agent
ssh -A user@hostname
# Connect with X11 forwarding (GUI apps)
ssh -X user@hostname
ssh -Y user@hostname # Trusted X11
# Escape sequences (during session)
# ~. - Disconnect
# ~^Z - Suspend SSH
# ~# - List forwarded connections
# ~? - Help
```
## SSH Keys
### Generating keys
```bash
# Generate RSA key
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# Generate ED25519 key (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"
# Generate with custom filename
ssh-keygen -t ed25519 -f ~/.ssh/id_myserver
# Generate without passphrase (automation)
ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_deploy
```
### Managing keys
```bash
# Copy public key to server
ssh-copy-id user@hostname
# Copy specific key
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
# Manual key copy
cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> ~/.ssh/authorized_keys'
# Check key fingerprint
ssh-keygen -lf ~/.ssh/id_rsa.pub
# Change key passphrase
ssh-keygen -p -f ~/.ssh/id_rsa
```
### SSH agent
```bash
# Start ssh-agent
eval $(ssh-agent)
# Add key to agent
ssh-add ~/.ssh/id_rsa
# List keys in agent
ssh-add -l
# Remove key from agent
ssh-add -d ~/.ssh/id_rsa
# Remove all keys
ssh-add -D
# Set key lifetime (seconds)
ssh-add -t 3600 ~/.ssh/id_rsa
```
## Port Forwarding & Tunneling
### Local port forwarding
```bash
# Forward local port to remote
ssh -L 8080:localhost:80 user@hostname
# Access via: http://localhost:8080
# Forward to different remote host
ssh -L 8080:database.example.com:5432 user@jumphost
# Access database through jumphost
# Multiple forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname
```
### Remote port forwarding
```bash
# Forward remote port to local
ssh -R 8080:localhost:3000 user@hostname
# Remote server can access localhost:3000 via its port 8080
# Make service accessible from remote
ssh -R 9000:localhost:9000 user@publicserver
```
### Dynamic port forwarding (SOCKS proxy)
```bash
# Create SOCKS proxy
ssh -D 1080 user@hostname
# Use with browser or apps
# Configure SOCKS5 proxy: localhost:1080
# With Firefox
firefox --profile $(mktemp -d) \
--preferences "network.proxy.type=1;network.proxy.socks=localhost;network.proxy.socks_port=1080"
```
### Background tunnels
```bash
# Run in background
ssh -f -N -L 8080:localhost:80 user@hostname
# -f: Background
# -N: No command execution
# -L: Local forward
# Keep alive
ssh -o ServerAliveInterval=60 -L 8080:localhost:80 user@hostname
```
## Configuration
### SSH config file (`~/.ssh/config`)
```
# Simple host alias
Host myserver
HostName 192.168.1.100
User admin
Port 2222
# With key and options
Host production
HostName prod.example.com
User deploy
IdentityFile ~/.ssh/id_prod
ForwardAgent yes
# Jump host (bastion)
Host internal
HostName 10.0.0.5
User admin
ProxyJump bastion
Host bastion
HostName bastion.example.com
User admin
# Wildcard configuration
Host *.example.com
User admin
ForwardAgent yes
# Keep connections alive
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
```
### Using config
```bash
# Connect using alias
ssh myserver
# Jump through bastion automatically
ssh internal
# Override config options
ssh -o "StrictHostKeyChecking=no" myserver
```
## File Transfers
### SCP (Secure Copy)
```bash
# Copy file to remote
scp file.txt user@hostname:/path/to/destination/
# Copy file from remote
scp user@hostname:/path/to/file.txt ./local/
# Copy directory recursively
scp -r /local/dir user@hostname:/remote/dir/
# Copy with specific port
scp -P 2222 file.txt user@hostname:/path/
# Copy with compression
scp -C large-file.zip user@hostname:/path/
# Preserve attributes (timestamps, permissions)
scp -p file.txt user@hostname:/path/
```
### SFTP (Secure FTP)
```bash
# Connect to SFTP server
sftp user@hostname
# Common SFTP commands:
# pwd - Remote working directory
# lpwd - Local working directory
# ls - List remote files
# lls - List local files
# cd - Change remote directory
# lcd - Change local directory
# get file - Download file
# put file - Upload file
# mget *.txt - Download multiple files
# mput *.jpg - Upload multiple files
# mkdir dir - Create remote directory
# rmdir dir - Remove remote directory
# rm file - Delete remote file
# exit/bye - Quit
# Batch mode
sftp -b commands.txt user@hostname
```
### Rsync over SSH
```bash
# Sync directory
rsync -avz /local/dir/ user@hostname:/remote/dir/
# Sync with progress
rsync -avz --progress /local/dir/ user@hostname:/remote/dir/
# Sync with delete (mirror)
rsync -avz --delete /local/dir/ user@hostname:/remote/dir/
# Exclude patterns
rsync -avz --exclude '*.log' --exclude 'node_modules/' \
/local/dir/ user@hostname:/remote/dir/
# Custom SSH port
rsync -avz -e "ssh -p 2222" /local/dir/ user@hostname:/remote/dir/
# Dry run
rsync -avz --dry-run /local/dir/ user@hostname:/remote/dir/
```
## Security Best Practices
### Hardening SSH
```bash
# Disable password authentication (edit /etc/ssh/sshd_config)
PasswordAuthentication no
PubkeyAuthentication yes
# Disable root login
PermitRootLogin no
# Change default port
Port 2222
# Use protocol 2 only
Protocol 2
# Limit users
AllowUsers user1 user2
# Restart SSH service
sudo systemctl restart sshd
```
### Connection security
```bash
# Check host key
ssh-keygen -F hostname
# Remove old host key
ssh-keygen -R hostname
# Strict host key checking
ssh -o StrictHostKeyChecking=yes user@hostname
# Use specific cipher
ssh -c aes256-ctr user@hostname
```
## Troubleshooting
### Debugging
```bash
# Verbose output
ssh -v user@hostname
ssh -vv user@hostname # More verbose
ssh -vvv user@hostname # Maximum verbosity
# Test connection
ssh -T user@hostname
# Check permissions
ls -la ~/.ssh/
# Should be: 700 for ~/.ssh, 600 for keys, 644 for .pub files
```
### Common issues
```bash
# Fix permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
# Clear known_hosts entry
ssh-keygen -R hostname
# Disable host key checking (not recommended)
ssh -o StrictHostKeyChecking=no user@hostname
```
## Advanced Operations
### Jump hosts (ProxyJump)
```bash
# Connect through bastion
ssh -J bastion.example.com user@internal.local
# Multiple jumps
ssh -J bastion1,bastion2 user@final-destination
# Using config (see Configuration section above)
ssh internal # Automatically uses ProxyJump
```
### Multiplexing
```bash
# Master connection
ssh -M -S ~/.ssh/control-%r@%h:%p user@hostname
# Reuse connection
ssh -S ~/.ssh/control-user@hostname:22 user@hostname
# In config:
# ControlMaster auto
# ControlPath ~/.ssh/control-%r@%h:%p
# ControlPersist 10m
```
### Execute commands
```bash
# Single command
ssh user@hostname 'uptime'
# Multiple commands
ssh user@hostname 'cd /var/log && tail -n 20 syslog'
# Pipe commands
cat local-script.sh | ssh user@hostname 'bash -s'
# With sudo
ssh -t user@hostname 'sudo command'
```
## Tips
- Use SSH keys instead of passwords
- Use `~/.ssh/config` for frequently accessed hosts
- Enable SSH agent forwarding carefully (security risk)
- Use ProxyJump for accessing internal networks
- Keep SSH client and server updated
- Use fail2ban or similar to prevent brute force
- Monitor `/var/log/auth.log` for suspicious activity
- Use port knocking or VPN for additional security
- Backup your SSH keys securely
- Use different keys for different purposes
## Documentation
Official docs: https://www.openssh.com/manual.html
Man pages: `man ssh`, `man ssh_config`, `man sshd_config`Help answer questions about Catholicism accurately
Analyze budget vs actual
Push decisions to Arbiter Zebu for async human review.
Create, validate, and publish Agent Skills following