The Secure Shell (SSH) protocol uses cryptography to make a secure link between a client and a server. The ssh client makes it possible to connect to an SSH server on a remote machine in a safe way. You can send commands to the server, set up an X11 tunnel, forward ports, and more through this safe channel.
OpenSSH is the most widely used SSH client, but there are many others, both free and paid, that can be used as well. It works with a lot of different systems, like Linux, OpenBSD, Windows, and macOS.
In this article, you will learn how to use the OpenSSH command-line client (ssh) to log into a remote machine and do several things on it.
Installing OpenSSH Client
The OpenSSH client program is called ssh and is run from the terminal. Along with ssh, the OpenSSH client package includes scp and sftp.
The majority of Linux distributions come with the OpenSSH client installed by default. You can use your distribution’s package manager to install the ssh client if it isn’t already on your system.
Installing OpenSSH Client on Ubuntu and Debian
sudo apt update
sudo apt install openssh-client
Installing OpenSSH Client on CentOS and Fedora
sudo dnf install openssh-clients
Installing OpenSSH Client on Windows 10
Most Windows users connect to remote machines over SSH using PuTTY. However, the most recent versions of Windows 10 include an OpenSSH client and server. Both packages can be installed using PowerShell or the GUI.
To find the exact name of the OpenSSH package, run the following command:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
This is the kind of result you should get from the command:
Name : OpenSSH.Client~~~~0.0.1.0
State : NotPresent
Name : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
Once you know the package name, install the client by typing:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
If all goes well, the result will look like this:
Online : True
RestartNeeded : False
Installing OpenSSH Client on macOS
OpenSSH client is installed on macOS by default.
How to Use the ssh Command
To log into a remote machine using SSH, you must meet the following requirements:
- On the remote machine, an SSH server must be running.
- The remote machine’s firewall must have the SSH port open.
- You must know the remote account’s username and password. The account must have the privileges required for remote login.
The ssh command has this basic syntax:
ssh [OPTIONS] [USER@]HOST
To use the ssh command, launch Terminal or PowerShell and enter ssh followed by the remote hostname:
When you initially connect to a remote machine using SSH, you will see the notice shown below.
The authenticity of host 'ssh.pcplanet.com (10.0.5.99)' can't be established.
ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY.
Are you sure you want to continue connecting (yes/no)?
Each host has a fingerprint, which is stored in the ~/.ssh/known_hosts file.
Type yes to save the remote fingerprint; you will then be prompted for your password.
Warning: Permanently added 'ssh.pcplanet.com' (ECDSA) to the list of known hosts.
[email protected]'s password:
Once you enter the password, you will be logged into the remote machine.
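The fingerprint in that prompt is the unpadded base64 SHA-256 digest of the server's public host key, so it can be checked against a key the server's administrator gave you over a trusted channel before you type yes. The Python sketch below is an added example, not part of the original article; the function names are hypothetical and the sample key bytes are constructed.

```python
import base64
import hashlib
import struct

def parse_key_line(line):
    """Return (key_type, key_blob) from a .pub or known_hosts style line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
            (name_len,) = struct.unpack(">I", blob[:4])
        except (ValueError, struct.error):
            continue  # not a key blob, e.g. the host name field
        # A key blob starts with a length-prefixed copy of its key type.
        if blob[4:4 + name_len] == key_type.encode():
            return key_type, blob
    raise ValueError("no public key found in line")

def fingerprint(blob):
    """SHA256 fingerprint as ssh prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(line, expected):
    """True only if the key on `line` hashes to the `expected` fingerprint."""
    _, blob = parse_key_line(line)
    return fingerprint(blob) == expected.strip()

def make_sample_line(host="host.example"):
    """Constructed sample: an ed25519-shaped key with made-up key bytes."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    sample = make_sample_line()
    print(fingerprint(parse_key_line(sample)[1]))
```

If the computed fingerprint differs from the one ssh displays, answer no and investigate before connecting.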
When the username is not given, the ssh command uses the current system login name.
To log in as a different user, specify the username and the host in the following format:
ssh username@hostname
The username can also be specified with the -l option:
ssh -l username hostname
By default, when no port is given, the SSH client will try to connect to the remote server on port 22. On some servers, administrators change the default SSH port to reduce the risk of automated attacks, which adds an extra layer of security to the server.
To connect on a non-default port, use the -p option to specify the port:
ssh -p 5522 username@hostname
If you are experiencing authentication or connection issues, use the -v option to tell ssh to print debugging messages:
ssh -v username@hostname
To increase the level of verbosity, use -vv or -vvv.
The ssh command accepts a number of options.
For a complete list of all options read the ssh man page by typing man ssh in your terminal.
SSH Config File
If you are connecting to multiple remote systems over SSH on a daily basis, you’ll find that remembering all of the remote IP addresses, different usernames, non-standard ports, and various command-line options is difficult, if not impossible.
The OpenSSH client reads the options set in the per-user configuration file (~/.ssh/config). In this file, you can store different SSH options for each remote machine you connect to.
A sample SSH config is shown below:
When you start the ssh client by typing ssh xyz, it reads the ~/.ssh/config file and uses the connection details specified for the xyz host. In this case, ssh xyz is equivalent to the following:
ssh -p 4422 [email protected]
For more information, see the article on the SSH config file.
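How the client turns a short alias into a full command line can be modelled in a few lines. The Python sketch below is an added example, not part of the original article: it resolves a constructed config using the first-value-wins rule of ssh_config. The user names, the example.com hosts and the function names are assumptions; negated patterns, Match blocks and multi-valued keys are not handled.

```python
import fnmatch
import re

# Constructed sample; the user names and example.com hosts are placeholders.
SAMPLE_CONFIG = """\
Host xyz
    HostName xyz.example.com
    User deploy
    Port 4422

Host *.example.com
    User ops
    IdentityFile ~/.ssh/id_ops

Host *
    User fallback
    ServerAliveInterval 60
"""

LINE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")

def resolve(config_text, alias):
    """Effective options for `alias`; the first value found for a key wins."""
    options, active = {}, True  # options before any Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = LINE.match(line).groups()
        if key.lower() == "host":
            # Patterns match the name typed on the command line, not HostName.
            active = any(fnmatch.fnmatchcase(alias, p) for p in value.split())
        elif active:
            options.setdefault(key.lower(), value)
    return options

def equivalent_command(config_text, alias):
    """Build the long-form ssh command that typing `ssh alias` stands for."""
    opts = resolve(config_text, alias)
    cmd = ["ssh"]
    if "port" in opts:
        cmd += ["-p", opts["port"]]
    if "identityfile" in opts:
        cmd += ["-i", opts["identityfile"]]
    target = opts.get("hostname", alias)
    if "user" in opts:
        target = f"{opts['user']}@{target}"
    return " ".join(cmd + [target])
```

Because the first value wins, a Host * block placed at the top of the file overrides every more specific entry below it. On a real system, ssh -G xyz prints the options the client would actually use.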
Public Key Authentication
Several ways of proving your identity can be used with the SSH protocol.
The public key-based authentication system lets you log in to the remote server without having to type in your password.
For this method to work, a pair of cryptographic keys that are used for authentication must be made. The client device stores the private key, and the public key is sent to each remote server where you want to log in. The remote server needs to be set up to accept authentication with a key.
If you don’t already have an SSH key pair on your local machine, you can make one by typing:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
You will be prompted for a passphrase. It’s up to you if you want to use a passphrase or not.
Once you have your key pair, copy the public key to the remote server:
ssh-copy-id username@hostname
After you enter the remote user’s password, the public key will be added to the remote user’s authorized_keys file.
You won’t need to enter a password to access the remote server once the key has been uploaded.
Setting up key-based authentication will make login easier and boost server security in general.
SSH tunneling, also called SSH port forwarding, creates an encrypted SSH connection between a client and a server system through which traffic for other services can be carried.
SSH forwarding is helpful for accessing geo-restricted content, getting through intermediary firewalls, and transmitting network data for services like VNC or FTP that use an unencrypted protocol. In essence, you can tunnel communication over any TCP port using a secure SSH connection.
SSH port forwarding comes in three different varieties:
Local Port Forwarding
A connection initiated on a client host can be forwarded to an SSH server host and from there to the desired host port using local port forwarding.
To create a local port forward, pass the -L option to the ssh client:
ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION_HOST:DESTINATION_PORT -N -f username@hostname
The -f option tells the ssh command to run in the background, and -N tells it not to execute a remote command.
Remote Port Forwarding
Remote port forwarding is the opposite of local port forwarding. A port on the server host is forwarded to the client host, and from there to the port on the destination host.
With the -R option, ssh is instructed to open a forwarded port on a remote host.
ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT -N -f username@hostname
Dynamic Port Forwarding
In order to facilitate communication over many ports, a SOCKS proxy server is set up automatically when dynamic port forwarding is enabled.
Use the ssh client’s -D option to set up dynamic port forwarding (SOCKS):
ssh -D [LOCAL_IP:]LOCAL_PORT -N -f username@hostname
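Which side opens the listening port, and on which address, decides who else can reach a tunnel. The Python sketch below is an added example, not part of the original article: it parses the -L, -R and -D argument forms shown above and reports where the listener is bound. The function names and sample specs are assumptions, and only the forms shown in this section are supported.

```python
WILDCARD = {"", "*", "0.0.0.0", "::"}

def split_spec(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p[1:-1] if p.startswith("[") and p.endswith("]") else p
            for p in parts]

def describe_forward(flag, spec):
    """flag is 'L', 'R' or 'D'; spec is the argument that follows it."""
    parts = split_spec(spec)
    if flag == "D" and len(parts) in (1, 2):
        bind, port, dest = parts[:-1], parts[-1], None
    elif flag in ("L", "R") and len(parts) in (3, 4):
        bind, port, dest = parts[:-3], parts[-3], (parts[-2], int(parts[-1]))
    else:
        raise ValueError(f"unsupported -{flag} spec: {spec!r}")
    bind = bind[0] if bind else None  # None: no bind address was given
    return {
        "listens_on": "server" if flag == "R" else "client",
        "bind": bind,
        "port": int(port),
        "destination": dest,
        # An empty bind address or '*' asks for all interfaces. With no bind
        # address, ssh follows GatewayPorts, which defaults to loopback only.
        "all_interfaces": bind is not None and bind in WILDCARD,
    }
```

A result with all_interfaces set to True means the forwarded port is requested on every interface of the listening side; for -R the server honours that only when its GatewayPorts option allows it.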
To establish an SSH connection to a remote server, use ssh followed by the remote username and hostname (ssh username@hostname).
In order to administer remote servers, familiarity with the ssh command is required.