create SSH key

ssh-keygen -q -b 4096 -f ~/.ssh/id_rsa -N '' -C "${USER}@$(hostname -f)"

Load SSH key

eval $(ssh-agent) && ssh-add
ssh-add ~/.ssh/foo-key2

Copy public key to server (/home/foo/.ssh/authorized_keys)

# copy between remote hosts
ssh cat /root/.ssh/ | ssh 'cat >> /root/.ssh/authorized_keys -'

show log

journalctl -u ssh
tail -f /var/log/auth.log
journalctl _COMM=sshd -f
# configuration
~/.ssh/config: user configuration
/etc/ssh/ssh_config: system-wide client configuration
/etc/ssh/sshd_config: system-wide server configuration


ssh \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyChecking=no \

Configuration ~/.ssh/config

Include config.d/*
Host 10.*
User root
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
# exclude hosts
Host * ! !192.168.0.? !*.local
Host 192.168.0.*
User foo
BatchMode yes
EscapeChar none
Compression yes
CheckHostIp no
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
    KexAlgorithms +diffie-hellman-group1-sha1
# jump host
  ProxyCommand ssh root@ -W %h:%p
  ForwardAgent yes
# batch mode (disable password authentication)
-o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o ChallengeResponseAuthentication=no
-o BatchMode=yes
-o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5
scp -i ~/ssh_bkp/ ~/.ssh/
cat ~/ssh_bkp/ | ssh -i ~/ssh_bkp/id_rsa 'cat >> .ssh/authorized_keys'
ssh -i ~/ssh_bkp/id_rsa
cat ssh-keygen --if /tmp/ >> ~/.ssh/authorized_keys
# port forward
sudo ssh -L 80: -p 222 -N -i /home/${USER}/.ssh/id_rsa
ssh -L user@host


-N do not execute a remote command
-f run in background
-C compression
-o ConnectTimeout=3
-o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
-o ControlMaster=yes # permanent connection
-o ServerAliveInterval=15


# force password authentication
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no foo@<ip-address>

# test
Host mysql.tunnel
  User ssh_username
  LocalForward 3307
 User ec2-user
 UserKnownHostsFile /dev/null
Host X01 X02 ...
     User my_username
     Compression yes
     Ciphers arcfour,blowfish-cbc
     Protocol 2
     ControlMaster auto
     ControlPath ~/.ssh/%r@%h:%p
  LocalForward 3307
#  SendEnv LANG LC_*
  #HostKeyAlgorithms ssh-rsa
# reverse tunnel
ssh -fN -R 2222:localhost:22
# connect back from the remote side: ssh me@localhost -p 2222
# SSH config options
ForwardAgent yes
IdentitiesOnly yes
 IdentityFile /home/foo/.ssh/id_rsa
Host *
ForwardAgent yes
SendEnv LANG LC_*
StrictHostKeyChecking no
# add default domain
Host *
 HostName %h
 USER user
Host *
 USER user
    BatchMode yes
# keep the forwarded SSH agent socket available under sudo
sudo -E -s
echo "Defaults env_keep+=SSH_AUTH_SOCK" >> /etc/sudoers.d/ssh
service sudo restart
# test if SSH agent is running
env | grep SSH_AGENT_PID
# start SSH agent
eval $(ssh-agent)  
# remote X window with bash login
ssh -X USER@REMOTE_HOST -C /bin/bash -l -c "COMMAND"
# SOCKS forward (dynamic port forward)
ssh -N -D 8080 root@
chromium-browser --proxy-server="socks5://localhost:8080"
?? --proxy-server="https=proxyip:8443;http=proxyip:8080"

Enable DNS forwarding over the SOCKS proxy in Firefox:
network.proxy.socks_remote_dns: true

# port forward
ssh -N -L 8080: root@
# ssh forward to mailserver
# cat /etc/hosts
sudo  ssh  -L -L -i /home/foo/.ssh/id_rsa -N

deny SSH user

# /etc/ssh/sshd_config
DenyUsers foo
Match User test
PasswordAuthentication no
Host *
  ServerAliveInterval 30
LogLevel ERROR

Remove host keys from ~/.ssh/known_hosts by hostname or IP

ssh-keygen -R

Update SSH known hosts (ssh-keyscan records whatever key the host presents; verify the fingerprints out of band)

ssh-keyscan -t rsa  web{1..5} >> ~/.ssh/known_hosts

Forward webserver over SSH

# on client
#echo "GatewayPorts yes" >> /etc/ssh/sshd_config
echo "GatewayPorts clientspecified" >> /etc/ssh/sshd_config
service ssh restart
# on server
ssh -o StrictHostKeyChecking=no -N -R 80: -R 443:

Get hostkey

ssh-keyscan SERVER
SendEnv no


RemoteForward 80
LocalForward 1521
GatewayPorts no
# forward proxy
# ~/.ssh/config.d/vm
Host 10.0.1.*
User ubuntu
RemoteForward 3128
https_proxy=http://localhost:3128 wget -O-
# double forward
ssh -A -R 10080:forward_from.tld:80 user@forward_to.tld "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 80:localhost:10080 localhost"
# Forward DB port by SSH tunnel and make it publicly accessible (-g binds the forwarded port on all interfaces)
ssh -A -R 10080:localhost:3306 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 3306:localhost:10080 localhost"
# Forward port 80 from one host to another
ssh -A -R 12345: "ssh -o UserKnoHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 8080:localhost:12345 localhost"
# copy block device over network with SSH
dd if=/dev/sdc | ssh -C user@host dd of=/dev/sdc
cat file | ssh -e none remote-host 'cat > file'
# show SSH status
systemctl status ssh


# on SSH VPN server
sudo sed -i 's/#GatewayPorts .*/GatewayPorts yes/g' /etc/ssh/sshd_config
sudo service ssh restart
# on SSH VPN client
sudo ssh \
  -i /home/foo/.ssh/id_rsa \
  -o PermitLocalCommand=yes \
  -o LocalCommand="sudo ifconfig tun0 pointopoint netmask; sudo route add -net gw netmask" \
  -o ServerAliveInterval=60 \
  -w 0:0 -p 22022 \
  'sudo ifconfig tun0 pointopoint netmask; echo tun0 ready'
# v2
# client
sudo ip tuntap add dev tun0 mode tun
sudo ip link set tun0 up
sudo ip addr add peer dev tun0
# server
sudo ip tuntap add dev tun0 mode tun
sudo ip link set tun0 up
sudo ip addr add peer dev tun0
sudo ip tuntap del dev tun0 mode tun
sudo ip tuntap del dev tap0 mode tap

Workaround / Fix

# slow ssh login
systemctl restart systemd-logind
# fix "mesg: ttyname failed: Inappropriate ioctl for device" by forcing pseudo-tty allocation
ssh -t "bash -l /path/to/cmd"
ssh -tt 'bash -l -c "sqlplus system/oracle @/tmp/query1.sql"'
# sshfs
sshfs -o ServerAliveInterval=15 /mnt 
# /etc/ssh/sshd_config
Match User oli
   GatewayPorts yes
# resolve DNS on localhost
ProxyCommand ssh -W $(dig +short %h):%p


ssh -J
# multiple jump hosts
ssh -J user1@host1:port1,user2@host2:port2 user3@host3


# scp with sshpass (a password given with -p is visible in the process list and shell history; prefer key-based auth)
sshpass -p <PASSWORD> scp <USER>@<HOST>:~/htdocs/*.gz /mnt/backup/

Create new key on client

#ssh-keygen -t rsa 
# (press enter 3x to leave the passphrase empty)
ssh-keygen -q -f ~/.ssh/id_rsa -N ''
# Copy public key to server
ssh-copy-id ${USER}@
# Test login
ssh -v ${USER}@
# Login with private key
ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER
# Import own ssh key by using previous / master ssh key
cat ~/.ssh/ | ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER 'cat >> .ssh/authorized_keys'

OPTIONAL: Disable password login on server

Execute commands remotely using SSH

ssh ${HOST} < ~/bin/

Access internal Git server over temporary SSH tunnel from public VM

# @www1 VM
cat /home/local/.ssh/config 
Port 2222
#@workstation or deployment VM
ssh -R "git -C /var/www/html pull"

SSH Server with Two-Factor Authentication

Multi-line command

ssh foo@example << EOF
 cat /etc/resolv.conf
ssh foo@example << '
 cat /etc/resolv.conf

Fix slow SSH login

systemctl restart systemd-logind

Fix "Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" (the option below re-enables a legacy key exchange; scope it to the affected host rather than setting it globally)

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1
# virtual serial port
# text console


ssh-keygen -L -f .ssh/


# list available ciphers
ssh -Q cipher

Block access
sudo ufw deny from ${IP_FROM} port 22
sudo iptables -I INPUT -s ${IP_FROM} -p tcp --dport ssh -j DROP