knowledge/technology/applications/network/SSH.md

---
aliases:
  - OpenSSH
website: https://www.openssh.com/
obj: application
repo: https://github.com/openssh/openssh-portable
rev: 2024-08-26
---

# SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

Examples of services that can use SSH are [Git](../../dev/Git.md), [rsync](../cli/rsync.md) and X11 forwarding. Services that always use SSH are SCP and SFTP.

An SSH server, by default, listens on the standard [TCP](../../internet/TCP.md) port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including [macOS](../../macos/macOS.md), GNU/[Linux](../../linux/Linux.md), Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.

## Client
### Usage
Creating a SSH key:
```shell
ssh-keygen
```

Connecting to a server
```shell
ssh -p port user@server-address
```

Port forwarding:
```shell
# Forward Remote -> Local
ssh -N -f -L local_port:127.0.0.1:remote_port host
# Forward Local -> Remote
ssh -N -f -R remote_port:127.0.0.1:local_port host
```

Copying files (works with [rsync](../cli/rsync.md) as well):
```shell
scp -r files remote:/path
```

Copy ssh key to host:
```shell
ssh-copy-id user@remote
```

Pipes work too over SSH:
```shell
ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
```

Use a jump host:
```shell
ssh -J jump_server remote
```

Forward port to remote using [systemd](../../linux/systemd/Systemd.md) service:
```ini
[Unit]
Description=SSH Port Forwarding
After=network.target
After=systemd-resolved.service

[Service]
User=<USER>
ExecStart=/usr/bin/ssh -i <KEY> -o ExitOnForwardFailure=yes -N -R 0.0.0.0:<PORT>:127.0.0.1:<PORT> user@example.com
Restart=always
StartLimitInterval=0
StartLimitBurst=0
RestartSec=30s

[Install]
WantedBy=multi-user.target
```

### Configuration
Client can be configured by the file `~/.ssh/config`
```
# global options
User user

# host-specific options
Host myserver
    Hostname server-address
    Port     port
    IdentityFile ~/.ssh/id_rsa
    User you
    ProxyJump host
    ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p # HTTP Proxy
```

With this configuration the client command can be redacted to
```shell
ssh myserver
```

Corkscrew is a additional programm to tunnel SSH through [HTTP](../../internet/HTTP.md) proxies:
```shell
`ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>`
```

## Server
`sshd` is the OpenSSH server daemon, configured with `/etc/ssh/sshd_config` and managed by `sshd.service`. Whenever changing the configuration, use `sshd` in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.
```shell
sshd -t
```

### Configuration
Set address and port:
```
ListenAddress 0.0.0.0
Port 22
```

Limit users:
```
AllowUsers user1 user2
DenyUser user3 user4
```

To allow access only for some groups:
```
AllowGroups group1 group2
DenyGroups group3 group4
```

Disable password authentification:
```
PasswordAuthentication no
PermitEmptyPasswords no
```

Disable root login:
```
PermitRootLogin no
PermitRootLogin prohibit-password
```

Allow port forwarding:
```
AllowTcpForwarding yes
```

Allow only certain commands:
```
ForceCommand command
```

Limit port forwarding:
```
PermitListen host:port
PermitOpen host:port
```

Set [environment variables](../../linux/Environment%20Variables.md) in the session:
```
SetEnv KEY=VALUE
```

User-based settings (everything here only applies to `user1`):
```
Match User user1
    PasswordAuthentication no
    AllowTcpForwarding yes
```

#### `authorized_keys`
The `~/.ssh/authorized_keys` file is used to enable passwordless authentication using SSH keys. You can specify multiple allowed SSH keys one per line. The syntax is:
```
[options] key_type key [user@host]
```

Example:
```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7V4+1E...
```

Common Options:
- `command="command_to_run"`: Restricts the key to only execute a specific command. The SSH session will automatically execute this command upon login, and the user won't get an interactive shell.
- `from="hostname_or_ip_address"`: Limits the use of the key to a specific hostname or IP address, or a range of addresses.
- `no-port-forwarding`: Disables port forwarding for the key.
- `no-agent-forwarding`: Disables SSH agent forwarding for the key.
- `no-X11-forwarding`: Disables X11 forwarding for the key.
- `no-pty`: Disables the allocation of a pseudo-terminal for the key. This means the user won't get an interactive shell session.
- `permitopen="host:port"`: Restricts port forwarding to a specific host and port.
- `environment="VAR=value"`: Sets environment variables for the session when the key is used to log in.

Options are comma-seperated if you want to specify multiple.

#### `.ssh/rc`
The `~/.ssh/rc` file is a script that can be executed automatically whenever an SSH session is established. This can be configured globally with `/etc/ssh/sshrc`.