create SSH key

# Generate a 4096-bit RSA key pair with an EMPTY passphrase (-N ''): anyone who
# can read ~/.ssh/id_rsa can use the key, so keep this for unattended use only
# and prefer a passphrase + ssh-agent for interactive keys.
ssh-keygen -q -b 4096 -f ~/.ssh/id_rsa -N '' -C "${USER}@$(hostname -f)"

Load SSH key

# Load a private key into the running ssh-agent (prompts for its passphrase if
# it has one). Note the filename differs from the id_rsa generated above.
ssh-add ~/.ssh/foo-key2

Copy public key to server (/home/foo/.ssh/authorized_keys)

# copy between remote hosts
# NOTE(review): the hostnames after both `ssh` and the key filename under
# /root/.ssh/ appear to have been stripped from this note; only the *.pub file
# belongs in authorized_keys. Appending to root's authorized_keys grants
# passwordless root login, so review the resulting file afterwards.
ssh cat /root/.ssh/ | ssh 'cat >> /root/.ssh/authorized_keys -'

show log

# Follow the SSH daemon log: the systemd unit is `ssh` on Debian/Ubuntu and
# `sshd` on most other distributions; the _COMM= filter works on either.
journalctl -u ssh
tail -f /var/log/auth.log
journalctl _COMM=sshd -f
# configuration
~/.ssh/config: user configuration
/etc/ssh/ssh_config: system-wide client configuration
/etc/ssh/sshd_config: system-wide server configuration

Configuration ~/.ssh/config

# Client stanza for every host whose name/IP starts with "10.": log in as root
# and skip host-key verification entirely (nothing is written to known_hosts
# and changed keys are never reported), so a man-in-the-middle on the path goes
# undetected. Limit this to disposable lab VMs.
Host 10.*
User root
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
# exclude hosts
# NOTE(review): the lone "!" looks like a stripped pattern; the negation form
# is `Host * !pattern`, matching everything except the negated patterns.
Host * ! !192.168.0.? !*.local
# Same "no host-key check" as above, one-off on the command line (the target
# host after root@ appears to have been stripped from this note).
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@
# jump host
# The jump-host name after root@ appears stripped; ProxyJump is the modern
# equivalent. ForwardAgent exposes your agent to anyone with root on the jump
# host for the whole session — prefer ProxyJump / -J without agent forwarding.
  ProxyCommand ssh root@ -W %h:%p
  ForwardAgent yes
# Re-enables a 1024-bit DH group that OpenSSH disabled by default as too weak;
# keep it scoped to the legacy hosts that need it, never under `Host *`.
    KexAlgorithms +diffie-hellman-group1-sha1
# Non-interactive settings: BatchMode suppresses password/passphrase prompts,
# EscapeChar none disables the "~" escape sequences (useful for binary pipes).
Host 192.168.0.*
User foo
BatchMode yes
EscapeChar none
Compression yes
 UserKnownHostsFile /dev/null
 StrictHostKeyChecking no
# batch mode (disable password authentication)
# Option fragments for an unattended ssh/scp call: fail instead of prompting.
-o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o ChallengeResponseAuthentication=no
-o BatchMode=yes
# Legacy compatibility only: ssh-rsa means SHA-1 host-key signatures, and
# FingerprintHash=md5 only changes how the fingerprint is displayed.
-o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5
# Bootstrap a new key using a backup key. NOTE(review): the key filename after
# ~/ssh_bkp/, the target host and the public-key path appear to have been
# stripped from these lines; only a *.pub file belongs in authorized_keys.
scp -i ~/ssh_bkp/ ~/.ssh/
cat ~/ssh_bkp/ | ssh -i ~/ssh_bkp/id_rsa 'cat >> .ssh/authorized_keys'
ssh -i ~/ssh_bkp/id_rsa
# NOTE(review): "cat ssh-keygen --if" is garbled; the intent is presumably
# `ssh-keygen -i -f /tmp/<key>` (import a key from RFC4716/PKCS8 format) — confirm.
cat ssh-keygen --if /tmp/ >> ~/.ssh/authorized_keys
# port forward
# sudo is only needed because local bind port 80 is privileged (<1024); the
# forward target after "80:" and the host appear stripped. Under sudo, ssh
# typically reads root's ~/.ssh (config, known_hosts), not yours — confirm.
sudo ssh -L 80: -p 222 -N -i /home/${USER}/.ssh/id_rsa
# NOTE(review): the -L forward spec ("lport:host:rport") is missing here.
ssh -L user@host


# Frequently used client options:
-N do not execute a remote command
-f run in background
-C compression
-o ConnectTimeout=3
# The next two together disable host-key verification, so a spoofed server is
# not detected; use only for throwaway hosts.
-o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
-o ControlMaster=yes # permanent connection (one shared session reused by later ssh invocations)
-o ServerAliveInterval=15


# force password authentication
# Also handy to verify that a server really rejects passwords: this login must
# fail once PasswordAuthentication is off server-side.
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no foo@<ip-address>

# test
# Example client stanzas. ssh_config uses the FIRST value obtained for an
# option, so the duplicate `User` lines below do not override earlier ones.
# NOTE(review): LocalForward needs "lport host:rport"; the target is missing.
Host mysql.tunnel
  User ssh_username
  LocalForward 3307
 User ec2-user
 UserKnownHostsFile /dev/null
Host X01 X02 ...
     User my_username
     Compression yes
# arcfour (RC4) and blowfish-cbc are legacy ciphers that current OpenSSH no
# longer accepts; modern OpenSSH only speaks protocol 2 anyway.
     Ciphers arcfour,blowfish-cbc
     Protocol 2
# Connection multiplexing: the control socket under ~/.ssh is as sensitive as
# the session itself (whoever can open it rides the authenticated connection).
     ControlMaster auto
     ControlPath ~/.ssh/%r@%h:%p
  LocalForward 3307
#  SendEnv LANG LC_*
  #HostKeyAlgorithms ssh-rsa
# reverse tunnel
# NOTE(review): the remote host is missing after the -R spec. Without a bind
# address, remote port 2222 listens on loopback only (the server's GatewayPorts
# decides whether it may be exposed further); -f backgrounds after auth.
ssh -fN -R 2222:localhost:22
# connect back from the remote side: ssh me@localhost -p 2222
# SSH config options
# IdentitiesOnly restricts the keys offered to the listed IdentityFile (avoids
# "Too many authentication failures" and stops offering every agent key).
ForwardAgent yes
IdentitiesOnly yes
 IdentityFile /home/foo/.ssh/id_rsa
# Global defaults. ForwardAgent + StrictHostKeyChecking no for EVERY host means
# any (possibly spoofed) server can use your agent keys undetected — keep both
# per-host, not under `Host *`.
Host *
ForwardAgent yes
SendEnv LANG LC_*
StrictHostKeyChecking no
# add default domain
# NOTE(review): `HostName %h` alone changes nothing; the domain suffix
# (e.g. `%h.example.com`, constructed) appears to have been stripped.
Host *
 HostName %h
 USER user
Host *
 USER user
    BatchMode yes
# ssh forwarding to sudo
# -E keeps the whole environment (much broader than SSH_AUTH_SOCK alone); the
# env_keep rule below is the narrower, permanent fix.
sudo -E -s
# Prefer `visudo -f /etc/sudoers.d/ssh`: it syntax-checks the file, and a
# malformed sudoers.d file can lock you out of sudo. The file must be mode 0440.
echo "Defaults env_keep+=SSH_AUTH_SOCK" >> /etc/sudoers.d/ssh
# sudo re-reads its configuration on every invocation, so a service restart
# should not be needed — confirm before keeping this step.
service sudo restart
# test if SSH agent is running
# Only proves the variable is set in this shell; `ssh-add -l` actually talks to
# the agent socket and is the better check.
env | grep SSH_AGENT_PID
# starts SSH agent
# Starts a new agent and exports SSH_AUTH_SOCK/SSH_AGENT_PID into this shell.
eval $(ssh-agent)  
# remote X window with bash login
# -C here is compression (not a command); the remote command is the
# "/bin/bash -l -c ..." part. -X gives the remote side access to your X display.
ssh -X USER@REMOTE_HOST -C /bin/bash -l -c "COMMAND"
# socket forward
# SOCKS proxy on local port 8080, loopback only by default (adding -g or a bind
# address would expose it to the network). The host after root@ is missing.
ssh -N -D 8080 root@
chromium-browser --proxy-server="socks5://localhost:8080"
# NOTE(review): unclear fragment; looks like Chromium's per-scheme proxy syntax
# with "proxyip" as a placeholder.
?? --proxy-server="https=proxyip:8443;http=proxyip:8080"

Enable DNS forwarding in Firefox:
network.proxy.socks_remote_dns: true

# port forward
# NOTE(review): forward target after "8080:" and host after root@ are missing.
ssh -N -L 8080: root@
# ssh forward to mailserver
# cat /etc/hosts
# Both -L specs and the target host appear stripped; sudo implies privileged
# local ports (<1024) are being bound.
sudo  ssh  -L -L -i /home/foo/.ssh/id_rsa -N

deny SSH user

# /etc/ssh/sshd_config
# Everything after a Match line applies only to that match (until the next
# Match). Validate with `sshd -t` before restarting.
DenyUsers foo
Match User test
PasswordAuthentication no
# NOTE(review): `Host *` and ServerAliveInterval are CLIENT (ssh_config)
# keywords; sshd rejects unknown options, so these lines belong in ~/.ssh/config.
Host *
  ServerAliveInterval 30
LogLevel ERROR

Removes host keys from ~/.ssh/known_hosts by hostname or IP

# Remove the known_hosts entry for a host (name/IP appears stripped). Use after
# a host-key change you have verified, not as a reflex whenever ssh warns.
ssh-keygen -R

Update SSH known hosts

# Pre-populates known_hosts with whatever answers on the network right now
# (trust-on-first-use) — verify the fingerprints out of band. Only RSA keys
# are fetched; add ed25519 (e.g. -t rsa,ed25519) for hosts that prefer it.
ssh-keyscan -t rsa  web{1..5} >> ~/.ssh/known_hosts

Forward webserver over SSH

# on client
#echo "GatewayPorts yes" >> /etc/ssh/sshd_config
# NOTE(review): GatewayPorts is a server (sshd) setting on the host that
# RECEIVES the -R forward, so the "client"/"server" labels look swapped.
# "clientspecified" lets the connecting client choose the bind address; with
# the -R specs below that can expose 80/443 on all interfaces of the SSH server.
echo "GatewayPorts clientspecified" >> /etc/ssh/sshd_config
service ssh restart
# on server
# Forward targets after "80:"/"443:" and the host are missing; host-key
# checking is disabled by the -o option.
ssh -o StrictHostKeyChecking=no -N -R 80: -R 443:

Get hostkey

# Print the server's public host key(s) for out-of-band comparison.
ssh-keyscan SERVER
# NOTE(review): SendEnv takes variable-name patterns, so "no" would send a
# variable literally named "no"; this line looks like a mistaken note — confirm.
SendEnv no


# Fragments: RemoteForward/LocalForward need "port host:hostport";
# GatewayPorts no keeps remote-forwarded ports on loopback.
RemoteForward 80
LocalForward 1521
GatewayPorts no
# forward proxy
# ~/.ssh/config.d/vm
# Per-host config fragment (presumably pulled in via an Include line in
# ~/.ssh/config). RemoteForward 3128 lets the VM reach a proxy on your machine;
# the "host:port" target and the wget URL appear stripped.
Host 10.0.1.*
User ubuntu
RemoteForward 3128
https_proxy=http://localhost:3128 wget -O-
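# double forward
# Outer ssh reverse-forwards port 80 to forward_to.tld:10080; the inner ssh
# (run on forward_to.tld) re-publishes it on port 80 with -g, i.e. on ALL
# interfaces of forward_to.tld. -A forwards your agent to that host, so anyone
# with root there can use your keys while the session lasts.
ssh -A -R 10080:forward_from.tld:80 user@forward_to.tld "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 80:localhost:10080 localhost"
# Forward DB port by SSH tunnel and make public accessible
# -g exposes the local MySQL port to everyone who can reach the remote host;
# the remote host name after the -R spec appears to have been stripped.
ssh -A -R 10080:localhost:3306 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 3306:localhost:10080 localhost"
# Forward port 80 from to
# Fixed typo: the option is UserKnownHostsFile (ssh aborts on an unknown -o
# option). The -R target after "12345:" and the host are missing.
ssh -A -R 12345: "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 8080:localhost:12345 localhost"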
# copy block device over network with SSH
# Destructive on the remote side (overwrites its /dev/sdc): double-check the
# device names on both ends. -C compresses the stream.
dd if=/dev/sdc | ssh -C user@host dd of=/dev/sdc
# -e none disables the "~" escape character so binary input passes through.
cat file | ssh -e none remote-host 'cat > file'
# show SSH status
# (unit is `ssh` on Debian/Ubuntu, `sshd` on most other distributions)
systemctl status ssh
# Layer-3 VPN over SSH: -w 0:0 creates tun0 on both ends (needs root locally
# and PermitTunnel on the server). LocalCommand runs on the local side as the
# sudo'd root user. Addresses, netmasks and the host appear stripped;
# ifconfig/route are legacy — `ip addr` / `ip route` are the modern equivalents.
sudo ssh \
  -i /home/foo/.ssh/id_rsa \
  -o PermitLocalCommand=yes \
  -o LocalCommand="sudo ifconfig tun0 pointopoint netmask; sudo route add -net gw netmask" \
  -o ServerAliveInterval=60 \
  -w 0:0 -p 22022 \
  'sudo ifconfig tun0 pointopoint netmask; echo tun0 ready'

Workaround / Fix

# slow ssh login
systemctl restart systemd-logind
# fix "mesg: ttyname failed: Inappropriate ioctl for device" by force pseudo-tty allocation
# Remote host is missing in both lines; -tt forces a tty even without a local one.
ssh -t "bash -l /path/to/cmd"
# NOTE(review): the DB credentials (system/oracle) are on the command line, so
# they show up in `ps` and shell history on both hosts; pass them via a file
# or a prompt instead.
ssh -tt 'bash -l -c "sqlplus system/oracle @/tmp/query1.sql"'
# sshfs
# The remote "host:path" before /mnt appears stripped.
sshfs -o ServerAliveInterval=15 /mnt 
# /etc/ssh/sshd_config
# Per-user server override; check with `sshd -t` and keep GatewayPorts yes
# limited to users who really need their remote forwards exposed externally.
Match User oli
   GatewayPorts yes
# resolve dns on localhost
# Resolves the target locally and hands the IP to the jump host (its name after
# `ssh` is missing). dig +short can print several lines (e.g. a CNAME chain),
# which would break the -W argument — confirm.
ProxyCommand ssh -W $(dig +short %h):%p


# ProxyJump: each hop authenticates separately and host keys are checked per
# hop, with no agent forwarding needed. Hosts are missing in the first line.
ssh -J
# multiple jumphost
ssh -J user1@host1:port1,user2@host2:port2 user3@host3


# scp with sshpass
# -p puts the password on the command line, visible in `ps` and shell history;
# prefer `sshpass -f <file>` or `sshpass -e` (SSHPASS env var), or use a key.
sshpass -p <PASSWORD> scp <USER>@<HOST>:~/htdocs/*.gz /mnt/backup/

Create new key on client

#ssh-keygen -t rsa 
#(confirm 3x with enter to leave passphrase empty)
# Non-interactive variant with an empty passphrase (-N ''): acceptable only
# when the key file itself is protected (e.g. automation on a locked-down host).
ssh-keygen -q -f ~/.ssh/id_rsa -N ''
# Copy public key to server
# Host is missing after the "@"; ssh-copy-id installs the *.pub file and fixes
# the server-side ~/.ssh permissions.
ssh-copy-id ${USER}@
# Test login
ssh -v ${USER}@
# Login with private key
ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER
# Import own ssh key by using previous / master ssh key
# The public-key filename after ~/.ssh/ appears stripped; append only *.pub.
cat ~/.ssh/ | ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER 'cat >> .ssh/authorized_keys'

OPTIONAL: Disable password login on server

Execute commands remotely using SSH

# Feed a local script (name after ~/bin/ appears stripped) to the remote login
# shell via stdin; the script cannot itself read stdin when run this way.
ssh ${HOST} < ~/bin/

Access internal Git server over temporary SSH tunnel from public VM

# @www1 VM
# NOTE(review): "Port 2222" reads like the output of the cat (a client-side
# Port in www1's ~/.ssh/config), and the -R spec before the git command below
# is missing — confirm against the original setup.
cat /home/local/.ssh/config 
Port 2222
#@workstation or deployment VM
# Reverse forward from the public VM back to the internal Git server for the
# duration of one `git pull`.
ssh -R "git -C /var/www/html pull"

SSH Server with Two-Factor Authentication

Multi line command

# Here-doc as the remote command's stdin. With an unquoted delimiter (EOF) the
# LOCAL shell expands $vars first; a quoted delimiter ('EOF') passes the text
# literally. NOTE(review): both here-docs are unterminated in this note and the
# second delimiter is cut off after the opening quote.
ssh foo@example << EOF
 cat /etc/resolv.conf
ssh foo@example << '
 cat /etc/resolv.conf

Fix slow SSH login

# Restarts logind; a common workaround when login stalls during PAM session
# setup — confirm the actual cause (DNS, GSSAPI, logind) before relying on it.
systemctl restart systemd-logind

Fix Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# Client-side opt-in to the weak 1024-bit DH group the server insists on (host
# is missing). Scope it to that host in ~/.ssh/config rather than globally,
# and upgrade the server where possible.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1


# Print the contents of an OpenSSH certificate (-L: principals, validity,
# extensions); the *-cert.pub filename after .ssh/ appears stripped.
ssh-keygen -L -f .ssh/