ssh Cheatsheet

Useful Options

All options:

For staging/testing: ignore host key spoofing and unknown host warnings.

Warning: don't use in production!

  • -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Exit if the connection cannot be established within 5 seconds

  • -o ConnectTimeout=5

Exit if port forwarding cannot be established

  • -o ExitOnForwardFailure=yes

Do not accept unknown hosts

Don't ask; fail instead.

  • -o StrictHostKeyChecking=yes

Do not ask for password

Public key authentication only; fail instead of offering a password prompt

  • -o PasswordAuthentication=no

Similar, but also sets ServerAliveInterval=300

  • -o BatchMode=yes

Set ServerAliveInterval: after n seconds without traffic, request a response from the server to check it is still alive

  • -o ServerAliveInterval=300

Check ssh fingerprint of host

On the host:

  • ssh-keygen -l -f /etc/ssh/

Prevent Timeouts

  • vi ~/.ssh/config
    • Host *
        ServerAliveInterval 60

Make life with non-standard ports easier

  • vi .ssh/config
    • Host
        Port 4321

Remote command


Local and remote port forwarding / tunneling


Chroot users into their home dir for sftp

Show keys, algorithms and key lengths

for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

Upgrade to safer, more recent SSH keys

  • ssh-keygen -o -a 100 -t ed25519
  • for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq
  • ssh-add -l

Problems with gnome-keyring

Show sshd configuration

  • sshd -T

Use a separate known_hosts file, or none at all

  • ssh -o UserKnownHostsFile=/dev/null
  • ssh -o UserKnownHostsFile=/root/.ssh/known_hosts_custom1


Manually create known_hosts entry

A known_hosts entry consists of a hostname (or address) pattern and the public host key of the remote server.

On the remote server:

  • cat /etc/ssh/
    • ssh-rsa AAAAB3... root@server

On the local machine:

  • cat /home/joe/.ssh/known_hosts
    • ssh-rsa AAAAB3...
  • known_hosts entries can be tied to ports
    • []:1234 ssh-rsa AAAAB3...
  • or even to remote ip addresses
    • TODO: add example.
  • These days, when created automatically, the hostnames and addresses are hashed
    • |1|xxx|yyy ssh-rsa AAAAB3...
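Added example, not part of the cheatsheet: a small Python matcher for the entry forms listed above (plain host lists, [host]:port, and hashed |1|salt|hmac lines, where the hash is HMAC-SHA1 keyed with the salt over the host pattern), plus the SHA256 fingerprint that ssh-keygen -l prints. The key blob and known_hosts lines are constructed sample data, not real keys.

```python
# Added example, not from the cheatsheet: match a host against known_hosts entries
# (plain, [host]:port, hashed |1|salt|hmac) and compute the `ssh-keygen -l` fingerprint.
import base64
import hashlib
import hmac

def hash_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_pattern(host: str, port: int) -> str:
    """Entries for non-standard ports use the [host]:port form (port 22 is bare)."""
    return host if port == 22 else "[%s]:%d" % (host, port)

def entry_matches(hostfield: str, host: str, port: int) -> bool:
    pattern = host_pattern(host, port)
    if hostfield.startswith("|1|"):  # hashed entry: recompute the HMAC with its salt
        salt = base64.b64decode(hostfield.split("|")[2])
        return hmac.compare_digest(hash_hostname(pattern, salt), hostfield)
    return pattern in hostfield.split(",")  # plain entries may list several names

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -l` (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64: str) -> str:
    """The key blob starts with a length-prefixed type string; it must match column 2."""
    blob = base64.b64decode(key_b64)
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode()

def find_host_key(lines, host, port=22):
    """Return (keytype, key_b64) of the first entry matching host:port, else None."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        hostfield, keytype, key_b64 = line.split()[:3]
        if entry_matches(hostfield, host, port) and blob_key_type(key_b64) == keytype:
            return keytype, key_b64
    return None

# Constructed sample: a fake ed25519 blob (type string + 32 filler bytes), not a real key.
FAKE_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x42" * 32).decode()
SAMPLE_KNOWN_HOSTS = [
    "server,10.0.0.5 ssh-ed25519 " + FAKE_KEY,
    "[server]:1234 ssh-ed25519 " + FAKE_KEY,
    hash_hostname("hashed.example", b"0123456789abcdef0123") + " ssh-ed25519 " + FAKE_KEY,
]
```

A hashed entry only matches when the HMAC over the exact pattern (including the [host]:port form) recomputes to the stored value, which is why an entry for port 22 does not cover the same host on another port.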

Other ways:

With access to the remote server (run ssh-keyscan on the server itself, so the key never crosses the network):

  • ssh-keyscan -H -t rsa -p 22 localhost
    • |1|xxxxxx=|yyyyyy= ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
    • -H  Hash all hostnames and addresses in the output
    • -t  Type “dsa”, “ecdsa”, “ed25519”, or “rsa”
    • Note: ssh-keyscan writes the server banner to stderr, e.g.
      # localhost:222 SSH-2.0-OpenSSH_7.6p1

Without access to the remote server (scanning from the local machine; vulnerable to man-in-the-middle attacks):

  • ssh-keyscan -H -t rsa -p 22

Add the known_hosts line on the local machine:

  • vi /home/joe/.ssh/known_hosts
    • ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz


Note: command="uptime" must have double quotes!

Copy a file without scp