The ssh command is used to securely log a user into a remote system and run commands on that system. The version of ssh described here is the OpenSSH client. ssh can use either Version 1 (SSH1) or Version 2 (SSH2) of the SSH protocol. SSH2 is preferable, as it provides stronger encryption methods and greater connection integrity. The hostname can be specified either as hostname or as user@hostname. If a command is specified, the user is authenticated, the command is executed, and the connection is closed. Otherwise, a terminal session is opened on the remote system. See “Escape characters,” later in this section, for functions that can be supported through an escape character. The default escape character is a tilde (~). The exit status returned from ssh is the exit status from the remote system, or 255 if there was an error.
Commonly, authentication is handled with standard username/password credentials, but it can also be useful to authenticate with a key exchange. This is done by generating a key on the client with ssh-keygen and populating the known_hosts file on the remote host.
ssh [options] hostname [command]
Try only SSH1.
Try only SSH2.
Use only IPv4 addresses.
Use only IPv6 addresses.
Disable forwarding of the authentication agent connection.
Allow forwarding of the authentication agent connection. Can also be specified on a per-host basis in a configuration file.
Specify the interface to transmit from when there are multiple available interfaces or aliased addresses.
Select the cipher for encrypting the session. The default is 3des. For SSH2, a comma-separated list of ciphers can also be specified, with the ciphers listed in order of preference. des is supported only for legacy SSH1 compatibility and otherwise should not be used.
Enable compression. Useful mainly for slow connections. The default compression level can be set on a per-host basis in the configuration file with the CompressionLevel option.
Enable dynamic application-level port forwarding using port on the local side. Can be specified in the configuration file. Only root can forward privileged ports.
Set the escape character (default ~). The escape character must be the first character on a line. If none is specified, disable the use of an escape character.
Run interactively for user authentication, then go into background mode for command execution. Implies -n.
Specify a per-user configuration file (default is $HOME/.ssh/config).
Allow remote hosts to connect to local forwarded ports.
Use idfile to read identity (private key) for RSA or DSA authentication. Default is $HOME/.ssh/id_rsa or $HOME/.ssh/id_dsa for SSH2, or $HOME/.ssh/identity for SSH1. You can specify more than one -i option on the command line or in the configuration file.
Specify a smartcard device from which to get the user’s private RSA key.
Disable Kerberos ticket and AFS token forwarding. Can be set on a per-host basis in the configuration file.
Log in as user on the remote system. Can be specified on a per-host basis in the configuration file.
Forward port on the local host to the specified remote host and port. Can be specified in the configuration file. Only root can forward privileged ports. For IPv6, an alternative syntax is port/host/hostport.
For SSH2, the contents of macspec specify message authentication code (MAC) algorithms to use. macspec is a comma-separated list of algorithms in order of preference.
Put the ssh client into master mode for connection sharing.
Get standard input as a redirection from /dev/null. Used to prevent reading from standard input, which is required when running ssh in the background. Useful for running X programs on a remote host.
Do not execute a remote command. Useful with SSH2 for port forwarding.
Specify options in configuration-file format. Useful for specifying options that have no command-line equivalent.
Specify the port on the remote host to which ssh is to connect. Can be specified on a per-host basis in the configuration file.
Run quietly, suppressing warnings and error messages.
Forward port on the remote host to the local host:hostport. Can be specified in the configuration file. You can forward privileged ports only if you are logged in as root on the remote host. For IPv6, an alternative syntax is port/host/hostport.
For SSH2, request invocation of a subsystem on the remote host to be used for another application, such as sftp. The desired subsystem is specified as the remote command.
Specify the location of a control socket for connection sharing.
Force pseudo-tty allocation. Multiple -t options can be specified to force tty allocation even when ssh has no local tty.
Disable pseudo-tty allocation.
Verbose mode. Useful for debugging. Specify multiple -v options to increase verbosity.
Display version information and exit.
Disable X11 forwarding.
Enable X11 forwarding. Can be specified on a per-host basis in the configuration file.
Enable trusted X11 forwarding.
Send a single ~.
List forwarded connections.
Run ssh in the background at logout, while waiting for a forwarded connection or X11 sessions to terminate.
Display the available escape characters.
Send a BREAK to the remote system. Only for SSH2 and if the remote system supports it.
Open a command line. Useful for adding port forwardings when using the -L and -R options.
Request rekeying of the connection. Useful only for SSH2 and if the peer supports it.
Suspend the connection.
Set by SSH to hostname:n for forwarding X11 connections. hostname is the host where the shell is running, and n is an integer greater than zero.
The path to the user’s home directory.
The same as USER; set only for compatibility with systems that use LOGNAME.
The path to the user’s mailbox.
The default PATH as specified when SSH was compiled.
Can be set to the name of a program to run to open an X11 window and read the user’s passphrase if ssh does not have an associated terminal.
The path of a Unix-domain socket for communicating with the agent.
Four space-separated values that contain the client IP address, the client port number, the server IP address, and the server port number.
The original command line, including arguments, if a forced command is executed.
The path to the tty device associated with the current shell or command. Not set if there is no associated tty.
The time zone, passed from the SSH daemon, if it was set when the daemon was started.
The name of the user logging in.
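The connection-details and forced-command variables described above are what a server-side gate script works from. The following is an added example, not part of the original reference: a forced-command wrapper that reads OpenSSH's SSH_ORIGINAL_COMMAND and SSH_CONNECTION variables, allows only an exact-match list of commands, and writes one audit line per request. The script name ssh-gate, its install path, and the three allowed commands are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: forced-command gate. Assumed to be installed as
# /usr/local/bin/ssh-gate (hypothetical path) and bound to one key in the
# user's authorized_keys file with:
#   command="/usr/local/bin/ssh-gate" <public key>

# First of the four space-separated SSH_CONNECTION values: the client IP.
client_ip() { printf '%s\n' "${1%% *}"; }

# Exact-match allowlist (illustrative commands). Anything else is denied,
# including an empty request (an interactive login) and an allowed command
# with extra text appended to it.
decide() {
    case "$1" in
        "uptime"|"df -h"|"cat /etc/os-release") echo allow ;;
        *) echo deny ;;
    esac
}

# Build one audit line. Non-printable bytes and double quotes in the
# requested command are replaced so it cannot forge extra log lines or fields.
audit_line() {
    safe=$(printf '%s' "$3" | tr -c '[:print:]' '?' | tr '"' "'")
    printf 'ssh-gate verdict=%s client=%s user=%s cmd="%s"\n' \
        "$1" "$(client_ip "$2")" "${USER:-unknown}" "$safe"
}

gate() {
    verdict=$(decide "${SSH_ORIGINAL_COMMAND:-}")
    audit_line "$verdict" "${SSH_CONNECTION:-}" "${SSH_ORIGINAL_COMMAND:-}" >&2
    [ "$verdict" = allow ] || return 1
    # Unquoted on purpose: the string matched the allowlist exactly, so word
    # splitting yields only the expected command and arguments.
    exec $SSH_ORIGINAL_COMMAND
}

# Run the gate only when invoked under its installed name, so the functions
# can be sourced and exercised without an SSH connection.
case "${0##*/}" in
    ssh-gate) gate ;;
esac
```

A denied request ends the session with exit status 1, which the client sees as the exit status of ssh.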
ssh uses the following files in the user’s home directory:
Lists host/user pairs allowed to log in. Used with rhosts authentication.
Like .rhosts, but allows rhosts authentication without permitting login with rlogin or rsh.
Lists RSA/DSA public keys that can be used to log in as this user.
The user’s configuration file.
Additional environment variable definitions.
$HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
The authentication identity of the user for SSH1 RSA, SSH2 DSA, and SSH2 RSA, respectively.
The public key for user authentication for SSH1 RSA, SSH2 DSA, and SSH2 RSA, respectively.
Contains host keys for all hosts the user has logged into that are not already in the systemwide file at /etc/ssh/ssh_known_hosts.
Contains commands executed by ssh after the user has logged in but before the shell or command is started.