ssh — quick reference
OpenSSH has no ssh --help. Options below come from man ssh and ssh -Q help on Ubuntu 25.04. Examples use localhost with BatchMode so they complete without password prompts when sshd is listening.
Version and algorithm query (-Q)
List algorithms and protocol levels the client supports — no network connection required.
| When to use | Command |
|---|---|
| Show OpenSSH client version | ssh -V |
| List supported ciphers | ssh -Q cipher |
| List ciphers that support authenticated encryption | ssh -Q cipher-auth |
| List compression algorithms | ssh -Q compression |
| List key-exchange algorithms | ssh -Q kex |
| List GSSAPI key-exchange methods | ssh -Q kex-gss |
| List host/public key types | ssh -Q key |
| List certificate key types | ssh -Q key-cert |
| List plain key types | ssh -Q key-plain |
| List key signature algorithms | ssh -Q key-sig |
| List MAC algorithms | ssh -Q mac |
| Show supported SSH protocol versions | ssh -Q protocol-version |
| List signature algorithms | ssh -Q sig |
Connection and addressing
| When to use | Command |
|---|---|
| Connect with default user and run a remote command | ssh -o BatchMode=yes localhost hostname |
| Specify login name with -l | ssh -o BatchMode=yes -l root localhost hostname |
| Same — user@host form | ssh -o BatchMode=yes root@localhost hostname |
| Force IPv4 only | ssh -o BatchMode=yes -4 localhost exit |
| Force IPv6 only | ssh -o BatchMode=yes -6 ::1 exit |
| Connect on a non-default port | ssh -o BatchMode=yes -p 22 localhost exit |
| Bind outbound connection to a local address | ssh -o BatchMode=yes -b 127.0.0.1 localhost exit |
| Bind using a local network interface name | ssh -o BatchMode=yes -B lo localhost exit |
Authentication and identity
| When to use | Command |
|---|---|
| Use a specific private key file | ssh -o BatchMode=yes -i ~/.ssh/id_rsa localhost exit |
| Enable SSH agent forwarding | ssh -o BatchMode=yes -A localhost exit |
| Disable agent forwarding | ssh -o BatchMode=yes -a localhost exit |
| Enable GSSAPI authentication and forwarding | ssh -o BatchMode=yes -K localhost exit |
| Disable GSSAPI credential delegation | ssh -o BatchMode=yes -k localhost exit |
Session and remote command
| When to use | Command |
|---|---|
| Run one remote command and exit | ssh -o BatchMode=yes localhost echo hello |
| Disable pseudo-terminal allocation | ssh -o BatchMode=yes -T localhost echo no-pty |
| Force pseudo-terminal allocation | ssh -o BatchMode=yes -t localhost echo pty |
| Do not execute a remote command (forwarding only) | ssh -o BatchMode=yes -N localhost |
| Go to background before command (often with -N) | ssh -o BatchMode=yes -f -N localhost |
| Redirect stdin from /dev/null | ssh -o BatchMode=yes -n localhost echo ok |
| Request subsystem mode — remote command names the subsystem (e.g. sftp) | ssh -o BatchMode=yes -s localhost sftp |
Port forwarding and tunnels
| When to use | Command |
|---|---|
| Local forward — listen locally, connect via SSH to remote socket | ssh -o BatchMode=yes -L 127.0.0.1:19999:127.0.0.1:22 -N localhost |
| Remote forward — listen on remote, tunnel to local | ssh -o BatchMode=yes -R 127.0.0.1:18888:127.0.0.1:22 -N localhost |
| Dynamic SOCKS proxy on local port | ssh -o BatchMode=yes -D 127.0.0.1:11080 -N localhost |
| stdio forward to host:port on the remote side | ssh -o BatchMode=yes -W localhost:22 localhost |
Configuration and debugging
| When to use | Command |
|---|---|
| Use an alternate client config file | ssh -o BatchMode=yes -F /etc/ssh/ssh_config localhost exit |
| Set any ssh_config keyword | ssh -o BatchMode=yes -o ConnectTimeout=5 localhost exit |
| Print resolved configuration after Host matching | ssh -G localhost |
| Append debug log to a file | ssh -o BatchMode=yes -E /tmp/ssh.log localhost exit |
| Set escape character for interactive sessions (none disables) | ssh -o BatchMode=yes -e none localhost exit |
| Quiet mode — fewer warnings | ssh -o BatchMode=yes -q localhost exit |
| Verbose debug (repeat up to three times) | ssh -o BatchMode=yes -v localhost exit |
| Send logging to syslog | ssh -o BatchMode=yes -y localhost exit |
| Select ssh_config snippet by tag | ssh -o BatchMode=yes -P mytag localhost exit |
X11 forwarding
| When to use | Command |
|---|---|
| Enable X11 forwarding | ssh -o BatchMode=yes -X localhost exit |
| Disable X11 forwarding | ssh -o BatchMode=yes -x localhost exit |
| Enable trusted X11 forwarding | ssh -o BatchMode=yes -Y localhost exit |
Crypto and compression
| When to use | Command |
|---|---|
| Request gzip-style compression | ssh -o BatchMode=yes -C localhost exit |
| Select cipher specification | ssh -o BatchMode=yes -c aes128-ctr localhost exit |
| Select MAC algorithm | ssh -o BatchMode=yes -m hmac-sha2-256 localhost exit |
Connection multiplexing
| When to use | Command |
|---|---|
| Place client in master mode for sharing | ssh -o BatchMode=yes -M -S /tmp/ssh-ctl -f -N localhost |
| Control an existing master (check, exit, …) | ssh -o BatchMode=yes -S /tmp/ssh-ctl -O check localhost |
| Path to control socket for shared connection | ssh -o BatchMode=yes -S /tmp/ssh-ctl localhost exit |
Remote forwarded port binding
| When to use | Command |
|---|---|
| Allow remote hosts to use local forwarded ports (GatewayPorts) | ssh -o BatchMode=yes -g -L 127.0.0.1:17777:127.0.0.1:22 -N localhost |
Tunnel device
| When to use | Command |
|---|---|
| Request tun(4) device forwarding (local[:remote]) | ssh -o BatchMode=yes -w 0:0 localhost exit |
ssh — command syntax
Synopsis from man ssh on Ubuntu 25.04 (OpenSSH 9.9p1):
ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
[-c cipher_spec] [-D [bind_address:]port] [-E log_file]
[-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
[-J destination] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
[command [argument ...]]
ssh [-Q query_option]
ssh reads /etc/ssh/ssh_config, ~/.ssh/config, and known-hosts data under ~/.ssh/. It does not modify server accounts — authentication is handled by sshd on the remote side.
ssh — command examples
Essential Check OpenSSH client version with -V
Before debugging cipher or protocol mismatches, confirm the client build on the machine you are using.
Run:
ssh -V
Sample output:
OpenSSH_9.9p1 Ubuntu-3ubuntu3.2, OpenSSL 3.4.1 11 Feb 2025
Match this string against the server banner from sshd -V or the remote ssh -V when troubleshooting handshake failures.
Essential List supported ciphers with ssh -Q
OpenSSH exposes built-in algorithm lists through -Q — no server required.
Run:
ssh -Q cipher | head -5
Sample output:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
Use ssh -Q kex, ssh -Q mac, and ssh -Q key the same way when hardening sshd_config or debugging no matching cipher errors.
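An added example, not from the original page, that automates the client/server comparison behind a "no matching cipher" error. It reads the `ciphers`, `macs` and `kexalgorithms` lines from `ssh -G` (what the client actually offers, a narrower list than `ssh -Q`) and from the server's `sshd -T`; the host name and both dumps are constructed samples.

```sh
# Constructed sample: lines from `ssh -G legacy-host` (client proposal).
CLIENT_DUMP='user admin
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256'

# Constructed sample: lines from `sshd -T` on the server.
SERVER_DUMP='port 22
ciphers aes256-gcm@openssh.com,aes128-ctr
macs hmac-sha2-512
kexalgorithms diffie-hellman-group14-sha256,curve25519-sha256'

# algo_list KEYWORD DUMP: print the keyword's comma-separated value, one per line.
algo_list() (
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2 }' | tr ',' '\n'
)

# algo_overlap KEYWORD CLIENT SERVER: algorithms both sides list, kept in
# client order, because the first client entry the server also has is chosen.
algo_overlap() (
    server=",$(algo_list "$1" "$3" | paste -sd, -),"
    algo_list "$1" "$2" | while IFS= read -r algo; do
        [ -n "$algo" ] || continue
        case "$server" in *",$algo,"*) printf '%s\n' "$algo" ;; esac
    done | paste -sd, -
)

# negotiation_report CLIENT SERVER: one line per category; returns 1 when a
# category has nothing in common (the "no matching ..." failure).
negotiation_report() (
    rc=0
    for key in ciphers macs kexalgorithms; do
        common=$(algo_overlap "$key" "$1" "$2")
        if [ -n "$common" ]; then
            printf '%s: %s\n' "$key" "$common"
        else
            printf '%s: NO OVERLAP\n' "$key"
            rc=1
        fi
    done
    exit "$rc"
)

negotiation_report "$CLIENT_DUMP" "$SERVER_DUMP" || true
```

With the samples above the report flags `macs` as the category with no overlap, which is the setting to align on one side.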
Essential Run a remote command on localhost
When sshd runs locally, you can practice ssh without external hosts. BatchMode=yes skips password prompts — ensure key-based auth or known-host trust is already set up.
Run:
ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new localhost 'echo hello-from-ssh'
Sample output:
hello-from-ssh
First connect may add a host-key line to ~/.ssh/known_hosts. Use ssh -o BatchMode=yes root@localhost hostname when the remote user must be explicit.
Common Inspect resolved config with ssh -G
-G prints the configuration OpenSSH would apply after parsing ssh_config and command-line overrides — useful before changing ~/.ssh/config.
Run:
ssh -G localhost | head -12
Sample output:
host localhost
user root
hostname localhost
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
checkhostip no
compression no
controlmaster false
enablesshkeysign no
Compare user, hostname, and identityfile lines with what you expect from your config files.
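An added example, not from the original page, that turns this comparison into a repeatable check: it takes `ssh -G` output and a list of expected "keyword value" pairs and prints only the keywords that differ. The host name, the resolved dump and the expectations are constructed for illustration.

```sh
# Constructed sample of `ssh -G build-host` output (trimmed).
RESOLVED='host build-host
user root
hostname 10.0.0.15
port 22
forwardagent yes
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ed25519'

# Hypothetical expectations, one "keyword value" pair per line.
EXPECTED='user deploy
hostname 10.0.0.15
forwardagent no
identityfile ~/.ssh/id_ed25519
proxyjump bastion'

# config_drift RESOLVED EXPECTED: print one line per expectation that the
# resolved config does not meet. A keyword that appears several times
# (identityfile) passes if any of its values matches.
config_drift() (
    printf '%s\n' "$2" | while read -r key want; do
        [ -n "$key" ] || continue
        got=$(printf '%s\n' "$1" |
            awk -v k="$key" '$1 == k { sub(/^[^ ]+ +/, ""); print }')
        if [ -z "$got" ]; then
            printf '%s: expected %s, keyword absent\n' "$key" "$want"
        elif ! printf '%s\n' "$got" | grep -qxF -e "$want"; then
            printf '%s: expected %s, got %s\n' "$key" "$want" \
                "$(printf '%s\n' "$got" | paste -sd, -)"
        fi
    done
)

config_drift "$RESOLVED" "$EXPECTED"
```

Running it before a config change and again afterwards shows exactly which resolved values moved, including forwarding settings inherited from a broad Host * stanza.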
Common Debug connection setup with -v
-v (repeat up to three times) prints handshake steps — cipher choice, host key, and auth methods tried.
Run:
ssh -o BatchMode=yes -v localhost exit 2>&1 | head -10
Sample output:
OpenSSH_9.9p1 Ubuntu-3ubuntu3.2, OpenSSL 3.4.1 11 Feb 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: Authenticating to localhost:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
Use -E /tmp/ssh.log to append the same detail to a file for support tickets.
Common Control TTY allocation with -T and -t
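-T disables pseudo-terminal allocation — ideal for scripts that only need stdout. -t requests a TTY for the remote command; when stdin is not a terminal, a single -t is refused with the notice shown below, and -tt is needed to force allocation.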
Without TTY:
ssh -o BatchMode=yes -T localhost 'echo no-pty'
Sample output:
no-pty
Force TTY (may print a notice when stdin is not a terminal):
ssh -o BatchMode=yes -t localhost 'echo with-pty'
Sample output:
Pseudo-terminal will not be allocated because stdin is not a terminal.
with-pty
Use -T for automation; use -t when you need sudo or pagers on the remote side.
Common Fail fast with -o ConnectTimeout
When a host is down, default waits can stall scripts. ConnectTimeout caps the TCP connect phase (seconds).
Run against an unreachable documentation address:
ssh -o BatchMode=yes -o ConnectTimeout=2 -o ConnectionAttempts=1 192.0.2.1 exit 2>&1
Sample output:
ssh: connect to host 192.0.2.1 port 22: Connection timed out
Pair with BatchMode=yes in cron and CI jobs so ssh exits instead of prompting.
Advanced Local port forward with -L
-L listens on your machine and tunnels connections through SSH to a socket reachable from the remote host.
Start a background forward (short lab example — stop it after testing):
ssh -o BatchMode=yes -f -N -L 127.0.0.1:19999:127.0.0.1:22 localhost
Verify the listener:
ss -tlnp | grep 19999
Sample output:
LISTEN 0 128 127.0.0.1:19999 0.0.0.0:* users:(("ssh",pid=44667,fd=4))
Stop the forward when finished:
pkill -f '127.0.0.1:19999'
See Setup SSH port forwarding for production patterns and hardening.
Advanced SOCKS proxy with -D
-D opens a local SOCKS port that forwards application traffic through the SSH session.
Run briefly on localhost:
ssh -o BatchMode=yes -f -N -D 127.0.0.1:11080 localhost
ss -tlnp | grep 11080
pkill -f '127.0.0.1:11080'
Sample ss line:
LISTEN 0 128 127.0.0.1:11080 0.0.0.0:* users:(("ssh",pid=46335,fd=4))
Only bind to 127.0.0.1 unless you understand the exposure of opening a proxy on all interfaces.
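An added example, not from the original page, that checks the binding advice for both -L and -D forwards: it scans `ss -tlnp` lines and reports listeners owned by the ssh client that are bound to anything other than loopback. The sample lines are constructed in the same format as the output shown above.

```sh
# Constructed sample of `ss -tlnp` lines (header row omitted).
SS_SAMPLE='LISTEN 0 128 127.0.0.1:19999 0.0.0.0:* users:(("ssh",pid=44667,fd=4))
LISTEN 0 128 0.0.0.0:11080 0.0.0.0:* users:(("ssh",pid=46335,fd=4))
LISTEN 0 128 [::1]:19999 [::]:* users:(("ssh",pid=44667,fd=5))
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=901,fd=3))
LISTEN 0 128 [::]:11080 [::]:* users:(("ssh",pid=46335,fd=5))'

# exposed_forwards SS_OUTPUT: print "local_address pid" for every listening
# socket held by an ssh client process whose local address is not loopback
# (127.0.0.0/8 or [::1]). The sshd daemon is deliberately not matched.
exposed_forwards() (
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $NF ~ /\("ssh",/ {
            addr = $4
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            match($NF, /pid=[0-9]+/)
            print addr, substr($NF, RSTART + 4, RLENGTH - 4)
        }'
)

exposed_forwards "$SS_SAMPLE"
```

On a live host, pass it the output of `ss -tlnp` (run with enough privilege to see process names); an empty result means every ssh forward is loopback-only.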
Advanced Skip user config with -F /dev/null
-F selects which client config file to parse. Pointing at /dev/null ignores ~/.ssh/config — handy when a Host * stanza breaks a one-off command.
Run:
ssh -F /dev/null -o BatchMode=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=accept-new localhost exit
Exit status should be 0 when sshd and keys are available. Use this pattern to see whether a connection failure comes from user config or the network path.
Related commands
OpenSSH client family and nearby admin tools.
| Command | One line |
|---|---|
| ssh | Remote login and command execution (this page) |
| scp | Copy files over SSH |
| ssh-keygen | Generate and manage key pairs |
| ssh-copy-id | Install a public key on a server's authorized_keys |
| ssh-agent | Hold decrypted keys for forwarding |
ssh — interview corner
What is the ssh command in Linux?
ssh is the OpenSSH client. It opens an encrypted connection to sshd on a remote host, authenticates you (password, public key, or other methods), and either starts an interactive shell or runs a remote command.
Default TCP port is 22. Configuration lives in /etc/ssh/ssh_config and per-user ~/.ssh/config. The client does not create accounts — the server must already have your user and authorized keys.
A strong answer is:
"ssh is the OpenSSH client for secure remote login and commands over port 22. It reads ssh_config, negotiates ciphers with sshd, and supports forwarding and jump hosts. Keys are managed with ssh-keygen, not ssh itself."
Why does ssh --help not work?
OpenSSH predates the GNU --help convention for the client. Use man ssh for options and ssh -V for the version string. Algorithm lists use ssh -Q, for example ssh -Q cipher and ssh -Q kex.
A strong answer is:
"The ssh client has no --help — I use man ssh, ssh -V, and ssh -Q for algorithm inventory on the installed build."
What does BatchMode=yes do in ssh?
BatchMode=yes tells ssh not to prompt for passwords or passphrases. If interactive auth would be required, the connection fails immediately — ideal for scripts and CI.
Example:
ssh -o BatchMode=yes user@host hostname
Pair with key-based auth or pre-seeded known_hosts. Use ConnectTimeout so down hosts fail fast.
A strong answer is:
"BatchMode disables interactive prompts — ssh fails instead of asking for a password. I use it in automation with keys and ConnectTimeout."
What is the difference between ssh -L and ssh -D?
-L (local forward) binds a local TCP port and tunnels each connection to a specific remote host:port reachable from the SSH server.
-D (dynamic forward) binds a local SOCKS port. Applications speak SOCKS to ssh, and the client opens whatever remote addresses the application requests.
Both require a working SSH session; -N is common when you only want forwarding without a shell.
A strong answer is:
"-L forwards a local port to one fixed remote socket; -D provides a SOCKS proxy for many destinations through the tunnel. I bind to 127.0.0.1 unless GatewayPorts policy says otherwise."
What is ssh -J used for?
-J (ProxyJump) connects to a bastion host first, then opens the final session to the target through that hop — without manual ProxyCommand shell glue.
Syntax:
ssh -J user@bastion [email protected]
Do not loop the jump host to the same machine (lab error: ssh -J localhost localhost). In production, the bastion is a dedicated entry host.
A strong answer is:
"-J is ProxyJump — one command to reach private hosts via a bastion. I match keys and ssh_config Host blocks for each hop."
How do you list ciphers supported by your ssh client?
Run:
ssh -Q cipher
Other queries include kex, mac, key, and protocol-version. Output reflects the local OpenSSH build, which must overlap server settings in sshd_config.
A strong answer is:
"ssh -Q cipher — same for kex and mac. I compare that list to sshd's configured algorithms when fixing negotiation failures."
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Host key verification failed | Host key changed or not in known_hosts | Verify fingerprint out-of-band; fix or remove stale known_hosts entry |
| Permission denied (publickey,…) | No matching key or password auth disabled | Install key with ssh-copy-id; check sshd_config and file modes on ~/.ssh |
| Connection timed out | Firewall, wrong IP, or host down | Ping/traceroute; confirm port with ss -tlnp \| grep :22 on server |
| no matching cipher / no matching key exchange | Client/server algorithm mismatch | Compare ssh -Q with server sshd -T \| grep -i cipher; align both sides |
| bind: Address already in use | Local forward port taken | Pick another local port or stop the old ssh -L process |
| Pseudo-terminal will not be allocated | -T or non-TTY stdin | Add -t if you need a TTY; expected for script-only commands |
| jumphost loop | -J points to same host | Use a real bastion hostname, not the final target |
References
Further reading beyond this cheat sheet.
- OpenSSH authentication methods and sshd_config
- Setup SSH port forwarding
- scp command cheat sheet
- Prevent brute-force SSH attacks
- ssh(1) man page (Ubuntu noble — Plucky manpages not yet published for this page)
- ssh_config(5) man page
