ssh Command in Linux: Syntax, Options & Safe Local Examples

ssh is the OpenSSH client for encrypted remote login and command execution. It reads ssh_config, negotiates ciphers with the server, and supports port forwarding, jump hosts, and algorithm queries via ssh -Q.

Reviewed by Deepak Prasad

Tested on: Ubuntu 25.04 (Plucky Puffin); OpenSSH_9.9p1 Ubuntu-3ubuntu3.2; kernel 7.0.0-27-generic
Package: openssh-client (apt/deb) · openssh-clients (dnf/rpm)
Man page: ssh(1)
Privilege: normal user (server account on remote host)
Distros: Ubuntu, Debian, RHEL, Fedora, and most Linux distributions ship the OpenSSH client. Server daemon: openssh-server / sshd.

ssh — quick reference

OpenSSH has no ssh --help. Options below come from man ssh and ssh -Q help on Ubuntu 25.04. Examples use localhost with BatchMode so they complete without password prompts when sshd is listening.

Version and algorithm query (-Q)

List algorithms and protocol levels the client supports — no network connection required.

| When to use | Command |
| --- | --- |
| Show OpenSSH client version | ssh -V |
| List supported ciphers | ssh -Q cipher |
| List ciphers that support authenticated encryption | ssh -Q cipher-auth |
| List compression algorithms | ssh -Q compression |
| List key-exchange algorithms | ssh -Q kex |
| List GSSAPI key-exchange methods | ssh -Q kex-gss |
| List host/public key types | ssh -Q key |
| List certificate key types | ssh -Q key-cert |
| List plain key types | ssh -Q key-plain |
| List key signature algorithms | ssh -Q key-sig |
| List MAC algorithms | ssh -Q mac |
| Show supported SSH protocol versions | ssh -Q protocol-version |
| List signature algorithms | ssh -Q sig |

Connection and addressing

| When to use | Command |
| --- | --- |
| Connect with default user and run a remote command | ssh -o BatchMode=yes localhost hostname |
| Specify login name with -l | ssh -o BatchMode=yes -l root localhost hostname |
| Same, in user@host form | ssh -o BatchMode=yes root@localhost hostname |
| Force IPv4 only | ssh -o BatchMode=yes -4 localhost exit |
| Force IPv6 only | ssh -o BatchMode=yes -6 ::1 exit |
| Connect on a non-default port | ssh -o BatchMode=yes -p 22 localhost exit |
| Bind outbound connection to a local address | ssh -o BatchMode=yes -b 127.0.0.1 localhost exit |
| Bind using a local network interface name | ssh -o BatchMode=yes -B lo localhost exit |

Authentication and identity

| When to use | Command |
| --- | --- |
| Use a specific private key file | ssh -o BatchMode=yes -i ~/.ssh/id_rsa localhost exit |
| Enable SSH agent forwarding | ssh -o BatchMode=yes -A localhost exit |
| Disable agent forwarding | ssh -o BatchMode=yes -a localhost exit |
| Enable GSSAPI authentication and forwarding | ssh -o BatchMode=yes -K localhost exit |
| Disable GSSAPI credential delegation | ssh -o BatchMode=yes -k localhost exit |

Session and remote command

| When to use | Command |
| --- | --- |
| Run one remote command and exit | ssh -o BatchMode=yes localhost echo hello |
| Disable pseudo-terminal allocation | ssh -o BatchMode=yes -T localhost echo no-pty |
| Force pseudo-terminal allocation | ssh -o BatchMode=yes -t localhost echo pty |
| Do not execute a remote command (forwarding only) | ssh -o BatchMode=yes -N localhost |
| Go to background before command (often with -N) | ssh -o BatchMode=yes -f -N localhost |
| Redirect stdin from /dev/null | ssh -o BatchMode=yes -n localhost echo ok |
| Request subsystem mode; the remote command names the subsystem (e.g. sftp) | ssh -o BatchMode=yes -s localhost sftp |

Port forwarding and tunnels

| When to use | Command |
| --- | --- |
| Local forward: listen locally, connect via SSH to remote socket | ssh -o BatchMode=yes -L 127.0.0.1:19999:127.0.0.1:22 -N localhost |
| Remote forward: listen on remote, tunnel to local | ssh -o BatchMode=yes -R 127.0.0.1:18888:127.0.0.1:22 -N localhost |
| Dynamic SOCKS proxy on local port | ssh -o BatchMode=yes -D 127.0.0.1:11080 -N localhost |
| stdio forward to host:port on the remote side | ssh -o BatchMode=yes -W localhost:22 localhost |

Configuration and debugging

| When to use | Command |
| --- | --- |
| Use an alternate client config file | ssh -o BatchMode=yes -F /etc/ssh/ssh_config localhost exit |
| Set any ssh_config keyword | ssh -o BatchMode=yes -o ConnectTimeout=5 localhost exit |
| Print resolved configuration after Host matching | ssh -G localhost |
| Append debug log to a file | ssh -o BatchMode=yes -E /tmp/ssh.log localhost exit |
| Set escape character for interactive sessions (none disables) | ssh -o BatchMode=yes -e none localhost exit |
| Quiet mode: fewer warnings | ssh -o BatchMode=yes -q localhost exit |
| Verbose debug (repeat up to three times) | ssh -o BatchMode=yes -v localhost exit |
| Send logging to syslog | ssh -o BatchMode=yes -y localhost exit |
| Select ssh_config snippet by tag | ssh -o BatchMode=yes -P mytag localhost exit |

X11 forwarding

| When to use | Command |
| --- | --- |
| Enable X11 forwarding | ssh -o BatchMode=yes -X localhost exit |
| Disable X11 forwarding | ssh -o BatchMode=yes -x localhost exit |
| Enable trusted X11 forwarding | ssh -o BatchMode=yes -Y localhost exit |

Crypto and compression

| When to use | Command |
| --- | --- |
| Request gzip-style compression | ssh -o BatchMode=yes -C localhost exit |
| Select cipher specification | ssh -o BatchMode=yes -c aes128-ctr localhost exit |
| Select MAC algorithm | ssh -o BatchMode=yes -m hmac-sha2-256 localhost exit |
Connection multiplexing

| When to use | Command |
| --- | --- |
| Place client in master mode for sharing | ssh -o BatchMode=yes -M -S /tmp/ssh-ctl -f -N localhost |
| Control an existing master (check, exit, …) | ssh -o BatchMode=yes -S /tmp/ssh-ctl -O check localhost |
| Path to control socket for shared connection | ssh -o BatchMode=yes -S /tmp/ssh-ctl localhost exit |

Remote forwarded port binding

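| When to use | Command |
| --- | --- |
| Allow remote hosts to connect to local forwarded ports (-g, GatewayPorts); an explicit bind address such as 127.0.0.1 still limits the listener to that address | ssh -o BatchMode=yes -g -L 127.0.0.1:17777:127.0.0.1:22 -N localhost |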

Tunnel device

| When to use | Command |
| --- | --- |
| Request tun(4) device forwarding (local[:remote]) | ssh -o BatchMode=yes -w 0:0 localhost exit |

ssh — command syntax

Synopsis from man ssh on Ubuntu 25.04 (OpenSSH 9.9p1):

text
ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
    [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
    [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
    [-J destination] [-L address] [-l login_name] [-m mac_spec]
    [-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
    [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
    [command [argument ...]]

ssh [-Q query_option]

ssh reads /etc/ssh/ssh_config, ~/.ssh/config, and known-hosts data under ~/.ssh/. It does not modify server accounts — authentication is handled by sshd on the remote side.


ssh — command examples

Essential Check OpenSSH client version with -V

Before debugging cipher or protocol mismatches, confirm the client build on the machine you are using.

Run:

bash
ssh -V

Sample output:

text
OpenSSH_9.9p1 Ubuntu-3ubuntu3.2, OpenSSL 3.4.1 11 Feb 2025

Match this string against the server banner from sshd -V or the remote ssh -V when troubleshooting handshake failures.

Essential List supported ciphers with ssh -Q

OpenSSH exposes built-in algorithm lists through -Q — no server required.

Run:

bash
ssh -Q cipher | head -5

Sample output:

text
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr

Use ssh -Q kex, ssh -Q mac, and ssh -Q key the same way when hardening sshd_config or debugging no matching cipher errors.

Essential Run a remote command on localhost

When sshd runs locally, you can practice ssh without external hosts. BatchMode=yes skips password prompts — ensure key-based auth or known-host trust is already set up.

Run:

bash
ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new localhost 'echo hello-from-ssh'

Sample output:

text
hello-from-ssh

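With StrictHostKeyChecking=accept-new, the first connection adds the host key to ~/.ssh/known_hosts without prompting; later connections are refused if that key changes. Use ssh -o BatchMode=yes root@localhost hostname when the remote user must be explicit.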

Common Inspect resolved config with ssh -G

-G prints the configuration OpenSSH would apply after parsing ssh_config and command-line overrides — useful before changing ~/.ssh/config.

Run:

bash
ssh -G localhost | head -12

Sample output:

text
host localhost
user root
hostname localhost
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
checkhostip no
compression no
controlmaster false
enablesshkeysign no

Compare user, hostname, and identityfile lines with what you expect from your config files.
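One way to script that comparison, as an added example that is not part of the original page: it checks ssh -G output against a list of expected key/value pairs and reports every deviation. The function name check_resolved, the forwarding lines in the sample and the expected policy are assumptions made for illustration.

```bash
# Constructed sample: lines in the shape `ssh -G localhost` prints (keywords are
# lower case), taken from the output above plus two forwarding keys.
RESOLVED='host localhost
user root
hostname localhost
port 22
batchmode no
forwardagent yes
forwardx11 no'

# Expected values, one "key value" pair per line (assumed policy for this example).
EXPECTED='user deploy
port 22
forwardagent no
identityfile ~/.ssh/id_ed25519'

# check_resolved RESOLVED_TEXT EXPECTED_TEXT   (hypothetical helper)
# Prints one line per deviation and returns the number of deviations.
check_resolved() {
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # Take the first resolved line for this key and strip the keyword.
        got=$(printf '%s\n' "$1" |
            awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }')
        if [ -z "$got" ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$want"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: resolved %s, expected %s\n' "$key" "$got" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$2
EOF
    return "$bad"
}

check_resolved "$RESOLVED" "$EXPECTED" || printf 'deviations: %s\n' "$?"
```

Against a real host, pass "$(ssh -G hostname)" as the first argument.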

Common Debug connection setup with -v

-v (repeat up to three times) prints handshake steps — cipher choice, host key, and auth methods tried.

Run:

bash
ssh -o BatchMode=yes -v localhost exit 2>&1 | head -10

Sample output:

text
OpenSSH_9.9p1 Ubuntu-3ubuntu3.2, OpenSSL 3.4.1 11 Feb 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: Authenticating to localhost:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory

Use -E /tmp/ssh.log to append the same detail to a file for support tickets.

Common Control TTY allocation with -T and -t

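-T disables pseudo-terminal allocation, which suits scripts that only need stdout. -t requests a TTY for the remote command; when local stdin is not a terminal a single -t is not enough and ssh prints the notice shown in the second sample, while repeating the option (-tt) forces allocation.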

Without TTY:

bash
ssh -o BatchMode=yes -T localhost 'echo no-pty'

Sample output:

text
no-pty

Force TTY (may print a notice when stdin is not a terminal):

bash
ssh -o BatchMode=yes -t localhost 'echo with-pty'

Sample output:

text
Pseudo-terminal will not be allocated because stdin is not a terminal.
with-pty

Use -T for automation; use -t when you need sudo or pagers on the remote side.

Common Fail fast with -o ConnectTimeout

When a host is down, default waits can stall scripts. ConnectTimeout caps the TCP connect phase (seconds).

Run against an unreachable documentation address:

bash
ssh -o BatchMode=yes -o ConnectTimeout=2 -o ConnectionAttempts=1 192.0.2.1 exit 2>&1

Sample output:

text
ssh: connect to host 192.0.2.1 port 22: Connection timed out

Pair with BatchMode=yes in cron and CI jobs so ssh exits instead of prompting.

Advanced Local port forward with -L

-L listens on your machine and tunnels connections through SSH to a socket reachable from the remote host.

Start a background forward (short lab example — stop it after testing):

bash
ssh -o BatchMode=yes -f -N -L 127.0.0.1:19999:127.0.0.1:22 localhost

Verify the listener:

bash
ss -tlnp | grep 19999

Sample output:

text
LISTEN 0      128        127.0.0.1:19999      0.0.0.0:*    users:(("ssh",pid=44667,fd=4))

Stop the forward when finished:

bash
pkill -f '127.0.0.1:19999'

See Setup SSH port forwarding for production patterns and hardening.

Advanced SOCKS proxy with -D

-D opens a local SOCKS port that forwards application traffic through the SSH session.

Run briefly on localhost:

bash
ssh -o BatchMode=yes -f -N -D 127.0.0.1:11080 localhost
ss -tlnp | grep 11080
pkill -f '127.0.0.1:11080'

Sample ss line:

text
LISTEN 0      128        127.0.0.1:11080      0.0.0.0:*    users:(("ssh",pid=46335,fd=4))

Only bind to 127.0.0.1 unless you understand the exposure of opening a proxy on all interfaces.
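An added example (not from the original page) that turns this advice into a check: it scans ss -tlnp output for listeners owned by the ssh client that are bound to anything other than a loopback address. The function name exposed_forwards and the non-loopback sample lines are constructed for illustration.

```bash
# Constructed sample `ss -tlnp` lines: the loopback listener shown earlier plus
# two forwards bound to all interfaces and the sshd listener itself.
SS_OUTPUT='LISTEN 0      128        127.0.0.1:19999      0.0.0.0:*    users:(("ssh",pid=44667,fd=4))
LISTEN 0      128          0.0.0.0:17777      0.0.0.0:*    users:(("ssh",pid=50001,fd=4))
LISTEN 0      128             [::]:11080         [::]:*    users:(("ssh",pid=50002,fd=5))
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=900,fd=3))'

# exposed_forwards SS_TEXT   (hypothetical helper)
# Prints "local_address pid" for every listening socket owned by a process
# named exactly "ssh" whose local address is not loopback. sshd is ignored
# because the match includes the closing quote of the process name.
exposed_forwards() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && index($0, "(\"ssh\",") {
            addr = $4                      # column 4 is Local Address:Port
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            pid = $0
            sub(/.*pid=/, "", pid)         # keep what follows the last pid=
            sub(/,.*/, "", pid)            # and cut at the next comma
            print addr, pid
        }'
}

exposed_forwards "$SS_OUTPUT"
```

On a live system run exposed_forwards "$(ss -tlnp)"; ss needs root to show process names for sockets owned by other users.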

Advanced Skip user config with -F /dev/null

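-F selects which client config file to parse. When -F is given, ssh also skips the system-wide /etc/ssh/ssh_config, so pointing it at /dev/null ignores both that file and ~/.ssh/config. This is handy when a Host * stanza breaks a one-off command.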

Run:

bash
ssh -F /dev/null -o BatchMode=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=accept-new localhost exit

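Exit status should be 0 when sshd and keys are available. Use this pattern to see whether a connection failure comes from user config or the network path. Because UserKnownHostsFile=/dev/null discards the host key after each run, accept-new accepts whatever key is presented every time, so keep this form for localhost tests.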


ssh — when to use / when not

Use ssh when:
  • You need an encrypted shell or remote command on another host
  • You want port forwarding or a jump path into a private network
  • You are checking supported algorithms with ssh -Q before hardening sshd

Use something else when:
  • You only copy files — scp or sftp
  • You generate or manage keys — ssh-keygen, not ssh
  • You configure the server daemon — edit sshd_config, see OpenSSH authentication methods
  • You need file sync or mounts — rsync, SSHFS, or orchestration tools

OpenSSH client family and nearby admin tools.

| Command | One line |
| --- | --- |
| ssh | Remote login and command execution (this page) |
| scp | Copy files over SSH |
| ssh-keygen | Generate and manage key pairs |
| ssh-copy-id | Install a public key on a server's authorized_keys |
| ssh-agent | Hold decrypted keys for forwarding |

Browse the full index on the Linux commands cheat sheet.


ssh — interview corner

What is the ssh command in Linux?

ssh is the OpenSSH client. It opens an encrypted connection to sshd on a remote host, authenticates you (password, public key, or other methods), and either starts an interactive shell or runs a remote command.

Default TCP port is 22. Configuration lives in /etc/ssh/ssh_config and per-user ~/.ssh/config. The client does not create accounts — the server must already have your user and authorized keys.

A strong answer is:

"ssh is the OpenSSH client for secure remote login and commands over port 22. It reads ssh_config, negotiates ciphers with sshd, and supports forwarding and jump hosts. Keys are managed with ssh-keygen, not ssh itself."

Why does ssh --help not work?

OpenSSH predates the GNU --help convention for the client. Use man ssh for options and ssh -V for the version string. Algorithm lists use ssh -Q, for example ssh -Q cipher and ssh -Q kex.

A strong answer is:

"The ssh client has no --help — I use man ssh, ssh -V, and ssh -Q for algorithm inventory on the installed build."

What does BatchMode=yes do in ssh?

BatchMode=yes tells ssh not to prompt for passwords or passphrases. If interactive auth would be required, the connection fails immediately — ideal for scripts and CI.

Example:

bash
ssh -o BatchMode=yes user@host hostname

Pair with key-based auth or pre-seeded known_hosts. Use ConnectTimeout so down hosts fail fast.

A strong answer is:

"BatchMode disables interactive prompts — ssh fails instead of asking for a password. I use it in automation with keys and ConnectTimeout."

What is the difference between ssh -L and ssh -D?

-L (local forward) binds a local TCP port and tunnels each connection to a specific remote host:port reachable from the SSH server.

-D (dynamic forward) binds a local SOCKS port. Applications speak SOCKS to ssh, and the client opens whatever remote addresses the application requests.

Both require a working SSH session; -N is common when you only want forwarding without a shell.

A strong answer is:

"-L forwards a local port to one fixed remote socket; -D provides a SOCKS proxy for many destinations through the tunnel. I bind to 127.0.0.1 unless GatewayPorts policy says otherwise."

What is ssh -J used for?

-J (ProxyJump) connects to a bastion host first, then opens the final session to the target through that hop — without manual ProxyCommand shell glue.

Syntax:

bash
ssh -J user@bastion user@target

Do not loop the jump host to the same machine (lab error: ssh -J localhost localhost). In production, the bastion is a dedicated entry host.

A strong answer is:

"-J is ProxyJump — one command to reach private hosts via a bastion. I match keys and ssh_config Host blocks for each hop."

How do you list ciphers supported by your ssh client?

Run:

bash
ssh -Q cipher

Other queries include kex, mac, key, and protocol-version. Output reflects the local OpenSSH build, which must overlap server settings in sshd_config.

A strong answer is:

"ssh -Q cipher — same for kex and mac. I compare that list to sshd's configured algorithms when fixing negotiation failures."


Troubleshooting

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| Host key verification failed | Host key changed or not in known_hosts | Verify fingerprint out-of-band; fix or remove stale known_hosts entry |
| Permission denied (publickey,…) | No matching key or password auth disabled | Install key with ssh-copy-id; check sshd_config and file modes on ~/.ssh |
| Connection timed out | Firewall, wrong IP, or host down | Ping/trace route; confirm port with ss -tlnp \| grep :22 on server |
| no matching cipher / no matching key exchange | Client/server algorithm mismatch | Compare ssh -Q with server sshd -T \| grep -i cipher; align both sides |
| bind: Address already in use | Local forward port taken | Pick another local port or stop the old ssh -L process |
| Pseudo-terminal will not be allocated | -T or non-TTY stdin | Add -t if you need a TTY (-tt when stdin is not a terminal); expected for script-only commands |
| jumphost loop | -J points to same host | Use a real bastion hostname, not the final target |
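For the "no matching cipher" row above and the earlier ssh -Q notes, this added example (not part of the original page) computes the overlap between a client algorithm list and a server's sshd -T line. The helper name algo_overlap and both sample lists are constructed for illustration.

```bash
# Constructed sample data, not captured from a real host.
# Client side: one name per line, the shape `ssh -Q cipher` prints.
CLIENT_CIPHERS='3des-cbc
aes128-cbc
aes128-ctr
aes256-ctr
chacha20-poly1305@openssh.com'
# Server side: the single "ciphers ..." line, the shape `sshd -T` prints.
SERVER_LINE='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr'

# algo_overlap CLIENT_LIST SERVER_LINE   (hypothetical helper)
# Prints the shared algorithm names in the order the server line lists them.
# Returns 1 when nothing overlaps, which is the "no matching cipher" case.
algo_overlap() {
    client_list=$1
    # Drop the leading keyword (ciphers, macs, kexalgorithms) and split on commas.
    server_list=$(printf '%s\n' "$2" | cut -d' ' -f2- | tr ',' '\n')
    rc=1
    for name in $server_list; do
        # -x whole-line match, -F fixed string: names contain '.', '@' and '-'.
        if printf '%s\n' "$client_list" | grep -qxF -e "$name"; then
            printf '%s\n' "$name"
            rc=0
        fi
    done
    return "$rc"
}

algo_overlap "$CLIENT_CIPHERS" "$SERVER_LINE"
```

ssh -Q lists everything the client build supports; the subset it actually offers to a given host is the ciphers line of ssh -G host, which has the same comma-separated shape as the sshd -T line and can be passed as the second argument.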

Rohan Timalsina is a technical writer and Linux enthusiast who writes practical guides on Linux commands and system administration. He focuses on simplifying complex topics through clear explanations.