Secure Shell connections, keys, tunnels, config & SCP
Linux / Command# Basic connection
ssh user@hostname
ssh user@192.168.1.100
ssh -p 2222 user@host # custom port
ssh user@host "ls -la /var" # run remote command
# Verbose (debug)
ssh -v user@host
ssh -vvv user@host # extra verbose
# Jump host (bastion/proxy)
ssh -J jump@bastion user@internal
ssh -o ProxyJump=bastion user@internal# Generate key pair
ssh-keygen -t ed25519 -C "email@example.com"
ssh-keygen -t rsa -b 4096 -C "email"
# Copy public key to server
ssh-copy-id user@host
ssh-copy-id -i ~/.ssh/mykey.pub user@host
# Manual copy
cat ~/.ssh/id_ed25519.pub | ssh user@host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
# Key files
~/.ssh/id_ed25519 # private key
~/.ssh/id_ed25519.pub # public key
~/.ssh/authorized_keys # server-side allowed keys
~/.ssh/known_hosts # known server fingerprints# ~/.ssh/config
Host myserver
HostName 192.168.1.100
User deploy
Port 2222
IdentityFile ~/.ssh/deploy_key
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/github_ed25519
Host prod
HostName prod.example.com
User admin
ProxyJump bastion
ForwardAgent yes
# Then just: ssh myserver# Local port forwarding (access remote service locally)
ssh -L 8080:localhost:80 user@server
# Now http://localhost:8080 → server:80
# Access remote DB locally
ssh -L 5433:db-host:5432 user@bastion
# Connect to localhost:5433 → reaches db-host:5432
# Remote port forwarding (expose local to remote)
ssh -R 9090:localhost:3000 user@server
# server:9090 → your localhost:3000
# Dynamic SOCKS proxy
ssh -D 1080 user@server
# Use localhost:1080 as SOCKS5 proxy
# Background tunnel
ssh -fN -L 8080:localhost:80 user@server# SCP — copy files
scp file.txt user@host:/path/ # upload
scp user@host:/path/file.txt . # download
scp -r dir/ user@host:/path/ # recursive
scp -P 2222 file.txt user@host:/path/
# SFTP — interactive file transfer
sftp user@host
sftp> ls # list remote
sftp> get file.txt
sftp> put file.txt
sftp> mkdir newdir
sftp> exit# Start agent
eval $(ssh-agent)
# Add key
ssh-add ~/.ssh/id_ed25519
ssh-add -l # list loaded keys
# Agent forwarding (use local keys on remote)
ssh -A user@host
# macOS: add to keychain
ssh-add --apple-use-keychain ~/.ssh/id_ed25519# Disable password auth (sshd_config)
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# Change default port
Port 2222
# Limit users
AllowUsers deploy admin
# Fail2Ban — block brute force
# Rate limit — MaxAuthTries 3
# Remove old host key
ssh-keygen -R hostname