ssh -p port user@server

allocate new TTY/shell, don't execute bashrc/profile

ssh -t username@hostname /bin/sh

don't use keys

ssh user@server -o PreferredAuthentications=keyboard-interactive

disable the ssh agent

export SSH_AUTH_SOCK=""; ssh user@server

Never disclose your private key (also called privkey) to anybody! It's private. A public key (also called pubkey) is used to identify you on a remote system and you can copy it to any system you want to authenticate with.

ssh-keygen -t ed25519 -f ~/.ssh/new_key

You will find two files in your ~/.ssh/ directory: new_key (your private key) and (your public key).

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/
ssh-keygen -f ".ssh/known_hosts" -R servername/ip
Host arbitraryhostname
  HostName realhostnameorIPhere
  User usernamehere
  Port 12345

more ideas:

password-less authentication

  • Standard key is ~/.ssh/
  • copy with ssh-copy-id user@server:port
  • Alternative:
    cat ~/.ssh/ | ssh user@server "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys"
Port 12345
#ListenAddress ::
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes


  • use `sshguard` instead of `fail2ban`


Subsystem sftp internal-sftp
Match Group sftponly
 ForceCommand internal-sftp
 ChrootDirectory /wwwhome

The ChrootDirectory must have chmod 750 and permissions of root:sftponly!

If you want to connect to target computer on the target port of your SSH computer through localhost:

ssh -L 8888:targetcomputer:targetport ssh-computername -N

With ssh -L 8888:webserver:80 dmz-server -N you can make a webserver which is only available in the destination network available on localhost:8888.

If you want to reverse tunnel a connection (i.e. make the destination port available to connect from the outside), you can use

ssh -o "GatewayPorts=yes" -L 80:localhost:8080 destination -N

This will forward the remote port 8080 to the local 80. Keep in mind you also have to open the firewall on the remote machine.

You can pipe to/from SSH. (Quelle)

remote to local

ssh user@server 'echo 0' | cat - > echo.out

local to remote

echo 0 | ssh user@server 'cat - > echo.out'

The command-line tool ssh should be installed already. If it isn't, consult your package manager and install the OpenSSH package.

Recommended is the msys2 shell, installable through chocolatey. If you want to transfer files with a GUI, you can use WinSCP. Don't use PuTTY, it's old and slow. If you absolutely must use a GUI tool, KiTTY is the better alternative.

OpenSSH server is available for Windows and you can even use PowerShell through it.

If your SSH session doesn't close on reboot or shutting down, you might lack a timeout in the OpenSSHd config or the corresponding systemd package so the session gets closed cleanly.

remedy 1: install libpam-systemd


apt install libpam-systemd dbus

Check that you actually use the PAM module:


remedy 2: enable sshd session cleanup

cp /usr/share/doc/openssh-client/examples/ssh-session-cleanup.service /etc/systemd/system/
systemctl  enable ssh-session-cleanup.service

remedy 3: set a timeout in your client

Host *
   ServerAliveInterval 15
   ServerAliveCountMax 5
  • Last modified: 2020-04-02 10:13