SSH
January 4, 2026
Secure SHell - remote command-line login to systems over an encrypted network connection, authenticating with passwords and/or SSH public + private asymmetric key pairs.
- Generate an SSH Key
- Compare SSH Key Fingerprint
- SSH Public Key and Authorized Keys
- SSH Login using only SSH Key
- Use SSH Agent
- SSH Config
- X Forwarding
- Legacy SSH Servers
- SSHFS
Generate an SSH Key
The comment makes your public key distinguishable when it's copied to ~/.ssh/authorized_keys on servers or Cloud systems.
ssh-keygen -f ~/.ssh/"$filename" -t rsa -b 4096 -C "$comment"
It'll prompt you for a passphrase to protect the private key with. If you add a passphrase, use SSH Agent as documented further down to avoid having to type it every time you use the SSH key.
Compare SSH Key Fingerprint
Use this to compare the keys stored on some public service like Bitbucket.
ssh-keygen -l -f ~/.ssh/"$filename"
To print it in MD5 format to compare to an online platform like GitLab:
ssh-keygen -lf ~/.ssh/id_rsa.pub -E md5
SSH Public Key and Authorized Keys
Copy the contents of the .pub public key file generated by the command above, ~/.ssh/"$filename.pub", into
~/.ssh/authorized_keys on any server you want to SSH to without a password.
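The step above is usually done by pasting, which is how duplicate entries and wrong file permissions creep in. The following shell function is an added example, not from the original page: it installs a public key line into a user's authorized_keys idempotently, matching on key type plus key material (the first two fields) rather than on the free-text comment, and sets the permissions sshd's StrictModes expects (700 on ~/.ssh, 600 on authorized_keys). The function names and the key strings used in comments are this example's own; it handles plain key lines only, not lines with a leading options field such as command="...".

```shell
#!/bin/sh
# Added example (not from the original page): idempotent authorized_keys install.
#
# Usage: add_authorized_key <home-dir> "<key-type> <base64-blob> [comment]"
# Returns 0 when the key is present afterwards (added or already there),
# 2 when the line does not look like a plain public key.

add_authorized_key() {
    home_dir=$1
    pubkey_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Key material is the first two whitespace-separated fields; the comment
    # (field 3 onwards) is free text and must not take part in the comparison.
    key_type=$(printf '%s\n' "$pubkey_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$pubkey_line" | awk '{print $2}')
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "add_authorized_key: unrecognised key type '$key_type'" >&2; return 2 ;;
    esac
    [ -n "$key_blob" ] || { echo "add_authorized_key: missing key material" >&2; return 2; }

    # sshd (StrictModes yes, the default) refuses keys from group/world-writable paths.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Already present? Compare type + blob against every existing line.
    if awk -v t="$key_type" -v b="$key_blob" \
        '($1 == t && $2 == b) { found = 1 } END { exit !found }' "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey_line" >> "$auth_file"
}

# Count how many authorized_keys entries carry the given key type + blob
# (useful for checking that repeated installs did not duplicate the key).
count_authorized_key() {
    awk -v t="$2" -v b="$3" \
        '($1 == t && $2 == b) { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Run directly: sh add_key.sh /home/hari "ssh-ed25519 AAAA... laptop"
if [ "$#" -ge 2 ]; then
    add_authorized_key "$1" "$2"
fi
```

Because the match ignores the comment, re-running the install with a renamed key comment does not create a second entry; a line that is not a recognised key type is rejected before anything is written.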
SSH Login using only SSH Key
To enforce logging in using only the public key, and to error out otherwise rather than falling back to a password prompt:
ssh -o PreferredAuthentications=publickey ...
Useful to stop automated scripts or CI/CD from getting stuck on a password prompt. It's better to error out immediately for faster debugging, and to avoid wasting chargeable CI/CD build minutes.
Use SSH Agent
Password protect your SSH key on disk and then load it into SSH Agent once at startup.
Start ssh-agent and save the output to a file to import into other shells:
ssh-agent | tee ~/.ssh-agent.env
In each shell:
. ~/.ssh-agent.env
Add your SSH key to the agent (will prompt you this one time for passphrase if the private key is protected):
ssh-add ~/.ssh/id_rsa
List loaded keys:
ssh-add -l
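The three steps above (start the agent, save its environment, source it in each shell) are easy to get wrong across many logins: each new terminal that blindly runs ssh-agent leaves another orphaned agent process holding decrypted keys. The following script is an added example, not from the original page; it reuses the page's ~/.ssh-agent.env file but only starts a new agent when the saved one is no longer reachable, and only prompts for the passphrase when the key is not already loaded. The function names and the AGENT_ENV_FILE variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): start ssh-agent once and share
# it across shells via ~/.ssh-agent.env, reusing a live agent when there is one.
#
# Usage: . ./ssh-agent-bootstrap.sh           (defines the functions)
#        ensure_agent ~/.ssh/id_rsa            (e.g. from ~/.bashrc)
# or:    sh ./ssh-agent-bootstrap.sh ~/.ssh/id_rsa

AGENT_ENV_FILE=${AGENT_ENV_FILE:-$HOME/.ssh-agent.env}

# Load a previously saved agent environment, if the file exists.
load_agent_env() {
    [ -r "$1" ] || return 1
    # The file is ssh-agent's own "VAR=value; export VAR;" output, so sourcing
    # it is the intended use; silence its "echo Agent pid" line.
    . "$1" >/dev/null
}

# ssh-add -l exits 0 (keys loaded) or 1 (agent reachable but empty);
# 2 means nothing answers at SSH_AUTH_SOCK, 127 means ssh-add is not installed.
agent_is_live() {
    ssh-add -l >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# Is this particular key already loaded? Compare fingerprints (field 2 of
# both "ssh-keygen -lf" and "ssh-add -l" output) rather than comments.
key_is_loaded() {
    fp=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}')
    [ -n "$fp" ] || return 1
    ssh-add -l 2>/dev/null | awk -v f="$fp" '$2 == f { found = 1 } END { exit !found }'
}

ensure_agent() {
    key=$1
    load_agent_env "$AGENT_ENV_FILE" || true
    if ! agent_is_live; then
        # Subshell so the umask does not leak into the caller; 600 keeps the
        # socket path and PID from other local users.
        ( umask 077 && ssh-agent -s > "$AGENT_ENV_FILE" ) || return 1
        load_agent_env "$AGENT_ENV_FILE"
    fi
    if [ -n "$key" ] && ! key_is_loaded "$key"; then
        ssh-add "$key"
    fi
}

if [ "$#" -gt 0 ]; then
    ensure_agent "$1"
fi
```

A stale env file (for example after a reboot, when the socket path no longer exists) is detected by the exit status of ssh-add -l rather than by checking whether the file exists, which is the check that the plain "source the file in each shell" approach lacks.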
SSH Config
Make it fast and easy to connect to SSH servers which have long names or only IP addresses, without having to remember them, by adding a block to your ~/.ssh/config:
Host myhost
TCPKeepAlive yes
ServerAliveInterval 300
HostName x.x.x.x
IdentityFile ~/.ssh/id_rsa
User hari
LogLevel QUIET # suppress the motd, similar to -q switch
You can now run ssh myhost without DNS: ssh replaces the alias with the HostName field's value, in this case the IP x.x.x.x.
For AWS EC2 VMs, specify User ec2-user and the key pair generated at creation time.
To use different user accounts and keys for different servers, give each server its own Host block with a distinct alias (a second block with the same alias would be ignored, since the first matching Host wins for each option):
Host myec2host
TCPKeepAlive yes
ServerAliveInterval 300
HostName x.x.x.x
IdentityFile ~/.ssh/ec2-user.pem
User ec2-user
X Forwarding
Log in with X forwarding enabled, then copy your X authority cookie to root so that GUI programs started after sudo can use the forwarded display (sudo su keeps your home directory as the working directory, so the relative path works):
ssh -X hari@"$HOST"
sudo su
cp .Xauthority /root
virt-manager
Legacy SSH Servers
If you see an error like this when trying to SSH to an older system running an older version of SSH:
Unable to negotiate with 192.168.1.46 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
add the -o HostKeyAlgorithms=+ssh-rsa,ssh-dss option to the SSH command line to accept the older host key algorithms:
ssh -o HostKeyAlgorithms=+ssh-rsa,ssh-dss ...
If you're using an SSH key, you'll get prompted for a password when your SSH key fails to authenticate, because you also need
the switch -o PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss:
ssh -o HostKeyAlgorithms=+ssh-rsa,ssh-dss -o PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss ...
If using rsync over ssh, use the -e switch to pass these options to ssh:
rsync -av -e 'ssh -oHostKeyAlgorithms=+ssh-rsa,ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss' ...
SSHFS
Mount a remote SSH directory locally as a pseudo-filesystem using Fuse and SSHFS:
sshfs "$USER"@"$SERVER":/path/to/remotedir /mnt/localdir
Unmount:
fusermount -u /mnt/localdir
or
umount /mnt/localdir