Secure shell (SSH) is one of the most ubiquitous Linux tools. It provides secure connectivity among workstations, servers, managed switches, routers, and any number of other devices. Linux and macOS include SSH, and it's easy to add to Windows.
This article provides a quick review of standard SSH use. The main focus is on running one-off commands over an SSH connection and on tunneling other applications, and I've added a bonus section on using scp to securely copy files.
There are plenty of SSH configuration articles, so this article is about using SSH rather than configuring it. I've made a few assumptions about your setup:
- The SSH service is installed and running on the destination server.
- An SSH client is installed on the local computer.
- The firewall configuration permits SSH.
- You're using the standard 22/tcp SSH port.
- In these exercises, key-based authentication is NOT configured, so SSH prompts you for a password.
For the record, key-based authentication is highly recommended (indeed, almost assumed at this point). Key-based authentication connection attempts are quicker, easier to automate, and considered to be more secure. Read Passwordless SSH using public-private key pairs for guidance on this critical configuration or Eight ways to protect SSH access on your system for general suggestions.
Connect over regular SSH
I'll begin with what might be considered a standard SSH connection. This command initiates SSH and specifies the user account the remote server should authenticate and the destination server's identity (hostname or IP address):
$ ssh user01@server01
The connection attempt triggers a password challenge. This is the password for the specified user account on the remote system.
Once authenticated, the remote system presents a command prompt and provides the ability to run commands or access resources with whatever privileges the connecting user has. On some systems, security configurations prevent the root user from connecting over SSH, so it may be necessary to elevate privileges at this point.
The interactive session is established, and you may now conduct your administrative tasks.
Run a command over SSH
What if the only thing you need to do over the SSH connection is execute a single quick command? You might not want to take the separate actions of connecting and authenticating, running the command, and then disconnecting.
Recall that you are challenged for a password in these examples unless you have key-based authentication configured (you probably should, but it's out of scope for this article).
SSH allows users to append the desired command directly to the connection attempt. The command executes, and the connection is closed.
The basic syntax is ssh user01@server01 "command".
For example, you could check the installation status of a package:
$ ssh user01@server01 "rpm -qa | grep nano"
Maybe you need to check a log file on a remote server for "fail" messages. You could try something like this:
$ ssh user01@server01 "cat /var/log/secure" | grep -i fail
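The same log check taken one step further, as an added example that is not part of the original article: instead of a bare grep, count failed sshd password attempts per source address. The function names and the sample log lines are assumptions constructed for illustration.

```shell
# Added example. The sample lines are constructed; the public addresses come
# from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 server01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 03:14:09 server01 sshd[2211]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 12 03:14:15 server01 sshd[2215]: Failed password for invalid user a from 10.0.0.1 from 203.0.113.7 port 51140 ssh2
Jan 12 03:20:41 server01 sshd[2302]: Failed password for user01 from 198.51.100.20 port 40022 ssh2
Jan 12 03:20:47 server01 sshd[2302]: Accepted password for user01 from 198.51.100.20 port 40022 ssh2
Jan 12 03:21:02 server01 sudo: pam_unix(sudo:auth): authentication failure; logname=user01 uid=1000 euid=0 tty=/dev/pts/0 ruser=user01 rhost=  user=user01
EOF
}

# failed_by_source: read secure-log text on stdin, print "COUNT ADDRESS"
# for failed sshd password attempts, highest count first.
# The address is taken by position from the END of the line
# ("... from ADDR port N ssh2"), because the user name earlier in the line
# is chosen by the client and may itself contain "from <something>".
failed_by_source() {
    awk 'NF > 5 && /sshd\[[0-9]+\]: Failed password for / &&
         $(NF - 4) == "from" && $(NF - 2) == "port" { n[$(NF - 3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# noisy_sources MIN: print only the addresses with at least MIN failures.
noisy_sources() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Against the article's host, the input would come from the one-off command:
#   ssh user01@server01 "cat /var/log/secure" | failed_by_source
```

The third sample line carries a user name containing "from 10.0.0.1"; a parser that takes the first "from" in the line would attribute that attempt to the wrong address.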
Or perhaps you need to pull a file from the remote system. Furthermore, you must compress the file:
$ ssh user01@server01 "tar -czf - /projects" > projectsbackup.tar.gz
Note that it's likely you would use scp for this task (see below).
If you need to elevate your privileges on the far side of the SSH connection with sudo, then force the use of a pseudo-terminal with -t. Use this if sudo will challenge you for a password. The command looks like this:
$ ssh -t user01@server01 "sudo yum install nano"
Tunnel other applications
SSH can provide an authenticated and encrypted connection to remote devices for other applications.
Virtual Network Computing (VNC) is a useful way to connect to a remote desktop when you need a graphical user interface (GUI) to accomplish your task.
Not all VNC products provide encryption for data transfer (however, they usually do for the authentication stage). You can tunnel your VNC connection over SSH for added privacy.
You need to forward ports for this to work. Type the following:
$ ssh -L 5901:localhost:5901 -N -f -l user01 server01
Launch the VNC client and connect to localhost:5901, which is now forwarded to the remote server.
Here's an explanation of the options in the command above:
-L: Forward the port to the destination device. In this case, it's a direct mapping of 5901 to 5901 (the default VNC port number).
-N: Only forward ports and do not execute commands.
-f: Put SSH in the background after the connection is established (freeing the command prompt).
-l: This option specifies the remote SSH user (the login name). The destination server follows as a separate, final argument.
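Because -f leaves the tunnel running in the background, it helps to open and close it deliberately. The following is an added example, not part of the original article: the function names and the control-socket path are assumptions, while -M, -S, -O exit, and ExitOnForwardFailure are standard OpenSSH client options.

```shell
# Added example: manage a background port forward through a control socket
# instead of leaving an untracked "ssh -f" process behind.
# CTL is an assumed control-socket path chosen for this illustration.
CTL="${TMPDIR:-/tmp}/ssh-tunnel-$$.sock"

# valid_port N: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digit, or too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL_PORT REMOTE_PORT: print a -L argument whose listener is
# pinned to 127.0.0.1, so the forward stays local to this machine whatever
# the client's GatewayPorts setting says.
forward_spec() {
    valid_port "$1" && valid_port "$2" || return 1
    printf '127.0.0.1:%s:localhost:%s\n' "$1" "$2"
}

# tunnel_up LOCAL_PORT REMOTE_PORT DEST: start the forward in the background.
# ExitOnForwardFailure makes ssh exit if the local port cannot be bound,
# rather than staying connected with no working tunnel.
tunnel_up() {
    spec=$(forward_spec "$1" "$2") || { echo "invalid port" >&2; return 1; }
    ssh -M -S "$CTL" -o ExitOnForwardFailure=yes -N -f -L "$spec" "$3"
}

# tunnel_down DEST: ask the background ssh process to exit, closing the port.
tunnel_down() {
    ssh -S "$CTL" -O exit "$1"
}

# Usage with the article's host and ports:
#   tunnel_up 5901 5901 user01@server01
#   tunnel_down user01@server01
```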
Similarly, you could establish an HTTP-over-SSH tunnel to a directory named images with a command like this:
$ ssh -L 11000:localhost:80 -N -f -l user01 server01
Next, start a web browser and connect to
If all you're trying to do is copy files, you don't have to use a full SSH connection. Instead, you can use the scp command to accomplish the same goal more easily.
file.txt to the
/projects directory on remote system
$ scp file.txt server01:/projects
Or, if you need to copy the file from the remote system to your current directory on your system, type:
$ scp server01:/projects/file.txt .
Glen Newell has a nice writeup on using the
Most Linux administrators are familiar with establishing SSH connections for remote administration. We run the ssh command, authenticate, and then accomplish a series of tasks. When the tasks are complete, we disconnect.
This pattern is great if you need to make multiple configurations or manually issue a series of commands. However, sometimes you just need to run one command or script. SSH allows a quick connection that authenticates, runs the specified command, and disconnects. Finally, SSH can also tunnel other protocols, such as VNC or HTTP, providing a level of security beyond what the supporting applications offer. Explore the incredible flexibility of SSH and discover new ways of using this old tool.