SSH (Secure Shell) is how you remotely access another machine over a network. This is a basic overview of the concepts and commands you’ll use most often.
SSH Concepts
Public and Private Keys
SSH gives you two ways to authenticate: a password or a key pair. We’re going to use keys. They’re harder to brute force than a password and more convenient once set up, since you don’t have to type anything to log in.
The key pair has two parts.
The private key stays on your machine and never leaves it. Think of it as your actual password. Do not share it.
The public key goes on the server. It can only be used to verify that you have the matching private key. Sharing it is fine.
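When you connect, your client signs data from the session with your private key, and the server checks that signature against the public key it has on file. The private key itself is never sent.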
Public keys are stored on the server at ~/.ssh/authorized_keys. Private keys sit on your machine, usually in ~/.ssh/.
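A simplified illustration of that check, added here and not part of the original page: a random challenge file stands in for the session data a real SSH login signs, and `ssh-keygen -Y sign` / `-Y verify` play the client and the server. It needs an OpenSSH release that supports `ssh-keygen -Y`; the throwaway keys, the `demo-login` namespace and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration: proving possession of a private key with ssh-keygen -Y.
# Every key here is a throwaway, generated in a temporary directory.

# make_key DIR NAME: create an unencrypted ed25519 pair DIR/NAME and DIR/NAME.pub
make_key() {
    ssh-keygen -q -t ed25519 -N '' -C "constructed demo key" -f "$1/$2"
}

# server_accepts DIR PRIVATE_KEY: the "server" only knows DIR/allowed (the
# public keys on file). It issues a fresh random challenge, the "client" signs
# it with PRIVATE_KEY, and the server verifies. Prints accepted or rejected.
server_accepts() {
    dir=$1 key=$2
    head -c 32 /dev/urandom > "$dir/challenge"
    rm -f "$dir/challenge.sig"
    ssh-keygen -Y sign -f "$key" -n demo-login "$dir/challenge" >/dev/null 2>&1
    if ssh-keygen -Y verify -f "$dir/allowed" -I joseph -n demo-login \
        -s "$dir/challenge.sig" < "$dir/challenge" >/dev/null 2>&1
    then echo accepted
    else echo rejected
    fi
}

# possession_demo: prints "accepted rejected" (matching key, then unrelated key)
possession_demo() {
    dir=$(mktemp -d) || return 1
    make_key "$dir" my_key       # its .pub is what the server has on file
    make_key "$dir" other_key    # an unrelated key pair
    # allowed_signers line: principal, key type, base64 public key
    printf 'joseph %s\n' "$(cut -d' ' -f1,2 "$dir/my_key.pub")" > "$dir/allowed"
    right=$(server_accepts "$dir" "$dir/my_key")
    wrong=$(server_accepts "$dir" "$dir/other_key")
    rm -rf "$dir"
    echo "$right $wrong"
}
```

The server side only ever reads `allowed`, which holds public keys, so copying that file gives nobody the ability to log in.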
SSH Config File
Instead of typing out the full connection details every time, you can save them in ~/.ssh/config. This lets you connect with a short alias instead of a full command.
Host my-server
Hostname 192.168.1.20
User joseph
Port 22
IdentityFile ~/.ssh/my_key
After saving that, you can just run ssh my-server instead of ssh -i ~/.ssh/my_key joseph@192.168.1.20.
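To confirm what an alias actually resolves to, `ssh -G` prints the evaluated options without connecting. This added example (not from the original page) wraps it in hypothetical helper functions and appends a constructed `Host *` block to show that ssh keeps the first value it finds for each option.

```shell
#!/bin/sh
# Added example: inspect what an ssh_config alias resolves to, without connecting.

# write_sample_config FILE: the page's Host block plus a constructed catch-all.
write_sample_config() {
    cat > "$1" <<'EOF'
Host my-server
    HostName 192.168.1.20
    User joseph
    Port 22
    IdentityFile ~/.ssh/my_key

# Constructed addition: ssh uses the first value obtained for each option,
# so this later block cannot override what my-server already set.
Host *
    Port 2222
    User nobody
EOF
}

# effective_option CONFIG ALIAS OPTION: the value ssh would actually use.
# -F reads only CONFIG; -G prints the evaluated options (lowercase keys).
effective_option() {
    ssh -F "$1" -G "$2" 2>/dev/null |
        awk -v k="$3" '$1 == k { print $2; exit }'
}

# equivalent_command CONFIG ALIAS: the long-form command the alias stands for.
equivalent_command() {
    printf 'ssh -i %s -p %s %s@%s\n' \
        "$(effective_option "$1" "$2" identityfile)" \
        "$(effective_option "$1" "$2" port)" \
        "$(effective_option "$1" "$2" user)" \
        "$(effective_option "$1" "$2" hostname)"
}

# Usage: write_sample_config /tmp/demo_config
#        equivalent_command /tmp/demo_config my-server
```

Running `effective_option` against your real `~/.ssh/config` before connecting is a quick way to catch a wildcard block that sets a user, port or key you did not intend.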
Common Commands
ssh
Connect to a remote machine.
ssh [USER]@[SERVER]
| Modifier | Input | What it does |
|---|---|---|
| -i | path to private key | Specifies which private key to use |
| -p | port number | Connects on a specific port instead of the default 22 |
| -L | [LOCAL-PORT]:[TARGET-HOST]:[TARGET-PORT] | Forwards a local port to a remote host through the server |
ssh -i [PRIVATE-KEY] [USER]@[SERVER]
ssh -p [PORT] [USER]@[SERVER]
ssh -L [LOCAL-PORT]:[TARGET-HOST]:[TARGET-PORT] [USER]@[SERVER]
Example
For this example I want to SSH into my Linux machine at 192.168.1.20. I’m logging in as joseph, which is the local user on that machine.
The default SSH port is 22, but I changed mine to 2222, so I need to specify it with -p. I also set up key authentication, so I’m pointing to my private key with -i instead of typing a password.
ssh -i ~/.ssh/my_key -p 2222 joseph@192.168.1.20
ssh-keygen
Generate a new key pair. The output will be two files: your private key and your public key (.pub).
ssh-keygen -t [TYPE] -f [PATH] -C "[COMMENT]"
| Modifier | Input | What it does |
|---|---|---|
| -t | key type | Sets the key type. Use ed25519, it’s faster and more secure than RSA |
| -f | file path | Where to save the key and what to name it |
| -C | string | A comment to identify the key later, usually your email or a description |
| -b | number | Sets the key size in bits. Only needed for RSA, ed25519 ignores this |
ssh-keygen -t ed25519 -f ~/.ssh/[FILENAME] -C "[COMMENT]"
ssh-keygen -t rsa -b 4096 -f ~/.ssh/[FILENAME] -C "[COMMENT]"
Example
For this example I want to generate a new ed25519 key pair for my Linux server. I’m using -t to set the key type to ed25519. With -f I’m telling it to save the key to ~/.ssh/ and name it my_key. The -C is just a label so I know what this key is for later.
ssh-keygen -t ed25519 -f ~/.ssh/my_key -C "joseph linux server"
ssh-copy-id
Copies your public key to a server so you can log in without a password.
ssh-copy-id -i [PUBLIC-KEY] [USER]@[SERVER]
| Modifier | Input | What it does |
|---|---|---|
| -i | path to public key | Specifies which public key to copy. Use the .pub file, not the private key |
| -p | port number | Copies to a server running SSH on a non-default port |
ssh-copy-id -i [PUBLIC-KEY] [USER]@[SERVER]
ssh-copy-id -i [PUBLIC-KEY] -p [PORT] [USER]@[SERVER]
This appends your public key to ~/.ssh/authorized_keys on the server automatically.
Example
For this example I want to copy my public key to my Linux machine at 192.168.1.20 so I can log in without a password from now on.
I’m using -i to point to my public key. It has to be the .pub file — not the private key. joseph is the local user on that machine. My SSH port is set to 2222 so I also need -p to specify it.
ssh-copy-id -i ~/.ssh/my_key.pub -p 2222 joseph@192.168.1.20
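The append that ssh-copy-id performs, reproduced by hand on the server side as an added example (not ssh-copy-id's own code): a hypothetical `install_pubkey` function that refuses a private key, creates `~/.ssh` and `authorized_keys` with modes that sshd's StrictModes check accepts, and skips a key that is already present.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys by hand.

# install_pubkey PUBFILE [HOME_DIR]
# Appends PUBFILE to HOME_DIR/.ssh/authorized_keys (HOME_DIR defaults to $HOME).
# Prints "added" or "already present"; returns 2 if PUBFILE is not a public key.
install_pubkey() {
    pub=$1 home=${2:-$HOME}
    # Catch the classic mistake of pointing at the private key file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 2
    fi
    line=$(head -n 1 "$pub")
    case $line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "refusing: unrecognised key line in $pub" >&2; return 2 ;;
    esac
    # sshd (StrictModes) ignores keys if these are group- or world-writable.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth"
    # Compare on the key material (field 2) so a changed comment is not
    # treated as a new key.
    blob=$(printf '%s\n' "$line" | cut -d' ' -f2)
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$line" >> "$auth"
        echo "added"
    fi
}
```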
scp
Copy files over SSH. Works like cp but over the network.
scp [FILE] [USER]@[SERVER]:[SERVER-DIRECTORY]
| Modifier | Input | What it does |
|---|---|---|
| -i | path to private key | Specifies which private key to use |
| -P | port number | Connects on a non-default port. Note the capital P, unlike ssh |
| -r | none | Copies a directory recursively |
# Client to server
scp [FILE] [USER]@[SERVER]:[SERVER-DIRECTORY]
# Server to client
scp [USER]@[SERVER]:[FILE] [LOCAL-DIRECTORY]
# With modifiers
scp -i [PRIVATE-KEY] -P [PORT] [FILE] [USER]@[SERVER]:[SERVER-DIRECTORY]
scp -r [DIRECTORY] [USER]@[SERVER]:[SERVER-DIRECTORY]
Example
For this example I want to copy a file from my machine to my Linux server at 192.168.1.20. I’m pointing -i to my private key for authentication. My SSH port is 2222 so I need -P to specify it. Note that scp uses a capital -P for the port, unlike ssh which uses lowercase.
scp -i ~/.ssh/my_key -P 2222 backup.tar.gz joseph@192.168.1.20:/home/joseph/backups/
For transferring large numbers of files or syncing directories, rsync is the better option. It only transfers what has changed instead of copying everything every time, which is faster and safer over an unstable connection.
rsync -avz -e "ssh -i ~/.ssh/my_key -p 2222" [DIRECTORY] [USER]@[SERVER]:[SERVER-DIRECTORY]
Additional Notes
On Debian and some other distros you may run into an issue with an unknown terminal type when trying to clear the screen or run certain commands. To fix this, just add the following to your shell config:
echo 'export TERM=xterm-256color' >> ~/.bashrc && source ~/.bashrc
Last modified on 2025-12-17