ssh Command in Linux: Connect to Remote Servers
Secure Shell (SSH) is a cryptographic network protocol used for an encrypted connection between a client and a server. The ssh client creates a secure connection to the SSH server on a remote machine. The encrypted connection can be used to execute commands on the server, tunnel X11 sessions, forward ports, and more.
There are a number of SSH clients available, both free and commercial, with OpenSSH being the most widely used. It is available on all major platforms, including Linux, OpenBSD, Windows, and macOS.
This guide explains how to use the OpenSSH command-line client (ssh) to log in to a remote machine, run commands, and perform other operations.
Installing OpenSSH Client
The OpenSSH client program is called ssh and can be invoked from the terminal. The OpenSSH client package also provides other SSH utilities such as scp
and sftp
that are installed alongside the ssh command.
OpenSSH client is preinstalled on most Linux distributions. If your system does not have the ssh client installed, you can install it using your distribution’s package manager.
Install OpenSSH on Ubuntu, Debian, and Derivatives
sudo apt update
sudo apt install openssh-clientInstall OpenSSH on Fedora, RHEL, and Derivatives
sudo dnf install openssh-clientsInstall OpenSSH on Windows 10 and 11
Windows 10 and Windows 11 include a built-in OpenSSH client that can be installed via PowerShell. To find the exact package name, run:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'Name : OpenSSH.Client~~~~0.0.1.0
State : NotPresent
Name : OpenSSH.Server~~~~0.0.1.0
State : NotPresentOnce you know the package name, install it by running:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0Path :
Online : True
RestartNeeded : FalseInstall OpenSSH on macOS
macOS ships with the OpenSSH client installed by default.
ssh Command Syntax
The basic syntax of the ssh command is:
ssh [OPTIONS] [USER@]HOSTThe following requirements must be met to log in to a remote machine via SSH:
- An SSH server must be running on the remote machine.
- The SSH port must be open in the remote machine’s firewall.
- You must know the username and password of the remote account, or have a valid SSH key pair configured.
Connecting to a Remote Server
To connect to a remote server, type ssh followed by the remote hostname or IP address:
ssh ssh.linuxize.comWhen you connect to a remote machine for the first time, you will see a message like this:
The authenticity of host 'ssh.linuxize.com (192.168.121.111)' can't be established.
ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY.
Are you sure you want to continue connecting (yes/no/[fingerprint])?Each host has a unique fingerprint that is stored in the ~/.ssh/known_hosts file. Type yes to store the remote fingerprint and continue. You will then be prompted to enter your password:
Warning: Permanently added 'ssh.linuxize.com' (ECDSA) to the list of known hosts.
dev@ssh.linuxize.com's password:Once you enter the password, you will be logged in to the remote machine.
When no username is given, ssh uses the current system login name. To log in as a different user, specify the username and host in the following format:
ssh username@hostnameThe username can also be specified with the -l option:
ssh -l username hostnameBy default, ssh connects to port 22. On some servers, administrators change the default SSH port
to reduce the risk of automated attacks. To connect to a non-default port, use the -p option:
ssh -p 5522 username@hostnameIf you are experiencing authentication or connection issues, use the -v option to print debugging messages:
ssh -v username@hostnameFor more verbosity, use -vv or -vvv.
Running Remote Commands
You can execute a command on a remote machine without starting an interactive shell session by appending the command after the host:
ssh username@hostname 'command'For example, to check the disk usage on a remote server:
ssh username@hostname 'df -h'To run multiple commands in one session, separate them with a semicolon or use &&:
ssh username@hostname 'sudo apt update && sudo apt upgrade -y'To run a command that requires a pseudo-terminal (for example, top or sudo), pass the -t flag to force TTY allocation:
ssh -t username@hostname 'sudo journalctl -f'SSH Config File
If you connect to multiple remote systems over SSH regularly, remembering all IP addresses, usernames, non-standard ports, and command-line options becomes difficult.
The OpenSSH client reads options from the per-user configuration file (~/.ssh/config). You can store different SSH options for each remote host in this file.
A sample SSH config entry looks like this:
Host dev
HostName dev.linuxize.com
User mike
Port 4422With this entry, typing ssh dev is equivalent to:
ssh -p 4422 mike@dev.linuxize.comFor more information, see the article on the SSH config file .
Public Key Authentication
The SSH protocol supports various authentication mechanisms. Public key authentication lets you log in to a remote server without entering a password .
This method uses a pair of cryptographic keys. The private key stays on your local machine and the public key is placed on each remote server you want to access.
If you do not already have an SSH key pair on your local machine, generate one with:
ssh-keygen -t ed25519 -C "your_email@domain.com"Ed25519 is the recommended key type — it is faster and more secure than RSA. If you need RSA for compatibility with older systems, use:
ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"You will be asked to enter a passphrase. Using a passphrase is optional but strongly recommended for security.
Once you have your key pair, copy the public key to the remote server:
ssh-copy-id username@hostnameEnter the remote user’s password when prompted. The public key will be appended to the ~/.ssh/authorized_keys file on the remote server.
After the key is in place, you can log in without being prompted for a password. Key-based authentication simplifies the login process and significantly improves server security.
Port Forwarding
SSH tunneling (port forwarding) creates an encrypted SSH connection through which traffic for other services can be relayed. It is useful for securing unencrypted protocols such as VNC or FTP, accessing geo-restricted services, or bypassing intermediate firewalls.
There are three types of SSH port forwarding:
Local Port Forwarding
Local port forwarding forwards a connection from the client host through the SSH server to a destination host and port. Pass the -L option to create a local forward:
ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION_HOST:DESTINATION_PORT -N -f username@hostnameRemote Port Forwarding
Remote port forwarding forwards a port from the server host back to the client host. Pass the -R option:
ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT -N -f username@hostnameDynamic Port Forwarding
Dynamic port forwarding creates a SOCKS proxy server
that allows communication across a range of ports. Pass the -D option:
ssh -D [LOCAL_IP:]LOCAL_PORT -N -f username@hostnameThe -f option tells ssh to run in the background and -N tells it not to execute a remote command.
For detailed step-by-step instructions, see How to Set Up SSH Tunneling (Port Forwarding) .
Troubleshooting
Connection refused
The SSH server is not running on the remote host, or the SSH port is blocked by a firewall. Verify the server is running (sudo systemctl status ssh or sudo systemctl status sshd) and that the port is open.
Host key verification failed
The remote host’s key has changed since you last connected, which may indicate a server rebuild or a man-in-the-middle attack. If you are sure the host is legitimate, remove the old key with:
ssh-keygen -R hostnameThen reconnect to store the new fingerprint.
Permission denied (publickey)
The server does not accept your key. Verify that your public key is in ~/.ssh/authorized_keys on the remote host, that file permissions are correct (chmod 600 ~/.ssh/authorized_keys), and that the correct private key is being used. Run ssh -v for details.
Permission denied (password)
The password is wrong, or the server has password authentication disabled. Check PasswordAuthentication in /etc/ssh/sshd_config on the remote host.
ssh_exchange_identification: read: Connection reset by peer
The SSH server rejected the connection before authentication. This can be caused by MaxStartups or AllowUsers/DenyUsers restrictions in sshd_config.
Connection is slow to establish
Add GSSAPIAuthentication no to your ~/.ssh/config for the affected host to skip Kerberos authentication, which can cause delays when it times out.
Quick Reference
For a printable quick reference, see the SSH cheatsheet .
| Command | Description |
|---|---|
ssh hostname | Connect using current username |
ssh user@hostname | Connect as a specific user |
ssh -p PORT user@hostname | Connect on a non-default port |
ssh -i ~/.ssh/id_ed25519 user@hostname | Connect with a specific key |
ssh user@hostname 'command' | Run a remote command |
ssh -t user@hostname 'sudo command' | Run a command requiring a TTY |
ssh -L 8080:localhost:80 user@hostname | Local port forward |
ssh -R 9090:localhost:3000 user@hostname | Remote port forward |
ssh -D 1080 user@hostname | Dynamic SOCKS proxy |
ssh -v user@hostname | Debug connection |
ssh-keygen -t ed25519 | Generate an Ed25519 key pair |
ssh-copy-id user@hostname | Copy public key to remote host |
FAQ
What is the difference between ssh and scp/sftp?
ssh opens an interactive shell session or runs a single remote command. scp
copies files between hosts over SSH, and sftp
provides an interactive file transfer session. All three use the same SSH protocol and authentication.
Should I use Ed25519 or RSA keys? Use Ed25519 for new keys. It is faster, produces shorter keys, and is considered more secure than RSA. Use RSA only if you need to connect to a legacy system that does not support Ed25519.
How do I keep an SSH session alive?
Add the following to your ~/.ssh/config to send keepalive packets and prevent idle disconnection:
Host *
ServerAliveInterval 60
ServerAliveCountMax 3How do I run ssh without typing a password every time?
Use public key authentication and copy your public key to the server with ssh-copy-id. See How to Set Up Passwordless SSH Login
for a step-by-step guide.
Conclusion
The ssh command is the primary tool for securely connecting to remote Linux servers. Use key-based authentication with Ed25519 keys for security, the SSH config file to manage multiple hosts, and the -v flag when troubleshooting connection issues.
If you have any questions, feel free to leave a comment below.
Tags
Linuxize Weekly Newsletter
A quick weekly roundup of new tutorials, news, and tips.
About the authors
Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.
View author page