SSH Basics Cheat Sheet

SSH key management, ~/.ssh/config setup, port forwarding, reverse tunneling, SSH agent, and hardening best practices for secure remote access.

Last Updated: May 1, 2025

SSH Key Management

ssh-keygen -t ed25519 -C 'email'
Generate Ed25519 key (modern, recommended)
ssh-keygen -t rsa -b 4096 -C 'email'
Generate 4096-bit RSA key (compatibility)
ssh-copy-id user@host
Copy public key to remote server
ssh-keygen -p -f ~/.ssh/id_ed25519
Change key passphrase
ssh-keygen -l -f ~/.ssh/id_ed25519.pub
Show key fingerprint
ssh-keygen -R hostname
Remove host's old key from known_hosts (clears the "host key changed" warning)
ssh-add ~/.ssh/id_ed25519
Add key to SSH agent (unlock once per session)
ssh-add -l
List keys currently loaded in agent
ssh-add -d ~/.ssh/id_ed25519
Remove key from agent

SSH Config File (~/.ssh/config)

Item                            Description
Host myserver                   Alias or pattern for this config block
HostName 192.168.1.100          Actual hostname or IP
User deploy                     Username for SSH connection
Port 2222                       Custom port (if not default 22)
IdentityFile ~/.ssh/deploy_key  Specific private key for this host
ForwardAgent yes                Forward local SSH agent to remote (use cautiously)
ProxyJump bastion-host          Connect through a jump/bastion host
ServerAliveInterval 60          Keep connection alive (send keepalive every 60s)
Compression yes                 Enable compression for slow connections

Port Forwarding & Tunneling

ssh -L 8080:localhost:80 host
Local forward: localhost:8080 → host:80
ssh -L 3306:db.internal:3306 bastion
Access private DB through bastion
ssh -R 9090:localhost:3000 host
Remote forward: host:9090 → your local machine's port 3000
ssh -D 1080 host
Dynamic SOCKS proxy on localhost:1080
ssh -N -f -L 8080:localhost:80 host
Background tunnel (-N no command, -f background)
ssh -J jump target
ProxyJump shortcut — connect through jump host

SSH Hardening

Item                   Description
Disable root login     PermitRootLogin no in /etc/ssh/sshd_config
Disable password auth  PasswordAuthentication no (keys only!)
Change default port    Port 2222 (reduces automated attack noise)
Use fail2ban           Ban IPs after repeated failed SSH attempts
Limit users            AllowUsers deploy@192.168.1.0/24
Use Ed25519 keys       Faster, smaller, and more secure than RSA

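
An added example (not part of the original cheat sheet) that checks a config file against the PermitRootLogin, PasswordAuthentication and AllowUsers rows of the hardening table. The function names and the sample file are constructed for illustration; it reads only the global section of one file and does not follow Include directives.

```shell
#!/bin/sh
# Added example: audit the global part of an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# case-insensitively, so "grep 'PermitRootLogin no'" can report a false pass.

# effective_value FILE KEYWORD DEFAULT: print the first global value or DEFAULT
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # comment line
        { sub(/=/, " ") }                        # tolerate Keyword=value
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: print one line per weak setting, return the number found
audit_sshd() {
    n=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    allow=$(effective_value "$1" AllowUsers "")
    [ "$root" = no ] || { echo "WEAK PermitRootLogin=$root"; n=$((n + 1)); }
    [ "$pass" = no ] || { echo "WEAK PasswordAuthentication=$pass"; n=$((n + 1)); }
    [ -n "$allow" ] || { echo "WEAK AllowUsers not set globally"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the later "PermitRootLogin no" is ignored by sshd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication=no
Match Address 192.168.1.0/24
    AllowUsers deploy
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative check.
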
Pro Tip: Use `ssh -J bastion-host internal-host` for jump host proxying. Put all your hosts in ~/.ssh/config — it saves enormous typing and mistakes.