Send to Kindle
home » snippets » ssh



File Description
~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user.
~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user.
~/.ssh/id_ecdsa Contains the protocol version 2 ECDSA authentication identity of the user.
~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user.
$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> UNIX-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits.

Environment Variables

Var Description
SSH_AUTH_SOCK A UNIX-domain socket is created and the name of this socket is stored in the SSH_AUTH_SOCK environment variable. The socket is made accessible only to the current user. This method is easily abused by root or another instance of the same user.
SSH_AGENT_PID SSH_AGENT_PID environment variable holds the agent's process ID.


Prefer password login

ssh -o PreferredAuthentications=password machine

Keywords versus command-line options

Any configuration line of the form: Keyword Value can be specified on the command line with -o (use multiple for multiple options) like so: ssh -o "Keyword Value".

For example, the configuration lines:

User sally
Port 220

can be specified as

ssh -o "User sally" -o "Port 220"

SSH1 additionally permits an equals sign between the keyword and the value (so doublequotes are optional with that syntax) – ssh1 -o User=sally -o Port=220


Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with /bin/sh. In the command string, '%h' will be substituted by the host name to connect and '%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to 'none' disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command.

For example, the following directive would connect via an HTTP proxy at

ProxyCommand /usr/bin/nc -X connect -x %h %p

Should you use a nohup in the ProxyCommand?  I've never needed one.  This link shows it solving a problem, but -w 1 to nc is really a timeout like the manpage says so I'm skeptical of that advice.

Another example (thanks to the -W option to ssh - this needs a recent version of OpenSSH)

Host a.b.c.tld
ProxyCommand none

Host *.foo.domain.tld
ProxyCommand ssh my.ssh.gateway.tld -W %h:%p

Extracting the private / public keys from a pem file.

# Extract the private key.
openssl rsa -in key.pem -pubout >

Logging in with a custom private key

ssh -i <IdentityFile> user@host
ssh -i ~/.ssh/id_rsa user@host
ssh -o 'IdentityFile '~/.ssh/id_rsa user@host

# Or use
#     IdentityFile ~/..../id_rsa
# in ~/.ssh/config for specific hosts.

Enabling public key authentication

If you're not able to login with a keypair, maybe sshd doesn't allow it.

To fix, edit /etc/sshd/sshd_config and

Now make sshd reload the config file by sending it a SIGHUP.

sudo kill -HUP $(cat /var/run/

You should now be able to login with a keypair.