Simple howtos

This collection of mini howtos is a dynamic copy of the Unix Toolbox. This page extracts the XML content directly from the original XHTML DOM and displays only the requested node. Source code here (use "save as").
Unix Toolbox revision 14.4
Copyright (c) 2007-2012 Colin Barschel. Some rights reserved under Creative Commons [Attribution - Share Alike]
File System
VPN with SSH
Encrypt Files
Encrypt Partitions
SSL Certificates
Useful Commands
Install Software
Convert Media
Disk Quota
Online Help


Public key | Fingerprint | SCP | Tunneling

See other tricks 25 ssh cmd

Public key authentication

Connect to a host without password using public key authentication. The idea is to append your public key to the authorized_keys2 file on the remote host. For this example let's connect host-client to host-server, the key is generated on the client. With cygwin you might have to create your home directoy and the .ssh directory with # mkdir -p /home/USER/.ssh
# ssh-keygen -t dsa -N ''
# cat ~/.ssh/ | ssh you@host-server "cat - >> ~/.ssh/authorized_keys2"

Using the Windows client from

The non commercial version of the client can be downloaded the main ftp site: Keys generated by the client need to be converted for the OpenSSH server. This can be done with the ssh-keygen command. Notice: We used a DSA key, RSA is also possible. The key is not protected by a password.

Using putty for Windows

Putty is a simple and free ssh client for Windows.

Check fingerprint

At the first login, ssh will ask if the unknown host with the fingerprint has to be stored in the known hosts. To avoid a man-in-the-middle attack the administrator of the server can send you the server fingerprint which is then compared on the first login. Use ssh-keygen -l to get the fingerprint (on the server):
# ssh-keygen -l -f /etc/ssh/      # For RSA key
2048 61:33:be:9b:ae:6c:36:31:fd:83:98:b7:99:2d:9f:cd /etc/ssh/
# ssh-keygen -l -f /etc/ssh/      # For DSA key (default)
2048 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee /etc/ssh/
Now the client connecting to this server can verify that he is connecting to the right server:
# ssh linda
The authenticity of host 'linda (' can't be established.
DSA key fingerprint is 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee.
Are you sure you want to continue connecting (yes/no)? yes

Secure file transfer

Some simple commands:
# scp file.txt host-two:/tmp
# scp joe@host-two:/www/*.html /www/tmp
# scp -r joe@host-two:/www /www/tmp
In Konqueror or Midnight Commander it is possible to access a remote file system with the address fish://user@gate. However the implementation is very slow.
Furthermore it is possible to mount a remote folder with sshfs a file system client based on SCP. See fuse sshfs
ssh_exchange_identification: Connection closed by remote host
With this error try the following on the server:
echo 'SSHD: ALL' >> /etc/hosts.allow
/etc/init.d/sshd restart


SSH tunneling allows to forward or reverse forward a port over the SSH connection, thus securing the traffic and accessing ports which would otherwise be blocked. This only works with TCP. The general nomenclature for forward and reverse is (see also ssh and NAT example):
# ssh -L localport:desthost:destport user@gate  # desthost as seen from the gate
# ssh -R destport:desthost:localport user@gate  # forwards your localport to destination
    # desthost:localport as seen from the client initiating the tunnel
# ssh -X user@gate   # To force X forwarding
This will connect to gate and forward the local port to the host desthost:destport. Note desthost is the destination host as seen by the gate, so if the connection is to the gate, then desthost is localhost. More than one port forward is possible.

Direct forward on the gate

Let say we want to access the CVS (port 2401) and http (port 80) which are running on the gate. This is the simplest example, desthost is thus localhost, and we use the port 8080 locally instead of 80 so we don't need to be root. Once the ssh session is open, both services are accessible on the local ports.
# ssh -L 2401:localhost:2401 -L 8080:localhost:80 user@gate

Netbios and remote desktop forward to a second server

Let say a Windows smb server is behind the gate and is not running ssh. We need access to the smb share and also remote desktop to the server.
# ssh -L 139:smbserver:139 -L 3388:smbserver:3389 user@gate
The smb share can now be accessed with \\\, but only if the local share is disabled, because the local share is listening on port 139.
It is possible to keep the local share enabled, for this we need to create a new virtual device with a new IP address for the tunnel, the smb share will be connected over this address. Furthermore the local RDP is already listening on 3389, so we choose 3388. For this example let's use a virtual IP of
Now create the loopback interface with IP I HAD to reboot for this to work. Now connect to the smb share with \\ and remote desktop to


If it is not working:

Connect two clients behind NAT

Suppose two clients are behind a NAT gateway and client cliadmin has to connect to client cliuser (the destination), both can login to the gate with ssh and are running Linux with sshd. You don't need root access anywhere as long as the ports on gate are above 1024. We use 2022 on gate. Also since the gate is used locally, the option GatewayPorts is not necessary.
On client cliuser (from destination to gate):
# ssh -R 2022:localhost:22 user@gate            # forwards client 22 to gate:2022
On client cliadmin (from host to gate):
# ssh -L 3022:localhost:2022 admin@gate         # forwards client 3022 to gate:2022
Now the admin can connect directly to the client cliuser with:
# ssh -p 3022 admin@localhost                   # local:3022 -> gate:2022 -> client:22

Connect to VNC behind NAT

Suppose a Windows client with VNC listening on port 5900 has to be accessed from behind NAT. On client cliwin to gate:
# ssh -R 15900:localhost:5900 user@gate
On client cliadmin (from host to gate):
# ssh -L 5900:localhost:15900 admin@gate
Now the admin can connect directly to the client VNC with:
# vncconnect -display :0 localhost

Dig a multi-hop ssh tunnel

Suppose you can not reach a server directly with ssh, but only via multiple intermediate hosts (for example because of routing issues). Sometimes it is still necessary to get a direct client - server connection, for example to copy files with scp, or forward other ports like smb or vnc. One way to do this is to chain tunnels together to forward a port to the server along the hops. This "carrier" port only reaches its final destination on the last connection to the server.
Suppose we want to forward the ssh port from a client to a server over two hops. Once the tunnel is build, it is possible to connect to the server directly from the client (and also add an other port forward).

Create tunnel in one shell

client -> host1 -> host2 -> server and dig tunnel 5678
client># ssh -L5678:localhost:5678 host1        # 5678 is an arbitrary port for the tunnel
host_1># ssh -L5678:localhost:5678 host2        # chain 5678 from host1 to host2
host_2># ssh -L5678:localhost:22 server         # end the tunnel on port 22 on the server

Use tunnel with an other shell

client -> server using tunnel 5678
# ssh -p 5678 localhost                         # connect directly from client to  server
# scp -P 5678 myfile localhost:/tmp/            # or copy a file directly using the tunnel
# rsync -e 'ssh -p 5678' myfile localhost:/tmp/ # or rsync a file directly to the server

Autoconnect and keep alive script

I use variations of the following script to keep a machine reacheable over a reverse ssh tunnel. The connection is automatically rebuilt if closed. You can add multiple -L or -R tunnels on one line.
COMMAND="ssh -N -f -g -R 3022:localhost:22"
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND
exit 0
1 * * * * colin /home/colin/     # crontab entry (here hourly)