How To Use Ssh In Linux

How To Use Ssh In Linux

Reading time1 min
#Linux#Security#SSH#RemoteAccess#SSHConfig#KeyManagement

Mastering SSH in Linux: Secure Access and Efficient Remote Administration

SSH is standard equipment for anyone responsible for a Linux fleet. Still, a surprising number of workflows are stuck in a rut: password auth, default config, no key isolation, minimal tunneling. So, how does an engineer actually use SSH to work fast and secure in production?

1. SSH Key Management and Isolation

Password authentication is obsolete.
A brute-force SSH attack can fill your syslog within minutes after exposing port 22:

Jun 10 13:01:22 host sshd[28129]: Failed password for root from 61.175.198.91 port 38243 ssh2

Eliminate this risk by switching to key-only authentication. For new projects, generate ed25519 keys (faster, smaller, and not affected by recent RSA/DSA algorithm weaknesses):

ssh-keygen -t ed25519 -a 100 -C "engineer@corp.example"
  • -a 100 boosts key derivation rounds (slow brute-force attempts on passphrases).
  • Use unique keys per machine or context: id_ed25519_prod, id_ed25519_dev.

Maintain a strict mapping with ~/.ssh/config:

Host db-prod
    HostName 10.42.11.17
    User svc_deploy
    IdentityFile ~/.ssh/id_ed25519_prod

Host git-lab
    HostName git.corp.internal
    User devops
    IdentityFile ~/.ssh/id_ed25519_git

Forgetting to map keys can generate errors like:

Permission denied (publickey).

Non-obvious tip: Use ssh-add -t 1h ~/.ssh/id_ed25519_prod to cache your key for one hour—enough to work, low risk if a session is hijacked.

Side note: Never copy private keys between devices. Instead, provision separate keys and rotate regularly. If compromised, restrict with authorized_keys options (from=, command=, no-agent-forwarding).

2. Secure Tunneling: not just admin folklore

Say production MySQL (mysqld 8.0.33) is only bound to localhost on a server at 10.42.11.17. No change to firewall needed:

ssh -L 3306:localhost:3306 svc_deploy@10.42.11.17

This makes localhost:3306 on your workstation a direct, encrypted bridge.

Obvious enough, but local forwarding is also effective for ephemeral tooling access—Grafana, Prometheus, or internal CI dashboards—without opening vendor VPNs.

Remote forwarding example: Reverse access to a local dev service:

ssh -R 9000:localhost:8080 dev@cicd-bastion.example.com

Now cicd-bastion:9000 points to your localhost:8080.

For browser-wide proxying:

ssh -D 9050 alice@proxy-hub.corp

Configure browser SOCKS proxy to localhost:9050. Works with Chrome/Firefox.
Gotcha: DNS requests may still leak unless proxied too (ProxyDNS in Firefox).

3. Server-Side Hardening: Raising the Bar

Prioritize the following parameters in /etc/ssh/sshd_config (tested on OpenSSH_8.9p1):

  • Disable password logins:

    PasswordAuthentication no

  • Disable root SSH direct access:

    PermitRootLogin prohibit-password

    (Consider no for rootless deployments, but may complicate single-user recovery.)

  • Restrict incoming SSH:

    AllowUsers svc_deploy@example.com admin

  • Optional: move off port 22. Not real security, but dodges automated scans:

    Port 2222

After changes:

sudo systemctl reload sshd
# or (older systems)
sudo service ssh restart

Known issue: Always maintain a backup session or console access before locking yourself out.

4. Multiplexing & Jump Hosts: Streamlining Distributed Access

Pain point: SSH handshake latency across unreliable corporate WAN.

SSH multiplexing lets you reuse an encrypted connection; massive QoL upgrade if scripting or using tools like Ansible:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/mux-%r@%h:%p
    ControlPersist 15m
  • Create ~/.ssh/ directory for sockets: 
    mkdir -p ~/.ssh/
  • Control sockets can get orphaned—cleanup with ssh -O exit host.

ProxyJump:
Access isolated servers via bastion:

ssh -J jump.corp.net:2222 db-prod

Or, specify in config:

Host db-secure
    HostName 172.20.21.98
    User svc_deploy
    ProxyJump jump.corp.net

Practical detail: Stacking multiple jump hosts works (-J a,b,c), but increases troubleshooting complexity if a chain node fails.

5. Practical Issues and Edge Cases

  • Key Rotation: For CI/CD, never use unencrypted deploy keys; prefer ephemeral agents or short TTL tokens (e.g., HashiCorp Vault-supported SSH).
  • Audit Trails: Enable LogLevel VERBOSE in sshd for tagging auth attempts with key fingerprints.
  • Agent Forwarding: Use sparingly—possible attack vector if a remote is compromised.

ASCII Diagram — Typical SSH Jump:

[Your Workstation] --SSH--> [Bastion] --SSH--> [Prod DB]
        |                     |               |
    key: id_ed25519       key: id_rsa     key: id_ed25519_prod

Summary

SSH evolves with your environment. Solid key management, smart forwarding, zero-tolerance hardening, and workflow optimizations like multiplexing or ProxyJump are all table stakes for modern Linux operations. Engineers using SSH as a simple remote shell tool are missing critical efficiency and security gains.

There are advanced patterns not covered here: certificate authorities (OpenSSH CA), agent-restriction wrappers, or integration with modern fleet managers. Each environment warrants its own trade-offs. As always, test on non-critical systems before wide rollout.

Questions about specialized SSH patterns or hard-to-debug edge cases? Leave details. Avoid broad hypotheticals for best responses.

Related Articles

How To Use Ssh In Linux

Mastering SSH in Linux: Secure, Efficient Remote Access Beyond Basics

1 min

How To Ssh From Linux

Mastering SSH from Linux: Beyond Basic Connections to Advanced Secure Practices

1 min

How To Ssh On Linux

No description

1 min
← Back to Blog