User Tools

Site Tools


Table of Contents



  • generate a SSH key:1) ssh-keygen -t rsa -b 4096 -C "user@domain"
  • change the private key passphrase: ssh-keygen -p -f ~/.ssh/id_rsa
  • show (own) SSH public key fingerprint: ssh-keygen -l
  • list public key(s) of specific known host/server: ssh-keygen -F <host> -l
  • remove key of host/server from known_hosts file: ssh-keygen -f ~/.ssh/known_hosts -R <host>
  • show certificate information directly from server/host: ssh-keyscan <host>
  • X11 forwarding: ssh -x user@domain
On a SSH server you should add this firewall rule (for example using the Uncomplicated Firewall):
sudo ufw allow proto tcp from to any port 22


  • ~/.ssh/config: client configuration (possibly different from server to server, see Linux manual page ssh_config(5))
  • ~/.ssh/known_hosts: known host(s) public key fingerprint (SSH will never ask you again, to accept the associated public key when SSL/TLS is running)
  • ~/.ssh/ RSA public key
  • ~/.ssh/ DSA public key2)
  • ~/.ssh/ ECDSA public key
  • ~/.ssh/ (Bernstein) Curve ed25519 public key
  • ~/.ssh/id_rsa: RSA private key


See below for a ~/.ssh/config example, which uses client keep-alive and connection multiplexing (for a particular host).

Host <name>
    HostName <host>
    IdentityFile ~/.ssh/id_rsa
    User <user>
    EscapeChar none
# multiplexing
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 3h
# keep-alive
    TCPKeepAlive yes
    ServerAliveInterval 15
    ServerAliveCountMax 4
This can be performed with seahorse too.
DSA is deprecated.
linux/utilities/ssh.txt · Last modified: 2021/05/27 12:36 by Ralf Hoppe