SSH Cheatsheet
Keys, agent, config, jump hosts and the three flavors of port forwarding — everything you need to live in remote shells.
Keys & agent
| Command | Purpose |
|---|---|
| ssh-keygen -t ed25519 -C "you@host" | Generate a modern Ed25519 key. Default location ~/.ssh/id_ed25519. |
| ssh-keygen -t rsa -b 4096 -C "you@host" | RSA 4096 — only if you need legacy interoperability. |
| ssh-keygen -p -f ~/.ssh/id_ed25519 | Change passphrase on an existing key. |
| ssh-keygen -y -f ~/.ssh/id_ed25519 > id.pub | Recover the public key from a private key. |
| ssh-keygen -lf ~/.ssh/id_ed25519.pub | Show fingerprint. |
| ssh-copy-id user@host | Append your public key to the remote ~/.ssh/authorized_keys. |
Port forwarding & jump hosts
| Command | Purpose |
|---|---|
| ssh -L 8080:localhost:80 user@host | Local forward: localhost:8080 → host's localhost:80. |
| ssh -L 5432:db.internal:5432 jump | Reach an internal DB through a jump host. |
| ssh -R 9000:localhost:3000 user@host | Remote forward: expose your local :3000 as host's :9000. |
| ssh -D 1080 user@host | Dynamic SOCKS5 proxy on localhost:1080. |
| ssh -J jump1,jump2 user@target | ProxyJump through one or more bastions. |
| ssh -N -f -L ... | -N no command, -f background. Use for long-lived tunnels. |
~/.ssh/config example
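Per-host options live in ~/.ssh/config. Set sane defaults under Host * and override per host. ssh uses the first value it obtains for each option, so an override only takes effect when its Host block appears before Host *; no option is set twice for the same host in the config below, so the order there does not matter.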
```
# ~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    AddKeysToAgent yes
    IdentitiesOnly yes

Host bastion
    HostName bastion.example.com
    User ops
    IdentityFile ~/.ssh/id_ed25519

Host prod-*
    User deploy
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_prod
```
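ssh reads the file top to bottom and keeps the first value it obtains for each option, so with Host * at the top a later per-host value for the same option is ignored. The following is an added example, not part of the original page: a simplified Python model of that rule (no Match or Include, fnmatch-style wildcards) run over a constructed variant of the config above, with a hypothetical ServerAliveInterval 15 on prod-* and a made-up host name prod-web1.

```python
from fnmatch import fnmatchcase

# Constructed sample: the page's layout (Host * first) plus a per-host
# ServerAliveInterval that is meant to override the default.
SAMPLE = """\
Host *
    ServerAliveInterval 60
Host bastion
    HostName bastion.example.com
    User ops
Host prod-*
    User deploy
    ProxyJump bastion
    ServerAliveInterval 15
"""

def parse_blocks(text):
    """Return [(patterns, [(option, value), ...]), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), []))
        elif blocks:  # options before the first Host line are skipped here
            blocks[-1][1].append((key, value))
    return blocks

def host_matches(patterns, host):
    """True if a pattern matches and no negated ('!') pattern does."""
    if any(p.startswith("!") and fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def resolve(blocks, host):
    """Walk blocks top to bottom; the first value seen for an option wins."""
    effective = {}
    for patterns, options in blocks:
        if host_matches(patterns, host):
            for key, value in options:
                effective.setdefault(key, value)
    return effective

def defaults_last(blocks):
    """Same blocks with every 'Host *' block moved to the end."""
    star = [b for b in blocks if b[0] == ["*"]]
    return [b for b in blocks if b[0] != ["*"]] + star
```

On a real machine, `ssh -G prod-web1` prints the options ssh would actually apply to that host, which is the authoritative check.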
FAQ
- Should I use Ed25519 or RSA?
- Ed25519. It's smaller, faster, and just as secure. Use RSA 4096 only when connecting to old systems that don't support Ed25519.
- Why does ssh keep asking for my passphrase?
- Your key isn't loaded into ssh-agent. Run ssh-add ~/.ssh/id_ed25519 once per session, or set AddKeysToAgent yes in ~/.ssh/config so it auto-loads.
- How do I jump through a bastion host?
- Use ProxyJump in ~/.ssh/config: ProxyJump bastion. Then 'ssh target' transparently goes via the bastion. The CLI equivalent is ssh -J bastion target.
- What's the difference between -L and -R port forwarding?
- -L is local forward — opens a port on YOUR machine that tunnels to the remote. -R is reverse — opens a port on the REMOTE that tunnels back to your machine.