SSH Cheat Sheet: Tunnels, Keys, and Config 2026

SSH cheat sheet with key generation, config file, tunneling, ProxyJump, agent forwarding, and hardening. Every command for secure remote access.

Luca Berton
· 1 min read

A quick reference for SSH: secure remote access and tunneling. Bookmark this page.

Connecting

# Basic connection
ssh user@hostname
ssh -p 2222 user@hostname     # Custom port
ssh -i ~/.ssh/mykey user@host # Specific key

# Verbose (debugging)
ssh -v user@hostname
ssh -vvv user@hostname        # Maximum verbosity

Key Management

# Generate key pair
ssh-keygen -t ed25519 -C "email@example.com"
ssh-keygen -t rsa -b 4096 -C "email@example.com"

# Copy public key to server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/mykey.pub user@hostname

# Add key to agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
ssh-add -l                    # List keys in agent

SSH Config (~/.ssh/config)

Host dev
    HostName 10.0.0.5
    User deploy
    Port 2222
    IdentityFile ~/.ssh/dev_key

Host prod-*
    User admin
    IdentityFile ~/.ssh/prod_key
    ProxyJump bastion

Host bastion
    HostName bastion.example.com
    User jumpuser

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    AddKeysToAgent yes

# Now just type:
ssh dev
ssh prod-web1

Port Forwarding (Tunnels)

# Local port forward (access remote service locally)
ssh -L 8080:localhost:80 user@remote
ssh -L 5432:db.internal:5432 user@bastion
# Now: localhost:8080 → remote:80
# Now: localhost:5432 → db.internal:5432

# Remote port forward (expose local service remotely)
ssh -R 8080:localhost:3000 user@remote
# Now: remote:8080 → localhost:3000

# Dynamic SOCKS proxy
ssh -D 1080 user@remote
# Configure browser to use SOCKS5 proxy localhost:1080

# Tunnel in background
ssh -fNL 5432:db.internal:5432 user@bastion

File Transfer

# SCP
scp file.txt user@host:/remote/path/
scp user@host:/remote/file.txt ./local/
scp -r directory/ user@host:/remote/path/

# rsync (preferred for large transfers)
rsync -avz --progress local/ user@host:/remote/path/
rsync -avz --delete local/ user@host:/remote/path/  # Mirror

Security Hardening

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy admin
# OpenSSH 7.4 and later support only protocol 2, so this line is redundant there
Protocol 2
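
An added example (not from the original page): a POSIX shell check of an sshd_config file against the values above. sshd uses the first value it reads for each keyword, so a hardened line lower in the file can be silently overridden. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd_config text against the hardening values above.
# sshd keeps the FIRST value it reads for a keyword, so an earlier line wins.

# effective_value FILE KEYWORD: print the first global value set for KEYWORD.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # Match blocks are conditional overrides
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one FAIL line per deviation; exit status 1 if any.
# Assumption: a keyword left unset is reported too (the page sets each explicitly).
audit_sshd() {
    rc=0
    for want in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${want%%=*}; exp=${want#*=}
        got=$(effective_value "$1" "$key" | tr '[:upper:]' '[:lower:]')
        [ "$got" = "$exp" ] || { echo "FAIL $key: got '${got:-unset}', want '$exp'"; rc=1; }
    done
    tries=$(effective_value "$1" MaxAuthTries)
    case $tries in
        ''|*[!0-9]*) echo "FAIL MaxAuthTries: got '${tries:-unset}', want <= 3"; rc=1 ;;
        *) [ "$tries" -le 3 ] || { echo "FAIL MaxAuthTries: got '$tries', want <= 3"; rc=1; } ;;
    esac
    [ -n "$(effective_value "$1" AllowUsers)" ] || { echo "FAIL AllowUsers: unset"; rc=1; }
    return "$rc"
}

# Constructed sample: looks hardened further down, but an earlier line wins.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's config
passwordauthentication yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy admin
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_sshd "$sample" || echo "config deviates from the baseline"  # FAIL PasswordAuthentication: got 'yes', want 'no'
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration after includes and defaults are resolved, which is the authoritative input for a check like this.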

Tips and Tricks

  • Use ~/.ssh/config to avoid typing long commands
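  • Use ssh-agent forwarding (-A) carefully: it exposes your keys on the remote host (anyone who can reach the forwarded agent socket there can authenticate with them while you are connected)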
  • Use ProxyJump (not ProxyCommand) for bastion/jump hosts
  • Use ControlMaster and ControlPath for connection multiplexing (faster subsequent connections)
  • Use mosh for unreliable connections (survives network changes)
