SSH is not really a door key. It’s more like a multi-tool: you can use it for a remote shell, secure copy, identity management, jump hosts, and tunnelling. SSH is introduced as the thing you use to log into a machine, and then it quietly turns into background plumbing. What is really happening when you are SSH'ing: What is really happening when you are SSH'ing: A secure handshake between you and the serverAn encrypted pipeline for an interactive shell. A secure handshake between you and the server An encrypted pipeline for an interactive shell. Point 2 is what makes SSH special. Once the encryption pipe exists, one can send shells, files, ports, and even other SSH connections through it. SSH Keys SSH Keys Passwords work, and SSH supports them, but they aren’t very safe in practice. Keys solve two problems: • They’re hard to guess. • They let you authenticate without sending reusable secrets across the network. The workflow most people want: Generate a key.Put the public key on the server.Let your machine remember the private key securely. Generate a key. Put the public key on the server. Let your machine remember the private key securely. How to generate a modern key How to generate a modern key ssh-keygen -t ed25519 -C "your_email@example.com" ssh-keygen -t ed25519 -C "your_email@example.com" The above bash will give you two keys: Private key (~/.ssh/id_ed25519): This needs to be secured.Public Key (~/.ssh/id_ed25519.pub): This is safe to share. Private key (~/.ssh/id_ed25519): This needs to be secured. Public Key (~/.ssh/id_ed25519.pub): This is safe to share. Configure SSH config file: Configure SSH config file: Put your defaults in ~/.ssh/config: ~/.ssh/config Host prod
  HostName 203.0.113.10
  User ubuntu
  IdentityFile ~/.ssh/id_ed25519
  ServerAliveInterval 30
  ServerAliveCountMax 3 Host prod
  HostName 203.0.113.10
  User ubuntu
  IdentityFile ~/.ssh/id_ed25519
  ServerAliveInterval 30
  ServerAliveCountMax 3 This works like a charm: This works like a charm: ssh prod ssh prod SSH portforwarding SSH portforwarding Port forwarding is where SSH stops being “remote login” and starts being “secure logging.” Say your database is only accessible from inside a private network. You can create a tunnel: ssh -L 5432:db.internal:5432 user@bastion ssh -L 5432:db.internal:5432 user@bastion Now your local machine can connect to localhost:5432, while SSH quietly carries the traffic to db.internal:5432 through the bastion host. localhost:5432 db.internal:5432 This is how employee access is handled: no opening database ports to the internet, no “temporary” firewall exceptions, and no copy-pasting credentials into random tools that shouldn’t have them. Remote forwarding: expose your local service to a remote machine Useful when you need a remote server to call something running on your laptop: ssh -R 8080:localhost:8080 user@server ssh -R 8080:localhost:8080 user@server Now server:8080 forwards to your local machine’s port 8080. server:8080 Dynamic forwarding: SOCKS proxy ssh -D 1080 user@server ssh -D 1080 user@server Point your browser (or tool) at a SOCKS proxy on localhost:1080 and route traffic through the encrypted SSH connection. localhost:1080 This is not a replacement for a real VPN in enterprise environments, but it’s incredibly handy for debugging or reaching internal services in a controlled way. Jump hosts without the pain If production is only reachable through a bastion (as it should be), use ProxyJump: ProxyJump Host bastion
  HostName bastion.example.com
  User ubuntu

Host prod
  HostName prod.internal
  User ubuntu
  ProxyJump bastion Host bastion
  HostName bastion.example.com
  User ubuntu

Host prod
  HostName prod.internal
  User ubuntu
  ProxyJump bastion Now: ssh prod ssh prod SSH handles the hop automatically, and your terminal doesn’t turn into a nested Russian doll of sessions. SSH Handshakes If you run lots of SSH commands in a row (deploy scripts, automation, repetitive admin tasks), enable connection sharing: Host *
  ControlMaster auto
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlPersist 10m Host *
  ControlMaster auto
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlPersist 10m This lets multiple SSH invocations reuse one underlying connection. Result: noticeably faster workflows, especially when latency is non-trivial. SSH isn't just a command. It can establish trust, encrypt the channel and use the channel for everything you can.

Walkthroughs, tutorials, guides, and tips. This story will teach you how to do something new or how to do something better.

This story contains AI-generated text. The author has used AI either for research, to generate outlines, or write the text itself. 

SSH Explained: Keys, Tunnels, Jump Hosts, and Why They Matter

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

How I Merged and Validated Two JSON Files in Go

Bridging Cybersecurity and Critical Infrastructure: Vinay Adavi’s Breakthroughs

The Noonification: The Sun Snarers (11/1/2022)

100 Days of Code: Death of Summer on the Island of NixOS

10+ Things I Love About Linux

10 Basic Tips on Working Fast in UNIX or Linux Terminal

How I Merged and Validated Two JSON Files in Go

Bridging Cybersecurity and Critical Infrastructure: Vinay Adavi’s Breakthroughs

The Noonification: The Sun Snarers (11/1/2022)

100 Days of Code: Death of Summer on the Island of NixOS

10+ Things I Love About Linux

10 Basic Tips on Working Fast in UNIX or Linux Terminal

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps