# Enable SSH sudo systemsetup -f -setremotelogin on # Disable SSH sudo systemsetup -f -setremotelogin off # Check if SSH is enabled/disabled sudo systemsetup -getremotelogin
Generating an SSH key on your computer
# Specifying bits of entropy is optional ssh-keygen -b 4096
Removing a comment from an SSH key
ssh-keygen -c -C '' -f ~/.ssh/id_rsa
Converting a private GPG authorization secret RSA subkey (RFC 4880 compliant) to a PEM-encoded private SSH PKCS #1 v2.2 authorization key (RFC 8017 compliant)
gpg --export-secret-subkeys <auth_key_id>! | openpgp2ssh <auth_key_id> > ~/.ssh/id_rsa
Once you have that key, you ought to convert it into make a bunch of different types
Making a PKCS #1 v2.2 private key (RFC 8017)
cp ~/.ssh/id_rsa ~/.ssh/id_pkcs1 ssh-keygen -p -m pem -f ~/.ssh/id_pkcs1 head !$ # -----BEGIN RSA PRIVATE KEY----- #
Making a PKCS #8 private key (RFC 5958)
cp ~/.ssh/id_rsa ~/.ssh/id_pkcs8 ssh-keygen -p -m pem -f ~/.ssh/id_pkcs8 head !$ # -----BEGIN PRIVATE KEY----- #
Making an SSH v2 private key (RFC 4716)
cp ~/.ssh/id_rsa ~/.ssh/id_ssh ssh-keygen -p -m rfc4716 ~/.ssh/id_ssh head !$ # -----BEGIN OPENSSH PRIVATE KEY----- #
Public Key Conversions
Obtaining the public key corresponding with an RSA private key
# Note: this key format is supported by the SSH server # running on macOS, Linux, and Windows ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
Making an SSH2 public key (RFC 4716)
# Note: this key format is rarely used in practice ssh-keygen -y -m rfc4716 -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
View the ASCII randomart of an SSH key
ssh-keygen -lv -f ~/.ssh/id_rsa
ssh keys to someone else's computer
There are two ways for you to have your ssh key added to another person's computer. Say you are the user
tommy and you want
tina to give you permission to enter her computer without a password.
# Option one: from tommy's computer ssh-copy-id email@example.com # Option two: from tina's computer curl https://github.com/tommy.keys >> ~/.ssh/authorized_keys
ssh to log into a known user
-lflag specifies the user to log in as on the remote server.
Signing into remote.net as the user
# using @ ssh firstname.lastname@example.org # using -l ssh -l tommy -p 22 remote.net # using a URI ssh ssh://email@example.com:22
Opening applications on remote computer
You can use the
DISPLAY=0.0 command to tell your
ssh session to open the application on the remote computer. You won't be able to see the app being opened, but it will launch on the remote computer.
Opening a single application
DISPLAY=:0.0 open -a Safari
export DISPLAY=:0.0 open -a Safari open -a Mail
Seeing if anyone is logged into your computer
# shows the IP address of all local/remote users (including you!) who # (prints just your active session) who am i # (kills the session associated with ttys001) pkill ttys001
Transferring clipboard content from local machine to remote machine
# local machine -> remote machine pbpaste | ssh firstname.lastname@example.org pbcopy
I wrote a program called
$ myip which will tell you your current public and private IP address. If you'd like to use it, copy the script below into your terminal.
# Method 1 brew tap austintraver/taps brew install myip # Method 2 brew install austintraver/taps/myip
Now, you can type
myip on your terminal, and it will print your current public & private IP address.
When you combine an IP address and a port number, the pair is known as a socket. An example of a local socket is
127.0.0.1:1234. An example of a remote socket is
In order for a connection attempt to a socket to succeed, something must be "listening" on that socket.
The port that a SSH server listens with in order to accept incoming connections is known as the target port.
The port that a SSH client listens with to receive information from the SSH server is known as the source port.
Therefore, the source socket or client socket is the combination of the client's IP address and the source port. The target socket or remote socket is the combination of the server's IP address and the target port
Multiple clients can connect using the same target socket.
Tunneling, also known as "port forwarding" reroutes a connection to pass through a
ssh uses the
TCP/IP protocol on port 22 as a transport mechanism. It's useful not only for forwarding
ssh data, but also for encrypting data passed through
A bastion refers to a small computer, hosted remotely, that works as a jump box to help you reach the computer that has initiated a "reverse tunnel" or "inbound port forwarding" to that bastion.
Configuring your SSH Client
Configuring your SSH Server
The config file for a computer's SSH server (used to handle incoming SSH connections) is located at
If you open up this file (use sudo) you'll notice that most of the settings are commented out. If a setting is commented out, that means that it's a default setting. If you uncomment it, nothing would change, so don't go nuts uncommenting files. It's useful to leave the comments. That way, when a preference is not commented out, you know it's a setting you've manually reconfigured.
Enabling/Disabling Access to Users
If you're having trouble connecting to a user on a server, modify the
AllowUsers setting in
sshd_config. To configure remote users login permissions for local users
billy, add this line to the super user's
AllowUsers tommy tina DenyUsers billy
You can also allow login functionality to all users within a certain group by modifying the
AllowGroups setting. To configure login permission for all users in the
bruin groups, add this line to the super user's
AllowGroups trojans DenyGroups bruins
Accepting remote connections
You'll have to edit the
sshd_config file to support incoming connections from a remote user.
Go into the bastion, and add/change the line in
/etc/ssh/sshd_config that says
#GatewayPorts no to
Then, on your local machine (not the bastion) give your computer the following instructions:
Build reverse tunnel, allowing users to enter your computer if they first jump through the bastion host
# When connections are made to # user: "jump" # port: 1337 # ip: 126.96.36.199 ssh -fNR 1337:127.0.0.1:22 email@example.com # ...forward it to my local machine (127.0.0.1), on port 22
Make an SSH connection, jumping from bastion host port 22, to bastion host port 1337 (which forwards to the remote machine)
# Connect to the machine that opened the connection ssh -J firstname.lastname@example.org ssh://email@example.com:1337
Restarting the SSH Server
sudo launchctl kickstart -kp system/com.openssh.sshd
sudo service ssh restart
Running Local Machine Commands
You don't have to exit the session if you forgot to send over a file, or need to run a local command. Simply press ~, followed by C and you will be given a prompt on your local machine.
ssh> !scp ~/Desktop/forgot.txt firstname.lastname@example.org:~/Desktop
If you want to change
~ to be a different key, you can change it in the file
Host * EscapeChar C
Now, you could type "⏎ C C !" to open up the
>ssh prompt and issue commands on your local machine
The Secure Copy Protocol or SCP is designed to make sending and receiving files from the terminal as secure as possible. You can use the
scp program in the terminal to send and receive files as follows:
Upload local file FILE to user
johnon the host listening at
scp ./path/to/FILE email@example.com:~/path/to/FILE
Download remote file FILE from user
172.20.10.7to our Desktop
scp firstname.lastname@example.org:~/path/to/FILE ~/Documents/FILE
# Option 1: Specifying the path relative to the user's home directory vi scp://email@example.com:22/Desktop/file.txt # Option 2: Specifying the absolute path vi scp://firstname.lastname@example.org:22//home/jump/Desktop/file.txt
If you have a jupyter notebook running on port 8888 of your computer, you could allow users on your network to view your notebook in their web browsers when they typed in your hostname.
ssh -fNR 0.0.0.0:80:127.0.0.1:8888 email@example.com
If you're in a pinch and you need a VPN, but all you have to work with is a server, you can still get most of the advantages of feigning your location by using a SOCKS5 proxy. On macOS, the commands are as follows:
ssh -fN -D 127.0.0.1:6789 firstname.lastname@example.org sudo networksetup -setsocksfirewallproxy Wi-Fi 127.0.0.1 6789 sudo networksetup -setsocksfirewallproxystate Wi-Fi on
If your SSH key has a password, you can cache the password for the SSH key in your macOS keychain, which saves you the trouble of typing it out every single time.
Store the passphrase for the SSH key
ssh-add -K ~/.ssh/id_rsa
SSH with VirtualBox
Credit goals to Prof. Marco Paolieri, the man who taught me computer systems, and how to SSH into a headless virtual machine
Configure the virtual machine VM_NAME to listen on PORT for SSH connections and forward them to port 22 on the virtual machine
VBoxManage modifyvm VM_NAME --natpf1 'ssh,tcp,,PORT,,22'
Launch the virtual machine in headless mode
# To leave the session in the foreground, omit the '&' VBoxHeadless -s VM_NAME &
Access the host via SSH (note: you may have to wait a few seconds for the machine to boot up)
Shutting down the virtual machine safely
sudo shutdown now
Supposedly this enables caching of HTTPS credentials when working with remote git repositories
git config --global credential.helper cache
If you're trying to
use Visual Studio Code through SSH
and you're not having any luck, try adding the following configuration to the
settings.json configuration file.