Show Contents / Index / Search

ssh Command Line Utility

Syntax: ssh [options] [user@]hostname [host command]

You can use the ssh command line utility to make Secure Shell connections from the Windows command line.

Notes:

  • Reflection also provides an ssh2 utility. Both ssh and ssh2 can be used to establish Secure Shell connections, but some of the options supported by these two utilities are different. The ssh options are based on the OpenSSH Secure Shell implementation with some additional options supported only by the Reflection client. The ssh2 options are compatible with the Reflection for Secure IT UNIX client and the F-Secure client.
  • You can reuse an existing SecureShell connection. However, to do so you must explicitly enable this on each command line, or set the SSHConnectionReUse environment variable to Yes. For details, see Connection Reuse in Secure Shell Sessions.

Options

-A

Enables authentication agent forwarding. This can also be specified on a per-host basis in a configuration file. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host can access the local agent through the forwarded connection. Attackers cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

-a

Disables authentication agent forwarding. (This is the default.)

-b bind_address

Specify the interface to transmit from on machines with multiple interfaces or aliased addresses.

-c cipher_spec

A comma-separated list of ciphers specified in order of preference. The default is "aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour". If the connection is set to run in FIPS mode, the default is "aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc".

Protocol version 1 (which is deprecated and not recommended) allows specification of a single cipher. The supported values are "3des", "blowfish", and "des".

-C

Enables compression of all transmitted data. Compression is desirable on modem lines and other slow connections, but will only slow down response rate on fast networks.

-e escape_character

Sets the escape character for the terminal session. The default character is a tilde (~). Setting the escape character to `none' means that no escape character is available and the tilde acts like any other character. The following escape sequences are available. (Replace the tilde with your designated escape_character.)

~. Terminate the connection.
~R Request rekey (SSH protocol 2 only).
~# List forwarded connections.
~? Display available escape sequences.
~~ Type the escape character twice to send it to the host.

-E provider

Uses the specified provider as the external key provider.

-f

Places the client in the background just before command execution.

-F config_file

Specifies an alternate configuration file to use for this connection. If a configuration file is given on the command line, other configuration files are ignored.

-g

Enables gateway ports. Remote hosts are allowed to connect to local forwarded ports.

-h

Displays a summary of command line options.

-H scheme

Specifies which SSH configuration scheme to use for this connection.

-i key_file

Specifies a private key to use for key authentication. Key files can also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple keys specified in a configuration file). Use quotation marks if the file or path includes spaces.

-k directory

Specifies an alternate location for the config, host key, and user key files.

-l login_name

Specifies a name to use for login on the remote computer.This can also be specified in the configuration file.

-L localport:remotehost:hostport

Redirects data from the specified local port, through the secure tunnel to the specified destination host and port. For more information, see Local Port Forwarding. Port forwardings can also be specified in the configuration file. You cannot forward privileged ports (port numbers below 1024) unless you are logged in as an administrator. IPv6 addresses can be specified with an alternative syntax: port/host/hostport.

-m mac_spec

Specifies one or more comma-separated MAC (message authentication code) algorithms to use for this connection. Specify algorithms in order of preference. The default is "hmac-sha1,hmac-sha256,hmac-sha512,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96". If the connection is set to run in FIPS mode, the default is "hmac-sha1,hmac-sha256,hmac-sha512".

-N

Do not execute a remote command. This is useful for configuring just port forwarding. (protocol version 2 only).

-o option

Sets any option that is supported in the configuration file. For example:

ssh "-o FIPSMode=yes" myuser@myhost

-p port

Specifies the port to connect to on the server. The default is 22, which is the standard port for Secure Shell connections. This can be specified on a per-host basis in the configuration file.

-q

Enables quiet mode, which causes all warning and diagnostic messages, including banners, to be suppressed.

-R localport:remotehost:hostport

Redirects data from the specified remote port (on the computer running the Secure Shell server), through the secure tunnel to the specified destination host and port. For more information, see Remote Port Forwarding. Port forwardings can also be specified in the configuration file. You cannot forward privileged ports (port numbers below 1024) unless you are logged in as an administrator. IPv6 addresses can be specified with an alternative syntax: port/host/hostport.

-S

Do not execute a shell.

-t

Forces a tty allocation even if a command is specified.

-T

Disable pseudo-tty allocation.

-v

Sets the debug level to verbose mode, which is equivalent to setting the debug level to 2.

-V

Displays product name and version information and exits. If other options are specified on the command line, they are ignored.

-x

Disables X11 connection forwarding.

-X

Enables X11 connection forwarding and treats X11 clients as untrusted. Untrusted remote X11 clients are prevented from tampering with data belonging to trusted X11 clients.

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

-Y

Enables X11 connection forwarding and treats X11 clients as trusted.

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

-1

Forces ssh to try protocol version 1 only. Protocol version 1 is deprecated and not recommended.

-2

Forces ssh to try protocol version 2 only.

-4

Forces connections using IPv4 addresses only.

-6

Forces connections using IPV6 addresses only.