After this lesson, you will be able to: Use SSH professionally: key-based auth, the ~/.ssh/config file, port forwarding, SCP, and the hardening every server needs.
SSH is the front door to every server you'll ever manage. This lesson takes you from 'I copy-paste ssh commands' to 'I run a hardened SSH setup'.
Generate once, copy to each server, never type a password again.
# Generate a modern Ed25519 key (smaller, faster, more secure than RSA)# Press Enter to accept default location (~/.ssh/id_ed25519)# Enter a passphrase (use one, it encrypts the key at rest)# Copy to a serverssh-copy-id alex@server.example.com# Now you can: ssh alex@server.example.com (no password)
Create or edit ~/.ssh/config (mode 600). Every host you SSH to should have an entry.
# ~/.ssh/configHost prodHostName prod.example.comUser alexIdentityFile ~/.ssh/id_ed25519ServerAliveInterval 60Host stagingHostName 10.0.5.42User deployPort 2222IdentityFile ~/.ssh/id_ed25519_staging# Jump through a bastion to reach internal hostsHost internal-dbHostName 10.0.1.50User dbaProxyJump prod
Both copy files over SSH; rsync wins for almost everything.
# scp (simple, but no resume on failure)scp file.txt prod:~/file.txtscp -r local-dir/ prod:/srv/myapp/scp prod:/var/log/app.log .# rsync (the right tool)rsync -avzP file.txt prod:~/ # -a archive, -v verbose, -z compress, -P progressrsync -avzP --delete local-dir/ prod:/srv/myapp/ # --delete syncs deletions toorsync -e 'ssh -p 2222' ... # custom SSH port
Tunnel a remote port to your laptop for safe debugging.
# Local port forwarding: reach a service running on prod from your laptopssh -L 5432:localhost:5432 prod# Now `psql -h localhost` on your laptop talks to prod's Postgres# Remote port forwarding (rare): expose YOUR laptop's port on the remotessh -R 8080:localhost:8080 prod# Dynamic (SOCKS proxy)ssh -D 1080 prod# Configure your browser to use SOCKS5 at localhost:1080; all traffic exits via prod
Edit `/etc/ssh/sshd_config`. After saving: `sudo systemctl restart sshd`. `PermitRootLogin no`, never allow root SSH; admins log in as themselves and `sudo`. `PasswordAuthentication no`, keys only. Passwords are guessable. `PubkeyAuthentication yes`, explicit. `AllowUsers alex deploy`, whitelist users who can SSH. `Port 2222` (optional), non-default port reduces noise from script kiddies (NOT real security). Install `fail2ban` to auto-ban IPs that brute-force.
Keys without a passphrase. If your laptop is stolen, every server is compromised. Leaving `PasswordAuthentication yes` after enabling keys. The password fallback IS the attack surface. SSH'ing as root. Use a regular user + sudo. Forgetting to restart sshd after config changes. Test the new config in a SECOND terminal before closing the first (so you don't lock yourself out). Putting private keys on shared servers. Never. Move them with extreme care.
Pick the safety habit.
Sign in and purchase access to unlock this lesson.