Search notes:

SSH

SSH stands for Secure Shell. The SSH protocol provides secure remote login and other secure network services over an insecure network (typically on top of TCP/IP).
Features of SSH include
SSH replaces r-commands such as rlogin, rsh and rcp. 
ssh [options] destination [command]

ssh -i /path/to/private.key rene@server.xyz

Command line options

-4, -6 IPv4, IPv6 addresses only
-A Enables forwarding of connections from an authentication agent such as ssh-agent, use with caution.
-a Disables forwarding of the authentication agent connection
-C Request compression of data (same algorithm as also gzip ueses)
-f Go to background just before command execution. Useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm. -f implies -n.
-G Print its configuration after evaluating Host and Match blocks and exit.
-g Allows remote hosts to connect to local forwarded ports.
-K Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.
-k
-M Places the ssh client into “master” mode for connection sharing.
-N Do not execute a remote command, useful for just forwarding ports.
-n Redirects stdin from /dev/null (preventing reading from stdin). -n must be used when ssh is run in the background. A common trick is to use this to run X11 programs on a remote machine: ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi, and the X11 connection will be automatically forwarded over an encrypted channel. The ssh program will be put in the background. (This does not work if ssh needs to ask for a password or passphrase; see also the -f option.)
-q Quiet mode, compare with -v
-s
-T Disable pseudo-terminal allocation.
-t Force pseudo-terminal allocation.
-V Display Version
-v Verbose mode, compare with -q
-X Enables X11 forwarding.
-x Disables X11 forwarding
-Y Enables trusted X11 forwarding.
-y Send log information using syslog rather than writing it to stderr. Compare with -E
-B bind_interface
-b bind_address
-c cipher_spec
-D [bind_address:]port
-E log_file
-e escape_char Specifies the escape character for sessions with a pty, default is ~.
-F configfile
-I pkcs11 Specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing keys for user authentication.
-i identity_file Speficies identity file having the private key used for authentication. Default is ~/.ssh/id_*.
-J [user@]host[:port]
-L address Tunneling: forward connectons to local port to a remote port/socket.
-l login_name
-m mac_spec
-O ctl_cmd
-o option
-p port
-Q query_option
-R address
-S ctl_path
-W host:port Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings (overwritable in configuration file or using -o)
-w local_tun:remote_tun

SSH Tunneling

ssh -L 8888:localhost:8888   username_on_server@ip_of_server

scp

Copying a local file to a remote host, using a non-default port: 
scp  -P 2121  .htaccess  rene@the-remote-host.xy:/path/to/directory/or/file

TODO

SSH Protocol

In order to use public key authentication in the SSH protocol, public keys must first be exchanged between client and server.
In the context of SSH, public keys are exchanged using public key exchange formats («key files», as described in RFC 4716).
The SSH protocol also uses public/private key pairs to authenticate the server.
The security of the SSH protocol relies on the verification of public host keys.
So-called fingerprints makes it easier to compare such keys.
A fingerprint is obtained using the MD5 hash on the public key.j

Warning: Permanently added … (ECDSA) to the list of known hosts.

What is the meaning and/or purpose of the warning Permanently added … (ECDSA) to the list of known hosts? 
$ /usr/bin/ssh rene@192.168.0.102
The authenticity of host '192.168.0.102 (192.168.0.102)' can't be established.
ECDSA key fingerprint is SHA256:….
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.102' (ECDSA) to the list of known hosts.
Password:

Host key

A host key can be generated with ssh-keygen -A
Host keys must have an empty pass phrase.

Warning: Remote host identification has changed

$ ssh rene@some.host.xyz
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:smbFwQl+bVc1o8VMdAqBhXAfH9AwZo6CtALoEzaZBeA.
Please contact your system administrator.
Add correct host key in /home/rene/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/rene/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f "/home/rene/.ssh/known_hosts" -R "some.host.xyz"
ECDSA host key for 192.168.0.102 has changed and you have requested strict checking.
Host key verification failed.

Certificates

OpenSSH certificates have a different and simpler format than the X.509 certificates used in ssl.

Find existing SSH connections

# pgrep -ai sshd
# who -a
# w -h

See also

Relationship to SSL
sshd
ssh-agent
ssh-keygen generates, manages and converts authentication keys for SSH.
ssh-copy-id
ssh-add adds private key identities to the OpenSSH authentication agent.
ssh-keyscan gathers public keys from servers
~/.ssh
%SYSTEMROOT%\System32\OpenSSH
The Python library Paramiko
RFCs:

Index