Ed25519, no PW, inline comment, default location:

ssh-keygen -t ed25519 -N '' -C "$USER@$HOSTNAME"

Print pubkey:

cat ~/.ssh/

Create passwordless throw-away key:

ssh-keygen -t ed25519 -N '' -C '' -f /tmp/throwaway
cat /tmp/throwaway

This creates two files: /tmp/throwaway and /tmp/


umask 077
mkdir -p ~/.ssh
cat >> ~/.ssh/authorized_keys
<paste stuff here, exit with C-d>


If you have a machine that only supports RSA, this might help:

ssh-keygen -t rsa -b 4096 -N '' -C "$USER@$HOSTNAME"
cat ~/.ssh/


ssh-keygen -t rsa -b 4096 -N '' -C '' -f /tmp/throwaway


A daemon is running on serv on port 80 and I want to reach it at localhost on port 8080:

ssh -NfL 8080:localhost:80 serv
pgrep -f 'ssh -NfL 8080:localhost:80 serv'  # the PID ($! is not set by ssh -f, which backgrounds itself)

Daemon running on foo on port 1234. Reachable via gate. Mission: Tunnel foo:1234 to localhost:5678:

ssh -NfL 5678:foo:1234 gate
pgrep -f 'ssh -NfL 5678:foo:1234 gate'  # the PID ($! is not set by ssh -f, which backgrounds itself)


SOCKS proxy that listens on localhost:1080 and forwards via s3:

ssh -ND 1080 s3


curl -I --socks5 localhost:1080


Be sure to run mkdir -p ~/.ssh/masters beforehand (the ControlPath below points into it).

# example entry
Host enterprise
  User picard
  Port 1701
  IdentityFile ~/.ssh/picards_id

# use `enterprise` as proxy and the local IdentityFile (shuttle.lan is reachable from enterprise)
# Warning: Use with care (see ForwardAgent in `man ssh_config`)
# To check the keys your current ssh agent offers, run `ssh-add -l`
Host shuttle
  Hostname shuttle.lan
  ForwardAgent yes
  ProxyJump enterprise

# WARNING keep this at the end of this file
# =========================================
# Because "first value wins". From `man 5 ssh_config`:
# "Since the first obtained value for each parameter is used, more
# host-specific declarations should be given near the beginning of the file,
# and general defaults at the end."
Host *
  # Keep Connections Alive
  ServerAliveInterval 60
  # re-use connections to the same host
  ControlMaster auto
  # leave connection open in background
  ControlPersist 4h
  ControlPath ~/.ssh/masters/%r@%h:%p
  # use `ssh -o ControlPath=none` to disable this temporarily
  # and to close this: `ssh -O exit some_server`
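
The "first value wins" rule quoted above, as an added example (not part of the original cheat sheet): a small resolver that computes the effective options for a host and lists the values that were silently ignored, with `Host *` placed last and then first. The `Port 22` and `ForwardAgent no` defaults are constructed for the demonstration, and the function names are hypothetical.

```python
import fnmatch

# Constructed sample: the page's host entries, and a defaults block to which
# "Port 22" and "ForwardAgent no" were added so that the two parts conflict.
SPECIFIC = """\
Host enterprise
  User picard
  Port 1701
Host shuttle
  Hostname shuttle.lan
  ForwardAgent yes
  ProxyJump enterprise
"""
DEFAULTS = """\
Host *
  Port 22
  ForwardAgent no
  ControlMaster auto
"""

def matches(patterns, host):
    """A Host line matches if a positive pattern does and no !negated one does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def resolve(config, host):
    """Return (effective, ignored) for host; only "Keyword value" lines are modelled."""
    # Match blocks, Include and multi-valued keywords (e.g. IdentityFile) are not modelled.
    effective, ignored, active = {}, [], True  # lines before any Host apply to all
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = matches(value.split(), host)
        elif active and key in effective:
            if effective[key] != value:
                ignored.append((key, value))  # a later value never overrides
        elif active:
            effective[key] = value
    return effective, ignored

if __name__ == "__main__":
    for label, cfg in (("defaults last", SPECIFIC + DEFAULTS),
                       ("defaults first", DEFAULTS + SPECIFIC)):
        for host in ("enterprise", "shuttle"):
            print(label, host, *resolve(cfg, host))
```

On a real system, `ssh -G shuttle` prints the options OpenSSH itself resolves for that host, which is the authoritative check.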


Get fingerprint of public key:

ssh-keygen -E sha256 -lf ~/.ssh/
ssh-keygen -E md5 -lf ~/.ssh/