It’s amazing what you can learn by reading the manual.
felooboolooomba•Jun 24, 2026
It is, because manuals are often not the best way to learn things. Most software manuals are reference manuals. SSH man page isn't too bad. I learned most of my SSH knowledge from it, but I'm not sure it's the best way to do it.
matltc•Jun 24, 2026
For me, the best way to learn a tool is for a quick example or two showing its utility, then practicing with those, reading the man as needed on specific flags. Google or bot ”how do x" ? Repeat : done
Some pages have a nice up-front synopsis of flags, others put them in a wall of text. Browsing the former can supplant Google, /\b-x while paging is helpful for the latter.
trollbridge•Jun 24, 2026
When I see one of these with obvious AI tells at the top (sentences lacking a subject or verb), I ask myself:
Can’t I just open up a harness and prompt “Teach me how to do X?”
GL26•Jun 24, 2026
I personally do this, ask claude code to teach me about concepts I don't know about when it codes something, and only then I accept what it suggests to me
lfx•Jun 24, 2026
I do this all the time, I have a skill/gem with instructions on how I want to receive info, how to format and so on. Really helps to go fast to get the point.
Oxodao•Jun 24, 2026
Could you share it? I'd be interested to get idea to make my own
lfx•Jun 24, 2026
It goes like this:
---
As an expert tutorial creator for experienced engineers, you take the input the user request and make interactive tutorial. Default style is technology, tech is mac and linux. Default style is 20mins, but you ask for the timeline. Also do not forget to provide the cost of technologies used.
---
chasil•Jun 24, 2026
The article mentions bastions, but no jumphosting?
It is surprising how many times I see this content (this version might be marked “Published: Jun 19, 2026” but I've definitely seen those exact diagrams before, starting at least a few years ago, and the same content around them in many tutorials before that) without it being updated to mention jump-hosts.
Support was added to OpenSSH about a decade ago? Even on a low moving Linux distro like Debian/LTS everyone should have support by now.
Are you using SSH key auth or password authenticating three times when you do this?
riobard•Jun 24, 2026
There's a asymmetry here that "-R" works both for reverse static and dynamic (using SOCKS protocol) forwarding, but "-D" is required for dynamic forwarding which "-L" cannot do.
Why is that?
hylaride•Jun 24, 2026
It's historical. Some older flags could be easily extended for dynamic port support and others could not.
felooboolooomba•Jun 24, 2026
As a sysadmin, one of your biggest ROI is learning the ins and outs of SSH.
hylaride•Jun 24, 2026
Learning how SSH port forwarding is great as a pseudo-vpn for everything from GUI-client database access to (in physical infra) access to web-admin tools for appliances.
The socks proxy support can also deal with bad web filtering and privacy issues on public wifi networks (though nowadays if you're ssh'ing to a cloud IP, you'll get lots of "bot" restrictions).
segphault•Jun 24, 2026
Or you could just install something like Tailscale and never have to think about it again.
buredoranna•Jun 24, 2026
I'll mention it here, because I learned about it here.
"~C" will drop you into the SSH command line, allowing you to, among other things, effect port forwarding
-L8080:localhost:443
Learning that "~C" exists, and what you can do with it, has supercharged my use of SSH tunnels, which were already awesome on their own.
But for some reason this has been disabled by default in more recent ssh configurations... to ensure its available
-o EnableEscapeCommandline=yes
or, in your ~/.ssh/config
EnableEscapeCommandline yes
(edit: formatting)
telotortium•Jun 24, 2026
Important to note that `~` SSH commands work only right after you press Enter - it doesn’t trigger everywhere you press `~`.
Also EnableEscapeCommandline fortunately only affects `~C` - the all-important `~.` to kill a hung SSH session still works with it disabled.
ptaffs•Jun 24, 2026
so many time i have inadvertently ended a session with a fat fingered ~.
matltc•Jun 24, 2026
Very refreshing to see a utilitarian series such as this. Disappointing that the latest ai drama gets 20x more discussion and visibility on this site
Goes over similar content as TFA, in perhaps a little more depth. Indispensable sysadmin knowledge.
opsdisk•Jun 24, 2026
Appreciate the mention wbadart!
susu1111•Jun 24, 2026
so good, I learn new things.
ranger_danger•Jun 24, 2026
Not mentioning the ssh -w option in that book should be a crime.
bheadmaster•Jun 24, 2026
If you have many different remote devices behind NATs or firewalls, a cool trick to access them all via EC2 server (or such) is to setup Remote Forwarding via UNIX socket on the server side, to devices' port 22. Preferably, UNIX socket filenames should start with a common prefix, so an SSH config can be written that will use ssh+socat in a ProxyCommand to establish the connection.
It's amazing how lightweight this method actually is. I have managed to connect hundreds of devices using a single EC2 nano instance.
ranger_danger•Jun 24, 2026
Do you have more info on this method? How is the remote forwarding actually done?
Bender•Jun 24, 2026
Should add how to bypass MFA using phishing and SSH Multiplexing to the article.
smw•Jun 24, 2026
Need to mention sshuttle [0] here, as it magically solves a bunch of these problems without constant reconfiguration
Another option that I never see mentioned anywhere is -w which allows you to create either layer2 or layer3 tunnels via a tun(4) interface.
tangotaylor•Jun 24, 2026
My favorite use of this is peer-to-peer transfer of Docker images. The Docker CLI only allows you to use registries authenticated with HTTPS but there's an exception where it allows HTTP transfers over localhost.
So, if you use SSH tunneling to forward a port from localhost to a remote, then Docker unwittingly pushes to a remote. This is super useful "off the grid" with robotics/embedded applications where you don't want to bother with a registry and a good Internet connection.
iirc there's a setting to allow docker to trust and use http registries
i set it up a few years ago for my homelab
QGQBGdeZREunxLe•Jun 24, 2026
This is really useful as you don't have to add an entry under insecure-registries for local registries that don't have valid certificates.
bitlad•Jun 24, 2026
You might as well handover the images to hackers.
mmh0000•Jun 24, 2026
That's not quite true, you just need to add the `insecure-registries`[1] option with a list of either IP (or ip ranges) or hostnames that you want to allow without TLS.
15 Comments
Some pages have a nice up-front synopsis of flags, others put them in a wall of text. Browsing the former can supplant Google, /\b-x while paging is helpful for the latter.
Can’t I just open up a harness and prompt “Teach me how to do X?”
https://www.openssh.org/releasenotes.html
Support was added to OpenSSH about a decade ago? Even on a low moving Linux distro like Debian/LTS everyone should have support by now.
Are you using SSH key auth or password authenticating three times when you do this?
Why is that?
The socks proxy support can also deal with bad web filtering and privacy issues on public wifi networks (though nowadays if you're ssh'ing to a cloud IP, you'll get lots of "bot" restrictions).
"~C" will drop you into the SSH command line, allowing you to, among other things, effect port forwarding
Learning that "~C" exists, and what you can do with it, has supercharged my use of SSH tunnels, which were already awesome on their own.But for some reason this has been disabled by default in more recent ssh configurations... to ensure its available
or, in your ~/.ssh/config (edit: formatting)Also EnableEscapeCommandline fortunately only affects `~C` - the all-important `~.` to kill a hung SSH session still works with it disabled.
Goes over similar content as TFA, in perhaps a little more depth. Indispensable sysadmin knowledge.
It's amazing how lightweight this method actually is. I have managed to connect hundreds of devices using a single EC2 nano instance.
[0] https://github.com/sshuttle/sshuttle
So, if you use SSH tunneling to forward a port from localhost to a remote, then Docker unwittingly pushes to a remote. This is super useful "off the grid" with robotics/embedded applications where you don't want to bother with a registry and a good Internet connection.
Example, docker pussh: https://github.com/psviderski/unregistry
i set it up a few years ago for my homelab
```/etc/docker/daemon.json
```[1] https://docs.docker.com/reference/cli/dockerd/#insecure-regi...