
SSH Secret Menu

216 points - yesterday at 3:28 AM

  • 0xbadcafebee

    today at 12:05 AM

    Find the HIDDEN SECRETS that THEY DON'T WANT YOU TO KNOW!

        $ man ssh

      • longislandguido

        today at 5:58 AM

        Many Linux man pages have the thoroughness of a fortune cookie, so I can understand the skepticism.

        Jackpot if they're just a pointer to an 'info' page.

          • halapro

            today at 10:15 AM

            I was never able to properly parse large man pages, I'm so happy that LLMs can now prepare half a usable command without spending an hour reading a tome without a single usage example.

            • aa-jv

              today at 9:21 AM

              But it's also true that many, many man pages have extremely valuable information that no enterprising hacker should overlook, too ..

              • darkwater

                today at 8:29 AM

                Do we still have those? I think it was common in the late '90s, due to GNU trying to get `info` to gain momentum, but nowadays?

                  • skywhopper

                    today at 9:18 AM

                    Mostly just the bash builtins have (had) this problem.

            • imwally

              today at 2:03 AM

              I blew a few minds a week ago when I told my younger coworkers about man pages. I hit ‘em with the `man man` and one dude was like “whoa!”

                • AndrewDavis

                  today at 6:09 AM

                  Further blow their minds by showing them `apropos` https://manpages.debian.org/testing/man-db/apropos.1.en.html

                    • riffraff

                      today at 7:31 AM

                      I remember my first days with Linux/Unix and being taught about man and apropos and info. But somehow I could never find anything useful via apropos!

                      With many years of insight, I think I probably never updated the database.

                  • bombcar

                    today at 2:29 AM

                    Reminds me of the old canard of 'man woman'

                    • Aardwolf

                      today at 10:01 AM

                      man, cat, lynx... We're all just creatures in a vast universe

                      • aa-jv

                        today at 9:21 AM

                        $ man -k <whatever>

                      • antonvs

                        today at 8:42 AM

                        Who doesn’t want you to know? Well, obviously, the man. That’s why you type man ssh, you’re forcing the man to tell you what he knows.

                        • saguntum

                          today at 2:36 AM

                          man ssh_config is even more interesting and hidden

                          ProxyCommand is fun

                            • project2501a

                              today at 8:24 AM

                                Honest question, why is ProxyCommand `fun`? What do I get out of ProxyCommand that I do not get out of setting the correct order for ProxyJump and doing an ssh finalhost -- domy --bidding?

                                • pmontra

                                  today at 8:38 AM

                                  ProxyJump is a newer functionality. There used to be only ProxyCommand. ProxyJump is a shortcut for the usual way to use ProxyCommand to connect through a bastion host but ProxyCommand is more flexible. For example with ProxyCommand you can run any command to connect to the remote host. ProxyJump only connects over ssh. I think I replaced all my ProxyCommand with ProxyJump because I don't need much else than the normal use case.

                                  • m132

                                    today at 9:10 AM

                                    You can get a lot more out of ProxyCommand. For example, you can run SSH over non-IP protocols, such as serial, Bluetooth RFCOMM for embedded boards, or vsock for virtual machines without networking set up at all. The latter is built into and set up automatically by systemd:

                                    https://www.freedesktop.org/software/systemd/man/257/systemd...

                                    • pritambaral

                                      today at 8:38 AM

                                      ProxyCommand allows you to use any command to set up a connection. Not necessarily an ssh command, like ProxyJump. It can be any command; as long as it receives on stdin and produces on stdout, it can act like a TCP connection.

                                      ProxyJump is a special case of `ProxyCommand ssh -p <port> <user>@<host>`. Can't replace the `ssh` in there when using ProxyJump.
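The point pmontra, m132 and pritambaral make above is that a ProxyCommand is just a program that reads from stdin and writes to stdout, and ssh treats that pair as the connection. The following is an added example written for this page, not OpenSSH code or anything from the thread: a minimal ProxyCommand that connects over plain TCP and relays bytes, with `connect_tcp()` being the only transport-specific part. The install path in the ssh_config snippet is an assumption; `%h` and `%p` are the standard ssh_config tokens for the target host and port. `selftest()` runs the relay offline against a fake server on a socketpair using constructed input.

```python
#!/usr/bin/env python3
"""Minimal ProxyCommand: connect to HOST PORT over TCP and shuttle bytes
between that socket and stdin/stdout, which is all ssh needs.

Added example, not OpenSSH code.  ssh_config usage (install path assumed):

    Host internal-box
        ProxyCommand python3 /usr/local/bin/stdio_proxy.py %h %p

Replacing connect_tcp() with any other transport (serial, vsock, another
tunnel) is the whole point: ssh never sees the transport, only the pipe.
"""
from __future__ import annotations

import os
import selectors
import socket
import sys


def connect_tcp(host: str, port: int) -> socket.socket:
    """Plain TCP connect; swap this out to carry SSH over something else."""
    return socket.create_connection((host, port))


def write_all(fd: int, data: bytes) -> None:
    """os.write may write less than asked; loop until everything is out."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def pump(sock: socket.socket, in_fd: int, out_fd: int) -> tuple[int, int]:
    """Relay in_fd -> sock and sock -> out_fd until the remote side closes.

    EOF on in_fd (ssh closed its end) half-closes the socket so the server
    can flush and finish.  Returns (bytes sent to server, bytes received).
    """
    sel = selectors.DefaultSelector()
    sel.register(sock, selectors.EVENT_READ, "sock")
    sel.register(in_fd, selectors.EVENT_READ, "stdin")
    sent = received = 0
    while True:
        for key, _ in sel.select():
            if key.data == "sock":
                chunk = sock.recv(65536)
                if not chunk:            # server closed: relay is finished
                    sel.close()
                    return sent, received
                write_all(out_fd, chunk)
                received += len(chunk)
            else:
                chunk = os.read(in_fd, 65536)
                if not chunk:            # ssh closed stdin: half-close
                    sel.unregister(in_fd)
                    sock.shutdown(socket.SHUT_WR)
                    continue
                sock.sendall(chunk)
                sent += len(chunk)


def selftest() -> tuple[bytes, int, int]:
    """Offline check with constructed input: a fake server on a socketpair
    upper-cases what it receives; ssh's side is simulated with two pipes."""
    import threading

    def fake_server(conn: socket.socket) -> None:
        data = b""
        while chunk := conn.recv(4096):
            data += chunk
        conn.sendall(data.upper())
        conn.close()

    ours, theirs = socket.socketpair()
    worker = threading.Thread(target=fake_server, args=(theirs,))
    worker.start()
    in_r, in_w = os.pipe()
    out_r, out_w = os.pipe()
    os.write(in_w, b"hello")
    os.close(in_w)                       # "ssh" closes its stdin
    sent, received = pump(ours, in_r, out_w)
    worker.join()
    ours.close()
    answer = os.read(out_r, 4096)
    for fd in (in_r, out_r, out_w):
        os.close(fd)
    return answer, sent, received


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        sys.stderr.write(f"usage: {argv[0]} HOST PORT\n")
        return 2
    sock = connect_tcp(argv[1], int(argv[2]))
    try:
        pump(sock, sys.stdin.fileno(), sys.stdout.fileno())
    finally:
        sock.close()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The half-close on stdin EOF matters: ssh closes its write side when the session ends, and the proxy must keep draining the socket until the server has finished rather than tearing everything down immediately.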

                                      • brigandish

                                        today at 8:55 AM

                                        I use ProxyCommand to run spipe tunnels for SSH.

                                • smoyer

                                  today at 12:54 AM

                                  HN as a tabloid ... After all enquiring minds want to know!

                                  • paulddraper

                                    today at 5:42 AM

                                    It’s been a while since I’ve heard RTFM

                                    • senectus1

                                      today at 1:03 AM

                                      hahaha made me laugh, thanks :-D

                                        • thaumasiotes

                                          today at 8:04 AM

                                          How's that supposed to help? The ssh man page is about as close as you can get to a Platonic example of "uninformative pretend-documentation".

                                            • hrmtst93837

                                              today at 9:07 AM

                                              If the ssh man page were any lazier it would just be a list of arguments with no context at all, so I get the frustration. The tricky bit is that much of the "secret menu" knowledge about ssh only lives in blog posts and random issue comments, which makes the doc gap feel intentional at times. If you want real examples or usage patterns you pretty much have to scrape Stack Overflow or crawl through dotfiles in public repos hoping someone else already fought the same fight.

                                      • andrewflnr

                                        today at 5:30 AM

                                        I've been using the ~. shortcut for a while, but somehow escaped learning about the help menu.

                                        Another neat thing I noticed while playing with it just now: there's an option to enter ~ twice to send a literal ~, but usually you don't have to do this when typing something like 'ls ~' in a regular session. Not only does the ~ have to be the first character on a line to start an escape sequence, but typing on a line, backspacing all the way to the start and then typing ~ also sends a literal tilde. It only triggers the escape sequence if the ~ is the chronologically first character after a newline (or first in the session), which is an unlikely thing to type into a shell in a normal session. Good choice of UI, both the character and the state machine.

                                          • bandie91

                                            today at 10:24 AM

                                            > typing on a line, backspacing all the way to the start and then typing ~ also sends a literal tilde

                                            For the younger readers, yes, because in terminal echo mode, "backspacing" does not clear your terminal line buffer; those characters backspaced are already sent on the line. If you've ever seen a misconfigured terminal, it hints at what's going on, like:

                                            user@host$ ls ~/^?^?^?^?^?~/a.out

                                            ^? is backspace's control char.

                                            That is, ssh watches what you type, not what is on the screen (terminal).
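Modelling the rule andrewflnr and bandie91 describe (a `~` only counts when it is the first byte after a newline or at session start, and a backspace is just another byte), as an added example written for this page rather than OpenSSH's own client code: the two-bit state machine below consumes the raw byte stream ssh sees and reports which bytes would be forwarded to the server and which escape actions would fire. It goes a little beyond the comments above by also covering the Ctrl-U, Return, `~`, `.` sequence and the `~~.` two-hop case mentioned elsewhere in the thread. The action table is the subset of escapes named in the thread; the constructed inputs in `__main__` are illustrative.

```python
"""Model of the ssh client's escape-character detection.

Added example, not OpenSSH code: it reimplements the documented rule that
'~' is an escape only when it is the first byte after a newline (or at
session start), and that DEL from backspace does not reset that state.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ESCAPE = ord("~")
CTRL_Z = 0x1A  # ~^Z suspends the client

# Meaning of the byte that follows an escape character.  Only the escapes
# named in the thread are listed; anything else is forwarded literally.
ACTIONS = {
    ord("."): "disconnect",
    ord("?"): "help",
    CTRL_Z: "suspend",
}


@dataclass
class EscapeMachine:
    """Per-session state: are we right after a newline, and have we just
    consumed an escape character?"""
    last_was_newline: bool = True          # session start counts as line start
    escape_pending: bool = False
    forwarded: bytearray = field(default_factory=bytearray)
    events: list[str] = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        for ch in data:
            if self.escape_pending:
                self.escape_pending = False
                action = ACTIONS.get(ch)
                if action is not None:
                    self.events.append(action)
                    continue               # consumed; nothing reaches the server
                if ch != ESCAPE:
                    # Unknown escape: release the '~' that was held back...
                    self.forwarded.append(ESCAPE)
                # ...then fall through, so '~~' sends one literal tilde and
                # '~x' sends '~' followed by 'x'.
            elif self.last_was_newline and ch == ESCAPE:
                self.escape_pending = True
                continue                   # hold the byte until the next one
            # Only CR/LF re-arm the escape.  DEL (0x7f) from backspace does
            # not: ssh sees the bytes you typed, not the line on screen.
            self.last_was_newline = ch in (0x0D, 0x0A)
            self.forwarded.append(ch)


def run(typed: bytes) -> tuple[bytes, list[str]]:
    """Feed bytes through a fresh session; return what reached the server
    and which escape actions fired (a real client would stop at 'disconnect')."""
    m = EscapeMachine()
    m.feed(typed)
    return bytes(m.forwarded), m.events


def run_two_hops(typed: bytes) -> tuple[bytes, list[str], list[str]]:
    """Outer ssh forwards to an inner ssh's stdin (ssh from one host to
    another).  Returns what reached the innermost server plus the events
    seen by the outer and inner clients."""
    outer = EscapeMachine()
    outer.feed(typed)
    inner = EscapeMachine()
    inner.feed(bytes(outer.forwarded))
    return bytes(inner.forwarded), outer.events, inner.events


if __name__ == "__main__":
    # Constructed keystroke sequences, shown as the server would see them.
    for label, typed in [
        ("ls ~ mid-line", b"ls ~\n"),
        ("backspace then ~", b"ls \x7f\x7f\x7f~\n"),
        ("Enter ~ .", b"echo hi\n~."),
        ("Ctrl-U Return ~ .", b"\x15\r~."),
        ("~~ literal", b"\n~~"),
    ]:
        print(f"{label:20s} -> {run(typed)}")
    print("two hops, ~~.  ->", run_two_hops(b"\n~~."))
```

The `run_two_hops` case shows why `~~.` closes the inner session: the outer client swallows the first `~`, forwards the second as a literal, and the inner client then sees newline, `~`, `.` in sequence.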

                                            • computerfriend

                                              today at 10:17 AM

                                              The drawback is that if you think your session is hanging and want to bail with ~., you have to press enter, which might actually make it to the server and execute something.

                                                • bandie91

                                                  today at 10:26 AM

                                                  many get used to Ctrl-U, Return, ~, period keystroke sequence for this.

                                          • piccirello

                                            today at 12:29 AM

                                            I've been using SSH for ~15 years and never knew about these escape sequences. I'm eagerly awaiting my next hung session so that I can test `~.`. It's much nicer than my current approach of having to close that terminal window.

                                              • tomxor

                                                today at 2:02 AM

                                                If hung SSH connections are common it's likely due to CGNAT, which uses aggressively low TCP timeouts. E.g. I've found all UK mobile carriers set their TCP timeout as low as 5 minutes. The "default" is supposed to be 2 hours; you could literally sleep your computer, zero packets, and an SSH connection would continue to work an hour later, and generally speaking this is still true unless CGNAT is in the way.

                                                If you are interested there are a few ways you can fix this:

                                                Easiest is to use a VPN, because the VPN's exit node becomes the effective NAT, and they usually have normal TCP timeouts due to being less resource constrained. Another nice benefit of this method is you can move between physical networks and your connection doesn't die... If you use Tailscale then you already have this in a more direct way.

                                                Another is to tune the tcp_keepalive kernel parameters. Lowering the keepalive timeout to be less than the CGNAT timeout will cause keepalive probes to prevent CGNAT from dropping the connection even while your SSH connection is technically idle. For Linux I pop these into /etc/sysctl.d/z.conf, I have no idea for Windows or Mac:

                                                  # Keepalive frequently to survive CGNAT
                                                  net.ipv4.tcp_keepalive_time   = 240
                                                  net.ipv4.tcp_keepalive_intvl  = 60
                                                  net.ipv4.tcp_keepalive_probes = 120

                                                This is really a misuse of these settings, they are supposed to be for checking TCP connections are still alive and clearing them up from the local routing table. Instead the idea is to exploit the probes by sending them more frequently to force idle connections to stay alive in a CGNAT environment (don't worry, the probes are tiny and still very infrequent).

                                                _time=240 will send a probe after 4 mins of idle connection instead of the default 2 hours, undercutting the CGNAT timeout. _intvl=60 and _probes=120 mean it will send 120 probes 60 seconds apart (2 hours worth) before considering the connection dead. This will keep it alive for at least 2 hours, but also allows us to have the best of both worlds so that under a nice NAT it keeps the old behaviour, e.g. if I temporarily lose my network the SSH connection is still valid after 2 hours, but under CGNAT it will at least not drop the connection after 5 mins so long as I keep my computer on and don't lose the network.

                                                There are also some SSH client keepalive settings but I'm less familiar with them.

                                                  • vbezhenar

                                                    today at 8:09 AM

                                                        Host *
                                                            ServerAliveInterval 25
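To make the arithmetic behind tomxor's sysctl values and vbezhenar's `ServerAliveInterval` concrete, here is an added example (written for this page, not from either commenter): it models the Linux keepalive schedule, reports the longest silence a NAT will see and how long the kernel waits before declaring the peer dead, and puts the SSH-protocol alternative next to it. The 300-second NAT timeout is the 5-minute figure from the thread; the sysctl path is Linux-specific, and `from_proc()` falls back to the documented defaults when it is unreadable. The statement that these sysctls take effect because OpenSSH's default `TCPKeepAlive yes` sets `SO_KEEPALIVE` is standard OpenSSH behaviour, not something the thread states.

```python
"""Does a keepalive setting hold an idle SSH session open behind a NAT that
drops silent flows, and how long until a dead peer is noticed?

Added example, not from the thread.  Model (Linux semantics): the first
probe goes out after tcp_keepalive_time seconds of silence, further probes
every tcp_keepalive_intvl seconds, and the socket is torn down after
tcp_keepalive_probes unanswered probes.  The sysctls apply to ssh because
its default `TCPKeepAlive yes` sets SO_KEEPALIVE; the net.ipv4 names also
govern IPv6 sockets.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

SYSCTL_DIR = Path("/proc/sys/net/ipv4")   # Linux only

LINUX_DEFAULTS = {"tcp_keepalive_time": 7200, "tcp_keepalive_intvl": 75, "tcp_keepalive_probes": 9}
THREAD_TUNED = {"tcp_keepalive_time": 240, "tcp_keepalive_intvl": 60, "tcp_keepalive_probes": 120}


@dataclass(frozen=True)
class Keepalive:
    time: int     # idle seconds before the first probe
    intvl: int    # seconds between unanswered probes
    probes: int   # unanswered probes tolerated before reset

    @classmethod
    def from_sysctl(cls, values: dict[str, int]) -> Keepalive:
        return cls(values["tcp_keepalive_time"], values["tcp_keepalive_intvl"],
                   values["tcp_keepalive_probes"])

    @classmethod
    def from_proc(cls) -> Keepalive:
        """Read the live kernel values; fall back to the defaults when /proc
        is unavailable (non-Linux, or a restricted sandbox)."""
        values = {}
        for name, default in LINUX_DEFAULTS.items():
            try:
                values[name] = int((SYSCTL_DIR / name).read_text())
            except (OSError, ValueError):
                values[name] = default
        return cls.from_sysctl(values)

    def longest_silence(self) -> int:
        """Longest packet-free gap a NAT sees on an idle session with a live
        peer: each answered probe restarts the idle timer, so it is `time`."""
        return self.time

    def survives_nat(self, nat_idle_timeout: int) -> bool:
        return self.longest_silence() < nat_idle_timeout

    def dead_after(self) -> int:
        """Seconds of total peer silence before the kernel resets the socket."""
        return self.time + self.intvl * self.probes


def ssh_server_alive(interval: int, count_max: int = 3) -> tuple[int, int]:
    """The SSH-protocol alternative (ServerAliveInterval / ServerAliveCountMax,
    CountMax defaults to 3): returns (longest silence, seconds to declared dead).
    It keeps a NAT just as happy, but gives up on an unreachable peer after
    interval*count_max seconds instead of hours."""
    return interval, interval * count_max


def compare(nat_idle_timeout: int) -> dict[str, tuple[bool, int]]:
    """Summarise each option as (survives this NAT?, seconds until declared dead)."""
    rows = {
        "kernel defaults": Keepalive.from_sysctl(LINUX_DEFAULTS),
        "thread sysctls": Keepalive.from_sysctl(THREAD_TUNED),
    }
    out = {name: (ka.survives_nat(nat_idle_timeout), ka.dead_after())
           for name, ka in rows.items()}
    silence, dead = ssh_server_alive(25)
    out["ServerAliveInterval 25"] = (silence < nat_idle_timeout, dead)
    return out


if __name__ == "__main__":
    for name, (ok, dead) in compare(300).items():   # 5-minute CGNAT, as in the thread
        print(f"{name:24s} survives 5-min NAT: {str(ok):5s} dead after {dead}s")
    live = Keepalive.from_proc()
    print(f"this machine: first probe at {live.time}s, dead after {live.dead_after()}s")
```

The comparison makes the trade-off explicit: the kernel tuning keeps the NAT entry fresh while still tolerating two hours of outage, whereas a 25-second `ServerAliveInterval` with the default `ServerAliveCountMax` of 3 drops the session after 75 seconds without a reply.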

                                                    • snvzz

                                                      today at 5:00 AM

                                                      Note this is only an issue if not using IPv6.

                                                      CGNAT is for access to legacy IPv4 only.

                                                        • rnhmjoj

                                                          today at 6:33 AM

                                                          Well, for different reasons, but you have similar issues with IPv6 as well. If your client uses temporary addresses (most likely since they're enabled by default on most OS), OpenSSH will pick one of them over the stable address and when they're rotated the connection breaks.

                                                          For some reason, OpenSSH devs refuse to fix this issue, so I have to patch it myself:

                                                              --- a/sshconnect.c
                                                              +++ b/sshconnect.c
                                                              @@ -26,6 +26,7 @@
                                                               #include <net/if.h>
                                                               #include <netinet/in.h>
                                                               #include <arpa/inet.h>
                                                              +#include <linux/ipv6.h>
                                                               
                                                               #include <ctype.h>
                                                               #include <errno.h>
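                                                          Review bot: the added `#include <linux/ipv6.h>` is a Linux-only header in a file that OpenSSH builds on every platform it supports, so this hunk breaks the build everywhere else; wrap the include in `#ifdef __linux__` (or detect the header at configure time) and keep the later `IPV6_ADDR_PREFERENCES` block under the same guard so non-Linux builds keep their current behaviour.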
                                                              @@ -370,6 +371,11 @@ ssh_create_socket(struct addrinfo *ai)
                                                                if (options.ip_qos_interactive != INT_MAX)
                                                                  set_sock_tos(sock, options.ip_qos_interactive);
                                                               
                                                              + if (ai->ai_family == AF_INET6 && options.bind_address == NULL) {
                                                              +  int val = IPV6_PREFER_SRC_PUBLIC;
                                                              +  setsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &val, sizeof(val));
                                                              + }
                                                              +
                                                                /* Bind the socket to an alternative local IP address */
                                                                if (options.bind_address == NULL && options.bind_interface == NULL)
                                                                  return sock;
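                                                          Review bot: the `setsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, ...)` call discards its return value, so a kernel that rejects the option leaves the client silently on the temporary address this change exists to avoid; check the result and report a failure through the file's existing logging so an `ssh -v` run shows which source-address preference is in effect. The block is also unconditional for every AF_INET6 socket without a BindAddress, and some users rely on temporary addresses for outbound connections; a client option (or at least an `#ifdef IPV6_PREFER_SRC_PUBLIC` guard) would make the change easier to upstream.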

                                                            • gspr

                                                              today at 8:19 AM

                                                              Interesting! Is there anywhere a discussion around their refusal to include your fix?

                                                          • dsl

                                                            today at 6:45 AM

                                                            This is a very common misconception. The issue is not IPv4 or CGNAT, it's stateful middleboxes... of which IPv6 has plenty.

                                                            The largest IPv6 deployments in the world are mobile carriers, which are full of stateful firewalls, DPI, and mid-path translation. The difference is that when connections drop it gets blamed on the wireless rather than the network infrastructure.

                                                            Also, fun fact: net.ipv4.tcp_keepalive_* applies to IPv6 too. The "ipv4" is just a naming artifact.

                                                        • anthk

                                                          today at 7:37 AM

                                                          Check Mosh. It supports these kinds of cuts and it will reconnect seamlessly. It will use far less bandwidth too. I successfully tried it with a 2.7 KBPS connection.

                                                          • iberator

                                                            today at 7:35 AM

                                                            putty is sending packets for network up since like forever

                                                        • lathiat

                                                          today at 12:44 AM

                                                          Have been using that weekly since probably 20 years. Will change your life :)

                                                          My other favourite: I very often SSH with -v to figure out why the connection is hanging; you rapidly figure out if DNS is failing, the TCP connection doesn't open, it does open but no traffic flows at all, or it opens and SSH negotiation starts but never finishes. You can learn a lot just from this about what is wrong.

                                                            • Izkata

                                                              today at 3:32 AM

                                                              Also helps with auth failures, I've used it several times with co-workers who can't figure out why their ssh key isn't working. It lists the keys out and some extra information.

                                                          • sirfz

                                                            today at 12:50 AM

                                                            You can even chain them if you have deep ssh connections (i.e. ssh from one instance to another). I think it would be ~~. to terminate the 2nd hop.

                                                            Edit: it's already explained in the OP

                                                            • tdeck

                                                              today at 6:43 AM

                                                              You don't need to actually open the menu either. Just hit enter, tilde, ., enter.

                                                              • aa-jv

                                                                today at 9:23 AM

                                                                I last used this menu about 20 years ago when a dialup modem was the only way to roll, and have pretty much forgotten about it since the days of always-on direct to the desktop TCP/IP ..

                                                                • fragmede

                                                                  today at 3:41 AM

                                                                  Just ssh to funky.nondeterministic.computer to test it out!

                                                                  • TacticalCoder

                                                                    today at 1:30 AM

                                                                    > It's much nicer than my current approach of having to close that terminal window.

                                                                    You can also just kill the ssh process (say from another terminal). That way you get to keep your terminal window. And this works with everything "blocking" your terminal, not just ssh.

                                                                    • wolvoleo

                                                                      today at 12:39 AM

                                                                      I use that every day but it's the only one I know by heart lol

                                                                      • shmerl

                                                                        today at 12:34 AM

                                                                        I've been using ~. on hung ssh connections for a while.

                                                                    • vzaliva

                                                                      today at 2:08 AM

                                                                      I've used ~. for a long time but did not know about others. I know, should have read man page.

                                                                      Anyway, if you try it from a shell prompt it likely will not work, as pressing ENTER shows the next prompt. Try `cat` followed by ENTER and then ~?

                                                                        • ralferoo

                                                                          today at 10:11 AM

                                                                          Same with me, I'll still instinctively go for ~. when a connection has hung / dropped (usually because of a NAT via a rebooted firewall), but never even considered how ~ doesn't normally cause an issue. Never knew it had to be immediately following a newline. Also never knew about the other options, ~^Z in particular looks useful.

                                                                          I wonder if anyone still remembers the ctrl-[ sequence in telnet. I think I only ever used the quit command in that though.

                                                                          • BenjiWiebe

                                                                            today at 2:30 AM

                                                                            It'll still work. OpenSSH doesn't care about output (for ~ stuff), only input, so if you type <enter>~. it will close the connection.

                                                                              • krautsauer

                                                                                today at 4:32 AM

                                                                                Does not for me, not even with busybox sh and no funky escape codes in PS1 at all. It does with cat or yes running, so just something being output is not the problem… Hm.

                                                                                • vzaliva

                                                                                  today at 3:54 AM

                                                                                  It does not. OpenSSH Linux to Mac, typing ~ just types it on the fish shell prompt. It works after `cat` followed by ENTER.

                                                                                    • ploxiln

                                                                                      today at 6:28 AM

                                                                                      Just type <enter> without cat, your shell will show you another prompt, and the ssh escape command will also work.

                                                                                      • dnet

                                                                                        today at 8:57 AM

                                                                                        In newer versions, it's disabled by default and you have to do something like this to enable in ~/.ssh/config:

                                                                                            Host *
                                                                                            EnableEscapeCommandline yes

                                                                            • wrs

                                                                              today at 3:31 AM

                                                                              Those aren’t “secret”, they’re obviously borrowed from rsh — oh that’s right, I’m old.

                                                                                • aa-jv

                                                                                  today at 9:24 AM

                                                                                  Laughs in uucp!bangpath.

                                                                                  • aidenn0

                                                                                    today at 3:55 AM

                                                                                    And these days you need to pass "-O" to scp to have it behave like rcp.

                                                                                • pram

                                                                                  today at 12:08 AM

                                                                                  Yep the menu is handy for ssh tunneling. Maybe not a lot of people doing that these days though with stuff like dev tunnels and Tailscale.

                                                                                    • MayeulC

                                                                                      today at 12:48 AM

                                                                                      I typically just create a "new" connection in a separate tab when I want to add tunneling.

                                                                                      I put new in quotes because I use another little-known feature, "ControlMaster". Multiplexes multiple connections into one, it makes making "new" sessions instant (can also be configured to persist a bit after disconnecting). Also useful for tab-completing remote paths. It does not prompt for authentication again, though. And it's a bit annoying when the connection hangs (can be solved with ssh -o close, IIRC).

                                                                                        • NitpickLawyer

                                                                                          today at 5:54 AM

                                                                                          > I use another little-known feature, "ControlMaster". Multiplexes multiple connections into one, it makes making " new" sessions instant

                                                                                          Is this what secureCRT used as well? I remember this being all the rage back when I used windows, and it allowed this spawn new session by reusing the main one.

                                                                                          • ghrl

                                                                                            today at 5:37 AM

                                                                                            I'm using that as well but had issues with tunneling where it creates the tunnel in the background and terminates and so you might not know the random port it assigned or I couldn't figure out how to un-tunnel it and tunnel again to the same port. Just bypassed the control master then.

                                                                                            • nyanchovy

                                                                                              today at 1:56 AM

                                                                                              TIL; thanks, that's interesting (and somehow escaped my 20+ years of using ssh)! As usual the gold is in the comments :-)

                                                                                      • utopiah

                                                                                        today at 8:28 AM

                                                                                        My gosh... I've spent decades closing a connection by killing the terminal.

                                                                                        ~.

                                                                                        • blueflow

                                                                                          yesterday at 11:57 PM

                                                                                          As secret as the ssh manual.

                                                                                            • bigstrat2003

                                                                                              today at 2:08 AM

                                                                                              "secret" not in the sense that it's hidden, but that most people won't know about it. Because approximately nobody actually reads man pages in their entirety, they just get in to find out how a specific flag works and then get out.

                                                                                          • xnf

                                                                                            today at 8:50 AM

                                                                                            Sometimes things feel so simple that I don't even read the manual. cool

                                                                                            • juancn

                                                                                              today at 1:36 AM

                                                                                              It's like Ctrl + ] on telnet.

                                                                                              The good old times!

                                                                                                • elric

                                                                                                  today at 8:35 AM

                                                                                                  Unlike CTRL ], at least ~. doesn't require that I press two modifiers at the same time ... CTRL ALTGR $. Because people who define those kinds of shortcuts never consider how they might work on non-QWERTY layouts.

                                                                                              • olalonde

                                                                                                today at 4:47 AM

                                                                                                Wow, never knew this... That said I'm not sure if I'll remember using it as my muscle memory is already trained to kill hung processes via ctrl-b s, ctrl-k, ctrl-b x (in tmux).

                                                                                                • Lasang

                                                                                                  today at 1:45 AM

                                                                                                  Hidden or undocumented features like this always have a strange appeal. Part of it is nostalgia for older software where small Easter eggs or experimental features would sometimes ship in production builds.

                                                                                                • nirui

                                                                                                  today at 3:13 AM

                                                                                                  Secret Menu -> Escape Characters

                                                                                                  I really hate it when people just rename terms. It makes it harder to search properly for better answers.

                                                                                                  • joecool1029

                                                                                                    today at 2:06 AM

                                                                                                    FYI, you can kill forwarding tunnels with -KD portnum on that command line too.

                                                                                                    • dennis-tra

                                                                                                      today at 6:44 AM

                                                                                                      https://xkcd.com/1053/

                                                                                                      • _kst_

                                                                                                        today at 12:25 AM

                                                                                                        That doesn't do much good if you set `EscapeChar` to `none` in `.ssh/config`.

                                                                                                        I find it convenient not to have to worry about accidentally entering escape characters. YMMV.

                                                                                                          • MayeulC

                                                                                                            today at 12:41 AM

                                                                                                            Note that it only works after pressing enter, so the odds are slim. In practice, I don't think I ever hit it by accident.

                                                                                                              • greyface-

                                                                                                                today at 1:22 AM

                                                                                                                I have noticed it while running ~/bin/some_command. The ~ doesn't echo until I also type the /. It doesn't cause any misbehavior because there is no binding for ~/, but it can be slightly surprising.

                                                                                                                  • singlow

                                                                                                                    today at 2:40 AM

                                                                                                                    I find it odd that you would have commands in ~/bin but not have it be the highest priority in your PATH. I use ~/.local/bin, but would never type it because I wouldn't have bins that overlap shell commands and no other path would have priority.

                                                                                                                      • greyface-

                                                                                                                        today at 4:24 AM

                                                                                                                        Usually, it is. IIRC, this was when I was just setting up my environment on a new host, after I had populated ~/bin but before I restarted my shell to pick up PATH modifications.

                                                                                                            • wolvoleo

                                                                                                              today at 12:42 AM

                                                                                                              SSH does it pretty well though. Never once have I done it by mistake.

                                                                                                                • jasomill

                                                                                                                  today at 2:47 AM

                                                                                                                  I'd guess this is because it only works in ssh PTY sessions. So it would have no effect on tunneling or when piping arbitrary data through ssh to a non-interactive remote command (unless you use the -t switch to force PTY allocation even when stdin is not a TTY).

                                                                                                                    • wolvoleo

                                                                                                                      today at 3:01 AM

                                                                                                                      No I don't think so. I mainly and pretty much constantly use SSH for logging in. I'm not one of those 'cattle not pets' guys lol.

                                                                                                                      And when I port forward I usually don't even tunnel it over SSH because all my stuff is on tailscale so it's also encrypted.

                                                                                                          • fay_

                                                                                                            today at 7:43 AM

                                                                                                            [dead]
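An added illustration, not posted by anyone in the thread: an ssh_config fragment that puts the two settings discussed above side by side, the default escape character (under which `~.` tears down a hung session and `~C` opens the `ssh>` command line where `-KD port`, `-KL port` and `-KR port` cancel a dynamic, local or remote forward, as joecool1029 notes) and `EscapeChar none` as _kst_ uses it. The host names and host aliases are placeholders, and the split between interactive and data-pipe hosts is an assumption about how they are used.

```ssh_config
# ~/.ssh/config (illustration; "jump" and "backup" are placeholder aliases)

# Interactive shells: keep the default escape character. It is only
# recognised at the start of a line, i.e. right after a newline, so
# "~." drops a hung session, "~C" opens the "ssh>" command line
# (where "-KD 1080" cancels a dynamic forward, "-KL"/"-KR" a local/remote one),
# and "~?" prints the list of bindings.
Host jump
    HostName jump.example.com
    EscapeChar ~

# Hosts used only as a pipe for data (backup streams, rsync over ssh):
# disable escapes so a "~" in the byte stream can never be interpreted
# by the client. Escape processing only happens when a pty has been
# requested anyway, so do not request one for these hosts either.
Host backup
    HostName backup.example.com
    EscapeChar none
    RequestTTY no
```

The command-line equivalents are `ssh -e none backup` and `ssh -e '~' jump`; passing `-t` to force a pty re-enables escape processing regardless of whether stdin is a terminal, which is the case jasomill points at above.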