July 4, 2026
Break the Gate, Own the Tunnel: The Brutal SSH Flag Guide Every Hacker Must Master
By Devansh Patel
SSH is not merely a remote-login command. In the hands of a system administrator, developer, penetration tester, or ethical hacker, it becomes an encrypted command channel, authentication system, proxy, pivoting mechanism, and traffic-forwarding engine.
Mastering SSH flags means controlling exactly how you connect, authenticate, troubleshoot, and tunnel through a network.
Use these techniques only on systems you own or have explicit authorization to test.
What Is the SSH Command?
SSH stands for Secure Shell. It allows you to securely connect to another computer over a network and control it from your terminal.
The basic syntax is:
ssh username@server
For example:
ssh alice@192.168.1.50
This command means:
"Connect securely to the machine at 192.168.1.50 and log in as the user alice."
Once the connection is established, commands typed in your local terminal are executed on the remote system. SSH encrypts the authentication process, commands, and data exchanged between both machines.
SSH commonly supports two authentication methods:
- Password authentication — you enter the remote account's password.
- Public-key authentication — your machine proves its identity using a private key while the server checks the corresponding public key.
Now let us break down the flags that turn SSH into a serious security and networking tool.
1. -i: Select an Identity File
Syntax:
ssh -i private_key username@server
The -i option tells SSH which private key it should use for authentication.
Example:
ssh -i ~/.ssh/ex_key alice@192.168.1.50
In public-key authentication:
- The private key remains on your machine.
- The matching public key is stored on the server.
- The private key should never be copied to the remote server or shared with anyone.
You can generate an Ed25519 key pair with:
ssh-keygen -t ed25519 -f ~/.ssh/ex_key
This normally creates two files:
~/.ssh/ex_key
~/.ssh/ex_key.pub
The first file is the private key. The file ending in .pub is the public key.
Copy the public key to the server:
ssh-copy-id -i ~/.ssh/ex_key.pub alice@192.168.1.50
Then authenticate using the private key:
ssh -i ~/.ssh/ex_key alice@192.168.1.50
Key authentication can remove the need to enter the remote account password. However, when the private key itself is protected with a passphrase, that passphrase must still be entered unless an SSH agent is managing the key.
2. -p: Connect to a Different SSH Port
Syntax:
ssh -p port username@server
SSH listens on TCP port 22 by default. The -p option is used when the SSH service is running on another port.
Example:
ssh -p 2222 alice@192.168.1.50
This connects to TCP port 2222 instead of port 22.
Remember that lowercase -p specifies the destination port. Uppercase -P is not the equivalent SSH client option.
3. -l: Specify the Login Name
Syntax:
ssh -l username server
The lowercase -l option defines the username that SSH should use on the remote machine.
Example:
ssh -l alice 192.168.1.50
This is equivalent to:
ssh alice@192.168.1.50
A critical distinction must be remembered:
- Lowercase -l specifies the login name.
- Uppercase -L creates a local port-forwarding tunnel.
One character completely changes the command's purpose.
4. -v, -vv, and -vvv: Enable Debugging
Syntax:
ssh -v username@server
The -v flag enables verbose output and reveals what SSH is doing during the connection.
The available levels are:
ssh -v username@server
ssh -vv username@server
ssh -vvv username@server
Their purposes are:
- -v — basic debugging information.
- -vv — more detailed connection and authentication information.
- -vvv — maximum debugging output.
Example:
ssh -vvv -i ~/.ssh/ex_key alice@192.168.1.50
Verbose mode is extremely useful when investigating:
- Authentication failures
- Incorrect key permissions
- Rejected private keys
- Host-key problems
- Port or network failures
- SSH configuration issues
- ProxyJump and forwarding problems
When SSH refuses to cooperate, -vvv is often where the truth appears.
5. -t and -T: Control Pseudo-Terminal Allocation
A TTY is an interactive terminal environment where you type commands and receive output.
On modern Linux systems, interactive remote sessions commonly use a pseudo-terminal, visible through devices such as:
/dev/pts/0
Force a pseudo-terminal with -t
Syntax:
ssh -t username@server command
Example:
ssh -t alice@192.168.1.50 "sudo whoami"
The -t option forces SSH to allocate a pseudo-terminal. This is useful for commands that expect an interactive terminal, especially sudo, terminal-based applications, or interactive shells.
In difficult cases, -tt can force terminal allocation more aggressively:
ssh -tt alice@192.168.1.50 "sudo whoami"
When input comes from a pipe rather than a human-operated terminal, SSH may not allocate a pseudo-terminal automatically.
Example:
echo "hello" | ssh alice@192.168.1.50 "cat"
Here, the input comes from the pipeline.
Disable terminal allocation with -T
Syntax:
ssh -T username@server
The uppercase -T option explicitly prevents SSH from creating a pseudo-terminal.
Example:
ssh -T alice@192.168.1.50 "uname -a"
This is useful for scripts, automation, Git operations, and commands that do not require an interactive shell.
6. -L: Create a Local Port Forward
Syntax:
ssh -L local_port:destination_host:destination_port username@ssh_server
Local forwarding opens a port on your machine and sends traffic received on that port through the SSH connection.
Example:
ssh -L 8080:internal.example.com:80 alice@gateway.example.com
The traffic flow is:
Your machine:8080
↓
Encrypted SSH tunnel
↓
SSH gateway
↓
internal.example.com:80
After establishing the tunnel, opening this address locally:
http://127.0.0.1:8080
connects you to internal.example.com on port 80 through the SSH server.
Local forwarding is valuable when a service is inaccessible directly from your machine but is reachable from the SSH server.
7. -R: Create a Remote Port Forward
Syntax:
ssh -R remote_port:destination_host:destination_port username@remote_server
Remote forwarding performs the reverse operation. It opens a port on the remote SSH server and sends connections received there back through the SSH tunnel.
Example:
ssh -R 9000:localhost:3000 alice@remote.example.com
The traffic flow becomes:
Remote server:9000
↓
Encrypted SSH tunnel
↓
Your machine:3000
This can expose a locally running application to the remote server.
For example, when a development server is running locally on port 3000, the remote machine can access it through port 9000.
Remote forwarding is often restricted to the remote machine's loopback interface. Allowing other systems to access the forwarded port may require server-side SSH configuration, such as GatewayPorts.
8. -D: Create a Dynamic SOCKS Proxy
Syntax:
ssh -D local_port username@server
The -D option creates a local SOCKS proxy and dynamically forwards supported application traffic through the SSH server.
Example:
ssh -D 1080 alice@gateway.example.com
This creates a SOCKS proxy at:
127.0.0.1:1080
You can configure a browser or another SOCKS-compatible application to use this proxy.
Unlike -L, which forwards traffic to one fixed host and port, -D allows the application to choose different destinations dynamically.
The traffic path is:
Application
↓
Local SOCKS proxy
↓
Encrypted SSH tunnel
↓
SSH server
↓
Requested destination
This is useful for secure browsing, network testing, and authorized access to services reachable from the SSH server.
9. -A and -a: Control SSH Agent Forwarding
Enable agent forwarding with -A
Syntax:
ssh -A username@server
SSH agent forwarding allows a remote machine to request authentication through the SSH agent running on your local machine.
The private key itself is not copied to the remote server. Instead, the remote system communicates with your local agent through the active SSH connection.
This is useful when connecting through one server to another:
Your machine → Jump server → Internal server
Example:
ssh -A alice@jump.example.com
From the jump server, you may then authenticate to another system using a key held by your local SSH agent.
However, agent forwarding is dangerous on untrusted machines. A compromised remote host may use the forwarded agent to request authentication signatures while your session is active.
Use -A only with systems you trust.
Disable agent forwarding with -a
ssh -a alice@server
The lowercase -a option disables agent forwarding, even when it has been enabled in an SSH configuration file.
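Because agent forwarding can be switched on in a configuration file as well as with -A, it is worth checking where a client config enables it. The script below is an added example, not part of the original article: the function names are hypothetical, the sample config is constructed, and it assumes OpenSSH ssh_config syntax without following Include directives.

```shell
#!/bin/sh
# Added example: report which Host/Match blocks of an OpenSSH client config
# enable agent forwarding. Reads the config on stdin.
forwardagent_hosts() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
        n = match(line, /[ \t=]+/)
        key = tolower(n ? substr(line, 1, RSTART - 1) : line)
        val = n ? substr(line, RSTART + RLENGTH) : ""
        sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") { block = val; next }
        # Any value other than "no" (yes, a socket path, a $VAR) turns forwarding on.
        if (key == "forwardagent" && tolower(val) != "no") {
            where = (block == "" ? "(global)" : block)
            print where " -> ForwardAgent " val
        }
    }'
}

# Constructed sample config, for illustration only.
sample_ssh_config() {
    cat <<'EOF'
Host jump.example.com
    User alice
    ForwardAgent yes

Host *.lab.example.com
    forwardagent=no

# A wildcard block forwards the agent to every host not matched earlier.
Host *
    ForwardAgent yes
EOF
}

sample_ssh_config | forwardagent_hosts
```

Run it against a real client config with `forwardagent_hosts < ~/.ssh/config`. A hit on `Host *` means the agent is offered to every server, trusted or not.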
10. -J: Connect Through a Jump Host
Syntax:
ssh -J jump_user@jump_host target_user@target_host
A jump host, also called a bastion host, is an intermediate server used to reach another machine that is not directly accessible.
Example:
ssh -J alice@bastion.example.com admin@internal.example.com
The connection path is:
Your machine
↓
bastion.example.com
↓
internal.example.com
SSH automatically builds the connection through the bastion host. You do not need to manually log in to the first machine and then start another SSH session.
Multiple jump hosts can also be chained:
ssh -J user1@jump1,user2@jump2 admin@internal.example.com
The -J option is one of the cleanest ways to access segmented internal networks during legitimate administration and authorized penetration testing.
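When reviewing shell history or process listings, the forwarding flags covered above (-L, -R, -D, -A, -J) and the -l / -L distinction are easy to misread. The classifier below is an added example, not part of the original article: the function name and labels are hypothetical, the sample command lines are constructed from the article's examples, and the list of value-taking options follows the OpenSSH ssh(1) synopsis.

```shell
#!/bin/sh
# Added example: label the forwarding-related flags in one ssh command line.
# Parsing stops at the remote command, so "ls -l" run remotely is not
# mistaken for a login name.
classify_ssh_flags() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        takes_arg = "BbcDEeFIiJLlmOopQRSWw"   # options that consume a value
        label["L"] = "local-forward";   label["R"] = "remote-forward"
        label["D"] = "dynamic-socks";   label["J"] = "jump-host"
        label["A"] = "agent-forwarding"; label["l"] = "login-name"
    }
    {
        seen_host = 0
        for (i = 2; i <= NF; i++) {            # field 1 is the ssh binary
            tok = $i
            if (tok == "--") break             # explicit end of options
            if (tok !~ /^-./) {                # not an option token
                if (seen_host) break           # remote command starts here
                seen_host = 1
                continue
            }
            for (j = 2; j <= length(tok); j++) {   # walk clusters such as -AD1080
                c = substr(tok, j, 1)
                val = ""
                if (index(takes_arg, c)) {
                    val = substr(tok, j + 1)       # attached form: -L8080:h:80
                    if (val == "") val = $(++i)    # separate form: -L 8080:h:80
                    j = length(tok)                # a value ends the cluster
                }
                if (c in label) {
                    out = label[c]
                    if (val != "") out = out " " val
                    print out
                }
            }
        }
    }'
}

# Constructed sample command lines, for illustration only.
while IFS= read -r line; do
    printf '== %s\n' "$line"
    classify_ssh_flags "$line"
done <<'EOF'
ssh -l alice 192.168.1.50
ssh -L 8080:internal.example.com:80 alice@gateway.example.com
ssh -vvv -AD1080 alice@gateway.example.com
ssh -t alice@192.168.1.50 ls -l /tmp
EOF
```

The last sample prints nothing, because the `-l` there belongs to the remote `ls`.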