Chapter 11. Network Management

Table of Contents

Supporting your Network Card
Native Driver Support
Support through Windows Drivers
Verify your Networking Abilities
Wired Network Configuration
Configuring the Wired Network
Wireless Network Configuration
Supporting your Network Card
Using Wireless Extensions Support (wireless-tools)
Using the New Wireless Extensions Support (iw)
Using wpa_supplicant for WPA Encrypted Networks
User-friendly Network Configuration Tools
Firewall Configuration
Sharing your Internet Connection
Forwarding Requests
Distributing IP Addresses
Allowing Remote Access
Secure Shell
Secure File Transfer
Further Resources


An important aspect of system management is networking configuration. Linux is a very powerful operating system with major networking capabilities. Even more, many network appliances are in fact Linux-based.

There are two configurations you'll most likely get in contact with: wired network configuration (of which I'll discuss the Ethernet connection) and wireless (IEEE 802.11* standards).

Supporting your Network Card

Native Driver Support

PCI Cards

First of all, check how many interfaces you would expect on your system. Verify this with the PCI devices found by Linux. For instance, to find out about a wired network controller ("Ethernet" controller):

# lspci | grep Ethernet
06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
        RTL-8169 Gigabit Ethernet (rev 10)

In this case, one network card was found that offered Ethernet capabilities. The card uses the Realtek 8169 chip set.

USB Network Cards

There are a few USB devices which offer networking capabilities (most of them wireless) which have native Linux support. An example are the USB devices with the Intel 4965agn chip set. If your Linux kernel supports it, the moment you plug it in, a network interface should be made available. For instance, for wireless devices you could use iwconfig, for regular Ethernet cards ifconfig:

# iwconfig
lo        no wireless extensions.

dummy0    no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11g  ESSID:"default"  Nickname:"default"
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:1D:6A:A2:CD:29   
          Bit Rate:54 Mb/s   Tx-Power=20 dBm   Sensitivity=8/0  
          Retry limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=89/100  Signal level=-37 dBm  Noise level=-89 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:7

Support through Windows Drivers

It is possible to support your (wireless or not) network card using the Windows drivers. The tool you need to install for that is called ndiswrapper. First, install ndiswrapper:

# emerge ndiswrapper

Next, either download the windows drivers for the network card or mount the driver CD that was provided with the card. In the drivers, you should find an .inf file. This file contains information regarding the driver(s) for the card and is used by ndiswrapper to create a wrapper.

Install the driver using ndiswrapper -i from within the location where the driver is unpacked:

# ndiswrapper -i net8191se.inf

To verify if the driver installation succeeded, get an overview of the installed drivers using ndiswrapper -l:

# ndiswrapper -l

net8191se: driver installed, hardware present

As you can see, the driver got installed and detected compatible hardware.

Now have ndiswrapper create the necessary modprobe information (modprobe is used by the system to load kernel modules with the correct information; ndiswrapper creates modprobe information that ensures that, when the ndiswrapper kernel module is loaded, the installed wrapper drivers are enabled as well) and make sure that the ndiswrapper kernel module is started when you boot your system:

# ndiswrapper -m
# nano -w /etc/modules.autoload.d/kernel-2.6
(Add "ndiswrapper" on a new line)

You can manually load the ndiswrapper kernel module as well:

# modprobe ndiswrapper

You can now check if the network interface is available (iwconfig or ifconfig).

Verify your Networking Abilities

To find out if Linux has recognized this interface, run the ip link command. It will show you the interfaces that it has recognized on your system:

# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:9f:94:6b:f5 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
      qlen 1000
    link/ether 00:12:f0:57:99:37 brd ff:ff:ff:ff:ff:ff

Now, to find out which interface maps to the Ethernet controller shown before you'll need to check the Linux kernel output when it detected the interfaces. You can either use dmesg (which displays the last few thousands of lines produced by the Linux kernel) or /var/log/dmesg (depending on your system logger) which is the log file where all Linux kernel output is stored for the duration of the systems' session (i.e. until the next reboot).

# grep -i eth0 /var/log/dmesg
eth0: RTL8169sb/8110sb at 0xf8826000, 00:c0:9f:94:6b:f5, XID 10000000
  IRQ 11

In this case, the eth0 interface indeed maps to the Ethernet controller found before.

If Linux does not recognize your device, you'll need to reconfigure your Linux kernel to include support for your network driver. The Linux kernel configuration has been discussed before as part of the device management chapter.

Wired Network Configuration

Most systems have support for the popular Ethernet network connection. I assume that you are already familiar with the term Ethernet and the TCP/IP basics.

Before you configure Gentoo Linux to support your Ethernet connection, you'll first need to make sure that your network card is supported. Once available, you'll configure your interface to either use a manually set IP address or automatically obtain an IP address.

Configuring the Wired Network

There are two methods you can use to configure your wired network: a manual approach (which works on all Linux systems) or the Gentoo Linux specific approach.

Manual Configuration

The quickest method for configuring your network is to tell Linux what you want - a static IP address for your interface, or automatically obtain the IP address information from a DHCP server which is running on your network (most Internet sharing tools or appliances include DHCP functionality).

To set the static IP address to the eth0 interface, telling Linux that the gateway on the network is reachable through (the IP address that shares access to outside networks):

# ifconfig eth0 netmask 
 broadcast up
# ip route add default via

In the example, I used the ifconfig command to tell Linux to assign the IP address to the eth0 interface, setting the netmask (part of the IP address that denotes the network) to and broadcast (IP address which addresses all IP addresses in the local network) to This is the same as assigning the IP address on a network (for those who understand the CIDR notation).

If you need static IP addresses but don't know the netmask (and broadcast), please ask your network administrator - these are quite basic settings necessary for an IP configuration.

You'll most likely also receive a set of IP addresses which correspond to the DNS servers (name servers) for your network. You'll need to set those IP addresses inside the /etc/resolv.conf file:

# nano /etc/resolv.conf
search lan

With this configuration file you tell Linux that a host name can be resolved through the DNS services at the corresponding IP addresses (the name servers) if it does not know the IP address itself.

If you want to configure eth0 to automatically obtain its IP address (and default gateway and even DNS servers), which is the most popular method for local network configurations, you can use a DHCP client such as dhcpcd:

# dhcpcd eth0

That's all there is to it (unless the command fails of course ;-)

Gentoo Linux Network Configuration

If you want to have Gentoo Linux configure your network device, you'll need to edit the /etc/conf.d/net file.

# nano /etc/conf.d/net

If you need to set the IP address yourself (static IP address), you'll need to set the following (suppose the static IP address is, gateway and netmask and the name servers are and

config_eth0=" netmask"

If you want to configure the interface to use DHCP (automatically obtain IP address):


For more examples on the Gentoo Linux network configuration (with more advanced features), check out the /usr/share/doc/openrc-*/net.example file.

To enable this support, you need to add the net.eth0 service to the default runlevel and start the net.eth0 service.

# rc-update add net.eth0 default
# /etc/init.d/net.eth0 start

If a command tells you that net.eth0 doesn't exist, create it as a symbolic link to the net.lo service script:

# cd /etc/init.d; ln -s net.lo net.eth0

More about services later.

Wireless Network Configuration

Wireless networking support is actively being developed on Linux. Sadly, it is also one of the regions where a fully automated out-of-the-box solution isn't available yet. Linux is lacking this because the card providers themselves do not follow standards or refuse to help out with (free software) driver development. As a result, wireless card support (drivers) can be triggered through free software drivers (if you're lucky), proprietary Linux drivers (if you're somewhat lucky) or proprietary Windows drivers (if you're not lucky, but will still be able to get your card working). A fourth state can be that you just ... won't ... get ... it ... working. Yet.

However, development of wireless card support is - like I said - actively being developed. Chances are that an unsupported card (or chip set) now will be supported within 6 months.

Generally speaking though, 80% to 90% of the wireless cards/chip sets are supported under Linux.

Supporting your Network Card

If you have configured your kernel with support for your wireless network card, you should be able to find the interface in the ifconfig -a output:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr c8:0a:a9:42:9d:76  
          inet addr:  Bcast:  Mask:
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:30 Base address:0x6000 

eth1      Link encap:Ethernet  HWaddr f0:7b:cb:0f:5a:3b  
          inet addr:  Bcast:  Mask:
          RX packets:510358 errors:0 dropped:0 overruns:0 frame:13407
          TX packets:300167 errors:5 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:732540912 (698.6 MiB)  TX bytes:26679459 (25.4 MiB)

In the above example, two Ethernet interfaces are detected: eth0 (which in my case is a regular Ethernet interface) and eth1 (which, since I only have a single wired interface on my system, is most likely the wireless card). To be absolutely sure about the wireless capabilities, you'll need to install wireless-tools or iw.

Using Wireless Extensions Support (wireless-tools)

The (old, yet still working) wireless extensions support tool set is slowly being deprecated in favour of the new tool set. However, you might be required to use the old set as the switch requires the wireless card drivers to be rewritten as well. Especially with proprietary drivers this might take a while, so support for wireless-tools is not going to go away soon.

The information in this section will help you configure a wireless card/network using command-line tools. For a more user-friendly approach, please read User-friendly Network Configuration Tools.

Verifying Wireless Capabilities

To verify if a particular Ethernet interface really has wireless capabilities, first install wireless-tools and then run iwconfig:

# emerge wireless-tools
# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

eth1      IEEE 802.11bgn  ESSID:"1de_verdiep"  Nickname:""
          Mode:Managed  Frequency:2.462 GHz  Access Point: 02:26:5A:4B:E4:6A   
          Bit Rate=54 Mb/s   Tx-Power:24 dBm   
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Managementmode:All packets received
          Link Quality=5/5  Signal level=-48 dBm  Noise level=-94 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:32  Invalid misc:0   Missed beacon:0

As I already suspected, eth1 is indeed the wireless interface.

Accessing a Wireless Network

To access an existing wireless network, you need a few settings. Some of them can be obtained quickly, others might require information from your network administrator.

Let's first start with the wireless network name, called the ESSID. With iwlist you can obtain a list of detected wireless networks and their accompanying ESSIDs:

# iwlist eth1 scan
eth1      Scan completed :
          Cell 01 - Address: 00:11:0A:2A:73:03
                    Protocol:IEEE 802.11bg
                    Frequency:2.417 GHz (Channel 2)
                    Encryption key:off
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 9 Mb/s; 11 Mb/s
                              6 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=82/100  Signal level=-48 dBm  
                    Extra: Last beacon: 37ms ago
          Cell 02 - Address: 00:C0:49:B0:37:43
                    Protocol:IEEE 802.11b
                    Frequency:2.462 GHz (Channel 11)
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 22 Mb/s
                    Quality=41/100  Signal level=-76 dBm  
                    Extra: Last beacon: 7665ms ago

In this case, two wireless networks are found. The first one has ESSID "aaa" and does not require any encryption (so you don't need to know any password or passphrase to access this network) - notice the "Encryption key:off" setting. The second one has ESSID USR8022 and requires an encryption key. However, the second network's signal is also less powerful (lower quality and signal level).

To configure your card to use a particular ESSID, you can use the iwconfig command:

# iwconfig eth1 essid aaa

Suppose that you need to enter an encryption key as well, you can add the key either in its hexadecimal form, or through the ASCII representation.

# iwconfig eth1 essid USR8022 key FF83-D9B3-58C4-200F-ADEA-DBEE-F3
# iwconfig eth1 essid USR8022 key s:MyPassPhrase

Once you have attached your wireless interface to a particular network, you can configure it as if it was a fixed Ethernet interface.

Now, Gentoo Linux allows you to configure your wireless network card through /etc/conf.d/net as well.

In the next example, the wireless configuration is set so that the two networks (aaa and USR8022) are supported where aaa is the preferred network.

key_aaa="key off"
key_USR8022="s:MyPassPhrase enc open"
preferred_aps="'aaa' 'USR8022'"

Once your wireless interface is connected to a wireless network, you can use the IP configuration commands as shown earlier for wired networks.

Again, you'll need to add the net.eth1 service to the default runlevel and then fire up the net.eth1 service:

# rc-update add net.eth1 default
# /etc/init.d/net.eth1 start

Using the New Wireless Extensions Support (iw)

The new wireless extensions support requires kernel drivers that use the (new) nl80211 netlink interface. Almost all free software wireless drivers have been ported towards this interface, so if your wireless card is by default supported by the Linux kernel, you will most likely want to use the iw tool set.

Verifying Wireless Capabilities

To verify if a particular Ethernet interface really has wireless capabilities, first install iw and then run iw list:

# emerge iw
# iw list
lWiphy phy0
        Band 1:
                        * 2412 MHz [1] (20.0 dBm)
                        * 2417 MHz [2] (20.0 dBm)
                        * 2484 MHz [14] (20.0 dBm) (passive scanning, no IBSS)
                Bitrates (non-HT):
                        * 1.0 Mbps
                        * 2.0 Mbps (short preamble supported)
                         * 54.0 Mbps
        max # scan SSIDs: 1
        Supported interface modes:
                 * IBSS
                 * managed

Unlike wireless-tools, iw lists the device as being phy0 (so no immediate relation with eth0/eth1). The relation can be found using iw dev:

# iw dev
        Interface eth1
                ifindex 4
                type managed

Accessing a Wireless Network

To access an existing wireless network, you need a few settings. Some of them can be obtained quickly, others might require information from your network administrator.

Let's first start with the wireless network name, called the ESSID. With iw scan you can obtain a list of detected wireless networks and their accompanying ESSIDs:

# iw dev eth1 scan

BSS 02:87:11:26:39:f9 (on eth1)
        TSF: 130175283584 usec (1d, 12:09:35)
        freq: 2432
        beacon interval: 100
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: 61.00 dBm
        last seen: 930 ms ago
        SSID: TM2300
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
        DS Parameter set: channel 5
        ERP: Barker_Preamble_Mode
        Extended supported rates: 24.0 36.0 48.0 54.0
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: (0x0000)
BSS 00:1a:70:eb:ae:f4 (on eth1)
        TSF: 606247219588 usec (7d, 00:24:07)
        freq: 2437
        beacon interval: 100
        capability: ESS ShortSlotTime (0x0401)
        signal: 72.00 dBm
        last seen: 870 ms ago
        SSID: linksys
        Supported rates: 1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0
        DS Parameter set: channel 6
        ERP: <no flags>
        Extended supported rates: 6.0 9.0 12.0 48.0

In this case, two wireless networks are found. The first one has ESSID "TM2300" and requires WPA encryption (this can be deduced from the RSN information). The second network has SSID "linksys" and does not require encryption.

To configure your card to use a particular non-WPA encrypted ESSID, you can use the iw connect command:

# iw eth1 connect linksys

Suppose that you need to enter a WEP encryption key as well, you can add the key either in its hexadecimal form, or through the ASCII representation.

# iw eth1 connect myssid keys d:0:FF83D9B358C4200FE8343033
# iw eth1 connect myssid keys 0:MyPrivatePassword

To verify that the connection succeeded, request the link status using iw link:

# iw dev eth1 link
Connected to 68:7f:74:3b:b0:01 (on eth1)
        SSID: linksys
        freq: 5745
        RX: 30206 bytes (201 packets)
        TX: 4084 bytes (23 packets)
        signal: -31 dBm
        tx bitrate: 300.0 MBit/s MCS 15 40Mhz short GI

Once you have attached your wireless interface to a particular network, you can use the IP configuration commands as shown earlier for wired networks.

Using wpa_supplicant for WPA Encrypted Networks

The wpa_supplicant tool is a software component which controls the wireless connection between your system and an access point. A major advantage of wpa_supplicant over the previously described wireless tools is its support for WPA/WPA2.

Before you can use wpa_supplicant, you first need to install it:

# emerge -a wpa_supplicant

Accessing a Wireless Network

You need to configure your wpa_supplicant to support the wireless network(s) you want to access. Suppose that your home network is called "home" and is a secured (WPA) environment with key "myHomeKey" and at your work there is a wireless network called "CompanyGuests", secured (WPA) environment with key "myCompanyKey" and a third network at your local computer club called "hobby", not secured, then the following wpa_supplicant.conf configuration could work:





The wpa_supplicant tool also supports WPA2. For instance:

  psk="highly private key"

If you do not like to see your private key in plain text, use wpa_passphrase to encrypt your key:

$ wpa_passphrase akkerdjie "highly private key"
  #psk="highly private key"   <-- Plain comment, can be removed!

You can copy/paste the resulting information in wpa_supplicant.conf and remove the (commented) plain-text key information.

If your wireless card is found by Linux (and its powered on), then running the following command will activate the wpa_supplicant on top of it (assume the wireless interface is called wlan0):

# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf

One interesting option is the -D option: with this you select the wireless driver to use. With -Dwext, we use the Linux wireless extensions (which is quite generic). In certain cases you might need to use a different driver - the Internet has many resources on how to configure your specific wireless network card with Linux if the Linux wireless extensions don't work.

Of course, once the configuration file is finished, you can use Gentoo's networking scripts as well. First, edit /etc/conf.d/net to use wpa_supplicant:


To have the wireless support active when you boot up your system, enable the net.wlan0 init script. If /etc/init.d/net.wlan0 doesn't exist yet, first create it:

# cd /etc/init.d
# ln -s net.lo net.wlan0

Next, add the net.wlan0 init script to the default runlevel:

# rc-update add net.wlan0 default

User-friendly Network Configuration Tools

The above information should allow you to work with any possible Linux installation. However, the commands might look a bit tricky and, especially with the wireless configuration, might even require you to hop between various commands or windows before you get the connection working.

Luckily, there are other tools around which rely on the same tools as mentioned before, but offer the user a saner interface from which they can configure their network. Note that these do require that the network card is already detected by Linux (so the kernel configuration part should have succeeded).


My personal favourite is Wicd, installable through net-misc/wicd. The tool exists out of two parts: a daemon and an end-user configuration interface.

# emerge wicd

Once installed, add the wicd service to the boot or default runlevel:

# rc-update add wicd default

Next, make sure Gentoo doesn't start its own network configuration by editing /etc/rc.conf, setting the following:


Now, start the wicd service (and shut down the services you are currently using):

# /etc/init.d/net.eth1 stop
# /etc/init.d/wicd start

If you run inside a graphical environment that supports applets (most desktop environments do), run wicd-client (from a "Run Program..." prompt or so). From within a command-line interface, you can use wicd-curses. This client will connect with the service and allow you to configure your networks (both wired and wireless) more easily.

I refer you to the Wicd homepage for more information / documentation on the tool.

Firewall Configuration

When your system is going to use the Internet often, using a firewall is encouraged. People generally believe that their operating system is secure out of the box if they don't click on "weird" links inside e-mails or Internet sites. Sadly, this isn't true. Also, Linux should never be seen as a secure operating system - security of a system is completely defined by the competence of the system administrator.

A firewall will not fully protect your system from malicious users on the (Inter)net, but it will filter many - of course, depending on the strength of the firewall.

There are many firewalls available for Linux; on Gentoo Linux alone more than a dozen tools exist (just check out the content of the net-firewall category). Most firewall tools use iptables as underlying tool. The iptables tool is an administration tool for manipulating IPv4 packets and is a very known and popular tool.

Firewall tools will often generate iptables rules to create filters (the actual firewall).

Because writing firewall rules is quite custom (it depends on what services your system offers and what tools you often use) I suggest using firewall tools first. Later, when you want to customize them further, you can write your own iptables rules.

Sharing your Internet Connection

We have seen the iptables command previously, as part of the firewall configuration. iptables however is not Linux' firewall tool: its purpose is to create rules on how to deal with network packets on your computer. As such, iptables can also be used to create a NAT gateway through which clients can access the Internet.

In the following examples, we suppose that Internet is available at the wlan0 interface while all clients access through the eth0 interface. Also, we will be assigning IP addresses in the range of to our clients...

Forwarding Requests

This is the simplest step: we ask iptables to enable masquerading on the Internet interface. Masquerading keeps track of connections packets going out on this interface with their original source IP address; the packets on the connection are altered so it seems as if the local system has created the connection rather than a client:

iptables -A POSTROUTING -t nat -o wlan0 -j MASQUERADE

The only remaining tasks here is to enable forwarding packets from the clients to the Internet and back:

# iptables -A FORWARD -i eth0 -o wlan0 -s 
  ! -d -j ACCEPT
# iptables -A FORWARD -o eth0 -i wlan0 -d 
  ! -s -j ACCEPT

More information about iptables and masquerading can be found on the Internet...

Distributing IP Addresses

Now, if eth0 is accessible then all clients with a correct IP address attached to the eth0 interface can access the Internet; however, they will manually need to mark the local system as the default gateway as well as defining the necessary DNS servers. Luckily, we can automate this by installing a DHCP server so that clients can automatically obtain their IP address and necessary settings.

There are plenty of DHCP servers around. For local, small use, I myself use dhcp:

# emerge dhcp

Next, I configure dhcp to distribute the necessary IP address and other settings:

# nano -w /etc/dhcp/dhcpd.conf
option domain-name "";
option domain-name-servers;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none ;

option option-150 code 150 = text ;

subnet netmask {
  option routers;

Now that dhcpd is configured, we only need to start it when we need it:

# /etc/init.d/dhcpd start

Again, if you want to have the script started automatically, add it to the default runlevel.

Allowing Remote Access

If you need to allow remote access to your machine, there are a few tools available. As this book isn't focusing on graphical environments much, I'll stick with SSH access, or Secure SHell.


Allowing remote access to a system is never without security risks. If your security software is not up to date, or your password is easy to guess, or ... you risk being the target for more maliciously minded people. This is especially true if the IP address you have is immediately reachable from the Internet (either directly or because you use port forwarding on your routers).

Secure Shell

By enabling secure shell access to your machine, people on your network who have an account on your system (or know the credentials of an account) can access your system. The tool, which is called ssh, encrypts the data that is sent on the network so no-one can eavesdrop on the network and see user names, passwords or even more confidential information flow by.

To enable SSH access to your system, first install the net-misc/openssh package:

# emerge openssh

Of course, this doesn't automatically enable remote access: you still need to tell your system to start the SSH daemon. You can do this manually using /etc/init.d/sshd, but also ask Gentoo to automatically do this for you every time the system boots using rc-update.

# /etc/init.d/sshd start
# rc-update add sshd default

Now that that is accomplished, you (or other users on your network) can access your system using any SSH client (on Windows, I seriously recommend PuTTY). For instance, to access your system from another Linux system, the command could look like so (assuming that your IP address is and your user name is "captain"):

$ ssh -l captain

You will be asked to enter captain's password, and then you get a shell just like you would when you log on to the system physically.

Secure File Transfer

By installing and enabling SSH access to your system, you can now also perform secure file transfers.

There are two methods for doing secure file transfer using standard openssh tools: scp and sftp.

Secure Copy

With scp (secure copy) you can copy files between systems. If your source or destination (or both) are on a remote system, prepend the source/destination folder with the host name or IP address followed by a colon, like so:

$ scp thesis.tar.gz

If the copy also needs to change to a different user (say that you are currently logged on as "bunny" but on the remote side, you only have an account "wolf"):

$ scp wolf@ .

Secure FTP

With sftp (secure FTP) you have an ftp-like tool (which supports the same commands) but which uses the SSH protocol for all data (and command) transfers.

$ sftp wolf@
Connecting to
Password: (enter wolf's password)
sftp> cd /usr/portage/distfiles
sftp> pwd
Remote working directory: /usr/portage/distfiles
sftp> lpwd
Local working directory: /home/bunny
sftp> get YAML-*
Fetching /usr/portage/distfiles/YAML-0.71.tar.gz to YAML-0.71.tar.gz
/usr/portage/distfiles/YAML-0.71.tar.gz  100% 110KB 110.3KB/s 00:00

Further Resources