SSH: The Hidden Gem of Productivity (And Why You Should Turn It Off When You're Done)

There's a tool that ships with every Mac, hides inside every Linux box, and sits dormant on every Windows machine waiting to be switched on. It doesn't have a logo. There's no app icon. No one made a TikTok about it. And it's genuinely one of the most powerful things you'll ever use.

SSH. Secure Shell. Two words that sound like a rejected metal band name but actually represent the backbone of how the entire internet's infrastructure gets managed.

Every time Netflix deploys a new feature, SSH. Every time your bank patches a vulnerability at 3 AM, SSH. Every time a hobbyist plugs a Raspberry Pi into a closet and never attaches a monitor again, SSH.

And today, I'm going to show you how to go from "I've heard of it" to "I manage six machines from one chair with nothing but a terminal and a key pair."

The Story That Started This Article

Last week I was setting up a self-hosted GitHub Actions runner on an Atom D2700 from 2011. (Yes, that article exists and yes, it involves silver tequila.)

The plan was simple: install Alpine Linux, configure it at my desk with a monitor, then move the box headless to a closet with ethernet. The problem? I forgot to install openssh during setup. The box was in the closet. No monitor. No keyboard. Just a blinking power LED and my rapidly expanding vocabulary of four-letter words.

I had to drag it back to the desk, plug a monitor in, type commands on a keyboard from 2008 with a spacebar that only works if you hit it dead center, and fix my mistake.

The lesson? SSH isn't just a nice-to-have. It's the difference between "I'll fix that remotely in 30 seconds" and "let me find a monitor, a keyboard, an HDMI cable, and my will to live."

Your Mac Already Has Everything You Need

If you're on macOS, open Terminal (it's in Applications > Utilities, or just hit Cmd+Space and type "Terminal"). That's it. You have a fully functional SSH client right now. No installs. No configuration. Just:

ssh [email protected]

Type the password when prompted, and you're inside the remote machine. Every command you type runs over there, not on your Mac. It feels like magic the first time. By the hundredth time, it feels like breathing.

Save your connections so you never type IP addresses again. Edit (or create) ~/.ssh/config:

1Host hercules
2    HostName 192.168.50.202
3    User thesecretchief
4    IdentityFile ~/.ssh/id_ed25519
5
6Host hades
7    HostName 192.168.50.175
8    User root
9
10Host zeus
11    HostName 192.168.50.167
12    User admin

Now instead of remembering IP addresses like a phone book from 1997:

ssh hercules

Done. Name it whatever you want. Name it after Greek gods. Name it after your cats. Name it after your exes if that helps you remember which server is the unreliable one.

MobaXterm: The Swiss Army Knife for Windows

Windows has ssh in PowerShell and CMD now, and it works. But if you're managing multiple machines, MobaXterm is the upgrade you didn't know you needed.

It's free (the Home edition), and it gives you:

• Tabbed SSH sessions with saved bookmarks
• SFTP file browser in a sidebar (drag and drop files to/from remote machines)
• X11 forwarding built-in (run graphical Linux apps from Windows)
• Split panes for monitoring multiple servers simultaneously
• Session management with folders, auto-login, and key authentication

Setting up a saved session in MobaXterm:

1. Click Session (top left) > SSH
2. Remote host: your server's IP (e.g., 192.168.50.202)
3. Username: your login name
4. Port: 22
5. Click Advanced SSH Settings > check Use private key > point to your key file
6. Click Bookmark Settings > name it (e.g., D2700-Hercules)
7. Click OK

It appears in your left sidebar forever. Double-click to connect. The SFTP panel opens automatically showing the remote filesystem. Need to upload a script? Drag it from Windows Explorer into the panel. That's it.

Stop Typing Passwords: SSH Keys in 5 Minutes

Passwords are fine for your first connection. After that, they're a liability. Every password you type is a password that can be:

• Shoulder-surfed
• Keylogged
• Brute-forced
• Phished out of your future self after too many silver tequilas with tonic

SSH keys replace passwords with cryptography. You generate a key pair: a private key (stays on YOUR machine, never leaves, never shared) and a public key (goes on every server you want to access). When you connect, the math proves you hold the private key without ever transmitting it.

Generate your key pair (do this once, on your main machine):

ssh-keygen -t ed25519 -C "[email protected]"

Hit Enter for the default path. Set a passphrase. Yes, really. It encrypts the key file. If someone steals your laptop, they still can't use your key without the passphrase.

Copy the public key to a server:

ssh-copy-id [email protected]

That's it. Next time you SSH in, no password prompt. Just a seamless, encrypted connection.

On Windows (MobaXterm): Use the built-in key generator: Tools > MobaKeyGen. Generate an Ed25519 key, save both files, then add the public key content to ~/.ssh/authorized_keys on your servers.

1Password + SSH: The Keys to the Kingdom

Here's where it gets beautiful. If you use 1Password, your SSH keys can live inside your vault. This means:

• Keys sync across all your devices automatically
• Keys are protected by your 1Password master password + biometrics
• The SSH agent handles authentication transparently; you never touch a key file
• If you get a new laptop, your SSH access moves with your 1Password vault

Setup on macOS:

1. Open 1Password > Settings > Developer
2. Toggle on Use the SSH Agent
3. Toggle on Integrate with 1Password CLI (optional but useful)
4. Add your SSH key to 1Password (drag the private key file in, or create a new one inside 1Password)
5. Edit ~/.ssh/config and add at the top:

Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Now every SSH connection routes through 1Password's agent. When you ssh hercules, a 1Password prompt pops up asking for biometric approval (Touch ID or Apple Watch). Tap your finger. You're in.

No passphrase typing. No key file management. No "which machine has which key" spreadsheet. 1Password knows your keys, knows your servers, and authenticates you with a fingerprint.

Setup on Windows:

1. Same idea: 1Password > Settings > Developer > Use the SSH Agent
2. MobaXterm can use the Windows OpenSSH agent, which 1Password hooks into
3. Or configure MobaXterm's Pageant support to work with 1Password's agent

Your Workstation Is Mission Control

The goal is simple: one machine (your daily driver) controls everything else. No walking to closets. No plugging in monitors. No hunting for keyboards with working spacebars.

Here's what my setup looks like:

1MacBook (.167) — Command Center
2  ├── ssh hercules     → D2700 CI runner (.202)
3  ├── ssh hades        → Kali HoneyAegis brain (.175)
4  ├── ssh pi-sensor    → Raspberry Pi honeypot (.20)
5  ├── ssh zeus         → AI workstation (.40)
6  ├── Portainer        → Manage all Docker containers (GUI)
7  └── 1Password Agent  → Authenticates everything with Touch ID

Every box runs headless. Every box has SSH keys deployed. Every box is reachable by name (not IP) thanks to ~/.ssh/config. Portainer gives me the GUI layer for Docker management. 1Password gives me the auth layer.

When something goes wrong at 2 AM (and something always goes wrong at 2 AM), I open my laptop, type three words, and I'm inside the problem machine. No pants required. This is the way.

Now Turn It Off (Seriously)

Here's the part most tutorials skip, and it's the most important section of this article.

SSH is a door. And every door you leave open is a door someone else can walk through.

If a machine doesn't need to be remotely accessible right now, disable SSH. Your Windows workstation where you just enabled it to test something? Turn it off when you're done. Your Mac that you only use locally? Don't run the daemon. That old laptop you SSH'd into once six months ago? That's six months of an open port you forgot about.

Disable SSH on macOS:

sudo systemsetup -setremotelogin off

Disable SSH on Windows (PowerShell as Admin):

Stop-Service sshd
Set-Service -Name sshd -StartupType 'Disabled'

Disable SSH on Alpine/Linux:

rc-service sshd stop
rc-update del sshd default

Best Practices: The Non-Negotiable List

After years of managing machines remotely (and a few close calls that made my stomach drop), here's what I never compromise on:

Authentication:

• Use Ed25519 keys, never passwords for regular access
• Disable password authentication entirely on servers: PasswordAuthentication no in sshd_config
• Use 1Password or another agent for key management
• Set a passphrase on your private key (1Password handles this transparently)

Access control:

• Disable root login over SSH: PermitRootLogin no
• Log in as a regular user and su - for root tasks
• Use AllowUsers in sshd_config to whitelist specific usernames
• Change the default port from 22 if the machine faces the internet (not security, but it kills 99% of automated scans)

Monitoring:

• Check auth.log (Linux) or journalctl -u sshd regularly
• If you see thousands of failed login attempts from random IPs, you understand why key-only auth matters
• Consider fail2ban on any internet-facing SSH server (auto-bans IPs after failed attempts)

Housekeeping:

• Audit ~/.ssh/authorized_keys on every server periodically
• Remove keys for people who no longer need access
• Remove keys from machines you no longer use
• Keep your ~/.ssh/config file current; delete entries for decommissioned hosts

Enabling SSH Across Platforms (Quick Reference)

Need to turn SSH on for a machine so you can manage it remotely? Here's the quickstart for each platform.

macOS (as SSH server):

sudo systemsetup -setremotelogin on

Windows 11 (PowerShell as Admin):

1Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
2Start-Service sshd
3Set-Service -Name sshd -StartupType 'Automatic'

Alpine Linux:

1apk add openssh
2rc-update add sshd default
3rc-service sshd start

Ubuntu/Debian:

1sudo apt install openssh-server
2sudo systemctl enable ssh
3sudo systemctl start ssh

Then immediately: deploy your SSH key, disable password auth, and document the machine in your notes. Future you will be grateful.