ssh - doubility-sky/daydayup GitHub Wiki

The Secure Shell Protocol (SSH Protocol) is a cryptographic network protocol for operating network services securely over an unsecured network.[1] Its most notable applications are remote login and command-line execution.

• linux

Learn

• :star:SSH 教程

Common

• 远程连接：ssh -p12345 [email protected], 其中 12345 为端口，无 -p 选项则为默认 22 端口

SSH Key

• ssh key 免密连接配置
  • 生成密钥对 ssh-keygen -t rsa -P ''
  • 将公钥 id_rsa.pub 内容，写入远端文件 ~/.ssh/authorized_keys
    • 可使用 ssh-copy-id [-i ~/.ssh/id_rsa.pub] [email protected] 自动写入
  • 修改本地文件 ~/.ssh/config (没有则创建), 按如下格式添加内容，其中 Port 默认为 22

    Host Xsvr
    HostName 172.217.31.238
    Port 12345
    User root
    IdentityFile ~/.ssh/id_rsa
    

  • 即可远端别名登录 ssh Xsvr

SSH Config

• 禁止密码登录（仅 RSA key 登录更安全）vi /etc/ssh/sshd_config
  • PasswordAuthentication no
  • service sshd restart/systemctl restart ssh

SSH Tunnel

• 创建 SSH 账号，仅供打开 SSH 隧道使用，禁止其登录服务器
  • adduser --shell /usr/sbin/nologin some_tunnel_user
• 创建仅能访问服务器某目录的用户
  • docker run -d --name log_reader_jail --restart always -v /root/logs:/logs:ro -w /logs ubuntu:22.04 tail -f /dev/null
  • 创建用户 someone，并设置其密码

    useradd -m -s /bin/bash someone
    passwd someone
    

  • vi /etc/ssh/sshd_config 末尾添加如下内容，令 someone 用户登录后直接进入 docker 容器的 bash 环境

    Match User someone
      ForceCommand docker exec -it log_reader_jail /bin/bash
    

  • systemctl restart sshd

SSH Port Forwarding

• ssh 鲜为人知的三种用法
  • vi /etc/ssh/sshd_config 打开 GatewayPorts yes
  • 远程端口转发至本地端口 ssh -N -R [REMOTE_BIND:]REMOTE_PORT:LOCAL_IP:LOCAL_PORT user@remote_host
• 使用 SSH TUNNEL 打通公司和家里的网络
  • 上传相关公钥至远程服务器
  • vi /etc/systemd/system/reverse-ssh-tunnel.service 配置 USERNAME 及 REMOTE_IP

  [Unit]
  Description=AutoSSH tunnel to Cloud Server
  Wants=network-online.target
  After=network-online.target
  [Service]
  User=USERNAME
  ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval=5" -o "ServerAliveCountMax=3" -N -R 8822:localhost:22 USERNAME@REMOTE_IP
  Restart=always
  RestartSec=10
  [Install]
  WantedBy=multi-user.target
  

  • 重新加载 systemd 配置并启用服务

  systemctl daemon-reload
  systemctl enable reverse-ssh-tunnel
  systemctl start reverse-ssh-tunnel
  

FAQs

• linux如何管理多个ssh公钥密钥
• SSH Broken pipe

  # vi /etc/ssh/sshd_config (server side)
  ClientAliveInterval 10
  ClientAliveCountMax 6
  

• HowTo: Disable SSH Host Key Checking

  Host *
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  

• How to Keep SSH Session Alive

Tools

• Mosh is a remote terminal application that supports intermittent connectivity, allows roaming, and provides speculative local echo and line editing of user keystrokes. It aims to support the typical interactive uses of SSH, plus ... https://mosh.org/
  • Mosh will log the user in via SSH, then start a connection on a UDP port between 60000 and 61000.
  • install mosh on both client and server side.
  • let server ufw allow 60000:61000/udp and run mosh-server.
• GlobalSSH 是一款致力于提高跨国远程管理服务器效率的产品，旨在解决由于跨国网络不稳定导致的远程管理出现的卡顿、连接失败、传输速度较慢等现象。本产品可极大程度的减少卡顿、连接失败的情况发生，提高运维工作的效率。