Skip to main content

SSH

ssh -G host # 查看 Host 配置

# 调整权限
chmod 400 ~/.ssh/id_*
chmod 644 ~/.ssh/id_*.pub

# 转发/隧道
# ============
# -g 允许外部访问,需要 GatewayPorts=no
# -o ExitOnForwardFailure=yes 转发失败退出
ssh -L 3000:127.0.0.1:8080 # 本地 3000 -> 远程 8080
ssh -R 3000:127.0.0.1:8080 # 远程 8080 -> 本地 3000

ssh -D 1080 # SOCKS5 代理
curl -x socks5h://localhost:1080 icanhazip.com

# 跳板
# ============
# 需要 PortForward
ssh -J admin@jumphost admin@internal

~/.ssh/config

Include ~/.ssh/*.ssh-config
  • 拆分配置

ESCAPE

 ~.   - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

ssh> help
Commands:
-L[bind_address:]port:host:hostport Request local forward
-R[bind_address:]port:host:hostport Request remote forward
-D[bind_address:]port Request dynamic forward
-KL[bind_address:]port Cancel local forward
-KR[bind_address:]port Cancel remote forward
-KD[bind_address:]port Cancel dynamic forward

flags

flagfor

常用配置

# 配置使用的端口
Port 22

# 是否转发网关
GatewayPorts no
# 是否允许使用 root 登陆
PermitRootLogin yes
# 是否允许使用密码登陆
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# 转发的端口允许外部访问
Match User dev
GatewayPorts yes

# 可只对指定的接口对外暴露
# -R :8000:localhost:80
# GatewayPorts clientspecified

# 禁止部分用户使用 TTY
Match User player
PermitTTY no

Key

# 生成 key
ssh-keygen -t rsa -b 2048 -C "[email protected]"

# 无密码不询问
ssh-keygen -t rsa -b 2048 -f /tmp/sshkey -q -N ""
# 新的推荐 ed25519
ssh-keygen -t ed25519 -C "" -f sshkey -q -N ""

# 查看 key 信息
ssh-keygen -l -f key
openssl pkey -in key -noout -text

Tunnel

在工作中常常需要较多的代理和转发,为每个代理和转发都进行一次 SSH 未免太过麻烦,使用 ~/.ssh/config 可以将常用的转发一次配置

Host tunnel
Hostname my.host.com
User myUser
Compression yes
ExitOnForwardFailure yes
ForwardAgent yes
DynamicForward 8888
RemoteForward 2222 127.0.0.1:22
LocalForward 16379 myInternalRedis:6379
LocalForward 13306 myInternalMySQL:3306

再配合 autossh 可大大减少工作量

autossh -M 8889 -vNg tunnel > ssh.log 2>&1 &

多路复用

Host *
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto
ControlPersist 10m
# 必须要手动创建目录
mkdir ~/.ssh/controlmasters

# 检测
ssh -O check myhost
# 自动启动 master
ssh myhost pwd
# 停止 master
ssh -O stop myhost

# 手动启动 master
ssh -MNn user@server

网关

ssh -t gateway ssh internal
Host internal
ProxyCommand ssh gw nc -w 1 internal 22
ssh internal
ssh -f -nNT -R 1100:localhost:22 somehost

ssh localhost -p 1100

跳板机

# 默认支持 -J 用于跳板场景
# 需要 PortForward
ssh -J admin@jumphost admin@internal

# 多次跳转
ssh -J user1@host1:port1,user2@host2:port2 user3@host3

# 使用 ProxyCommand
# -W host:port
# 请求转发 IO 到指定机器的端口,隐含了 -N, -T, ExitOnForwardFailure, ClearAllForwardings
ssh -o ProxyCommand="ssh -W %h:%p -q admin@jumphost" admin@internal

# nc 转发 - 不需要 PortForward
# 可以添加 -o StrictHostKeyChecking=no 避免询问指纹
ssh -o ProxyCommand="ssh -q admin@jumphost nc %h %p" admin@internal

# 直接两次 ssh 也行
ssh -At admin@jumphost ssh admin@internal
Host behindbeta
HostName behindbeta.example.org
ProxyJump betajump

HTTP + SSH 多路

ForwardAgent

  • https://www.ssh.com/ssh/agent/
  • 转发 agent 后可以直接在远程节点使用本地添加的 ssh 密钥
  • 注意
    • root 能访问其他用户的 auth sock
# 会暴露 SSH_AUTH_SOCK - 例如 /tmp/ssh-abcd/agent.6379
# 可以在没有的会话设置变量也能直接使用
ssh -A [email protected]