SSH

ssh -G host # print the effective configuration that would be used for Host

# fix key permissions (private keys owner-read-only, public keys world-readable)
chmod 400 ~/.ssh/id_*
chmod 644 ~/.ssh/id_*.pub

# Forwarding / tunnels
# ============
# -g allow remote hosts to connect to the local forwarded port (the client-side GatewayPorts option)
# -o ExitOnForwardFailure=yes exit if a requested forward cannot be set up
ssh -L 3000:127.0.0.1:8080 host # local 3000 -> remote 8080
ssh -R 3000:127.0.0.1:8080 host # remote 3000 -> local 8080

ssh -D 1080 host # SOCKS5 proxy on local port 1080
curl -x socks5h://localhost:1080 icanhazip.com

# Jump host
# ============
# requires TCP forwarding (AllowTcpForwarding) to be permitted on the jump host
ssh -J admin@jumphost admin@internal

~/.ssh/config

Include ~/.ssh/*.ssh-config
  • split the configuration across several files

ESCAPE

~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

ssh> help
Commands:
-L[bind_address:]port:host:hostport Request local forward
-R[bind_address:]port:host:hostport Request remote forward
-D[bind_address:]port Request dynamic forward
-KL[bind_address:]port Cancel local forward
-KR[bind_address:]port Cancel remote forward
-KD[bind_address:]port Cancel dynamic forward

Common configuration (sshd_config)

# listening port
Port 22

# whether remote hosts may connect to ports forwarded for clients
GatewayPorts no
# whether root may log in
PermitRootLogin yes
# whether password login is allowed
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# make forwarded ports reachable from outside, for one user only
Match User dev
    GatewayPorts yes

# alternatively expose only on the interface the client specifies
# -R :8000:localhost:80
# GatewayPorts clientspecified

# deny a TTY to some users
Match User player
    PermitTTY no
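An added example, not from the original notes: a small audit script that reads an sshd_config and reports the settings discussed above that weaken the server (root login, password authentication, GatewayPorts), keeping track of Match blocks so that a setting scoped to one user is reported with its condition. It assumes a POSIX shell with mktemp and tr; the sample config is constructed here and mirrors the block above.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: audit an sshd_config for the
# options discussed above. Settings inside a Match block are reported with
# their Match condition, since they apply only to the matched users.
# flag SCOPE MESSAGE: report one weak setting on stderr and count it.
flag() { echo "[$1] $2" >&2; findings=$((findings + 1)); }
# audit_sshd_config FILE: returns the number of weak settings found (0 = clean).
audit_sshd_config() {
  local file="$1" scope="global" findings=0 line key val lower
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                        # drop comments
    line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
    [ -n "$line" ] || continue
    key="${line%%[[:space:]]*}"
    val="${line#"$key"}"
    val="${val#"${val%%[![:space:]]*}"}"      # trim whitespace around the value
    val="${val%"${val##*[![:space:]]}"}"
    lower=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
      match) scope="Match $val" ;;            # following lines belong to this block
      permitrootlogin)
        [ "$val" != yes ] || flag "$scope" "PermitRootLogin yes: prefer prohibit-password or no" ;;
      passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication)
        [ "$val" != yes ] || flag "$scope" "$key yes: use key-based auth only, set no" ;;
      gatewayports)
        [ "$val" = no ] || flag "$scope" "GatewayPorts $val: forwarded ports reachable from outside" ;;
    esac
  done < "$file"
  return "$findings"
}
# audit_string CONFIG_TEXT: writes the text to a temp file, prints the finding count.
audit_string() {
  local tmp n=0
  tmp=$(mktemp)
  printf '%s\n' "$1" > "$tmp"
  audit_sshd_config "$tmp" || n=$?
  rm -f "$tmp"
  echo "$n"
}
# Constructed sample mirroring the config block above (not a real server's file).
SAMPLE_WEAK='PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GatewayPorts no
Match User dev
GatewayPorts yes'
audit_string "$SAMPLE_WEAK"   # prints 4: three global findings plus GatewayPorts in Match User dev
```

The global `GatewayPorts no` is not reported, while the `GatewayPorts yes` under `Match User dev` is, with its Match condition shown.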

Keys

# generate a key
ssh-keygen -t rsa -b 2048 -C "[email protected]"

# no passphrase, no prompts
ssh-keygen -t rsa -b 2048 -f /tmp/sshkey -q -N ""
# ed25519 is the newer recommended key type
ssh-keygen -t ed25519 -C "" -f sshkey -q -N ""

# inspect a key
ssh-keygen -l -f key # fingerprint
openssl pkey -in key -noout -text # PEM-format private keys only; openssl cannot read the native OpenSSH key format

Tunnel

At work you often need quite a few proxies and forwards, and running a separate SSH session for each one is tedious. With ~/.ssh/config the commonly used forwards can be configured once.

Host tunnel
    Hostname my.host.com
    User myUser
    Compression yes
    ExitOnForwardFailure yes
    ForwardAgent yes
    DynamicForward 8888
    RemoteForward 2222 127.0.0.1:22
    LocalForward 16379 myInternalRedis:6379
    LocalForward 13306 myInternalMySQL:3306

Combined with autossh, which restarts the session when it drops, this saves a lot of work:

autossh -M 8889 -vNg tunnel > ssh.log 2>&1 &

Multiplexing

Host *
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

# the ControlPath directory must be created by hand
mkdir ~/.ssh/controlmasters

# check whether a master is running
ssh -O check myhost
# a master is started automatically on the first connection
ssh myhost pwd
# stop the master
ssh -O stop myhost

# start a master by hand
ssh -MNn user@server

Gateway

# hop through a gateway interactively
ssh -t gateway ssh internal

# or via ProxyCommand in ~/.ssh/config
Host internal
    ProxyCommand ssh gw nc -w 1 internal 22

ssh internal

# reverse tunnel: expose local port 22 on somehost as port 1100
ssh -f -nNT -R 1100:localhost:22 somehost

# then, on somehost
ssh localhost -p 1100

Jump host

# -J is built in for the jump-host case
# requires TCP forwarding (AllowTcpForwarding) to be permitted on the jump host
ssh -J admin@jumphost admin@internal

# multiple hops
ssh -J user1@host1:port1,user2@host2:port2 user3@host3

# using ProxyCommand
# -W host:port
# forwards stdin/stdout over the secure channel to host:port; implies -N, -T, ExitOnForwardFailure and ClearAllForwardings
ssh -o ProxyCommand="ssh -W %h:%p -q admin@jumphost" admin@internal

# nc relay - does not need TCP forwarding on the jump host
# -o StrictHostKeyChecking=no can be added to skip the fingerprint prompt (this also skips host-key verification)
ssh -o ProxyCommand="ssh -q admin@jumphost nc %h %p" admin@internal

# two nested ssh invocations also work
ssh -At admin@jumphost ssh admin@internal

# the config-file form
Host behindbeta
    HostName behindbeta.example.org
    ProxyJump betajump

HTTP + SSH multiplexing

ForwardAgent

  • https://www.ssh.com/ssh/agent/
  • once the agent is forwarded, keys added locally can be used directly on the remote node
  • Note
    • root can access every user's agent socket
# exposes SSH_AUTH_SOCK on the remote side, e.g. /tmp/ssh-abcd/agent.6379
# a session that lacks the variable can set it and then use the agent as well
ssh -A [email protected]