
Learn a Linux command every N days: ssh

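Purpose

Log in to a remote host and run commands on it over an encrypted connection. ssh can also forward X11 and TCP, and can be used to build a VPN. On the first connection it shows the remote host's public key fingerprint and asks for confirmation; this is how man-in-the-middle attacks are prevented.

Usage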

ssh [options] [user@]hostname [command]

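Common options

-1
Use protocol version 1

-2
Use protocol version 2

-4
Use IPv4 addresses

-6
Use IPv6 addresses

-A
Enable authentication agent forwarding; it has security problems and is generally left off

-a
Disable forwarding of the authentication agent connection

-b bind_address
Set the source address of the connection

-C
Compress data in transit; the effect is noticeable on slow networks

-c cipher_spec
Specify the cipher used to encrypt the session; for protocol version 2, several can be given, separated by commas (specifying several doesn't seem to be of any use ><)

-D [bind_address:]port
Local dynamic port forwarding; the SOCKS4 and SOCKS5 protocols are currently supported

-e escape_char
Set the escape character for the session, default is ~ (not sure what this option is for?)

-F configfile
Specify the configuration file path, default is /etc/ssh/ssh_config

-f
ssh goes to the background just before the command is executed

-g
Allow remote hosts to connect to local forwarded ports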

-I pkcs11
(Specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token used for storing the user’s private RSA key.)

-i identity_file
Path to the private key file used when logging in with a private key

-K
(Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.)

-k
(Disables forwarding (delegation) of GSSAPI credentials to the server.)

-L [bind_address:]port:host:hostport
(Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file.)

-l login_name
Set the username for logging in to the remote host

-N
Do not execute a remote command; useful when ssh is only used for forwarding

-n
(Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use this to run X11 programs on a remote machine.)

-o option
(Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag.)

-p port
Port to connect to on the remote host, default is 22

-q
Quiet mode

-R [bind_address:]port:host:hostport
(Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.)

-s
(May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg. sftp(1)). The subsystem is specified as the remote command.)

-T
(Disable pseudo-tty allocation.)

-t
(Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services.)

-V
Show the program version

-v
Enable debug mode

-W host:port
(Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings and works with Protocol version 2 only.)

-w local_tun[:remote_tun]
(Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and the server (remote_tun).)

-X
(Enables X11 forwarding.)

-x
(Disables X11 forwarding.)

-Y
(Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.)

-y
(Send log information using the syslog(3) system module. By default this information is sent to stderr.)
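
Several of the options above that widen exposure (-1, -A, -g, -Y) can also be set persistently in an ssh_config file, where they are easy to overlook. The script below is an added example, not part of the original post: it scans a config on stdin for the equivalent keywords (Protocol, ForwardAgent, GatewayPorts, ForwardX11Trusted), and for StrictHostKeyChecking being turned off, which skips the fingerprint confirmation described at the top of the page. The function names and the sample config are constructed for the demonstration.

```shell
# Added example (not from the original post): report ssh_config settings that are
# the config forms of -1/-A/-g/-Y. Output: <line>:<Host pattern>:<keyword> <value>
audit_ssh_config() {
    awk '
    BEGIN { scope = "(global)" }              # options before any Host block
    /^[ \t]*#/ { next }                       # comment
    /^[ \t]*$/ { next }                       # blank line
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (!match(line, /^[A-Za-z0-9]+/)) next
        name = substr(line, 1, RLENGTH)
        key = tolower(name)                   # keywords are case-insensitive
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)       # "Key value" or "Key = value"
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)                    # values may be double-quoted
        lval = tolower(val)
        if (key == "host")  { scope = val; next }
        if (key == "match") { scope = "Match " val; next }
        bad = 0
        if (key == "protocol" && ("," lval ",") ~ /,1,/)  bad = 1   # -1
        if (key == "forwardagent" && lval != "no")        bad = 1   # -A
        if (key == "gatewayports" && lval == "yes")       bad = 1   # -g
        if (key == "forwardx11trusted" && lval == "yes")  bad = 1   # -Y
        if (key == "stricthostkeychecking" && (lval == "no" || lval == "off"))
            bad = 1                           # no fingerprint confirmation
        if (bad) printf "%d:%s:%s %s\n", NR, scope, name, val
    }'
}

# Constructed sample config; host names and values are made up.
sample_config() {
    cat <<'EOF'
# constructed sample
Host build-*
    ForwardAgent yes
    StrictHostKeyChecking=no
Host legacy
    protocol 2,1
    GatewayPorts no
Host desktop
    ForwardX11Trusted = "yes"
    gatewayports yes
Host *
    ForwardAgent no
EOF
}
sample_config | audit_ssh_config
```

To check a real file, run `audit_ssh_config < ~/.ssh/config`. The script reports lines as written and does not resolve ssh's rule that the first value obtained for a parameter wins.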

User authentication methods

1 GSSAPI-based authentication
2 host-based authentication
3 public key authentication
4 challenge-response authentication
5 password authentication

Meaning of the escape characters

~. Disconnect.
~^Z Background ssh.
~# List forwarded connections.
~& Background ssh at logout when waiting for forwarded connection / X11 sessions to terminate.
~? Display a list of escape characters.
~B Send a BREAK to the remote system (only useful for SSH protocol version 2 and if the peer supports it).
~C Open command line.
~R Request rekeying of the connection

Practice

1 Log in with a private key

[root@vm ~]# ssh -p 22 -i wadeyu.pem wadeyu@192.168.2.42

2 Log in with an account and password

[root@vm ~]# ssh -p 22 wadeyu@192.168.2.42
wadeyu@192.168.2.42's password: 
Last login: Tue Apr 17 11:49:11 2018 from 192.168.2.8


posted @ 2018-04-17 20:46  huan&ping