There are two different uses for authentication keys: host keys, which authenticate computers, and identity keys, which authenticate users.
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. For a list of platforms on which rssh is known to work, see the Platform Support Page.
linux - Allow SCP but not actual login using SSH - Server Fault
# To use it, just set it as the shell for a new user like this:
$ useradd -m -d /home/scpuser1 -s /usr/bin/rssh scpuser1
$ passwd scpuser1
# ..or change the shell for an existing one like this:
$ chsh -s /usr/bin/rssh scpuser1
# ..and edit /etc/rssh.conf to configure the rssh shell - especially uncomment the allowscp line to enable SCP access for all rssh users.
$ vi /etc/rssh.conf
sshd must be started with an absolute path (-d runs it in debug mode):
$ /usr/sbin/sshd -d
See: Using ssh agent forwarding · GitHub Help
Steps:
# check which keys the agent currently holds
$ ssh-add -L
# add a key
$ ssh-add ~/.ssh/id_rsa
# the local /etc/ssh_config must NOT contain
ForwardAgent no
# the server's /etc/sshd_config needs
AllowAgentForwarding yes
$ ssh -A example.com
Or, to use agent forwarding whenever you ssh to a particular server, set it in the ssh config:
# Host *
Host example.com
    ForwardAgent yes
Note that AllowAgentForwarding is only recognised by OpenSSH 5.1+; on older versions the option makes sshd refuse to start!!
SSH's escape character works much like Ctrl+] in telnet, which drops you into command mode. The system default escape character can be checked like this:
$ grep -i escape /etc/ssh/ssh_config
# EscapeChar ~
Use ssh -e '?' user@host to change the escape character temporarily, for that session only.
The escape character supports the following sequences:
myhost# ~?
Supported escape sequences:
  ~.  - terminate connection
  ~^Z - suspend ssh
  ~B  - send a BREAK to the remote system
  ~C  - open a command line
  ~R  - Request rekey (SSH protocol 2 only)
  ~#  - list forwarded connections
  ~&  - background ssh (when waiting for connections to terminate)
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
The one used most often is ~^Z.
Now the problem: suppose you SSH from HOST1 to HOST2, and then from HOST2 SSH on to HOST3
HOST1 ===1===> HOST2 ===2===> HOST3
If you type ~. in HOST3's terminal, you cut the first connection above and land straight back in HOST1's terminal, and of course the second connection is gone with it! What if you only want to cut the second connection and return to HOST2?
This is where ~~ comes in: just type ~~. to cut the second connection
By extension, typing N escape characters sends the escape character to the N-th connection.
# run a local script on the remote host
$ ssh user@server bash < /path/to/local/script.sh
# diff a remote file against a local one
$ ssh user@host cat /path/to/remotefile | diff /path/to/localfile -
# SOCKS proxy on local port 8080 through the remote host (-N: no remote command)
$ ssh -ND 8080 user@111.111.111.111
about key: c3q → 3cq
# on the server that will dial out: become root, generate the tunnel key pair, install autossh
sudo -H -s
ssh-keygen
apt-get install autossh
# autossh
description "AutoSSH Tunnel"
start on (net-device-up and local-filesystems and runlevel [2345])
stop on runlevel [016]
# REMOTE_PORT is the port on the relay server that maps to this local server
# e.g. 9628 is gin's port
respawn
exec autossh -nNT -o ServerAliveInterval=15 -R :REMOTE_PORT:localhost:22 autossh@remote.server.com
# -nNT are all safety settings:
# -N  Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
# -n  Redirects stdin from /dev/null (actually, prevents reading from stdin).
# -T  Disable pseudo-tty allocation.
The -R option and GatewayPorts are described in man ssh and man sshd_config as follows:
$ man ssh
     -R [bind_address:]port:host:hostport
             Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.

             Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square braces.

             By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

             If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.

$ man 5 sshd_config
     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the address to which the forwarding is bound. The default is “no”.
# start the upstart job
$ start autossh
Settings in PuTTY
The PuTTY GUI, however, has no equivalent of OpenSSH's -N (do not execute a remote command): it opens a console while doing the port forwarding. If you need -N, you probably have to use plink, which ships with PuTTY.
Add the contents of /root/.ssh/id_rsa.pub to ~autossh/.ssh/authorized_keys of the autossh account on the public-facing server. Prefixing that line with no-pty blocks logging in as autossh with this key, leaving it usable only for port forwarding.
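As an added example (not part of the original notes), the POSIX shell below models the two points above: where the relay's sshd actually binds a -R forward under each GatewayPorts value quoted from the man page, and a tighter authorized_keys line for the autossh key than no-pty alone. The function names, the sample key and the use of port 9628 from the notes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: models the sshd_config(5) GatewayPorts
# rules quoted above and builds a restricted authorized_keys line for the tunnel key.

# listen_addr GATEWAYPORTS RSPEC
# RSPEC is the argument given to ssh -R (IPv6 [addr] syntax is not modelled).
# Prints where the relay's sshd binds the reverse forward: loopback, '*', or an address.
listen_addr() {
    gw=$1
    spec=$2
    # Only a 4-field spec (bind:port:host:hostport) carries a bind_address;
    # a leading ':' is an empty bind_address, which means '*' (all interfaces).
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    if [ "$colons" -ge 3 ]; then
        bind=${spec%%:*}
        [ -z "$bind" ] && bind='*'
    else
        bind=localhost      # modelled as ssh's default when no bind_address is given
    fi
    case $gw in
        no)  echo loopback ;;   # always loopback, whatever the client asked for
        yes) echo '*' ;;        # always the wildcard address
        clientspecified)
            case $bind in
                '*')       echo '*' ;;
                localhost) echo loopback ;;
                *)         echo "$bind" ;;
            esac ;;
        *) echo "unknown GatewayPorts value: $gw" >&2; return 1 ;;
    esac
}

# tunnel_key_entry REMOTE_PORT PUBKEY_LINE
# authorized_keys line for the autossh account: the key may only open a reverse
# forward on REMOTE_PORT; no shell, pty, agent or X11 forwarding. "restrict" and
# "permitlisten" need OpenSSH 7.8+. "no-pty" alone, as in the notes above, denies
# a terminal but still allows commands and any forwarding.
tunnel_key_entry() {
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$1" "$2"
}

# Constructed sample key (not a real key) and the relay port used in the notes.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal autossh@home'
REMOTE_PORT=9628

# With the notes' "-R :REMOTE_PORT:localhost:22" the forward (i.e. this host's sshd)
# is reachable on all of the relay's interfaces as soon as GatewayPorts is not "no".
listen_addr no ":$REMOTE_PORT:localhost:22"
listen_addr clientspecified ":$REMOTE_PORT:localhost:22"
tunnel_key_entry "$REMOTE_PORT" "$SAMPLE_KEY"
```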