Xiaopei's DokuWiki


SSH

putty

Using Google Authenticator

Glossary

OpenSSH components

  • sshd
    The OpenSSH server daemon.
  • ssh
    Stands for secure shell, though it doesn’t really include a shell, but provides a secure channel to the command shell on the remote system.
  • scp
    Secure copy; this provides encrypted file transfer.
  • sftp
    Secure file transfer protocol.
  • ssh-copy-id
    Nice little program for installing your personal identity key to a remote machine’s authorized_keys file.
  • ssh-keyscan
    Finds and collects public host keys on a network, saving you the trouble of hunting them down manually.
  • ssh-keygen
    Generates and manages RSA and DSA authentication keys.
  • ssh-add
    Add RSA or DSA identities to the authentication agent, ssh-agent.
  • ssh-agent
    Remembers your passphrases over multiple SSH logins for automatic authentication. ssh-agent binds to a single login session, so logging out, opening another terminal, or rebooting means starting over. A better utility for this is keychain, which remembers your passphrases for as long as you don’t reboot.

Key types

There are two different uses for authentication keys: host keys, which authenticate computers, and identity keys, which authenticate users.

rssh - an ssh shell that only allows restricted commands such as scp

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. For a list of platforms on which rssh is known to work, see the Platform Support Page.

linux - Allow SCP but not actual login using SSH - Server Fault

# To use it just set it as a shell for a new user like this:
$ useradd -m -d /home/scpuser1 -s /usr/bin/rssh scpuser1
$ passwd scpuser1
 
# ..or change the shell for an existing one like this:
$ chsh -s /usr/bin/rssh scpuser1
 
# ..and edit /etc/rssh.conf to configure rssh shell - especially uncomment allowscp line to enable SCP access for all rssh users.
$ vi /etc/rssh.conf

sshd

sshd must be started with an absolute path: $ /usr/sbin/sshd -d (-d for debug)

Security

TODO:

linux 101 hacks 2ed p.79

chroot jail

On Debian/Ubuntu, use debootstrap to install a minimal system inside the chroot

ssh

ForwardAgent / AgentForwarding / using the local machine's ssh key on the server

See: Using ssh agent forwarding · GitHub Help

Steps:

  1. Make sure the local ssh-agent (which caches ssh keys) is running
    # check which keys are currently cached
    $ ssh-add -L
    # add a key
    $ ssh-add ~/.ssh/id_rsa
  2. Make sure the local side does not block forwarding
    # the local /etc/ssh_config must **not** contain
      ForwardAgent no
  3. Make sure the server allows forwarding
    # the server's /etc/sshd_config needs to contain
      AllowAgentForwarding yes
  4. Use one of the two methods below to forward the agent when ssh-ing to a server
    • Method 1: ssh -A example.com, manually request agent forwarding when ssh-ing to a server
    • Method 2: configure agent forwarding for specific servers in ~/.ssh/config:
      ~/.ssh/config
      # Host *
      Host example.com
        ForwardAgent yes

Note that AllowAgentForwarding only works on OpenSSH 5.1+; using it on an older version will stop sshd from starting at all!
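Because ssh_config takes the first value it obtains for a keyword, a ForwardAgent yes under Host * silently overrides a later host-specific no, which is why the snippet above keeps Host * commented out. The following is an added example (not from this page) that resolves the effective ForwardAgent value for a hostname the way ssh(1) does and warns when it comes from a wildcard block; the function names and the two sample configs are my own, and Match blocks are assumed absent.

```python
# Added example (not from the wiki page): find the ForwardAgent value ssh(1)
# actually uses for a host.  ssh_config takes the FIRST matching value, so a
# "Host *" block above a host-specific block wins.  Configs are constructed;
# Match blocks are skipped (assumption: none are used).
import re

def host_matches(patterns, host):
    """OpenSSH Host matching: '*' and '?' wildcards, a leading '!' negates."""
    host, matched = host.lower(), False
    for pat in patterns:
        negate = pat.startswith("!")
        rx = re.escape(pat.lstrip("!").lower()).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, host):
            if negate:
                return False
            matched = True
    return matched

def effective_option(config_text, host, keyword):
    """First-match-wins lookup; returns (value, block_patterns) or (None, None)."""
    keyword, active, block = keyword.lower(), True, ("*",)
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if not parts:
            continue
        key, vals = parts[0].lower(), parts[1:]
        if key == "host":
            block, active = tuple(vals), host_matches(vals, host)
        elif key == "match":
            block, active = tuple(vals), False    # Match criteria not evaluated
        elif active and key == keyword and vals:
            return vals[0].lower(), block
    return None, None

def forward_agent_for(config_text, host):
    """Return (enabled, explanation) for agent forwarding to `host`."""
    value, block = effective_option(config_text, host, "ForwardAgent")
    if value != "yes":
        return False, "ForwardAgent not enabled for %s (ssh default: no)" % host
    scope = " ".join(block)
    if "*" in block:
        return True, "WARNING: ForwardAgent yes comes from 'Host %s'; every host you ssh to can use your agent" % scope
    return True, "ForwardAgent yes scoped to 'Host %s'" % scope

# Constructed configs: the page's scoped form, and a broad form where the later host-specific "no" is ignored.
SCOPED_CONFIG = "# Host *\nHost example.com\n  ForwardAgent yes\n"
BROAD_CONFIG = "Host *\n  ForwardAgent yes\nHost example.com\n  ForwardAgent no\n"

for _cfg in (SCOPED_CONFIG, BROAD_CONFIG):
    for _h in ("example.com", "build.internal"):
        print(_h, forward_agent_for(_cfg, _h))
```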

Escape Char

The SSH escape character is similar to the ctrl + ] key in telnet, which enters command mode. The system default escape character can be checked as follows:

$ grep -i escape /etc/ssh/ssh_config 
#   EscapeChar ~

Use ssh -e '?' user@host to temporarily change the escape character.

The escape character provides the following:

myhost# ~?
Supported escape sequences:
~.  - terminate connection
~^Z - suspend ssh
~B  - send a BREAK to the remote system
~C  - open a command line
~R  - Request rekey (SSH protocol 2 only)
~#  - list forwarded connections
~&  - background ssh (when waiting for connections to terminate)
~?  - this message
~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

The most commonly used one is ~^Z.

Now the problem: suppose you first SSH from HOST1 to HOST2, and then from HOST2 SSH to HOST3

HOST1 ===1===> HOST2 ===2===> HOST3

If you type ~. in HOST3's terminal, you cut the first connection above and drop straight back to HOST1's terminal, and of course the second connection is gone as well. What if you only want to cut the second connection and return to HOST2?

This is where ~~ comes in: just type ~~. to cut the second connection.

By extension, typing N escape characters sends the escape character to the Nth connection.

tips

  • Run a script on a remote machine. The big advantage of this command is that the script never has to be copied to the remote machine
    ssh user@server bash < /path/to/local/script.sh
  • Compare a remote file with a local file
    ssh user@host cat /path/to/remotefile | diff /path/to/localfile -
  • scp -r follows symlinks, and there is no option to make scp not follow them, so to preserve symlinks, tar first and then scp
  • Disallow password login: `vi /etc/ssh/sshd_config` `PasswordAuthentication no`

References

Port forwarding through sshd (Off The Wall)

ssh -ND 8080 user@111.111.111.111

Reverse connection

about key: c3q → 3cq

Setup on the destination server

  1. Switch to the root user
    sudo -H -s
  2. Set up a local ssh key so SSH can connect to the relay server without a password
    ssh-keygen
  3. Install autossh
    apt-get install autossh
  4. Set up the upstart script
    /etc/init/autossh.conf
    # autossh
    description	"AutoSSH Tunnel"
     
    start on (net-device-up and local-filesystems and runlevel [2345])
    stop on runlevel [016]
     
    # REMOTE_PORT is the port on the relay server that maps to this local server
    # e.g. 9628 is the port for gin
    respawn
    exec autossh -nNT -o ServerAliveInterval=15 -R :REMOTE_PORT:localhost:22 autossh@remote.server.com 
     
    # -nNT are all safety settings
    # -N      Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only).
    # -n      Redirects stdin from /dev/null (actually, prevents reading from stdin).
    # -T      Disable pseudo-tty allocation.

The GatewayPorts description in man sshd_config is as follows:

  • no: forwarded ports are forced to be reachable only on lo
  • yes: forwarded ports are forced to be reachable on all addresses
  • clientspecified: lets the client set bind_address, but only lo or * is supported, not arbitrary addresses
$ man ssh
     -R [bind_address:]port:host:hostport
             Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.  This works by allocating a
             socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a
             connection is made to host port hostport from the local machine.

             Port forwardings can also be specified in the configuration file.  Privileged ports can be forwarded only when logging in as root on the remote machine.
             IPv6 addresses can be specified by enclosing the address in square braces.

             By default, the listening socket on the server will be bound to the loopback interface only.  This may be overridden by specifying a bind_address.  An
             empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces.  Specifying a remote bind_address will only
             succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

             If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.  When used together with
             -O forward the allocated port will be printed to the standard output.


$ man 5 sshd_config
     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports forwarded for the client.  By default, sshd(8) binds remote port forwardings to the loopback
             address.  This prevents other remote hosts from connecting to forwarded ports.  GatewayPorts can be used to specify that sshd should allow remote port
             forwardings to bind to non-loopback addresses, thus allowing other hosts to connect.  The argument may be “no” to force remote port forwardings to be
             available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to
             select the address to which the forwarding is bound.  The default is “no”.
  5. Load the startup script
    start autossh

Settings in putty

However, the putty GUI cannot do -N (Do not execute a remote command) the way OpenSSH can; it opens a console while doing the port forwarding. If -N is needed, plink, which ships with putty, may be required.

Setup on the relay server

Add the contents of /root/.ssh/id_rsa.pub to ~autossh/.ssh/authorized_keys of the autossh account on the public server. Prefix that line with no-pty to prevent logging in as autossh, so the key can only be used for port forwarding.
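no-pty by itself only refuses a terminal; the key can still run commands and open any forwarding, so an authorized_keys entry for a tunnel-only account is usually locked down further with restrict (OpenSSH 7.2+), a forced command, and permitlisten (OpenSSH 7.8+) for the one reverse port. The following is an added example, not part of this page, that parses an authorized_keys entry and reports what is missing for that use; the function names, the PLACEHOLDER key blobs and the two sample entries are my own.

```python
# Added example (not from the wiki page): audit an authorized_keys entry for a
# tunnel-only account such as the "autossh" user above.  Key blobs are
# constructed placeholders; 9628 is the REMOTE_PORT mentioned on the page.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def split_options(line):
    """Parse the options field -> ({name: [values]}, key_part).  Option names
    are case-insensitive; double-quoted values may contain commas and spaces."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):          # no options field at all
        return {}, line
    opts, buf, quoted = {}, [], False
    def flush():
        name, sep, value = "".join(buf).partition("=")
        opts.setdefault(name.lower(), []).append(value if sep else True)
        buf.clear()
    for i, c in enumerate(line):
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            flush()
        elif c in " \t" and not quoted:
            flush()
            return opts, line[i:].strip()
        else:
            buf.append(c)
    raise ValueError("options field not followed by a key")

def tunnel_only_findings(line, port):
    """Reasons the entry is NOT locked to a reverse tunnel on `port` ([] = OK)."""
    opts, _ = split_options(line)
    findings = []
    if "restrict" not in opts:
        findings.append("no 'restrict': pty, agent/X11 forwarding and ~/.ssh/rc stay enabled")
    elif "port-forwarding" not in opts:
        findings.append("'restrict' without 'port-forwarding' blocks the tunnel itself")
    if "command" not in opts:
        findings.append("no forced command: the key can still run arbitrary commands")
    allowed = {v.rsplit(":", 1)[-1] for v in opts.get("permitlisten", []) if v is not True}
    if str(port) not in allowed and "*" not in allowed:
        findings.append("no permitlisten entry for port %d" % port)
    return findings

# The page's recipe (no-pty only) beside a locked-down entry for the same job.
PAGE_STYLE_ENTRY = "no-pty ssh-rsa AAAA...PLACEHOLDER root@server"
HARDENED_ENTRY = ('restrict,port-forwarding,permitlisten="localhost:9628",'
                  'command="/bin/false" ssh-ed25519 AAAA...PLACEHOLDER autossh-tunnel')

for _name, _entry in (("page-style", PAGE_STYLE_ENTRY), ("hardened", HARDENED_ENTRY)):
    print(_name + ":", "; ".join(tunnel_only_findings(_entry, 9628)) or "OK")
```

If autossh's -M monitor port is in use, that port needs its own permitlisten entry as well, since the hardened line above allows only the single tunnel port.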

it/ssh.txt · Last modified: 2017/12/14 23:23 by admin