ssh is the entry point for using Linux and the tool used most often. Beyond the everyday functions, ssh also has some lesser-known features that can be quite eye-opening once you put them to use.
ssh command-line options
-1: force SSH protocol version 1
-2: force SSH protocol version 2
-4: use IPv4 addresses only
-6: use IPv6 addresses only
-A: enable forwarding of the authentication agent connection
-a: disable forwarding of the authentication agent connection
-b: use the specified local address as the source IP address of the connection
-C: request compression of all data
-c: select the cipher used for encryption (blowfish|3des, default 3des)
-e: set the escape character
-F: specify the configuration file for the ssh command
-f: run ssh in the background
-g: allow remote hosts to connect to locally forwarded ports
-i: specify the identity file (default is .ssh/identity in the user's home directory)
-l: specify the user name for logging in to the remote server
-N: do not execute a remote command
-n: redirect stdin from /dev/null
-o: specify a configuration option
-p: specify the port on the remote server (default 22)
-P: use a non-privileged port for the outgoing connection (note that this option disables RhostsAuthentication and RhostsRSAAuthentication)
-q: quiet mode
-T: disable pseudo-terminal allocation
-t: force pseudo-tty allocation
-v: print verbose output
-X: enable X11 forwarding
-x: disable X11 forwarding
-Y: enable trusted X11 forwarding
-L listen-port:host:port: forward the local port to the given port on the destination machine
Printing the debug log
ssh's error messages are fairly terse, and in complex scenarios pinpointing the problem can be hard. For example, when a new version connects to an old version, an RSA key-length problem can cause authentication to fail.
ssh -v turns on debug mode
[root@ssh-1 ~]# ssh -v -T 192.168.100.115
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.100.115 [192.168.100.115] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.100.115:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:fs2pNuc1IpkT6yynoLHJ5jQOOVJT+HW3P5UGuoLwW1k
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.100.115' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
Authorized users only. All activities may be monitored and reported.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
Authenticated to 192.168.100.115 ([192.168.100.115]:22) using "publickey".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /root/.ssh/known_hosts for 192.168.100.115 / (none)
debug1: client_input_hostkeys: searching /root/.ssh/known_hosts2 for 192.168.100.115 / (none)
debug1: client_input_hostkeys: hostkeys file /root/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
Authorized users only. All activities may be monitored and reported.
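An added Python example, not code from the original post: a small parser for `ssh -v` output that extracts the triage facts (negotiated kex, server host key and whether it matched known_hosts, the server-sig-algs list, which key was offered and accepted) and flags the RSA compatibility failure mentioned above. SAMPLE is a constructed, abridged copy of the debug1 lines shown above.

```python
import re

# Added example (not the post's own code): extract the triage facts from `ssh -v` output
# and flag the RSA compatibility failure the text mentions. Since OpenSSH 8.8 the client
# no longer signs with ssh-rsa (SHA-1) by default, so an RSA key only works when the
# server lists rsa-sha2-256 or rsa-sha2-512 in server-sig-algs. SAMPLE is a constructed,
# abridged copy of the debug1 lines shown above.
SAMPLE = """\
debug1: kex: algorithm: curve25519-sha256
debug1: Server host key: ssh-ed25519 SHA256:fs2pNuc1IpkT6yynoLHJ5jQOOVJT+HW3P5UGuoLwW1k
debug1: Host '192.168.100.115' is known and matches the ED25519 host key.
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
Authenticated to 192.168.100.115 ([192.168.100.115]:22) using "publickey".
"""

def parse_ssh_debug(text):
    """Summarise one ssh -v session as a dict."""
    info = {"kex": None, "host_key": None, "host_key_known": False, "server_sig_algs": [],
            "offered": [], "accepted": None, "authenticated": False}
    for line in text.splitlines():
        if m := re.match(r"debug1: kex: algorithm: (\S+)", line):
            info["kex"] = m.group(1)
        elif m := re.match(r"debug1: Server host key: (\S+) (\S+)", line):
            info["host_key"] = (m.group(1), m.group(2))  # (type, SHA256 fingerprint)
        elif "is known and matches the" in line:
            info["host_key_known"] = True  # known_hosts check passed
        elif m := re.match(r"debug1: kex_input_ext_info: server-sig-algs=<([^>]*)>", line):
            info["server_sig_algs"] = m.group(1).split(",")
        elif m := re.match(r"debug1: Offering public key: (\S+) (\S+)", line):
            info["offered"].append((m.group(1), m.group(2)))  # (path, key type)
        elif m := re.match(r"debug1: Server accepts key: (\S+) (\S+)", line):
            info["accepted"] = (m.group(1), m.group(2))
        elif line.startswith("Authenticated to "):
            info["authenticated"] = True
    return info

def rsa_key_problems(info):
    """Why each offered RSA key could fail against this server (empty list = fine)."""
    problems, algs = [], set(info["server_sig_algs"])
    for path, ktype in info["offered"]:
        if ktype != "RSA":
            continue
        if not algs:
            problems.append(f"{path}: server sent no server-sig-algs (older sshd), so only "
                            "ssh-rsa/SHA-1 can be assumed, which OpenSSH 8.8+ clients refuse")
        elif not algs & {"rsa-sha2-256", "rsa-sha2-512"}:
            problems.append(f"{path}: server accepts RSA only via ssh-rsa (SHA-1)")
    return problems
```

Feed it the full `ssh -v` output captured from a failing connection; an empty `rsa_key_problems` result with `authenticated` still False points the search elsewhere (host key mismatch, key not in authorized_keys, key options).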
X11 forwarding
ssh can forward a remote desktop to the current desktop; for example, both Xmanager and MobaXterm rely on ssh -X forwarding.
ssh -X 192.168.100.12 virt-manager   # forward the other node's display to the current node
SSH proxy features
- Forward proxy (-L): equivalent to iptables port forwarding
- Reverse proxy (-R): equivalent to frp or ngrok
- SOCKS5 proxy (-D): equivalent to ss/ssr
Forward proxy:
Map a local port to the remote end
ssh -L 0.0.0.0:PortB:HostC:PortC user@HostC   # access 0.0.0.0:PortB --> HostC:PortC
ssh -L 0.0.0.0:PortA:HostC:PortC user@HostB   # access 0.0.0.0:PortA --> HostC:PortC
Reverse proxy:
Map a remote port to the local side (NAT traversal, exposing an internal service)
HostA$ ssh -R HostC:PortC:HostB:PortB user@HostC   # forward HostC:PortC to HostB:PortB (HostA reaches it through HostC)
SOCKS5 proxy
HostA$ ssh -D localhost:1080 HostB   # start a SOCKS5 service on HostA's local port 1080; data sent through this local SOCKS5 proxy goes over the ssh connection to HostB first and is then forwarded from HostB to the remote host
Tuning
ssh -CqTnN -L 0.0.0.0:PortA:HostC:PortC user@HostB
where -C compresses the data, -q is quiet mode, -T disables remote terminal allocation, -n closes standard input, and -N does not execute a remote command.
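An added example, not part of the original post: a plain-TCP model of the local half of `-L` from the forward-proxy commands above. It shows what the listener/target split does and why the bind address (0.0.0.0 as in the commands above versus 127.0.0.1) decides who can reach the forwarded port. The echo server stands in for HostC:PortC, everything runs on loopback, and the encrypted ssh session between the listener and the ssh server is deliberately left out.

```python
import socket
import threading
from contextlib import suppress

# Added example (not the post's own code): plain-TCP model of the local half of
# `ssh -L bind:listen_port:target_host:target_port`. ssh relays the same way, but
# inside the encrypted session, and the ssh server opens the onward connection.

def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # tell the far side we are done writing

def _serve(bind_addr, port, handler):
    """Listen on bind_addr:port; each accepted socket goes to handler on its own thread."""
    lsock = socket.socket()
    lsock.bind((bind_addr, port))
    lsock.listen(8)
    def loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]

def start_local_forward(bind_addr, listen_port, target_host, target_port):
    """bind_addr is the first -L field: 127.0.0.1 keeps the port private to this
    host, 0.0.0.0 (or -g) exposes it to anyone who can reach the interface."""
    def relay(client):
        upstream = socket.create_connection((target_host, target_port))
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)  # this thread carries client -> target
    return _serve(bind_addr, listen_port, relay)

def start_echo_server():
    """Stand-in for HostC:PortC in the text: echoes its input. Returns (socket, port)."""
    return _serve("127.0.0.1", 0, lambda conn: _pump(conn, conn))

def round_trip(port, payload):
    """Client side: send payload into the forwarded port and return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Closing the returned listening socket stops the forwarder, the same way ending the ssh process tears down a `-L` listener.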