Linux Tools: Lesser-Known SSH Usage


ssh is the entry point to a Linux box and the tool you use most often. Beyond the everyday features, it has some lesser-known ones that are genuinely useful once you know they exist.

ssh parameters

-1: force SSH protocol version 1 (protocol 1 is insecure and was removed from OpenSSH in 7.6; the option no longer exists there)
-2: force SSH protocol version 2
-4: force IPv4 addresses only
-6: force IPv6 addresses only
-A: enable forwarding of the authentication agent connection (the remote host can then sign with any key in your agent for as long as the session lasts; only use it towards hosts you trust, and prefer ProxyJump/-J for hopping)
-a: disable authentication agent forwarding
-b: use the given local address as the source IP address of the connection
-C: request compression of all data
-c: select the cipher (the "blowfish|3des, default 3des" choice in older write-ups is the protocol 1 list; a protocol 2 client negotiates from its Ciphers list, by default chacha20-poly1305@openssh.com and AES-GCM/CTR; `ssh -Q cipher` lists what your build supports)
-e: set the escape character (default ~)
-F: specify the per-user configuration file
-f: go to background just before command execution (usually combined with -N for tunnels)
-g: allow remote hosts to connect to local forwarded ports (command-line form of GatewayPorts; this exposes the listener to the network)
-i: specify the identity (private key) file (defaults are ~/.ssh/id_rsa, id_ecdsa, id_ed25519 and so on; ~/.ssh/identity was the protocol 1 default)
-l: specify the login name on the remote server
-N: do not execute a remote command
-n: redirect stdin from /dev/null
-o: give an option in the ssh_config format, e.g. -o ExitOnForwardFailure=yes
-p: port to connect to on the remote server (default 22)
-P: use a non-privileged source port (this option disabled RhostsAuthentication and RhostsRSAAuthentication; it was dropped together with those methods and is not present in current OpenSSH, which always uses an unprivileged port)
-q: quiet mode
-T: disable pseudo-terminal allocation
-t: force pseudo-terminal allocation
-v: verbose (debug) output; repeat up to -vvv for more detail
-X: enable X11 forwarding
-x: disable X11 forwarding
-Y: enable trusted X11 forwarding (lowercase -y means "log via syslog" in OpenSSH; see the X11 section below for why -X is the safer default)
-L [bind_address:]port:host:hostport: forward the local port to host:hostport as seen from the remote machine
-R [bind_address:]port:host:hostport: forward the remote port back to host:hostport as seen from the local machine
-D [bind_address:]port: run a local SOCKS proxy whose traffic leaves from the remote machine
  • Printing the debug log

ssh's error messages are terse, and in more complex situations that makes the cause hard to pin down. A typical case is a newer client talking to an older server: RSA key authentication fails because the two sides no longer agree on a signature algorithm (OpenSSH 8.8 disabled the SHA-1 based ssh-rsa algorithm by default) or on an acceptable key length, and all the user sees is a password prompt.

ssh -v turns on debug mode; the negotiated key exchange, the host key check and every identity that was offered are printed, which is usually enough to see where it went wrong:

[root@ssh-1 ~]# ssh -v -T 192.168.100.115
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.100.115 [192.168.100.115] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.100.115:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:fs2pNuc1IpkT6yynoLHJ5jQOOVJT+HW3P5UGuoLwW1k
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.100.115' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
Authorized users only. All activities may be monitored and reported.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
Authenticated to 192.168.100.115 ([192.168.100.115]:22) using "publickey".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /root/.ssh/known_hosts for 192.168.100.115 / (none)
debug1: client_input_hostkeys: searching /root/.ssh/known_hosts2 for 192.168.100.115 / (none)
debug1: client_input_hostkeys: hostkeys file /root/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
Authorized users only. All activities may be monitored and reported.
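To make a log like the one above quicker to read, the following shell helpers, added here as an example and not part of the original post, parse the debug1 lines: they report the negotiated algorithms, whether the host key matched known_hosts and which identity was accepted, and they flag the legacy signature algorithms the server still advertises (ssh-rsa with SHA-1, ssh-dss) and the "no mutual signature algorithm" refusal that an OpenSSH 8.8+ client logs when it will not sign with SHA-1 ssh-rsa against an old server. The first sample is copied from the log above; the second (an OpenSSH_6.6 server) is constructed to show that failure.

```shell
#!/bin/sh
# Triage helpers for `ssh -v` output (added example, not part of the original post).
# They pull the negotiated algorithms, host-key and identity results out of the
# debug1 lines and flag two things worth a second look: legacy signature
# algorithms the server still advertises, and the OpenSSH 8.8+ "no mutual
# signature algorithm" refusal that makes RSA keys fail against old servers.

# Constructed sample 1: debug1 lines copied from the successful session above.
OK_LOG="debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: Server host key: ssh-ed25519 SHA256:fs2pNuc1IpkT6yynoLHJ5jQOOVJT+HW3P5UGuoLwW1k
debug1: Host '192.168.100.115' is known and matches the ED25519 host key.
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256>
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo"

# Constructed sample 2 (hypothetical old server, no ext-info): the 8.8 client
# offers the RSA key, refuses to sign with SHA-1 ssh-rsa, and falls through to
# password authentication. This is the "new client vs old server" failure.
OLD_LOG="debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:acHryfvI6lD4xDFC3/r3jFwloV1yqAdw/YQfay64PDo
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password"

# Value of one "debug1: kex: <field>: ..." line, e.g. kex_field 'host key algorithm'.
kex_field() {
    sed -n "s/^debug1: kex: $1: \([^ ]*\).*/\1/p" | head -n 1
}

# True when the server key matched an entry in known_hosts.
hostkey_known() {
    grep -q "is known and matches the"
}

# Signature algorithms the server advertises in its ext-info, one per line.
server_sig_algs() {
    sed -n 's/^debug1: kex_input_ext_info: server-sig-algs=<\(.*\)>.*/\1/p' | tr ',' '\n'
}

# Of those, the SHA-1 / DSA ones (rsa-sha2-256 and rsa-sha2-512 are fine).
weak_sig_algs() {
    server_sig_algs | grep -E '^(ssh-rsa|ssh-dss)$' | tr '\n' ',' | sed 's/,$//'
}

# Identity file the server accepted, or "none".
accepted_key() {
    sed -n 's/^debug1: Server accepts key: \([^ ]*\) .*/\1/p' | head -n 1 | grep . || echo none
}

# True when the client refused to sign with any algorithm the server would take.
pubkey_mismatch() {
    grep -q "no mutual signature algorithm"
}

# Human-readable summary of a whole log read from stdin.
triage() {
    log=$(cat)
    echo "kex:          $(printf '%s\n' "$log" | kex_field algorithm)"
    echo "host key:     $(printf '%s\n' "$log" | kex_field 'host key algorithm')"
    echo "cipher:       $(printf '%s\n' "$log" | kex_field 'server->client cipher')"
    if printf '%s\n' "$log" | hostkey_known; then
        echo "known_hosts:  matched"
    else
        echo "known_hosts:  NOT matched (first contact or changed key: verify the fingerprint out of band)"
    fi
    weak=$(printf '%s\n' "$log" | weak_sig_algs)
    if [ -n "$weak" ]; then
        echo "WARNING:      server still advertises legacy signature algorithms: $weak"
    fi
    echo "accepted key: $(printf '%s\n' "$log" | accepted_key)"
    if printf '%s\n' "$log" | pubkey_mismatch; then
        echo "HINT:         client refused SHA-1 ssh-rsa (OpenSSH 8.8+ default);"
        echo "              retry with -o PubkeyAcceptedAlgorithms=+ssh-rsa, or upgrade the server"
    fi
}

printf '%s\n' "$OK_LOG" | triage
echo ---
printf '%s\n' "$OLD_LOG" | triage
```

In practice you would pipe a real session in with `ssh -v -T host 2>&1 | triage`; ssh writes its debug lines to stderr. The warning about ssh-rsa/ssh-dss is about what the server will accept, not what this session used, and is the cue to tighten the server's HostKeyAlgorithms and PubkeyAcceptedAlgorithms rather than to loosen the client.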
  • X11 forwarding

ssh can forward the windows of a remote X11 application to the local desktop; tools such as Xmanager and MobaXterm build on the same ssh -X forwarding.

ssh -X 192.168.100.12 virt-manager # run virt-manager on the other node and display it on the current one

-X is "untrusted" forwarding: the remote application is confined by the X SECURITY extension. -Y is "trusted" forwarding and gives the remote application full access to the local X server, including other windows, keystrokes and the clipboard, so prefer -X and only fall back to -Y for a program that breaks without it. The server side needs X11Forwarding yes in sshd_config and the xauth binary installed.
  • SSH proxying
    • forward proxy (-L): the equivalent of iptables port forwarding
    • reverse proxy (-R): the equivalent of frp or ngrok
    • SOCKS5 proxy (-D): the equivalent of ss/ssr

    Forward proxy:

    Map a local port to the remote side.

    ssh -L 0.0.0.0:PortB:HostC:PortC user@HostC
    # connections to 0.0.0.0:PortB --> HostC:PortC (the ssh server itself is the destination)

    ssh -L 0.0.0.0:PortA:HostC:PortC  user@HostB
    # connections to 0.0.0.0:PortA --> via HostB --> HostC:PortC (HostC only has to be reachable from HostB)

    A bind address of 0.0.0.0 (or *, or the -g flag) opens the listener to every host that can reach this machine, with no authentication of its own. Leave the bind address out, which binds the loopback interface, unless you really mean to share the tunnel.

    Reverse proxy:

    Map a port on the remote side back to the local side (NAT traversal / "intranet penetration").

    HostA$ ssh -R HostC:PortC:HostB:PortB  user@HostC
    # HostC listens on PortC; each connection arriving there is carried back through the tunnel to HostA, which then connects to HostB:PortB. HostA must be able to reach HostB; HostC does not.

    The bind address in -R is an address on HostC, and sshd only honours a non-loopback one when GatewayPorts yes (or clientspecified) is set in HostC's sshd_config; otherwise the port is silently bound to HostC's loopback interface. Anyone who can reach HostC:PortC gets an unauthenticated path into HostB:PortB, so treat the exposed side accordingly.

    SOCKS5 proxy:

    HostA$ ssh -D localhost:1080  HostB
    # starts a SOCKS (4 and 5) server on HostA's local port 1080; anything sent through that proxy goes over the ssh connection to HostB and leaves HostB towards the real destination, so the destination sees HostB's address, and a SOCKS5 client that delegates DNS (e.g. a browser's "proxy DNS" setting) also has names resolved on HostB

    Optimisation

    ssh -CqTnN -L 0.0.0.0:PortA:HostC:PortC  user@HostB

    -C compresses the data, -q is quiet mode, -T prevents allocation of a remote terminal, -n closes standard input, -N runs no remote command. Add -f to send ssh to the background once the forward is up, -o ExitOnForwardFailure=yes so that ssh exits instead of keeping a useless session when the port cannot be bound, and -o ServerAliveInterval=30 so that a dead link is noticed and the tunnel can be restarted.
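The three forwarding forms above share one spec syntax, and the easiest mistake to make is the bind address. The following shell helpers are an added example, not code from the original post: they parse a -L/-R/-D spec the way ssh reads it, warn when the listener is exposed beyond loopback (and, for -R, that GatewayPorts has to allow it on the server), and emit the tunnel command with -CqTnN plus the ExitOnForwardFailure and ServerAlive options. HostB, HostC, PortA and PortC are the placeholders used above; bracketed IPv6 bind addresses are not handled.

```shell
#!/bin/sh
# Forward-spec checks for -L / -R / -D (added example, not part of the original
# post). ssh accepts "[bind_address:]port:host:hostport"; these helpers parse
# that, say whether the listener is exposed beyond loopback, and emit the
# hardened tunnel command the optimisation section above is aiming at.
# Limitation: bracketed IPv6 bind addresses such as [::1] are not handled.

# Parse "[bind_address:]port:host:hostport" into "bind port host hostport".
# With no bind_address ssh binds the loopback interface (GatewayPorts no).
parse_forward() {
    spec=$1
    colons=$(( $(printf '%s' "$spec" | tr -cd ':' | wc -c) ))
    case $colons in
        2) bind=127.0.0.1; rest=$spec ;;
        3) bind=${spec%%:*}; rest=${spec#*:} ;;
        *) echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    port=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

# True when a bind address makes the listener reachable from other hosts.
# ssh treats "" and "*" as all interfaces; 0.0.0.0 and :: spell the same thing,
# and any other concrete address is a non-loopback interface.
bind_is_exposed() {
    case $1 in
        127.*|localhost|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# Bind address a -D spec ("[bind_address:]port") will use.
dynamic_bind() {
    case $1 in
        *:*) printf '%s\n' "${1%:*}" ;;
        *)   printf '%s\n' 127.0.0.1 ;;
    esac
}

# Emit a tunnel command. mode = local|remote|dynamic, spec as given to ssh,
# target = [user@]host. Warnings go to stderr, the command to stdout.
tunnel_cmd() {
    mode=$1; spec=$2; target=$3
    case $mode in
        local)   flag=-L; fields=$(parse_forward "$spec") || return 1; bind=${fields%% *} ;;
        remote)  flag=-R; fields=$(parse_forward "$spec") || return 1; bind=${fields%% *} ;;
        dynamic) flag=-D; bind=$(dynamic_bind "$spec") ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    if bind_is_exposed "$bind"; then
        echo "WARNING: $flag $spec listens on '$bind', reachable from other hosts; drop the bind address to stay on loopback" >&2
        if [ "$mode" = remote ]; then
            echo "         (sshd only honours a non-loopback bind with GatewayPorts yes/clientspecified)" >&2
        fi
    fi
    # -CqTnN as in the post, plus: exit when the forward cannot be set up instead
    # of silently leaving a useless session, and notice a dead link so a
    # supervisor or a shell loop can restart the tunnel.
    printf 'ssh -CqTnN -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s %s %s\n' \
        "$flag" "$spec" "$target"
}

tunnel_cmd local   0.0.0.0:PortA:HostC:PortC user@HostB
tunnel_cmd remote  HostC:PortC:HostB:PortB   user@HostC
tunnel_cmd dynamic localhost:1080            HostB
```

The emitted command still needs -f (or a service manager such as a systemd unit) to keep running in the background; with ExitOnForwardFailure=yes a bind failure on either end returns a non-zero exit, which is what lets a restart loop or unit notice it.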