Secure Shell (SSH)
SSH Port Forwarding
SSH port forwarding, also called SSH tunnelling, is a convenient way to reach resources that cannot be accessed directly. It comes in two forms: local forwarding (Local Forward) and remote forwarding (Remote Forward).
Local forward:
$ ssh -f -g -A -X -N -T -L 1234:remote-host2:5678 user@remote-host
Or put the same thing in the ssh configuration file:
$ cat ~/.ssh/config
Host remote-host
    Hostname x.x.x.x
    # x.x.x.x: the IP address of your remote host
    LocalForward 1234:remote-host2:5678
    User user
$ ssh user@remote-host
Every connection to local port 1234 is forwarded through remote-host to port 5678 on remote-host2. Some DMZs expose nothing but sshd on port 22; with a local forward you can still reach every service on the remote machine. Of the flags above, -f backgrounds ssh after authentication, -N runs no remote command, -T allocates no tty and -L sets up the forward. -g binds the local listener on all interfaces instead of loopback, so anyone who can reach this machine's port 1234 can use the tunnel; -A forwards your ssh-agent and -X forwards X11, and a port forward needs neither. Leave -g, -A and -X out unless you actually want them.
Remote forward:
$ ssh -f -g -A -X -N -T -R 1234:remote-host2:5678 user@remote-host
Or put the same thing in the ssh configuration file:
$ cat ~/.ssh/config
Host remote-host
    Hostname x.x.x.x
    # x.x.x.x: the IP address of your remote host
    RemoteForward 1234:remote-host2:5678
    User user
$ ssh user@remote-host
Every connection to port 1234 on remote-host is forwarded through this machine to port 5678 on remote-host2. With a remote forward you can reach a machine behind the company firewall from a home machine that has a public IP address and accepts ssh logins. By default sshd binds the remote listener to the loopback interface of remote-host only; for other hosts to connect to it, the server's sshd_config needs GatewayPorts yes (the client-side -g flag does not affect -R listeners).
SSH Proxy
Download connect.c, compile it, and copy the binary to `/usr/bin`:
$ gcc connect.c -o connect
$ sudo cp connect /usr/bin
Edit the ssh configuration file `~/.ssh/config` and add:
Host remote-host
    ProxyCommand connect -H your.proxy.com:port %h %p
Here -H names the HTTP proxy to go through, and ssh expands %h and %p to the target host and port. Then connect to the remote host:
$ ssh user@remote-host
SSH Web Proxy
Set up local dynamic (application-level, SOCKS) port forwarding on Linux:
$ ssh -qTfnN -D localhost:8888 user@remote-host
Set up local dynamic port forwarding on Windows:
- Download PuTTY.
- Under Category -> Session: enter the SSH server name and port.
- Under Category -> Connection -> SSH -> Tunnels: create a forwarded port by entering 8888 in 'Source port', selecting 'Dynamic', and clicking 'Add'. A 'D8888' entry appears in the port list.
- Connect to the server by clicking 'Open'.
Configure the browser to use localhost:8888 as a SOCKS 5 proxy.
Internet Explorer does not support SOCKS 5; Firefox does. In Firefox also enable "Proxy DNS when using SOCKS v5", otherwise name lookups still go out directly and leak the sites you visit.
Your SSH server may have port forwarding disabled. Check `/etc/ssh/sshd_config` (`/etc/sshd_config` on some systems) for:
AllowTcpForwarding no
X11Forwarding no
and change them to:
AllowTcpForwarding yes
X11Forwarding yes
then reload sshd. `sshd -T` prints the effective configuration, which is the quickest way to confirm the change took. A port forward or SOCKS proxy needs only AllowTcpForwarding; X11Forwarding is needed only if you forward X applications.
SSH Key
SSH2 private keys have no single standard format: OpenSSH, ssh.com and PuTTY each use their own, so a key generated with one client cannot be used with another without conversion.
PuTTY's key generator (PuTTYgen) can import an OpenSSH private key and save it in PuTTY's .ppk format, and can export a .ppk key back to OpenSSH format.
The most common problem with public-key authentication is file permissions: with StrictModes (the default) sshd refuses to use an authorized_keys file, or a ~/.ssh or home directory, that is writable by group or others, and logs "bad ownership or modes" to /var/log/secure (or /var/log/auth.log on Debian-based systems).
To let two other machines log in to this one with public-key authentication, run:
$ ssh $host1 ssh-keygen -t rsa -b 2048 -N "" -C "" -o -q
$ ssh $host1 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ ssh $host2 ssh-keygen -t rsa -b 2048 -N "" -C "" -o -q
$ ssh $host2 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
The `>>` redirection is handled by the local shell, so each `cat` appends the remote host's public key to the local `~/.ssh/authorized_keys`: afterwards $host1 and $host2 can log in here, not the other way round. The `chmod` therefore belongs on the local file, not on the remote hosts. Note that `-N ""` leaves the generated private keys unencrypted on $host1 and $host2.
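The permission problems mentioned above are easy to spot once you know what sshd objects to. The following checker is an added example, not code from the original page: it walks a .ssh directory, flags a directory or authorized_keys file that is group/other writable and a private key that is readable by anyone else, and can tighten the modes. The 700/600 targets are the conventional ones (assumption: sshd's own StrictModes check is looser and only rejects writable files, so anything passing these targets passes sshd); the sample directory and key contents it builds are constructed dummies, not real keys.

```python
import os
import stat
import tempfile

# Added example, not from the original page. Targets are the conventional
# 700 for ~/.ssh and 600 for authorized_keys and private keys (assumption:
# sshd's StrictModes only rejects group/other *writable* files, so these
# stricter targets are sufficient).
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO


def is_private_key(path):
    """Heuristic: OpenSSH/PEM private keys start with a '-----BEGIN' line."""
    try:
        with open(path, "rb") as f:
            return f.read(10) == b"-----BEGIN"
    except OSError:
        return False


def check_ssh_dir(ssh_dir):
    """Return a list of (path, problem) tuples; an empty list means OK."""
    problems = []
    if not os.path.isdir(ssh_dir):
        return [(ssh_dir, "missing")]
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode & GROUP_OTHER_WRITE:
        problems.append((ssh_dir, f"mode {mode:o}: group/other writable, want 700"))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name == "authorized_keys" and mode & GROUP_OTHER_WRITE:
            problems.append((path, f"mode {mode:o}: group/other writable, want 600"))
        elif is_private_key(path) and mode & GROUP_OTHER_ANY:
            problems.append((path, f"mode {mode:o}: readable by others, want 600"))
    return problems


def fix_ssh_dir(ssh_dir):
    """Tighten modes to 700/600 on every path check_ssh_dir complains about."""
    for path, _ in check_ssh_dir(ssh_dir):
        os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)


def demo():
    """Build a throwaway .ssh directory (constructed data, not real keys),
    check it, fix it, and check again. Returns (problems_before, problems_after)."""
    tmp = tempfile.mkdtemp()
    ssh_dir = os.path.join(tmp, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    files = {
        "id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n", 0o644),  # too open
        "id_rsa.pub": (b"ssh-rsa AAAA user@host\n", 0o644),                  # public, fine
        "authorized_keys": (b"ssh-rsa AAAA user@host\n", 0o600),             # fine
    }
    for name, (data, mode) in files.items():
        path = os.path.join(ssh_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    before = check_ssh_dir(ssh_dir)
    fix_ssh_dir(ssh_dir)
    after = check_ssh_dir(ssh_dir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "OK")
    print("after: ", after or "OK")
```

Run it against a real account with `check_ssh_dir(os.path.expanduser("~/.ssh"))`; the home directory itself must also not be group/other writable, which this checker leaves to you because its parent in the demo is a world-writable temp directory.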
Speed Up SSH Connection
- When a client logs in, sshd does a reverse DNS lookup of the client's address (controlled by the UseDNS option); if the server's DNS resolver is slow, the login stalls while it waits. Once the cause is known the fix follows: make name resolution fast, for instance by adding the client's hostname to /etc/hosts on the server, or set `UseDNS no` in sshd_config (the default in current OpenSSH releases).
SSH Keep Alive
Use one of the following methods:
Add the following to ~/.ssh/config or /etc/ssh/ssh_config:
Host *
    # interval in seconds
    ServerAliveInterval 60
Or run the following loop in the idle session:
while date; do sleep 10; done
When you need to type a command, just press CTRL-C.
SSH Key Generation
Use this command:
$ ssh-keygen -t rsa -b 2048 -f id_rsa -N "" -C "" -o -q
`-N ""` sets an empty passphrase, so the private key is stored unencrypted; use a real passphrase for keys a person uses interactively and reserve empty ones for automation accounts that cannot prompt. `-o` selects the newer OpenSSH private key format (the default since OpenSSH 7.8). 2048 bits is the minimum sensible RSA size; `-t ed25519` is the usual choice today.
SSH Known Hosts
Put the following lines in ~/.ssh/config or /etc/ssh/ssh_config:
Host *
    StrictHostKeyChecking no
This makes ssh add unknown host keys automatically and carry on with only a warning when a known host's key changes, which removes the protection against a man-in-the-middle on the connection. `StrictHostKeyChecking accept-new` (OpenSSH 7.6 and later) adds unknown keys but still refuses changed ones, and is the better default; limit `no` to individual throwaway hosts rather than `Host *`.
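The settings collected on this page (the LocalForward/RemoteForward stanzas, agent and X11 forwarding, and StrictHostKeyChecking no under Host *) are exactly the ones worth auditing in a client config before it is copied around. The following auditor is an added example, not code from the original page or from OpenSSH: it parses an ssh_config-style file, tracks which Host block each directive sits in, and reports the risky values. The RISKY table and its messages are this example's own choices, and the embedded config is a constructed sample, not a real file.

```python
import re

# Added example, not from the original page. Settings flagged here are the
# example's own choice of what a reviewer would question in a client config;
# the messages are this example's wording, not OpenSSH's.
RISKY = {
    "stricthostkeychecking": ({"no"},
        "host key verification off: unknown keys accepted, a changed key only warns; use 'accept-new' or 'ask'"),
    "forwardagent": ({"yes"},
        "agent forwarding: root on the remote host can sign with your keys while you are connected"),
    "forwardx11": ({"yes"},
        "X11 forwarding: the remote host gets access to your local display"),
    "userknownhostsfile": ({"/dev/null"},
        "known_hosts discarded: no host key is ever remembered"),
}

# keyword, then '=' or whitespace, then the value; '#' starts a comment
DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(.+?)\s*$")


def parse_ssh_config(text):
    """Yield (block_patterns, keyword, value) for every directive, tracking
    the Host or Match block it belongs to. Directives before the first
    Host line apply to every host, so they are reported under '*'."""
    patterns = ("*",)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1), m.group(2)
        if keyword.lower() in ("host", "match"):
            patterns = tuple(value.split())
            continue
        yield patterns, keyword, value


def audit_ssh_config(text):
    """Return (block, keyword, value, why) for every risky directive.
    A finding under 'Host *' applies to every connection and matters most."""
    findings = []
    for patterns, keyword, value in parse_ssh_config(text):
        rule = RISKY.get(keyword.lower())
        if rule and value.lower() in rule[0]:
            findings.append((" ".join(patterns), keyword, value, rule[1]))
    return findings


# Constructed sample config (not a real file): the page's LocalForward stanza
# plus two settings the audit should flag.
SAMPLE_CONFIG = """\
Host remote-host
    Hostname 192.0.2.10
    LocalForward 1234:remote-host2:5678
    User user

Host bastion
    ForwardAgent yes

Host *
    StrictHostKeyChecking no
    # interval in seconds
    ServerAliveInterval 60
"""


def demo():
    """Audit the constructed sample; returns the list of findings."""
    return audit_ssh_config(SAMPLE_CONFIG)


if __name__ == "__main__":
    for block, keyword, value, why in demo():
        print(f"[Host {block}] {keyword} {value}: {why}")
```

Against a real file, `audit_ssh_config(open(os.path.expanduser("~/.ssh/config")).read())` does the job; the parser accepts both `Keyword value` and `Keyword = value`, which is why the regex allows either separator. It reports every occurrence rather than applying ssh's first-match-wins rule, since for an audit a risky setting buried under a later block is still worth seeing.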
