Secure Shell (SSH)

SSH Port Forwarding

  • SSH port forwarding, also called SSH tunnelling, is a convenient way to reach resources that cannot be accessed directly. It comes in two forms: local forwarding (Local Forward) and remote forwarding (Remote Forward).

  • Local forwarding (Local Forward):

    $ ssh -f -g -A -X -N -T -L 1234:remote-host2:5678 user@remote-host

    -L binds local port 1234 and carries every connection to it over the SSH session to remote-host2:5678, where remote-host2 is resolved and reached from remote-host. -N and -T request no remote command and no pty, and -f puts ssh in the background after authentication, so the process does nothing but forward. The remaining flags are not needed for forwarding and widen exposure: -g binds the listener on all interfaces instead of loopback, so any host that can reach your machine can use the tunnel (drop it, or give an explicit bind address as the first field of the -L argument); -A forwards your ssh agent and -X your X11 display to remote-host, where root can use both.

    Or via the ssh configuration file:

    $ cat ~/.ssh/config
    Host remote-host
         # IP address or DNS name of remote-host
         Hostname x.x.x.x
         LocalForward 1234 remote-host2:5678
         User user
    $ ssh user@remote-host

    In the configuration file LocalForward takes two arguments, the listener and the target, unlike the single colon-separated -L argument; ssh rejects the one-argument form with "Missing target argument". Comments must be on their own line, as trailing text after a value is an error.

    Every connection to local port 1234 is forwarded through remote-host to port 5678 on remote-host2. Some DMZ hosts expose nothing but sshd on port 22; with local forwarding you can still reach every service that remote-host itself can reach, which is also why administrators restrict it with AllowTcpForwarding and PermitOpen in sshd_config.

  • Remote forwarding (Remote Forward):

    $ ssh -f -g -A -X -N -T -R 1234:remote-host2:5678 user@remote-host

    -R asks remote-host's sshd to listen on port 1234 and send every connection back over the session to remote-host2:5678, resolved from the local machine. -g has no effect on -R listeners: whether port 1234 on remote-host is reachable from other hosts or only from remote-host's own loopback is decided by the GatewayPorts setting in remote-host's sshd_config. -A and -X are unnecessary here as well.

    Or via the ssh configuration file:

    $ cat ~/.ssh/config
    Host remote-host
         # IP address or DNS name of remote-host
         Hostname x.x.x.x
         RemoteForward 1234 remote-host2:5678
         User user
    $ ssh user@remote-host

    As with LocalForward, the listener and the target are two separate arguments in the configuration file.

    Every connection to port 1234 on remote-host is forwarded through the local machine to port 5678 on remote-host2. With remote forwarding, a machine at home that has a public IP and accepts ssh logins becomes a way into the computers behind the company firewall. This bypasses the firewall's inbound policy entirely, so use it only where that is permitted, and keep the listener on loopback (the GatewayPorts default) unless other hosts really need it.

SSH Proxy

  • Download connect.c, compile it, and copy the binary to `/usr/bin`:

    $ gcc connect.c -o connect
    $ sudo cp connect /usr/bin
  • Edit the ssh configuration file `~/.ssh/config` and add:

    Host remote-host
        ProxyCommand connect -H your.proxy.com:port %h %p
  • Connect to the remote host:

    $ ssh user@remote-host

    -H names an HTTP proxy (connect.c uses the CONNECT method; -S is the equivalent for a SOCKS proxy), and %h and %p are expanded by ssh to the target host and port. The proxy only sees an encrypted SSH stream, but it does learn which host and port you connect to, and it must allow CONNECT to that port (many only allow 443). For hopping through a machine you can already ssh into, OpenSSH's own ProxyJump (-J) option needs no helper program.

SSH Web Proxy

  • Set up local dynamic (application-level) port forwarding on Linux:

    $ ssh -qTfnN -D localhost:8888 user@remote-host

    -D localhost:8888 turns ssh into a SOCKS server bound to loopback, so only this machine can use it; -q is quiet, -T requests no pty, -f backgrounds ssh after authentication, -n detaches stdin (required with -f), and -N runs no remote command.
  • Set up local dynamic port forwarding on Windows:

    • Download PuTTY.
    • Under Category -> Session: enter the SSH server name and port.
    • Under Category -> Connection -> SSH -> Tunnels: enter 8888 in 'Source port', select the 'Dynamic' radio button and click 'Add'. An entry 'D8888' appears in the forwarded-ports list.
    • Connect to the server by clicking 'Open'.
  • Configure the browser to use localhost:8888 as a SOCKS 5 proxy.

  • Internet Explorer does not support SOCKS 5; Firefox does. In Firefox also enable 'Proxy DNS when using SOCKS v5', otherwise name lookups still leave your machine directly and reveal which sites you visit.

  • Your SSH server may not permit port forwarding. Check /etc/ssh/sshd_config (older installs: /etc/sshd_config) for:

    AllowTcpForwarding no
    X11Forwarding no

    and change them to:

    AllowTcpForwarding yes
    X11Forwarding yes

    Only AllowTcpForwarding matters for -L, -R and -D; X11Forwarding is a separate feature needed only for -X, so leave it off unless X11 is actually used. sshd takes the first occurrence of a keyword, so look for an earlier line and for Match blocks that override it, then reload sshd. With forwarding disabled, the tunnel itself still comes up but each connection through it fails with "administratively prohibited". To allow tunnels without opening everything, keep AllowTcpForwarding yes and limit the destinations with PermitOpen.
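The check above done in code, as an added example that is not part of the original page: `effective_option` reads an sshd_config the way sshd resolves a global keyword (first occurrence wins, case-insensitive, `Match` blocks skipped), and `forwarding_allowed` turns the AllowTcpForwarding value into a yes/no answer for -L/-D versus -R tunnels. The sample config and the `ops` user are constructed for the demonstration; on a live host `sshd -T` prints the same effective values authoritatively.

```shell
#!/bin/sh
# Added example (not from the original page): report the value sshd will use
# for a global keyword, reading sshd_config the way sshd does. Assumptions:
# the first occurrence of a keyword wins, keywords are case-insensitive,
# "Keyword=value" is accepted, and lines under a "Match" block (until a
# "Match all") apply only to matching connections and are skipped here.
# DEFAULT is returned when the keyword is absent (AllowTcpForwarding defaults
# to yes, X11Forwarding to no). On a live host "sshd -T" is authoritative.
effective_option() {  # effective_option CONFIG KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        { sub(/=/, " "); k = tolower($1) }         # allow "Keyword=value"
        k == "match" { inmatch = (tolower($2) != "all"); next }
        inmatch      { next }                      # conditional block
        k == key && !found { found = 1; val = $2 } # first occurrence wins
        END { print (found ? val : def) }
    ' "$1"
}

# forwarding_allowed CONFIG local|remote: does the global policy permit
# -L/-D (local) or -R (remote) tunnels? "yes" and "all" permit both.
forwarding_allowed() {
    v=$(effective_option "$1" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
    [ "$v" = "yes" ] || [ "$v" = "all" ] || [ "$v" = "$2" ]
}

# Constructed sample (not a real host's config): forwarding is disabled
# globally and re-enabled only for user "ops" inside a Match block.
sample_sshd_config() {  # sample_sshd_config FILE
    cat > "$1" <<'EOF'
# /etc/ssh/sshd_config (sample)
Port 22
AllowTcpForwarding no
X11Forwarding no
Match User ops
    AllowTcpForwarding yes
EOF
}

cfg=$(mktemp)
sample_sshd_config "$cfg"
printf 'AllowTcpForwarding: %s\n' "$(effective_option "$cfg" AllowTcpForwarding yes)"
printf 'X11Forwarding:      %s\n' "$(effective_option "$cfg" X11Forwarding no)"
if forwarding_allowed "$cfg" local; then
    echo "ssh -L / -D will work for ordinary users"
else
    echo "ssh -L / -D connections will be refused (administratively prohibited)"
fi
rm -f "$cfg"
```

The Match handling is the part people miss: re-enabling forwarding for one user inside a Match block leaves the global answer "no", which is what an unprivileged account will experience.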

SSH Key

  • There is no single standard format for SSH2 private keys: OpenSSH, ssh.com and PuTTY each use their own, so a key generated with one client cannot be used with another without conversion. (Public keys are different: ssh-keygen -i and -e convert between the OpenSSH and RFC 4716 forms.)

  • PuTTYgen (the PuTTY key generator) converts an OpenSSH private key into PuTTY's .ppk format (Conversions -> Import key, then Save private key) and can export a .ppk back to OpenSSH format.

  • The most frequent problem with public-key authentication is file permissions. The server log (/var/log/secure on Red Hat-style systems, /var/log/auth.log on Debian-style ones) usually states the reason, and ssh -v on the client shows which keys were offered and refused.

  • To set up public-key authentication between two machines, generate a key on each and install each public key in the other machine's authorized_keys. Note that in a command of the form ssh $host1 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys the >> is evaluated by the local shell, so the key lands in the local machine's authorized_keys rather than on the other host; that only gives the intended result when the home directory is shared (for example over NFS). The form below copies the keys explicitly:

    $ ssh "$host1" 'ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -N "" -C "" -o -q'
    $ ssh "$host2" 'ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -N "" -C "" -o -q'
    $ ssh "$host1" 'cat ~/.ssh/id_rsa.pub' | ssh "$host2" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
    $ ssh "$host2" 'cat ~/.ssh/id_rsa.pub' | ssh "$host1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'

    -f names the key file explicitly so ssh-keygen does not stop to prompt for it; umask 077 makes a newly created ~/.ssh and authorized_keys end up mode 700 and 600 (an existing file keeps its mode, so chmod 600 ~/.ssh/authorized_keys is still worth running). -N "" leaves the private key unencrypted on disk, so anyone who can read it can log in: acceptable for automation accounts, whose authorized_keys line should then be limited with options such as from= and command=.
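The permission problems mentioned above, made concrete as an added example that is not part of the original page: `check_ssh_perms` applies the same tests sshd's StrictModes and the ssh client apply (home, ~/.ssh and authorized_keys must not be group/world-writable and must be owned by the user; a private key must not be readable by anyone else), `fix_ssh_perms` applies the usual remedy, and `broken_home` builds a throw-away directory with the classic mistakes for the demonstration. Only POSIX find/-perm tests are used so it runs unchanged on Linux and BSD.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the permission checks
# behind "public-key auth silently fails". With StrictModes (sshd's default)
# the server ignores authorized_keys when the home directory, ~/.ssh or the
# file itself is writable by group or others, or not owned by the user; the
# ssh client refuses a private key that anyone else can read.

# mode_has PATH BITS...: true if PATH has any of the given permission bits
mode_has() {
    p=$1; shift
    for bits in "$@"; do
        [ -n "$(find "$p" -prune -perm -"$bits" -print)" ] && return 0
    done
    return 1
}

# check_ssh_perms HOMEDIR: print every problem sshd or ssh would trip over;
# returns 1 if anything was found
check_ssh_perms() {
    home=$1; rc=0; me=$(id -un)
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if mode_has "$p" 020 002; then           # group or other write bit
            echo "writable by group/others: $p"; rc=1
        fi
        if [ -n "$(find "$p" -prune ! -user "$me" -print)" ]; then
            echo "not owned by $me: $p"; rc=1
        fi
    done
    for k in "$home"/.ssh/id_*; do               # private keys (skip .pub)
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if mode_has "$k" 040 004; then           # group or other read bit
            echo "private key readable by group/others: $k"; rc=1
        fi
    done
    return $rc
}

# fix_ssh_perms HOMEDIR: the usual remedy
fix_ssh_perms() {
    chmod go-w "$1"
    [ -d "$1/.ssh" ] && chmod 700 "$1/.ssh"
    [ -f "$1/.ssh/authorized_keys" ] && chmod 600 "$1/.ssh/authorized_keys"
    for k in "$1"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] && chmod 600 "$k"
    done
    return 0
}

# broken_home: constructed throw-away home directory with the classic
# mistakes (group-writable .ssh and authorized_keys, world-readable private
# key); prints its path
broken_home() {
    h=$(mktemp -d)
    mkdir "$h/.ssh"
    : > "$h/.ssh/authorized_keys"
    : > "$h/.ssh/id_rsa"
    : > "$h/.ssh/id_rsa.pub"
    chmod 775 "$h/.ssh"
    chmod 664 "$h/.ssh/authorized_keys"
    chmod 644 "$h/.ssh/id_rsa"
    printf '%s\n' "$h"
}

h=$(broken_home)
check_ssh_perms "$h" || echo "-- fixing"
fix_ssh_perms "$h"
check_ssh_perms "$h" && echo "-- clean"
rm -rf "$h"
```

Run `check_ssh_perms "$HOME"` on the server side when key login fails for no visible reason; the home-directory test is the one that catches shared or freshly restored accounts that were made group-writable.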

Speed Up SSH Connection

  • When you log in, sshd does a reverse DNS lookup of the client's address; if its DNS server is slow, the login stalls until the lookup times out. Once the cause is known the fix is to make resolution fast: map the client's address to a name in /etc/hosts on the sshd host (and the server's name on the client). The lookup is controlled by UseDNS in sshd_config, which defaults to no since OpenSSH 6.8; GSSAPIAuthentication yes on the client is the other common source of a login delay.

SSH Keep Alive

Use one of the following methods:

  • Add the following to ~/.ssh/config or /etc/ssh/ssh_config:

    Host *
        # seconds between keepalive probes sent inside the encrypted channel
        ServerAliveInterval 60

    After ServerAliveCountMax (default 3) unanswered probes the client closes the connection, so this also detects a dead peer instead of hanging forever. Comments in ssh_config must be on their own line.
  • Run the following loop in the session:

    while date; do sleep 10; done

    Press Ctrl-C when you want to type a command.

SSH Key Generation

  • Use this command:

    $ ssh-keygen -t rsa -b 2048 -f id_rsa -N "" -C "" -o -q

    -f writes the key pair to id_rsa and id_rsa.pub in the current directory, -N "" sets an empty passphrase, -C "" an empty comment, -o selects the newer OpenSSH private-key format (the default since OpenSSH 7.8, where the flag is a no-op) and -q suppresses the banner. An unencrypted key is only appropriate for unattended automation, and then pair it with authorized_keys restrictions on the server. ed25519 (-t ed25519) or RSA with at least 3072 bits is the usual choice today; 2048-bit RSA was reasonable when this page was written.

SSH Known Hosts

  • Put the following lines in ~/.ssh/config or /etc/ssh/ssh_config:

    Host *
        StrictHostKeyChecking no

    This stops the interactive "Are you sure you want to continue connecting" prompt, but it also removes the one check that detects a man-in-the-middle: a new host key is added to known_hosts unseen, and a changed key only prints a warning while the connection proceeds (ssh then disables password authentication and forwarding for that session). Scope it to a Host pattern for throw-away lab machines rather than Host *, or use accept-new (OpenSSH 7.6 and later), which adds unknown hosts automatically but still refuses a changed key.
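An audit of the client-side settings discussed in the SSH Port Forwarding section and here, as an added example that is not part of the original page: `audit_ssh_config` reads an ssh_config, tracks the current `Host` (or `Match`) block, and flags `ForwardAgent`/`ForwardX11 yes` (the -A/-X flags), `StrictHostKeyChecking no`, `GatewayPorts yes` (the -g flag) and any LocalForward, RemoteForward or DynamicForward whose listener is bound on `*`, `0.0.0.0` or `::` instead of loopback. The sample config, its host names and the 192.0.2.10 documentation address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an OpenSSH client config
# for the settings on this page that widen exposure. It follows how ssh reads
# ~/.ssh/config into blocks: "Host" (or "Match") starts a new block and lines
# before the first one are global. Every offending occurrence is printed as
# "host<TAB>finding"; the function returns 1 when anything was flagged.
audit_ssh_config() {  # audit_ssh_config FILE
    awk '
        function bind_of(spec,   n, a) {            # "[bind:]port" -> bind address
            if (spec ~ /^\[/) { sub(/^\[/, "", spec); sub(/].*$/, "", spec); return spec }
            n = split(spec, a, ":")
            return (n >= 2) ? a[1] : ""             # no address = loopback (unless -g)
        }
        function flag(msg) { printf "%s\t%s\n", host, msg; found = 1 }
        BEGIN { host = "(global)" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/=/, " "); key = tolower($1); val = tolower($2) }
        key == "host" || key == "match" {
            host = $2; for (i = 3; i <= NF; i++) host = host " " $i; next
        }
        key == "forwardagent"          && val == "yes" { flag("ForwardAgent yes") }
        key == "forwardx11"            && val == "yes" { flag("ForwardX11 yes") }
        key == "stricthostkeychecking" && val == "no"  { flag("StrictHostKeyChecking no") }
        key == "gatewayports"          && val == "yes" { flag("GatewayPorts yes") }
        key ~ /^(local|remote|dynamic)forward$/ {
            b = bind_of($2)
            if (b == "*" || b == "0.0.0.0" || b == "::")
                flag($1 " " $2 " listens on all interfaces")
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample config (nobody's real one; 192.0.2.10 is a documentation
# address). Only the "safe" block should pass clean.
sample_ssh_config() {  # sample_ssh_config FILE
    cat > "$1" <<'EOF'
Host *
    StrictHostKeyChecking no
Host remote-host
    Hostname 192.0.2.10
    User user
    ForwardAgent yes
    GatewayPorts yes
    LocalForward 1234 remote-host2:5678
Host jump
    LocalForward *:8080 intranet:80
    DynamicForward 127.0.0.1:8888
Host safe
    LocalForward 127.0.0.1:8080 intranet:80
    StrictHostKeyChecking accept-new
EOF
}

cfg=$(mktemp)
sample_ssh_config "$cfg"
audit_ssh_config "$cfg" || echo "-- review the findings above"
rm -f "$cfg"
```

Note that a LocalForward with no bind address is reported clean only because the listener then defaults to loopback; the separate `GatewayPorts yes` finding is what turns every such unbound listener into an all-interfaces one, so read the two together.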

None: SSH (last edited 2012-01-31 15:55:30 by ZhigangWang)