SSH
SYNOPSIS
ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd]
[-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections, arbitrary TCP ports and UNIX-domain sockets can also be forwarded over the secure channel.
- The simple demo
$ ssh root@139.196.28.125
ssh connects and logs into the specified hostname (with optional user name). The user must prove his/her identity to the remote machine using one of several methods (see below). If command is specified, it is executed on the remote host instead of a login shell.
If command is specified, it is executed on the remote host instead of a login shell. The options are as follows:
| opt | description |
|---|---|
| -1 | Forces ssh to try protocol version 1 only. |
| -2 | Forces ssh to try protocol version 2 only. |
| -4 | Forces ssh to use IPv4 addresses only. |
| -5 | Forces ssh to use IPv6 addresses only. |
SSH 免密登录
If you want login B in A without password, you can do it like this:
1、generate ssh key in A
ssh-keygen -t rsa
It may has three times input, just enter directly. It will generate id_rsa and id_rsa.pub in .ssh
2、Import A’s id_rsa.pub into B
ssh-copy .ssh/id_rsa.pub root@139.196.28.125
If A not install ssh-copy, we can do it like this
- copy
id_rsa.pubto B
houbinbindeMacBook-Pro:.ssh houbinbin$ scp ~/.ssh/id_rsa.pub root@139.196.28.125:id_rsa.pub
root@139.196.28.125's password:
id_rsa.pub
- import it to B’s
.ssh/authorized_keys
cat id_rsa.pub > .ssh/authorized_keys
If the the user you login has no .ssh, create it:
root@iZuf60ahcky4k4nfv470juZ:~# pwd
/root
root@iZuf60ahcky4k4nfv470juZ:~# mkdir .ssh
3、login test
houbinbindeMacBook-Pro:~ houbinbin$ ./ali.sh
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-86-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '16.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to aliyun Elastic Compute Service!
root@iZuf60ahcky4k4nfv470juZ:~#
SSH 内网穿透技术
假设已有:
- 一台公网主机(B)
- 可以联公网的主机的主机A、C
问: 如何让C访问A呢?
思路
1、C可以直接访问B,A可以访问B,所以要通过B作为二者沟通的桥梁。 2、当我们使用C访问B时,如何让B把消息传递给A呢?(SSH)
实现
- A来征服
ssh -N -f -R 2323:127.0.0.1:22 139.196.28.125
作用:告诉139.196.28.125(B), 如果有人请求你的2323端口, 你就把这个请求转到我(A)的22号端口
-N: 告诉B, 我这个命令你什么也不要做, 只需要做转发就行了 -f:让这条命令在A的后台执行(不会因为关掉命令窗口而断开链接) -R: 格式-R X:Y:Z, 作用是做端口映射, 把远程机器的端口X映射(转发)到本地机器Y的Z端口
- C来见证
1、C访问B
ssh root@139.196.28.125
2、访问指定端口
让B访问自己的2323端口,等于直接访问A的22端口(22为默认ssh端口)
ssh -p 2323 root@localhost
将内网服务器设置为外网可以访问
指定转发脚本: conn.sh
# kill ssh
echo "kill all ssh..."
ps -ef | grep ssh | grep -v sshd | cut -c 9-15 | xargs kill -9
# ssh
ssh -C -f -N -g -L 8080:42.196.156.22:18080 -p 12222 houbinbin@42.196.156.22
ssh -C -f -N -g -L 8081:42.196.156.22:18081 -p 12222 houbinbin@42.196.156.22
ssh -C -f -N -g -L 9000:42.196.156.22:19000 -p 12222 houbinbin@42.196.156.22
ssh -C -f -N -g -L 80:42.196.156.22:10080 -p 12222 houbinbin@42.196.156.22
定时执行:
# crontab -e
添加内容如下:
# 每小时进行一次转发重连
0 */1 * * * /root/shell/conn.sh
SSH 访问其他服务器卡顿
ssh 访问很慢的原因和解决办法
原因:访问服务器的时候会把服务器的 ip 地址反向解析为域名,如果无法解析就会导致登陆时很慢
下面三种方法都可以解决这个问题
1、清空/etc/resolv.conf文件中nameserver记录
2、在客户机的/etc/hosts文件中添加服务器域名的解析记录
3、修改客户机的 /etc/ssh/ssh_config 文件中:
GSSAPIAuthentication no
我使用的方法 3,调整后重启机器。感觉好了很多。
