Last updated: 2018-07-01
Contents
- Detect whether the remote's sshd is running
- run cmd on remote by ssh
- Commonly used ssh opts
- ssh client hotkey
- Client Configuration File
- Environment Variables
- Enable ssh-rsa
- ssh-agent
- sshpass
- key fingerprint
- scp
- sftp
- Login with password instead of key
- clone disk by ssh
- Change Cipher
- Close Session
Detect whether the remote's sshd is running
ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no -o ConnectTimeout=5 \
192.168.88.32 -- uptime
When the connection fails:
echo $? # 255
run cmd on remote by ssh
# Use -- to separate the command to run
e.g.
ssh <IP> -- uname -a
# Redirection: unquoted -> the file is written locally; quoted -> the file is written on the remote
# Local
ssh 192.168.88.59 -- df > test.txt
# Remote
ssh 192.168.88.59 -- 'df > test.txt'
Commonly used ssh opts
# needed when running sudo
-t Force pseudo-tty allocation
# compression ( will only slow down things on fast networks )
-C Requests compression(gzip) of all data (stdin, stdout, stderr, forwarded X11 and TCP connections)
# Default: ~/.ssh/id_rsa
-i identity_file
# Default is the current username
-l login_name
# Needed when connecting to old Cisco routers.
-c cipher_spec # used when connecting to old ssh servers (e.g. a Cisco ASA 5500)
# Specify the algorithms to use (here a legacy key exchange algorithm is added to the default set)
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
ssh client hotkey
~? # Help
~. # terminate the current ssh session
Client Configuration File
~/.ssh/config
* must not be accessible by others
ssh obtains configuration data from the following
1. command-line options
2. user's configuration file (~/.ssh/config)
3. system-wide configuration file (/etc/ssh/ssh_config)
* For each parameter, the first obtained value will be used.
Doc:
man 5 ssh_config
Example:
Host server1
    HostName example.dyndns.org
    Port 2222
    ServerAliveInterval 5
    ConnectTimeout 1200
    User admin
    IdentitiesOnly yes
    IdentityFile /root/.ssh/nginx.key
IdentityFile
IdentitiesOnly
# Only use the authentication identity files; default: no
# This option is intended for situations where ssh-agent offers many different identities
Key Files Location:
version 1 default
- ~/.ssh/identity
version 2 default
- ~/.ssh/id_dsa
- ~/.ssh/id_rsa
version 2 ECDSA:
- ~/.ssh/id_ecdsa
multiple identity files
It is possible to have multiple identity files specified in configuration files
* all these identities will be tried in sequence. (multiple identity files => tried in sequence)
# Setting several IdentityFile entries at once
IdentityFile ~/.ssh/k1.key
IdentityFile ~/.ssh/k2.key
IdentityFile ~/.ssh/k3.key
Variables (tokens)
- %d (local user's home directory)
- %u (local user name)
- %l (local host name)
- %h (remote host name)
- %r (remote user name)
ServerAliveInterval
ssh(1) will send a message through the encrypted channel to request a response from the server.
The default is 0, indicating that these messages will not be sent to the server.
ConnectTimeout
This value is used only when the target is down or really unreachable
IdentitiesOnly
only use the authentication identity and certificate files explicitly configured in the ssh_config
Host Patterns:
Since the first obtained value for each parameter is used,
more host-specific declarations should be given near the beginning of the file,
and general defaults at the end.
# a Host block extends up to the next Host keyword, so indentation is not required
Host *.co.uk
    ...
Host 192.168.0.?
    ...
# Default
Host *
    ...
Usage:
ssh server1
Other
SetEnv # Directly specify one or more environment variables
RemoteCommand # Specifies a command to execute on the remote machine after successfully connecting to the server.
PasswordAuthentication # Default: yes
PreferredAuthentications # Default: gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
LocalForward # local tcp port -> remote tcp port ( [bind_address:]port host:hostport )
RemoteForward # allows a remote client to connect to arbitrary destinations from the local machine.
Compression # Default: no
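A small model of the lookup rules above, added here as an example (it is not part of the original notes and not OpenSSH's own parser): command-line options are read first, then the first matching value in the config text wins, IdentityFile and SendEnv accumulate, and the %d/%u/%h/%r tokens are expanded. The config text, host names, local user and home directory are constructed for the example.

```python
# Added example, not from the original notes and not OpenSSH's parser: a model of
# how ssh picks option values for a host from the config rules described above.
import fnmatch
import re

ACCUMULATE = {"identityfile", "sendenv"}  # these keywords accumulate values

# Constructed sample config (host names and paths are made up for the example).
SAMPLE_CONFIG = """\
Host *.co.uk
    User admin
    IdentityFile ~/.ssh/k1.key
Host server1
    HostName example.dyndns.org
    Port 2222
Host 192.168.0.?
    User lab
# general defaults go last, because the first obtained value wins
Host *
    Port 22
    IdentityFile %d/.ssh/id_rsa
"""

def resolve(config_text, host, cli_options=None, local_user="me", home="/home/me"):
    """Effective options for `host`; cli_options models -o Key=Value flags."""
    options = {}
    for key, value in (cli_options or {}).items():  # command line is read first
        options[key.lower()] = [value] if key.lower() in ACCUMULATE else value
    active = True  # lines before the first Host keyword apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":  # '*' and '?' are glob wildcards
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active and key in ACCUMULATE:
            options.setdefault(key, []).append(value)
        elif active:
            options.setdefault(key, value)  # an earlier value is never replaced
    options.setdefault("user", local_user)
    tokens = {"%d": home, "%u": local_user, "%r": options["user"],
              "%h": options.get("hostname", host)}
    def expand(value):  # IdentityFile and friends may contain % tokens
        if isinstance(value, list):
            return [expand(v) for v in value]
        return re.sub(r"%[duhr]", lambda m: tokens[m.group()], value)
    return {key: expand(value) for key, value in options.items()}
```

Moving the `Host *` block to the top of the sample makes `server1` resolve to port 22, which is exactly why the general defaults belong at the end of the file.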
Environment Variables
Ways to pass Env vars to the remote
- SendEnv
- SetEnv
Server
The server specifies which Env vars it accepts from the client
/etc/ssh/sshd_config:
# may be given on several lines
# Variables are specified by name, which may contain wildcard characters.
# Multiple environment variables may be separated by whitespace or spread across multiple SendEnv directives.
AcceptEnv MyEnv
AcceptEnv LANG LC_* FOO
Client Setting
[1] ~/.ssh/config
Host *
    # Method 1
    SetEnv GIT_AUTHOR_NAME=datahunter
    SetEnv [email protected]
    # Method 2
    # It is possible to clear previously set SendEnv variable names by prefixing patterns with -.
    SendEnv GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL
[2] "-o"
export FOO=bar
ssh -o SendEnv=FOO remote.host
Note
The TERM environment variable is always sent whenever a pseudo-terminal is requested as it is required by the protocol.
Enable ssh-rsa
CLI
ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa -i {yourfile} user@host
Config File
Host *
    PubkeyAcceptedKeyTypes=+ssh-rsa
    HostKeyAlgorithms=+ssh-rsa
ssh-agent
Purpose:
hold private keys used for public key authentication
How it works:
all other windows or programs are started as clients to the ssh-agent program
ssh(1) looks at these variables (SSH_AUTH_SOCK) and uses them to establish a connection to the agent
operations that require a private key will be performed by the agent, and the result will be returned to the requester
(This way, private keys are not exposed to clients using the agent.)
Opts:
- -k Kill the current agent
- -t life lifetime of identities added to the agent. Default: forever.
It creates a UNIX-domain socket:
$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
start agent
ssh-agent
# output
SSH_AUTH_SOCK=/tmp/ssh-k9vI4ysMD75A/agent.14362; export SSH_AUTH_SOCK;
SSH_AGENT_PID=14363; export SSH_AGENT_PID;
echo Agent pid 14363;
Method 1: If a commandline is given, this is executed as a subprocess of the agent.
ssh-agent bash
* ssh-agent must open a separate shell first; only then can ssh-add be used directly
# otherwise running ssh-add gives "Could not open a connection to your authentication agent."
* The agent exits automatically when the command given on the command line terminates.
Method 2: run the commands from the ssh-agent output by hand
SSH_AUTH_SOCK=/tmp/ssh-k9vI4ysMD75A/agent.14362; export SSH_AUTH_SOCK; SSH_AGENT_PID=14363; export SSH_AGENT_PID;
SSH_AUTH_SOCK: This method is easily abused by root or another instance of the same user.
ssh-add
# without arguments, ssh-add(1) adds the files
- ~/.ssh/id_rsa
- ~/.ssh/id_dsa
- ~/.ssh/id_ecdsa
# displays the identities currently held by the agent
ssh-add -l
2048 3d:04:35:41:3f:17:b5:77:f1:b2:9f:fb:3d:22:a8:38 /root/.ssh/id_rsa (RSA)
# Lists public key parameters
ssh-add -L
ssh-rsa AAA ... ... ... XYSpT /root/.ssh/id_rsa
Useful Opts
-D Deletes all identities from the agent
All identities removed.
-d Delete identity
-X Unlock the agent
-x Lock the agent with a password
sshpass
Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user.
yum install sshpass
Options
- -p password # least secure (All system users can see the password)
- -f filename # best
- -e # The password is taken from the environment variable "SSHPASS"
- -P # Set the password prompt. Default: "assword:"
e.g.
export SSHPASS=your-password-here
sshpass -e ssh $User@$AP -- uptime
key fingerprint
Key type:
- ECDSA key fingerprint
- RSA key fingerprint
Elliptic Curve Digital Signature Algorithm
* ECDSA is the new default
* As of April 2013, the Windows SSH client PuTTY does not support ECDSA
Usage:
ssh -oHostKeyAlgorithms='ssh-rsa' <IP>
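Added example, not from the original notes: a fingerprint is a hash of the base64 key blob (the comment is not hashed), so it can be recomputed from a public key file and compared, out of band, with the value the client shows on first connection or that ssh-add -l prints. The RSA key below is built from a constructed toy modulus, not a real key pair.

```python
# Added example, not from the original notes: recompute the fingerprints shown
# by ssh-add -l, ssh-keygen -l and the first-connection prompt from a public
# key line. The hash covers the base64 key blob only, never the comment.
import base64
import hashlib
import struct

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def mpint(n):
    """SSH mpint: big-endian bytes with a leading 0x00 when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_line(e, n, comment):
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> comment' line."""
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_blob(blob):
    """Split a key blob into its length-prefixed fields (type, e, n for RSA)."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return fields

def fingerprint(pubkey_line, alg="sha256"):
    """MD5 colon form (old ssh-add -l output) or SHA256 base64 form (modern default)."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if parse_blob(blob)[0] != key_type.encode():
        raise ValueError("key type prefix does not match the blob")
    if alg == "md5":
        digest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def rsa_bits(pubkey_line):
    """Key size printed in the first column of ssh-add -l (modulus bit length)."""
    fields = parse_blob(base64.b64decode(pubkey_line.split()[1]))
    return int.from_bytes(fields[2], "big").bit_length()

# Constructed sample: e = 65537 with a toy 2048-bit modulus, NOT a real key pair.
SAMPLE_KEY = rsa_public_line(65537, (1 << 2047) | 0x10001, "root@example")
```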
Copy files (scp)
URI in the form: scp://[user@]host[:port][/path]
Options:
- -P port
- -i identity_file
- -r Recursively copy entire directories
- -C Compression enable
- -l limit specified in Kbit/s
- -B batch mode (prevents asking for passwords or passphrases)
- -q Quiet mode (disables the progress meter)
- -v Verbose mode
- -p only preserves timestamps and permissions, not the file ownership
Example
#1 upload the file (/etc/apt/sources.list) to the home directory (~) of the root account on 192.168.1.7
scp /etc/apt/sources.list root@192.168.1.7:
#2 copy straight into the destination directory
scp /etc/apt/sources.list root@192.168.1.7:/etc/apt/
#3 Limit download speed
# limit to 4 Mbps
scp -r -l 40000 server:/path/to/folder ./
# the unit in the progress meter is MiB/s
filename 1% 6074MB 4.9MB/s 22:55:39 ET
Advanced
-3 Copies between two remote hosts are transferred through the local host.
sftp
sftp - all operations over an encrypted ssh transport.
Supports
- public key authentication
- compression
sftp comes bundled with scp; on CentOS both are in the openssh-clients package.
Their options are also much the same.
Common Opts:
- -P port
- -r # Recursively copy entire directories
- -C # Enables compression
- -B buffer_size # Default is 32768 bytes. Larger buffers require fewer round trips
- -R num_requests # The default is 64 outstanding requests. how many requests may be outstanding at any one time.
Usage
sftp [user@]host[:path] <<< 'put filename'
sftp -b batchfile [user@]host # necessary to configure non-interactive authentication
sftp [user@]host[:file ...]
sftp [user@]host[:dir[/]]
Batch mode
Batch mode reads a series of commands from an input batchfile instead of stdin.
Since it lacks user interaction it should be used in conjunction with non-interactive authentication.
#!/bin/bash
# Method 1
export SSHPASS=your-password-here
sshpass -e sftp sftp-user@remote-host << MYCMD
put your-log-file.log
bye
MYCMD
# Method 2
export SSHPASS=your-password-here
sshpass -e sftp -oBatchMode=no -b - sftp-user@remote-host << MYCMD
put your-log-file.log
bye
MYCMD
INTERACTIVE COMMANDS
- ls, df, bye, exit,
- cd, mkdir, rmdir
- get, put, reget, reput, rename, ln, rm
- chgrp, chmod, chown
- version, progress
ln
If the -s flag is specified the created link is a symbolic link, otherwise it is a hard link.
df
-i flag: requests display of inode information
-h flag: human-readable
reget, reput
Resume. Equivalent to "-a" flag set
put, get
local-path may contain glob
-a: attempt to resume partial transfers of existing files
If the remote file contents differ from the partial local copy then the resultant file is likely to be corrupt.
If the -P or -p flag is specified, then full file permissions and access times are copied too.
If the -r flag is specified then directories will be copied recursively.
mput, mget
* mget works with a glob for the "source file" portion of the arguments
sftp> mget abc.PDF def.PDF ghi.PDF
Fetching /abc.PDF to def.PDF
sftp> mget *.pdf
Local
- lls [ls-options [path]] Display local directory listing
- lmkdir path Create local directory
Example
#1 sftp shell
# check version
sftp> version
SFTP protocol version 3
# show hidden files
sftp> ls -a
#2 a public_html folder will be created under ./
sftp -r user@remote:/public_html ./
#3 upload folder
sftp> put -r folder/
Login with password instead of key
[Method 1]
ssh -i /dev/null host
[Method 2]
ssh -o PubkeyAuthentication=no host
clone disk by ssh
# Source
dd bs=16M if=/dev/sda | pv | ssh -C root@dest_ip "dd bs=16M of=/dev/sda"
-C option to the SSH command to enable gzip compression
Test
dd bs=16M if=/root/tmp/send/vda.qcow2 | ssh -C root@localhost "dd bs=16M of=/root/tmp/receive/vda.qcow2"
2023161856 bytes (2.0 GB, 1.9 GiB) copied, 89.4027 s, 22.6 MB/s
* one CPU core at 90%
Without -C
2023161856 bytes (2.0 GB, 1.9 GiB) copied, 32.7042 s, 61.9 MB/s
* CPU usage is low (30%)
Change Cipher
Client
# list of available ciphers
ssh -Q cipher
3des-cbc blowfish-cbc cast128-cbc arcfour ...
# Selects the cipher specification for encrypting the session
-c blowfish-cbc
# the server does not support the requested cipher
Unable to negotiate with 127.0.0.1 port 22: no matching cipher found. Their offer: ...
Server
Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character,
then the specified ciphers will be appended to the default set instead of replacing them.
Ciphers +arcfour,blowfish-cbc
Copy file test
# blowfish-cbc (cpu 60%)
2023161856 bytes (2.0 GB, 1.9 GiB) copied, 34.4005 s, 58.8 MB/s
# arcfour (cpu 20%)
2023161856 bytes (2.0 GB, 1.9 GiB) copied, 35.6266 s, 56.8 MB/s
Other
Close Session
Press Enter, then type "~." to close the connection.