Common SSH Commands


This post shows how to generate SSH keys on a single server and assign a different key to each remote address, a method that suits configuring a different key for each git host.

Generating an SSH key

ssh-keygen

Usually you generate a separate key pair for each e-mail account. Both public and private keys live under ~/.ssh; the steps are:

mkdir -p ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -C "me@xiexianbin.cn" -f ~/.ssh/id_rsa_github   # write this key as id_rsa_github, then press Enter at the remaining prompts
ssh-keygen -t rsa -C "10972072@qq.com" -f ~/.ssh/id_rsa_aliyun    # write this key as id_rsa_aliyun, then press Enter at the remaining prompts
ssh-keygen -t rsa -b 4096 -C "me@xiexianbin.cn"                   # 4096-bit RSA key, written to the default ~/.ssh/id_rsa

Add the private key to ssh-agent:

ssh-add ~/.ssh/id_rsa

List the keys already added:

ssh-add -l

If you get the error "Could not open a connection to your authentication agent.", start an agent first:

ssh-agent bash

PS: appending ~/.ssh/id_rsa.pub to .ssh/authorized_keys on the target machine enables key-based SSH login.

Changing the passphrase

ssh-keygen -f ~/.ssh/id_rsa -p

Passwordless login

ssh-copy-id $IP    # $IP is the address of this VM; answer yes and enter the password when prompted, after which you can log in without a password

This step appends id_rsa.pub to the ~/.ssh/authorized_keys file on the target host.

Configuring a separate key for each server

At this point there are two key pairs under ~/.ssh. Paste the contents of id_rsa_aliyun.pub into the SSH keys page of the Aliyun git service and the contents of id_rsa_github.pub into the SSH keys page on GitHub. Then create the config file:

touch ~/.ssh/config
chmod 600 ~/.ssh/*

Finally, add the following to ~/.ssh/config:

Host code.aliyun.com
    # User xiexianbin
    HostName code.aliyun.com
    Port 22
    IdentityFile ~/.ssh/id_rsa_aliyun
    # IdentitiesOnly yes   # optional: stop ssh from offering every key in the agent before this one

Host github.com
    User git
    HostName github.com
    Port 22
    IdentityFile ~/.ssh/id_rsa_github

Host 10.0.0.* 10.0.1.*
    Port 22
    IdentityFile ~/.ssh/id_rsa
    User root

Quick login alias

Host vm1
    User root
    HostName 10.0.0.2
    Port 22
    IdentityFile ~/.ssh/id_rsa

You can then log in to that machine with just ssh vm1.

Testing

Then test each host with ssh:

ssh -T git@github.com

Debugging

If it still does not work at this point, turn on verbose output, for example when testing GitHub:

ssh -vT git@github.com

-v prints verbose debugging information about the connection and each authentication attempt; use it to track down the problem yourself.

Skipping host-key confirmation

Edit ~/.ssh/config and add:

UserKnownHostsFile=/dev/null
StrictHostKeyChecking=no
LogLevel=ERROR

With these three lines set globally, ssh neither records nor verifies any server host key, so a changed or spoofed host key goes unnoticed for every destination; putting them under a Host block that covers only the throwaway lab machines keeps the convenience without losing that check elsewhere.

Fix the permissions:

chmod 400 ~/.ssh/config

Logging in without the host-key check from the command line:

sudo ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i .ssh/ssh_key.key ubuntu@10.0.0.1
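As an added example (not part of the original post), here is a small POSIX sh resolver that shows which key and which host-key policy ssh would pick for a given host from a config laid out like the multi-key section above, and that flags the case where a global StrictHostKeyChecking=no reaches every destination. The key paths and host names in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny ssh_config resolver that
# answers "which IdentityFile / StrictHostKeyChecking applies to host X?" the
# way OpenSSH does (first match wins; lines before any Host block are global).
# Simplified: no Match blocks, no negated (!) patterns, no '#' inside values.
set -f   # keep Host patterns such as 10.0.0.* literal during word splitting
# Constructed sample mirroring the layout above; key paths are assumptions.
SAMPLE_CONFIG='StrictHostKeyChecking=no
Host github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github
    IdentitiesOnly yes
Host 10.0.0.* 10.0.1.*
    User root
    IdentityFile ~/.ssh/id_rsa
Host *
    IdentityFile ~/.ssh/id_rsa_default'

# resolve_option CONFIG_TEXT HOST KEYWORD -> prints the effective value, "" if unset
resolve_option() {
    config=$1; host=$2; want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1; found=""
    while IFS= read -r line; do
        line=${line%%#*}                              # drop comments
        set -- $(printf '%s' "$line" | tr '=' ' ')    # "key value" or "key=value"
        [ $# -eq 0 ] && continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$key" = host ]; then
            active=0                                  # block applies only if a pattern matches
            for pat in "$@"; do
                case $host in $pat) active=1 ;; esac
            done
            continue
        fi
        if [ "$active" -eq 1 ] && [ "$key" = "$want" ] && [ -z "$found" ]; then
            found=$1
        fi
    done <<EOF
$config
EOF
    printf '%s\n' "$found"
}

# hostkey_check_disabled_globally CONFIG_TEXT -> succeeds when StrictHostKeyChecking=no
# reaches a host matching no specific block, i.e. verification is off everywhere.
hostkey_check_disabled_globally() {
    [ "$(resolve_option "$1" unmatched.example StrictHostKeyChecking)" = no ]
}

printf 'github.com uses %s\n' "$(resolve_option "$SAMPLE_CONFIG" github.com IdentityFile)"
```

Running it against your real file is a one-liner: pass "$(cat ~/.ssh/config)" as the first argument, or compare with the output of ssh -G host, which prints the values OpenSSH itself resolved.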

Auto-login script file

The script is named after the host it logs in to (here 10.0.0.1), so basename $0 yields the target address:

cat 10.0.0.1
#!/bin/sh

user="root"
host=$(basename "$0")

ssh -i ~/.ssh/id_rsa "$user@$host"

Advanced usage

Running multiple commands

ssh -CT -o BatchMode=yes c1    # no TTY and no interactive prompts; the commands to run are read from stdin, e.g. fed by a heredoc

TCP port or Unix socket forwarding

$ man ssh

     -C      Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and
             UNIX-domain connections).  The compression algorithm is the same used by gzip(1).  Compression is
             desirable on modem lines and other slow connections, but will only slow down things on fast networks.
             The default value can be set on a host-by-host basis in the configuration files; see the Compression
             option.

     -g      Allows remote hosts to connect to local forwarded ports.  If used on a multiplexed connection, then
             this option must be specified on the master process.

     -L [bind_address:]port:host:hostport
     -L [bind_address:]port:remote_socket
     -L local_socket:host:hostport
     -L local_socket:remote_socket
             Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be
             forwarded to the given host and port, or Unix socket, on the remote side.  This works by allocating a
             socket to listen to either a TCP port on the local side, optionally bound to the specified
             bind_address, or to a Unix socket.  Whenever a connection is made to the local port or socket, the
             connection is forwarded over the secure channel, and a connection is made to either host port
             hostport, or the Unix socket remote_socket, from the remote machine.

             Port forwardings can also be specified in the configuration file.  Only the superuser can forward
             privileged ports.  IPv6 addresses can be specified by enclosing the address in square brackets.

             By default, the local port is bound in accordance with the GatewayPorts setting.  However, an explicit
             bind_address may be used to bind the connection to a specific address.  The bind_address of
             “localhost” indicates that the listening port be bound for local use only, while an empty address or
             ‘*’ indicates that the port should be available from all interfaces.

     -N      Do not execute a remote command.  This is useful for just forwarding ports.

Example: forwarding remote port 5901 to local port 5901:

ssh -v -CNg -L 5901:127.0.0.1:5901 root@ip -p 22

Debug

Slow SSH connections

  • Edit /etc/ssh/sshd_config:

UseDNS no
# GSSAPI options: debugging with ssh -v xiexianbin@git.xiexianbin.cn showed that the gssapi-with-mic step took a long time
GSSAPIAuthentication no
GSSAPICleanupCredentials no

  • Use the w command to see the current number of remote SSH sessions and whether the maximum has been reached:

vim /etc/ssh/sshd_config
LoginGraceTime 2m   # time allowed for login authentication to complete
MaxAuthTries 6      # maximum authentication retries per connection
MaxSessions 10      # maximum sessions (shells, logins, subsystems) per network connection

  • The last command shows the recent login log
  • /var/log/secure is the system security log
  • Check /etc/hosts.allow and /etc/hosts.deny for restricted IPs

SSH connection timing out and dropping

Error shown in the ssh console when the connection times out:

client_loop: send disconnect: Broken pipe

  • Fix: client-side configuration
  1. Pass a keepalive interval on the command line: ssh -o ServerAliveInterval=600 xxx
  2. Or append it to the config file: echo "ServerAliveInterval 600" >> ~/.ssh/config
  3. Or set it for all hosts in ~/.ssh/config:

Host *
    ServerAliveInterval 600

  • Fix: server-side configuration

On the server, edit /etc/ssh/sshd_config; the change takes effect after restarting sshd:

# in seconds: how often the server sends a keepalive request to an inactive client
ClientAliveInterval  200

# how many keepalive requests may go unanswered before the server drops the SSH connection
ClientAliveCountMax  3
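As an added example (not from the original post), this POSIX sh snippet reads an sshd_config-style text, reports the effective global value of the options tuned in this section, and derives the time after which sshd drops a client that stops answering keepalive probes. The defaults it fills in are assumptions taken from sshd_config(5), and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report the effective global values
# of the sshd_config options discussed above and derive how long an unresponsive
# client survives. Defaults are taken from sshd_config(5) as an assumption
# (ClientAliveInterval 0, ClientAliveCountMax 3, LoginGraceTime 120,
# MaxAuthTries 6, MaxSessions 10, UseDNS no, GSSAPIAuthentication no);
# distribution packages may ship other values.

# Constructed sample: the tuned settings from this post, plus two traps sshd
# really has: a repeated key (the first value wins) and a Match block (not global).
SAMPLE_SSHD='UseDNS no
GSSAPIAuthentication = no
ClientAliveInterval  200
ClientAliveCountMax  3
ClientAliveInterval  999   # ignored: sshd keeps the first value it sees
Match User backup
    ClientAliveCountMax 10'

# sshd_get CONFIG_TEXT KEY DEFAULT -> first global value of KEY (case-insensitive), else DEFAULT
sshd_get() {
    v=$(printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/=/, " "); if (NF == 0) next }   # strip comments, allow key=value
        tolower($1) == "match" { exit }                         # everything below is conditional
        tolower($1) == k       { print $2; exit }               # first occurrence wins
    ')
    printf '%s\n' "${v:-$3}"
}

# dead_client_timeout CONFIG_TEXT -> seconds of silence before sshd drops the
# client (ClientAliveInterval x ClientAliveCountMax; 0 means probes are disabled)
dead_client_timeout() {
    i=$(sshd_get "$1" ClientAliveInterval 0)
    c=$(sshd_get "$1" ClientAliveCountMax 3)
    echo $((i * c))
}

# Effective values for the keys this post tunes, with the assumed defaults filled in
for kv in UseDNS:no GSSAPIAuthentication:no LoginGraceTime:120 MaxAuthTries:6 MaxSessions:10; do
    printf '%-22s %s\n' "${kv%%:*}" "$(sshd_get "$SAMPLE_SSHD" "${kv%%:*}" "${kv#*:}")"
done
printf 'unresponsive client dropped after %s s\n' "$(dead_client_timeout "$SAMPLE_SSHD")"
```

For the settings in this section the result is 200 x 3 = 600 seconds, which is why the client-side ServerAliveInterval of 600 above keeps a session alive just long enough.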