SSH命令用法速查手册
本文汇集了常用的SSH命令用法,以及SSH-Keygen, SSH agents等等我经常用到的相关操作。
SSH-Keygen
目前大多数平台都推荐使用ed25519
算法来生产 keys 。
ssh-keygen -t ed25519 -C "your@email.com"
如果因为兼容的原因而更喜欢 RSA 算法的话,请使用下面的命令:
ssh-keygen -t rsa -b 4096 -C "your@email.com"
这个 -C
参数仅是在公钥上添加一个注释,所以,就像后文介绍的Authorized_Keys那样,可以简单的注明这个 公钥属于某个email。
ssh-ed25519 KLAJSDLKSAJKLSJD90182980p1+++ your@email.com
注意:生成 SSH 秘钥时,使用密码串来保护你的私钥。
SSH with Keys
Authorized_Keys
对于任何的远程主机或服务,比如GitHub,如果你想使用你的SSH秘钥登录,相对对应是公钥也是必须的。
在服务器上,你可以把自己的公钥写入 ~/.ssh/authorized_keys
文件。
用下面的命令实现:
cat ~/.ssh/id_rsa.pub | ssh USER@HOST "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
– https://askubuntu.com/a/262074ssh-copy-id user@host
– https://askubuntu.com/a/46427
对一些像GitHub, AWS等这样的服务,我们需要上传公钥,通过提供的界面,或者直接使用命令行工具。
SCP
上传文件至远程服务器:
scp myfile.txt user@dest:/path
将整个目录上传至远程服务器:
scp -rp sourcedirectory user@dest:/path
从远程服务器下载文件:
scp user@dest:/path/myfile.txt localpath
从远程服务器下载目录:
scp -rp user@dest:/remotedir localpath
SSH-Agent
如果已经运行着 OpenSSH agent (大多数Linux平台和macOS上都是标配的),只需要:
ssh-add privatekeyfile
在Windows运行 OpenSSH agent, 你需要执行这些命令:
# By default the ssh-agent service is disabled. Allow it to be manually started for the next step to work. # Make sure you're running as an Administrator. Get-Service ssh-agent | Set-Service -StartupType Automatic # Start the service Start-Service ssh-agent
Note: On Windows/Linux adding a key to your ssh-agent once, even with a password, will make sure that the key gets associated with your ‘login’. Meaning: When you restart your PC and log in again, you’ll have your identity automatically available again.
To get the same behavior on macOS, you’ll need to follow these instructions on StackExchange.
SSH Config
Create a file ~/.ssh/config
to manage your SSH hosts. Example:
Host dev-meta*
User ec2-user
IdentityFile ~/.ssh/johnsnow.pem
Host dev-meta-facebook
Hostname 192.168.178.1
Host dev-meta-whatsapp
Hostname 192.168.178.2
Host api.google.com
User googleUser
IdentityFile ~/.ssh/targaryen.key
Note:
The Host
directive can either
- be a pattern (matching multiple follow-up
Hosts
) - refer to a made-up hostname (
dev-facebook
) - be a real hostname.
If it’s a made-up hostname, you’ll need to specify an additional Hostname
directive, otherwise, you can leave it out. And to add to the overall confusion, a Host
line can actually contain multiple patterns.
With the config file above, you could do a:
ssh dev-meta-facebook
Which would effectively do a ssh -i ~/.ssh/johnsnow.pem ec2-user@192.168.178.1
for you.
For a full overview of all available options, look at this article.
Git & Windows OpenSSH
To make Git use Window’s OpenSSH (and not the one it bundles), execute the following command:
git config --global core.sshcommand "C:/Windows/System32/OpenSSH/ssh.exe"
Exit Dead SSH Sessions
To kill an unresponsive SSH session, hit, subsequently.
Enter, ~, .
Multiple GitHub Keypairs
Trying to clone different private GitHub repositories, which have different SSH keypairs associated with them, doesn’t work out of the box.
Add this to your .ssh/config
(this example assumes you have two GitHub keypairs, one for your work account and one for your personal account)
Host github-work.com
Hostname github.com
IdentityFile ~/.ssh/id_work
Host github-personal.com
Hostname github.com
IdentityFile ~/.ssh/id_personal
Then instead of cloning from github.com
.
git clone git@github.com:marcobehlerjetbrains/buildpipelines.git
Clone from either github-work.com
or github-personal.com
.
git clone git@github-work.com:marcobehlerjetbrains/buildpipelines.git
SSH Agent Forwarding
Ever wanted to use your local SSH keys on a remote server, without copying your keys to that server? For example to git clone
a private repository via SSH on a remote server?
Agent forwarding to the rescue. Edit your local .ssh/config
file like so:
Host yourremoteserver.com
ForwardAgent yes
Then simply ssh
to your server and execute an _ssh-add -L
. The server’s SSH agent should have all local SSH identities available and you can start cloning away!
SSH Agent Forwarding: Windows to WSL
If you want to use the Windows OpenSSH agent with all its identities from WSL, do the following:
- Install
socat
, e.g. on your WSL Distribution: e.g.apt install socat
for Ubuntu/Debian. - Download a build of npiperelay and put it somewhere on your (Windows) PATH.
- Put the following into your WSL
~/.bash_profile
or~/.bashrc
.
# Configure ssh forwarding
export SSH_AUTH_SOCK=$HOME/.ssh/agent.sock
# need `ps -ww` to get non-truncated command for matching
# use square brackets to generate a regex match for the process we want but that doesn't match the grep command running it!
ALREADY_RUNNING=$(ps -auxww | grep -q "[n]piperelay.exe -ei -s //./pipe/openssh-ssh-agent"; echo $?)
if [[ $ALREADY_RUNNING != "0" ]]; then
if [[ -S $SSH_AUTH_SOCK ]]; then
# not expecting the socket to exist as the forwarding command isn't running (https://www.tldp.org/LDP/abs/html/fto.html)
echo "removing previous socket..."
rm $SSH_AUTH_SOCK
fi
echo "Starting SSH-Agent relay..."
# setsid to force new session to keep running
# set socat to listen on $SSH_AUTH_SOCK and forward to npiperelay which then forwards to openssh-ssh-agent on windows
(setsid socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork EXEC:"npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork &) >/dev/null 2>&1
fi
Enjoy!
Major thanks to Stuart Leeks, who I blatantly stole this code from – he did all the work @ https://stuartleeks.com/posts/wsl-ssh-key-forward-to-windows/.
Check out his WSL Book for more such tricks!
SSH Tunnels
Want to connect to a server that is hidden from the outside world, but accessible from a box you have SSH access to? Like an Amazon RDS database, which is only reachable from inside an AWS network?
Use SSH forwarding
ssh username@jumphost -N -f -L localport:targethost:targetport
The following command establishes an SSH tunnel between my local machine (@port 3307)
and an RDS database (@port 3306)
, via an EC2 jump host (18.11.11.11)
.
ssh ec2-user@18.11.11.11 -N -f -L 3307:marcotestme.12345.eu-central-1.rds.amazonaws.com:3306
You could now, for example, use the mysql client to connect to localhost:3307
, which will be transparently tunneled to RDS for you.
mysql -h localhost -P 3307
Note: A lot of tools/IDEs like IntelliJ IDEA, support opening up SSH tunnels by just clicking a checkbox in the UI.
Password Managers & SSH Agents
Password Managers like 1Password or Keepass can not only store your SSH keys, but they also come with their own ssh-agent
, replacing your system’s ssh-agent.
This means, whenever you unlock your password manager on any machine that you have it installed on, you’ll have all your SSH identities instantly available.
Super useful!
参考:https://www.marcobehler.com/guides/ssh-cheat-sheet
你也许感兴趣的:
- 具有魔法的 H.264
- 多用户环境中的 rootless Docker
- 【外评】微软的人工智能聊天机器人将 “回忆 “您在其新 PC 上所做的一切
- 【外评】苹果需要解释重新出现已删除照片的错误
- 你需要知道的现代 CSS 技巧(2024 年春季版)
- 使用 :has() 作为 CSS 父选择器及其他更多内容
- 【外评】大科技公司致欧盟:“去死”
- npm又被滥用,灰产用《庆余年2》盗版资源——把开源公共基础设施的羊毛薅秃了
- 【外评】如果您没有在 Edge 中使用必应,微软现在会说您的电脑需要 “修复”
- Chrome 浏览器开发工具(DevTools)现在使用双子座(Gemini )来帮助处理控制台中的 JavaScript 错误
你对本文的反应是: