用途
通过加密连接,远程登录主机和在远程主机执行命令,也可以用于转发x11和tcp,也可用于搭建VPN。第一次连接时,会弹出远程主机公钥指纹确认信息,通过这个方式防止中间人攻击。
用法
ssh [options] [user@]hostname [command]
常用选项
-1
使用协议版本1
-2
使用协议版本2
-4
使用IPv4地址
-6
使用IPv6地址
-A
开启授权代理转发,有安全问题,一般不开启
-a
禁用authentication agent connection的转发
-b bind_address
设置连接的源地址
-C
传输时压缩数据,针对慢网速有明显的效果
-c cipher_spec
指定加密会话的算法,对于协议2版本可以指定多个且使用逗号隔开(指定多个好像没神马用><)
-D [bind_address:]port
本地动态端口转发配置,目前支持SOCKS4和SOCKS5协议
-e escape_char
给会话设置转义字符,默认是~(不知道这个选项是有什么用?)
-F configfile
指定配置文件路径,默认是/etc/ssh/ssh_config
-f
执行命令之前,ssh在后台执行
-g
允许远程主机连接本地转发端口
-I pkcs11
(Specify the PKCS#11 shared libarary ssh should use to communicate with a PKCS#11 token used for storing the user’s private RSA key.)
-i identity_file
使用私钥登录时,私钥所在的文件路径
-K
(Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.)
-k
(Disables forwarding (delegation) of GSSAPI credentials to the server.)
-L [bind_address:]port:host:hostport
(Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file.)
-l login_name
设置登录远程主机用户名
-N
禁止执行远程命令,对于只是用于转发很有用
-n
(Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use this to run X11 programs on a remote machine.)
-o option
(Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag.)
-p port
指定连接远程主机的端口,默认是22
-q
安静模式
-R [bind_address:]port:host:hostport
(Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.)
-s
(May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg. sftp(1)). The subsystem is specified as the remote command.)
-T
(Disable pseudo-tty allocation.)
-t
(Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services.)
-V
显示程序版本
-v
开启调试模式
-W host:port
(Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings and works with Protocol version 2 only.)
-w local_tun[:remote_tun]
( Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and the server (remote_tun).)
-X
(Enables X11 forwarding.)
-x
(Disables X11 forwarding.)
-Y
(Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.)
-y
(Send log information using the syslog(3) system module. By default this information is sent to stderr.)
识别用户身份方式
1 GSSAPI-based authentication
2 host-based authentication
3 public key authentication
4 challenge-response authentication
5 password authentication
转移字符含义
~. Disconnect.
~^Z Background ssh.
~# List forwarded connections.
~& Background ssh at logout when waiting for forwarded connection / X11 sessions to terminate.
~? Display a list of escape characters.
~B Send a BREAK to the remote system (only useful for SSH protocol version 2 and if the peer supports it).
~C Open command line.
~R Request rekeying of the connection
实践
1 使用私钥登录
[root@vm ~]# ssh -p 22 -i wadeyu.pem wadeyu@192.168.2.42
2 使用账号密码登录
[root@vm ~]# ssh -p 22 wadeyu@192.168.2.42
wadeyu@192.168.2.42's password:
Last login: Tue Apr 17 11:49:11 2018 from 192.168.2.8
参考资料
【0】 man ssh
【1】实战SSH端口转发
https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/