A tutorial on using the SSH command on Linux systems

Time: 2020-5-28

SSH is used to log in to a remote host and execute commands there. It was designed to replace rlogin and rsh and, at the same time, to provide an encrypted, secure communication channel between two untrusted hosts over an insecure network. First, let's look at the parameters of the ssh command:

Parameters

-a
Disables forwarding of the authentication agent connection.

-A
Enables forwarding of the authentication agent connection. This parameter can be set separately for each host in the configuration file.
Agent forwarding should be enabled with caution. Users able to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, but they can perform operations on the keys that let them authenticate with the identities loaded into the agent.

-b bind_address
On machines with multiple interfaces or address aliases, specifies the local address from which the connection is made.

-c blowfish|3des|des
Selects the cipher used to encrypt the session. 3des is the default. 3des (triple DES) encrypts, decrypts and encrypts again with three different keys and is considered reliable. blowfish is a fast block cipher; it is very secure and much faster than 3des. des is supported only in the client, for interoperability with old protocol version 1 implementations that do not support 3des. Because of its cryptographic weakness, its use is strongly discouraged.

-c cipher_spec
Additionally, for protocol version 2, a comma-separated list of ciphers can be specified in order of preference. See the Ciphers keyword for details.

-e ch|^ch|none
Sets the escape character for sessions with a pty (default: `~'). The escape character is only recognised at the beginning of a line. The escape character followed by a dot (`.') closes the connection, followed by control-Z suspends the connection, and followed by itself sends the escape character once. Setting the character to none disables any escapes and makes the session fully transparent.

-f
Requests ssh to go to the background just before command execution. This is useful when ssh is going to ask for a password or passphrase but you want it to run in the background. This option implies -n. The recommended way to start X11 programs on a remote machine is with a command like ssh -f host xterm.

-g
Allows remote hosts to connect to local forwarded ports.

-i identity_file
Selects the file from which the identity (private key) for RSA or DSA authentication is read. The defaults are $HOME/.ssh/identity for protocol version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol version 2. Identity files may also be specified per host in the configuration file. Multiple -i options may be given (and multiple identity files may be specified in the configuration file).

-I smartcard_device
Specifies the smart card device to use. The argument is the device file ssh should use to communicate with the smart card that stores the user's RSA private key.

-k
Disables forwarding of Kerberos tickets and AFS tokens. This parameter can be set separately for each host in the configuration file.

-l login_name
Specifies the user to log in as on the remote host. This parameter can be set separately for each host in the configuration file.

-m mac_spec
Additionally, for protocol version 2, a comma-separated list of MAC (message authentication code) algorithms can be specified in order of preference. See the MACs keyword for details.

-n
Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh runs in the background. A common trick is to use it to run X11 programs on a remote machine. For example, ssh -n shadows.cs.hut.fi emacs starts emacs on shadows.cs.hut.fi; the X11 connection is forwarded automatically over the encrypted channel, and ssh runs in the background.

-N
Does not execute a remote command. Useful for just forwarding ports (protocol version 2 only).

-o option
Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag.

-p port
Specifies the port to connect to on the remote host. This parameter can be set separately for each host in the configuration file.

-q
Quiet mode. Suppresses all warning and diagnostic messages.

-s
Requests the remote system to invoke a subsystem. Subsystems are a feature of the SSH2 protocol that let other applications (such as SFTP) use SSH as a secure transport. The subsystem is specified as the remote command.

-t
Forces pseudo-terminal allocation. This can be used to run any screen-based program on the remote machine, which is very useful, for example for menu services. Multiple -t options force tty allocation even if ssh has no local tty.

-T
Disables pseudo-terminal allocation.

-v
Verbose mode. Prints debugging messages about ssh's progress; very useful for debugging connection, authentication and configuration problems. Multiple -v options increase the verbosity, up to a maximum of three.

-x
Disables X11 forwarding.

-X
Enables X11 forwarding. This parameter can be set separately for each host in the configuration file.
X11 forwarding should be enabled with caution. Users able to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection, and an attacker may then perform activities such as keystroke monitoring.

-C
Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). The compression algorithm is the same as used by gzip(1); for protocol version 1 the level is controlled by the CompressionLevel option. Compression is desirable on modem lines and other slow connections, but it will only slow things down on fast networks. This parameter can be set separately for each host in the configuration file. See also the Compression option.

-F configfile
Specifies an alternative user-level configuration file. If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config) is ignored. The default user-level configuration file is $HOME/.ssh/config.

-L port:host:hostport
Forwards the given port on the local (client) host to the given host and port on the remote side. This works by allocating a socket to listen on port on the local side; whenever a connection is made to this port, it is forwarded over the secure channel, and a connection is made from the remote machine to host port hostport. Port forwardings can also be specified in the configuration file. Only root can forward privileged ports. IPv6 addresses can be specified with an alternative syntax: port/host/hostport.

-R port:host:hostport
Forwards the given port on the remote (server) host to the given host and port on the local side. This works by allocating a socket to listen on port on the remote side; whenever a connection is made to this port, it is forwarded over the secure channel, and a connection is made from the local machine to host port hostport. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified with an alternative syntax: port/host/hostport.

-D port
Specifies a local dynamic application-level port forwarding. This works by allocating a socket to listen on port on the local side; whenever a connection is made to this port, it is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 protocol is supported, and ssh acts as a SOCKS4 server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

-1
Forces ssh to use protocol version 1 only.

-2
Forces ssh to use protocol version 2 only.

-4
Forces ssh to use IPv4 addresses only.

-6
Forces ssh to use IPv6 addresses only.

Basic Usage

The simplest ssh command needs only a user name and a host name; the host name can be an IP address or a domain name. The command format is as follows:


For example, to log in to a Raspberry Pi on my LAN, simply enter the following command at the command line:


The pi and 10.42.0.47 in the command are the user name and the LAN IP address of my Raspberry Pi. In actual use, change the host name to the IP address of your target host (on the LAN or remote).

If you can log in successfully, the rest of this tutorial will be easy to follow.

Use other ports

SSH connects to port 22 of the target host by default, but for various reasons you may need to connect to a different port:

The code is as follows:

$ ssh -p 10022 [email protected]

The above command specifies port 10022 by adding the -p parameter.

Remote command execution

Sometimes it is convenient to execute a command on the remote host, display its output locally, and then continue working locally. SSH can do this:

The code is as follows:

$ ssh [email protected] ls -l

For example, the above command lists the contents of the remote user's home directory and displays them locally. Isn't it cool? You can try other commands.

Mount remote file system

Another great SSH-based tool is sshfs, which lets you mount a remote host's file system directly on the local machine:

The code is as follows:

$ sshfs -o idmap=user [email protected]:/home/user ~/Remote

For example, the following command:

The code is as follows:

$ sshfs -o idmap=user [email protected]:/home/pi ~/Pi

This command mounts the home directory of the remote user pi on the Pi folder under the local home directory.

To learn more, refer to the sshfs tutorial.

X11 graphic interface

If you want to run a GUI program on the remote host, SSH has already thought of that! Use the basic ssh command shown above plus the -X parameter to connect to the remote host with X11 forwarding enabled. You may not notice any difference after logging in, but you will see it as soon as you run a GUI program:

The code is as follows:

$ ssh -X [email protected]
$ pistore

If you want to do something else while the GUI program is running, simply add an & at the end of the command:

The code is as follows:

$ pistore&


Escape character

SSH provides several escape sequences. Connect to any remote host with ssh and type ~? to see the list of supported escape characters and their descriptions. The following example shows the effect of ~# and ~C.

Configure SSH

If you need to change the SSH server configuration, open /etc/ssh/sshd_config in your favourite text editor. For example, to change the login banner, find the following line in the configuration file:

The code is as follows:

#Banner none

Delete the # character (uncomment the line) and replace none with the path of the file containing the text you want to display. After the change, the line should look like this:

The code is as follows:

Banner /etc/issue

In /etc/ssh/sshd_config you can also find the port number, the idle timeout and other configuration items. Most of them are easy to understand, but it is safer to refer to the SSH documentation when you modify items you are not sure about.
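As an added check that is not part of the original tutorial, the following Python resolves an sshd_config fragment the way sshd does, so you can see which Banner or Port value actually takes effect: keywords are case-insensitive, the first occurrence of a keyword wins (later duplicates are ignored), and lines after a Match block are conditional rather than global. The sshd_config text is constructed for the example.

```python
import re

# Constructed sshd_config fragment for this example (not a real host's file):
# Banner is still commented out, Port appears twice and a Match block follows.
SAMPLE_SSHD_CONFIG = """\
#Banner none
Port 10022
Port 2222
ClientAliveInterval 300
Match User pi
    Banner /etc/issue.pi
"""

# "Keyword value" or "Keyword=value"; the keyword itself is a single word.
_DIRECTIVE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")


def effective_config(text: str) -> dict:
    """Return the global keyword -> value map as sshd resolves it.

    Keywords are case-insensitive, the FIRST value seen for a keyword is the
    one used, '#' starts a comment, and everything after the first Match line
    applies only to matching connections, so it is not a global setting.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # the rest of the file is conditional on the Match criteria
        cfg.setdefault(key, value)  # keep the first value, ignore later duplicates
    return cfg


def banner_file(text: str):
    """The banner file sshd would display, or None when no global Banner is
    in effect (a commented '#Banner none' line does not count)."""
    value = effective_config(text).get("banner")
    return None if value in (None, "none") else value
```

After editing the real file, sshd -t checks it for syntax errors before you restart the service.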

Building SSH key pair

Run the following command to create a key pair:

The code is as follows:

$ ssh-keygen -t dsa

This command asks you for a passphrase (which can be left blank), then generates the key pair and displays a randomart image of the key.

Find host key

Before adding a key, you can use the following command to check whether the key of the corresponding host has already been added:

The code is as follows:

$ ssh-keygen -F 10.42.0.47


Delete host key

In some cases, such as when a host's address changes or a key is no longer used, you may need to delete a host key:

The code is as follows:

$ ssh-keygen -R 10.42.0.47

You can delete it with the above command. This is much more convenient than editing the ~/.ssh/known_hosts file by hand.
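The two ssh-keygen commands above (-F to find a host key, -R to remove it) operate on ~/.ssh/known_hosts. As an added illustration that is not part of the tutorial, this Python implements the same lookup and removal over a constructed known_hosts string, including the hashed |1|salt|hmac form that the HashKnownHosts option produces, which is why a plain text search for the address can miss an entry.

```python
import base64
import hashlib
import hmac

# Placeholder public key (constructed, not real key material) shared by all sample lines.
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD"
SAMPLE_SALT = bytes(range(20))  # fixed salt so the hashed sample line is reproducible


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed known_hosts content: the Pi from the tutorial in plain and hashed
# form, plus a second host that also has an @revoked marker line.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "10.42.0.47,raspberrypi " + FAKE_KEY,
    hash_hostname("10.42.0.47", SAMPLE_SALT) + " " + FAKE_KEY,
    "@revoked 192.168.1.9 " + FAKE_KEY,
    "192.168.1.9 " + FAKE_KEY,
])


def _names_host(hostfield: str, host: str) -> bool:
    """Does one host field (plain, comma-separated, or hashed) name host?"""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, digest_b64 = hostfield.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expect = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expect, base64.b64decode(digest_b64))
    return host in hostfield.split(",")


def _line_matches(line: str, host: str) -> bool:
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return False
    # A leading @cert-authority / @revoked marker shifts the host field right.
    hostfield = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
    return _names_host(hostfield, host)


def find_host(known_hosts: str, host: str) -> list:
    """What `ssh-keygen -F host` reports: every line that names host."""
    return [l for l in known_hosts.splitlines() if _line_matches(l, host)]


def remove_host(known_hosts: str, host: str) -> str:
    """What `ssh-keygen -R host` does: drop every line naming host, keep the rest."""
    return "\n".join(l for l in known_hosts.splitlines() if not _line_matches(l, host)) + "\n"
```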

Summary

With the above, you should be able to use SSH comfortably. SSH has many more functions worth exploring, limited only by your imagination.
