OpenSSH: the ssh client

Source: Internet
Author: User
Tags ssh server

The ssh program is the client program of the OpenSSH suite. The following describes the ssh program according to how it is used in different scenarios.

1. Basic application scenario

In this scenario an SSH connection is established and used directly: logging in as a user, executing commands, and so on.

1.1. Establish SSH connection command

In this scenario, the command to establish an SSH connection using the SSH program is as follows:

    ssh -l dslztx -i ~/.ssh/id_dsa -p 22 192.168.1.5

1.1.1. Meaning of options

1. "-i"
   Specifies the private key file used for public-key authentication
2. "-p"
   Specifies the port the SSH server listens on (the default is 22; note the lowercase letter, uppercase "-P" belongs to scp and sftp)
3. "-l"
   Specifies the user name to log in as on the SSH server (lowercase "l"; uppercase "-L" is local forwarding, see section 2.1)
4. "192.168.1.5"
   The IP address (or host name) of the machine on which the SSH server runs

1.1.2. Corresponding configuration in the ssh_config file

These parameter values can also be placed in the ssh_config file (the per-user ~/.ssh/config or the system-wide /etc/ssh/ssh_config), using the following configuration:

    Host RemoteHost                # match condition: this block applies to "ssh RemoteHost"
        HostName 192.168.1.5
        User dslztx
        Port 22
        IdentityFile ~/.ssh/id_dsa

Now executing "ssh RemoteHost" has the same effect as executing the original command. "ssh -G RemoteHost" (OpenSSH 6.8 and later) prints the configuration ssh would actually apply to that host, which is a quick way to confirm that User, Port and IdentityFile resolved as intended before connecting. Note also that OpenSSH 7.0 and later disable DSA (ssh-dss) keys by default, so on a current client the IdentityFile would be an Ed25519 or RSA key such as ~/.ssh/id_ed25519 rather than id_dsa.

2. SSH tunnel application scenario

In this scenario an SSH connection is established and then used as a tunnel. Before proceeding, the following points are worth stating:

    1. The machine on which the ssh client runs is called the "local machine"; the machine on which the SSH server runs is called "RemoteHost".
    2. The values of the "-l", "-i", "-p" and host name or IP address parameters are assumed to have been placed in the ssh_config file as in section 1.1.2, so the commands below only write "RemoteHost".
    3. Under the SSH protocol the connection must be initiated by the ssh client, but once it is established a data communication (channel) request can be initiated by either end: the SSH server can open a channel towards the client just as the client can towards the server.

The use of an SSH tunnel can be subdivided into four forms, introduced in turn below.

2.1. Listening forwarding port on the ssh client side: local forwarding

2.1.1. Establish SSH connection command

In this scenario, the command to establish an SSH connection using the SSH program is as follows:

    ssh -L [bind_address:]port:host:hostport RemoteHost

2.1.1.1. Meaning of options

1. "port"
   The port on the local machine that ssh listens on; application connections made to it are forwarded through the tunnel.
2. "host"
   The forwarding destination. It is interpreted on RemoteHost (by the SSH server), so "host" is a "relative" address with RemoteHost as the reference point: when it is "localhost" or "127.0.0.1" the absolute destination is RemoteHost itself; otherwise the destination is "host" as RemoteHost resolves and reaches it.
3. "hostport"
   The port on the machine denoted by "host".
4. "bind_address"
   The local address on which the listening port is bound, which determines who can reach the forwarded port. With the local machine as the reference point: "localhost" or "127.0.0.1" binds to the loopback interface only, so only processes on the local machine can use the tunnel; a specific IP address or host name of the local machine binds to that interface only, so only connections arriving at that address use the tunnel; "*" or empty (the ":port:host:hostport" form) binds to all interfaces, so any host that can reach the local machine can use the tunnel, with the same access to host:hostport that the ssh user has.

2.1.1.2. Corresponding configuration in the ssh_config file

The "[bind_address:]port:host:hostport" parameters can be configured in the ssh_config file with the "LocalForward" option, whose syntax is "LocalForward [bind_address:]port host:hostport" (two arguments).

2.1.2. Principle analysis

The established SSH connection is used as a tunnel. Because it is the ssh client that listens on the forwarding port, the application connection must be initiated by an application on the local machine; this is called local forwarding.
The specific flow is shown in Figure 1.

Figure 1

Here are a few things to note:

    • Executing ssh -L [bind_address:]port:host:hostport RemoteHost establishes the SSH connection tunnel and sets up the listening forwarding port, the forwarding destination address and the destination port.
    • Application connections are initiated by an application on the local machine.
    • After an application connection is initiated on the local machine:
      When "bind_address" is "127.0.0.1/localhost" and "host" is "127.0.0.1/localhost", the data flow path is: data channel 2 -- data channel 3 -- SSH tunnel -- data channel 5; when "bind_address" is a specific non-loopback address and "host" is "127.0.0.1/localhost", the connection enters through that address instead of data channel 2 and the path continues: data channel 3 -- SSH tunnel -- data channel 5. And so on for the other combinations.
2.2. Listening forwarding port on the SSH server side: remote forwarding

2.2.1. Establish SSH connection command

In this scenario, the command to establish an SSH connection using the SSH program is as follows:

    ssh -R [bind_address:]port:host:hostport RemoteHost

2.2.1.1. Meaning of options

1. "port"
   The port on "RemoteHost" that the SSH server listens on; application connections made to it are forwarded through the tunnel.
2. "host"
   The forwarding destination. It is interpreted on the local machine (by the ssh client), so the local machine is the reference point: when "host" is "localhost" or "127.0.0.1" the absolute destination is the local machine itself; otherwise it is "host" as the local machine resolves and reaches it.
3. "hostport"
   The port on the machine denoted by "host".
4. "bind_address"
   The address on "RemoteHost" on which the listening port is bound. With RemoteHost as the reference point: "localhost" or "127.0.0.1" means loopback only, so only processes on RemoteHost can use the tunnel; a specific address of RemoteHost means only connections arriving at that address; "*" or empty means all interfaces of RemoteHost. Unlike local forwarding, the client's request is only honoured if the SSH server allows it: with the default "GatewayPorts no" in sshd_config the port is bound to loopback whatever bind_address the client gives, "GatewayPorts yes" binds it to all interfaces, and "GatewayPorts clientspecified" lets the client's bind_address take effect (see section 3.3).

2.2.1.2. Corresponding configuration in the ssh_config file

The "[bind_address:]port:host:hostport" parameters can be configured in the ssh_config file with the "RemoteForward" option, whose syntax is "RemoteForward [bind_address:]port host:hostport" (two arguments).

2.2.2. Principle analysis

The established SSH connection is used as a tunnel. Because it is the SSH server that listens on the forwarding port, the application connection is initiated by an application on "RemoteHost"; this is called remote forwarding.
(Note that the SSH connection itself is always initiated by the ssh client, but once the client and server have established it, either end can request a new channel over it. So when an application on "RemoteHost" connects to the forwarded port, the SSH server initiates the corresponding channel over the SSH tunnel towards the ssh client, which then connects to host:hostport.)
The specific flow is shown in Figure 2.

Figure 2

Here are a few things to note:

    • Executing ssh -R [bind_address:]port:host:hostport RemoteHost establishes the SSH connection tunnel and sets up the listening forwarding port, the forwarding destination address and the destination port.
    • Application connections are initiated by an application on "RemoteHost".
    • After an application connection is initiated on "RemoteHost":
      When "bind_address" is "127.0.0.1/localhost" and "host" is "127.0.0.1/localhost", the data flow path is: data channel 2 -- data channel 3 -- SSH tunnel -- data channel 5; when "bind_address" is a specific non-loopback address and "host" is "127.0.0.1/localhost", the connection enters through that address instead of data channel 2 and the path continues: data channel 3 -- SSH tunnel -- data channel 5. And so on for the other combinations.
2.3. Dynamic forwarding

2.3.1. Establish SSH connection command

In this scenario, the command to establish an SSH connection using the SSH program is as follows:

ssh -D [bind_address:]port RemoteHost
2.3.1.1. Meaning of options

1. "port"
   The port on the local machine on which ssh listens as a SOCKS proxy (the dynamic forwarding port).
2. "bind_address"
   The local address on which that port is bound, with the same meaning as for local forwarding: "localhost" or "127.0.0.1" restricts the proxy to processes on the local machine, a specific local address restricts it to connections arriving at that address, and "*" or empty exposes it on all interfaces. An exposed SOCKS port lets anyone who can reach it open arbitrary TCP connections from RemoteHost, so keep it on loopback unless a specific address is really needed.

2.3.1.2. Corresponding configuration in the ssh_config file

The "[bind_address:]port" parameters can be configured in the ssh_config file with the "DynamicForward" option, whose syntax is "DynamicForward [bind_address:]port".

2.3.2. Principle analysis

The established SSH connection again serves as a tunnel, and because the ssh client listens on the dynamic forwarding port, application connections must be initiated by an application on the local machine, as in local forwarding. Unlike local forwarding, however, the destination address and port are not fixed in the command: they are obtained dynamically from each connection according to the application protocol. This is called dynamic forwarding.
The protocol spoken on the forwarding port is SOCKS (version 4 or 5), not SSH: the application is the SOCKS client and the ssh client itself acts as the SOCKS server. The ssh client reads the destination from each SOCKS request, asks the SSH server to open a TCP connection to that destination from RemoteHost, and relays the data; the SSH server plays no SOCKS role. (The OpenSSH ssh client implements the server side of SOCKS4 and SOCKS5 for this purpose.)
The specific flow is shown in Figure 3.

Figure 3

Here are a few things to note:

    • Executing ssh -D [bind_address:]port RemoteHost establishes the SSH connection tunnel and sets up the listening forwarding port; no destination is given here, the application supplies it per connection.
    • Application connections are initiated by an application on the local machine that is configured to use the port as its SOCKS proxy.
    • After an application connection is initiated on the local machine:
      When "bind_address" is "127.0.0.1/localhost" and the destination requested by the application is "127.0.0.1:8080", the data flow path is: data channel 2 -- data channel 3 -- SSH tunnel -- data channel 5 (the destination is RemoteHost's own port 8080, since the address is interpreted on RemoteHost); when "bind_address" is a specific non-loopback address and the requested destination is "www.youtube.com:80", the connection enters through that address instead of data channel 2 and the path continues: data channel 3 -- SSH tunnel -- data channel 4. And so on for the other combinations.
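The SOCKS5 exchange that "ssh -D" performs on the forwarding port, as an added example (this is not code from the article or from OpenSSH). It builds the bytes an application sends to the ssh client's -D port and parses them the way the SOCKS server built into ssh must, to show that the forwarding target is carried in the request itself and that a hostname request (ATYP 0x03) leaves name resolution to RemoteHost. Only the no-authentication method and the CONNECT command are modelled, which is what OpenSSH's -D implements; the sample hosts and ports are constructed.

```python
"""The SOCKS5 exchange behind "ssh -D" (added example, not OpenSSH code).

Both sides of the handshake are implemented in-process: the application side
(client_greeting, connect_request) and the side the ssh client plays
(server_method_choice, parse_connect_request, connect_reply).
"""
import ipaddress
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_GENERAL_FAILURE = 0x00, 0x01


def client_greeting() -> bytes:
    """Application -> ssh: VER, NMETHODS, METHODS (offer only 'no authentication')."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def server_method_choice(greeting: bytes) -> bytes:
    """ssh -> application: choose no-auth, or 0xFF if only methods ssh lacks were offered."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    if len(methods) != greeting[1]:
        raise ValueError("truncated method list")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def connect_request(host: str, port: int) -> bytes:
    """Application -> ssh: VER CMD RSV ATYP DST.ADDR DST.PORT.

    A literal IP is sent as ATYP 1/4.  Anything else is sent as ATYP 3, the raw
    name, so the lookup happens where ssh opens the channel: on RemoteHost.  An
    application that resolves the name itself and sends ATYP 1 leaks the DNS
    query on the local network (curl's socks5h:// exists to avoid exactly that).
    """
    if not 0 < port < 65536:
        raise ValueError("bad port")
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must fit in one byte")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_connect_request(req: bytes) -> Tuple[str, int]:
    """What ssh extracts from the request: the (host, port) it asks sshd to open
    from RemoteHost through a direct-tcpip channel.  Hostnames come back unresolved."""
    if len(req) < 5 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is supported")  # BIND / UDP ASSOCIATE are refused
    atyp, body = req[3], req[4:]
    if atyp == ATYP_IPV4:
        alen, host = 4, str(ipaddress.IPv4Address(body[:4]))
    elif atyp == ATYP_IPV6:
        alen, host = 16, str(ipaddress.IPv6Address(body[:16]))
    elif atyp == ATYP_DOMAIN:
        alen, host = 1 + body[0], body[1:1 + body[0]].decode("idna")
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(body) != alen + 2:
        raise ValueError("request length does not match ATYP")
    return host, struct.unpack("!H", body[alen:])[0]


def connect_reply(success: bool = True) -> bytes:
    """ssh -> application: VER REP RSV ATYP BND.ADDR BND.PORT.  For CONNECT through a
    tunnel BND.* carries nothing useful; an all-zero IPv4 address and port are sent."""
    rep = REP_SUCCEEDED if success else REP_GENERAL_FAILURE
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)


def negotiate(host: str, port: int) -> Tuple[str, int]:
    """Run both sides of the handshake and return the target ssh would hand to sshd;
    after connect_reply() the application's bytes flow through the tunnel unchanged."""
    if server_method_choice(client_greeting()) != bytes([SOCKS_VERSION, METHOD_NO_AUTH]):
        raise RuntimeError("method negotiation failed")
    target = parse_connect_request(connect_request(host, port))
    assert connect_reply()[1] == REP_SUCCEEDED
    return target


if __name__ == "__main__":
    # Constructed targets: the article's own "www.youtube.com:80" case plus loopback ones.
    for host, port in [("www.youtube.com", 80), ("127.0.0.1", 8080), ("::1", 22)]:
        print("%-16s -> %s -> ssh opens %s:%d from RemoteHost"
              % (host, connect_request(host, port).hex(), *negotiate(host, port)))
```

The point to take from the parsed request is that "127.0.0.1:8080" sent through a -D proxy reaches RemoteHost's own loopback, exactly as in the note above, and that a hostname reaches the SSH server as a name: the application never has to resolve it locally.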
2.4. Graphical interface extension scenario (X11 forwarding)

2.4.1. Establish SSH connection command

In this scenario, the command to establish an SSH connection using the SSH program is as follows:

    ssh -X RemoteHost
2.4.1.1. Meaning of options

1. "-X"
   Enables X11 forwarding: X11 connections made by applications in the remote session are tunnelled back to the X server on the local machine, so the graphical interface is "extended" to the local machine.

2.4.1.2. Corresponding configuration in the ssh_config file

"-X" corresponds to "ForwardX11 yes" in the ssh_config file. "-Y" (trusted forwarding) additionally corresponds to "ForwardX11Trusted yes".

2.4.2. Principle analysis

The established SSH connection again acts as a tunnel: a GUI application running on the machine where the SSH server is located is displayed on the machine where the ssh client runs. Another name for this scenario is establishing an "X11" SSH connection.
In this scenario the X client and the X server do not exchange data over a direct X protocol connection; the data travels through the SSH tunnel, which is why this belongs to the SSH tunneling category.
The specific flow is shown in Figure 4.

Figure 4

Here are a few things to note:

    • The ssh client's "-X" only works if the SSH server permits it: sshd must have "X11Forwarding yes" in the sshd_config file (the upstream default is "no"). See "man 5 sshd_config" for the X11-related options.
    • Executing ssh -X RemoteHost establishes an "X11" SSH connection tunnel.
    • As described in the "X Window System" introduction, an X client finds its X server through the "DISPLAY" environment variable. When the X11 SSH connection is set up, the SSH server sets DISPLAY in the session on "RemoteHost" (typically to a value such as localhost:10.0) and listens on that display itself, so the SSH server acts as a proxy X server towards X clients on RemoteHost, while the ssh client acts as a proxy X client towards the real X server on the local machine.
    • Once the X11 SSH connection is established, the user starts the GUI application from the remote shell. The application (an X client on "RemoteHost") connects to the proxy display served by the SSH server; the SSH server opens an X11 channel over the SSH tunnel to the ssh client on the local machine (proxy X client), which connects to the real X server on the local machine. The channel is therefore initiated from the SSH server side, even though the SSH connection itself was initiated by the client. Data flow path: data channel 2 -- SSH tunnel -- data channel 1.
    • By default "-X" requests untrusted forwarding, which subjects the remote X clients to the X SECURITY extension restrictions; "-Y" (ForwardX11Trusted yes) gives them full access to the local X server, including the ability to read keystrokes and the contents of other windows. Some distributions set ForwardX11Trusted yes in the system ssh_config, which makes "-X" behave like "-Y"; check with "ssh -G RemoteHost" before forwarding X11 from a host you do not fully trust.
3. Other

3.1. Print log information

When executing the ssh command, the "-v" option can be added; "-v" prints debugging (log) information, which helps to debug and resolve problems encountered. Up to three "-v" options may be given ("-vvv"), and the more "-v" options, the more detailed the information printed. Do not confuse it with the uppercase "-V", which only prints the version number and exits.

3.2. Port selection principle

For local, remote or dynamic forwarding, the listening forwarding port must be greater than 1023 (binding a privileged port below 1024 requires root: on the local machine for "-L" and "-D", and for "-R" sshd only binds a privileged port when the login user on RemoteHost is root) and must not already be occupied by another program. The SSH server can also forbid forwarding altogether with "AllowTcpForwarding no" and restrict the destinations of local forwards with "PermitOpen" in the sshd_config file; a forward that fails with "administratively prohibited" is being blocked by these options, not by a port clash.

3.3. A few notes on the "[bind_address:]port" mentioned in local, remote and dynamic forwarding

1. In the rule that "bind_address" equal to "*" or empty means all interfaces, "empty" refers to the ":port" form (a leading colon with nothing before it), not the plain "port" form.
2. What the plain "port" form means is decided by the "GatewayPorts" option: for local and dynamic forwarding this is "GatewayPorts" in the ssh_config file, for remote forwarding it is "GatewayPorts" in the sshd_config file on RemoteHost. With "yes", "port" is equivalent to "*:port"; with "no" (the default), "port" is equivalent to "localhost:port". The sshd_config option additionally accepts "clientspecified", which lets the client's bind_address take effect; with "no" sshd binds to loopback regardless of the bind_address requested in "-R".
3. Adding the "-g" option when executing ssh is equivalent to the "*:port" form for local and dynamic forwarding.
4. For better readability and a more precise definition, writing "bind_address" explicitly is preferable to relying on these defaults. Before exposing a forwarded port on a non-loopback address, remember that anyone who can reach that address gets the same access to host:hostport through the tunnel that the ssh user has.
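The bind_address rules of sections 2.1.1.1, 2.2.1.1 and 2.3.1.1 together with the GatewayPorts and "-g" notes above, as an added example that is not code from this article or from OpenSSH: it parses a "[bind_address:]port:host:hostport" (or "-D" style "[bind_address:]port") spec, including bracketed IPv6 literals, and reports where the listener will be bound and which end interprets "host", so a spec can be checked before the tunnel is opened. The function names, the "local"/"remote"/"dynamic" labels and the sample specs are this example's own; it assumes sshd's GatewayPorts alone decides the remote side and does not model any effect of the client's "-g" on "-R".

```python
"""Where does an OpenSSH port forwarding listen, and which side interprets "host"?

Added example modelling the rules described in this article; not OpenSSH code.
Function names, the side labels and the sample specs are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def _tokenize(spec: str) -> List[str]:
    """Split on ':' while keeping a bracketed IPv6 literal such as "[::1]" whole."""
    tokens, cur, i = [], "", 0
    while i < len(spec):
        if spec[i] == "[":
            end = spec.find("]", i)
            if end < 0:
                raise ValueError("unterminated '[' in %r" % spec)
            cur, i = cur + spec[i + 1:end], end + 1
        elif spec[i] == ":":
            tokens.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + spec[i], i + 1
    tokens.append(cur)
    return tokens


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError("bad port %r" % text)
    return int(text)


@dataclass(frozen=True)
class Forward:
    bind_address: Optional[str]  # None when the spec had no bind part ("port:host:hostport")
    port: int
    host: Optional[str]          # None for -D: the target comes from each SOCKS request
    hostport: Optional[int]


def parse_forward(spec: str, dynamic: bool = False) -> Forward:
    """Parse a -L/-R spec "[bind_address:]port:host:hostport", or with
    dynamic=True a -D spec "[bind_address:]port"."""
    t = _tokenize(spec)
    if dynamic and len(t) == 1:
        return Forward(None, _port(t[0]), None, None)
    if dynamic and len(t) == 2:
        return Forward(t[0], _port(t[1]), None, None)
    if not dynamic and len(t) == 3 and t[1]:
        return Forward(None, _port(t[0]), t[1], _port(t[2]))
    if not dynamic and len(t) == 4 and t[2]:
        return Forward(t[0], _port(t[1]), t[2], _port(t[3]))
    raise ValueError("malformed forwarding spec %r" % spec)


def listen_address(fwd: Forward, side: str, gateway_ports: str = "no") -> str:
    """Where the port is bound, in the article's notation: "localhost" (loopback only),
    "*" (all interfaces) or an explicit address.

    side "local"/"dynamic": listener on the local machine; gateway_ports is the
    client's GatewayPorts ("yes" is also what -g sets).
    side "remote": listener on RemoteHost; gateway_ports is the sshd_config value
    "no" (default), "yes" or "clientspecified" (client-side -g is not modelled).
    """
    allowed = ("no", "yes", "clientspecified") if side == "remote" else ("no", "yes")
    if side not in ("local", "dynamic", "remote") or gateway_ports not in allowed:
        raise ValueError("bad side %r / GatewayPorts %r" % (side, gateway_ports))
    if side == "remote" and gateway_ports == "no":
        return "localhost"   # sshd forces loopback whatever bind_address the client sent
    if side == "remote" and gateway_ports == "yes":
        return "*"           # sshd forces the wildcard address
    b = fwd.bind_address
    if b is None:            # plain "port:..." form: GatewayPorts decides (clientspecified: loopback)
        return "*" if side != "remote" and gateway_ports == "yes" else "localhost"
    if b in ("", "*"):       # ":port:..." or "*:port:..." form
        return "*"
    return "localhost" if b in LOOPBACK_NAMES else b


def host_resolved_on(side: str) -> str:
    """Which end interprets "host", and so what "localhost" means in the spec."""
    return {"local": "RemoteHost",       # sshd connects to host:hostport
            "remote": "local machine",   # the ssh client connects to host:hostport
            "dynamic": "RemoteHost"}[side]  # per connection, from the SOCKS request


if __name__ == "__main__":
    # Constructed sample specs, one per case discussed in sections 2.1-2.3 and 3.3.
    cases = [("8080:localhost:80", "local", "no"),
             ("8080:localhost:80", "local", "yes"),            # ssh -g / GatewayPorts yes
             (":8080:localhost:80", "local", "no"),            # empty bind_address
             ("10.0.0.5:2222:localhost:22", "remote", "no"),   # sshd default: request ignored
             ("10.0.0.5:2222:localhost:22", "remote", "clientspecified"),
             ("1080", "dynamic", "no")]
    for spec, side, gw in cases:
        fwd = parse_forward(spec, dynamic=(side == "dynamic"))
        print("%-28s %-8s GatewayPorts=%-16s listens on %s:%d, host interpreted on %s"
              % (spec, side, gw, listen_address(fwd, side, gw), fwd.port, host_resolved_on(side)))
```

Running the cases shows the two asymmetries the text describes: the same "10.0.0.5" bind_address is silently reduced to loopback by sshd's default and only honoured under "clientspecified", and "localhost" in the host part means RemoteHost for "-L" but the local machine for "-R".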



Reference documents:
[1] man ssh
[2] http://docstore.mik.ua/orelly/networking_2nded/ssh/ch09_03.htm
[3] http://blog.csdn.net/dslztx/article/details/46654383

