Summary of common ssh usage

In our daily work, we often involve server maintenance. to facilitate operations and security, we usually install the ssh server on the server, connect to the server through ssh client on our own machine, which is both convenient and... summary of common usage of information ssh in our daily work, we often involve server maintenance. to facilitate operations and security considerations, we usually install the ssh server on the server, it is convenient and secure to connect to the server on our own machine through the ssh client tool. The following describes the basic functions of the ssh application. Www.2cto.com 1. connect to the remote host. command format: ssh name @ remoteserver or ssh remoteserver-l name. note: you can remotely log on to the remote host in either of the two methods. server represents the remote host, name is the username used to log on to the remote host. 2. connect to the port specified by the remote host. command format: ssh name @ remoteserver-p 2222 or ssh remoteserver-l name-p 2222. Description: The p parameter specifies the port number, generally, when Port ING is performed in a route, we do not directly map port 22, but convert it to another port number. in this case, we need to use the-p port number command format. 3. jump to remote host 2 through remote host 1: command format: ssh-t remoteserver1 ssh remoteserver2 description: When remote host remoteserver2 cannot be directly delivered, you can use the-t parameter, then, remoteserver1 redirects to remoteserver2. In this process, you must first enter the password of remoteserver1, then enter the password of remoteserver2, and then you can operate remoteserver2. 4. run the remote shell command via SSH: command format: ssh-l name remoteserver 'command' description: connect to the remote host and execute the command of the remote host. For example, view the memory usage of the remote host. $ Ssh-l root 192.168.1.100 svmon-G www.2cto.com 5. modify the SSH listening port: SSH listening port 22 by default, attackers can use port scanning software to check whether the host runs the SSH service. it is wise to change the SSH port to a port greater than 1024, because most port scanning software (including nmap) by default, high ports are not scanned. Open the/etc/ssh/sshd_config file and find the following line: Port 22, remove the # sign before the line, modify the Port number, and restart the SSH service: $/etc/init. d/ssh restart 6. Only Version 2 of the SSH protocol is allowed: There are two versions of the SSH protocol. Only Version 2 of the SSH protocol is more secure. SSH protocol version 1 has security questions, man-in-the-middle and insertion attacks are included. Edit the/etc/ssh/sshd_config file and find the following line: # modify Protocol to Protocol 2 7. disable root user logon. generally, the root user is not directly used to log on to the remote host. because the root user has super permissions, this poses a security risk. Therefore, when you need to manage the remote host, switch to the root user. Open the/etc/ssh/sshd_config file and find the following line: # PermitRootLogin yes remove #, then modify yes to no, and restart the ssh service, this prevents the root user from logging on. 8. when logging on, you are prompted to edit a file first, for example, bannertest.txt. the file content is customized. Open the/etc/ssh/sshd_config file and find the following line: # Banner/some/path: replace the full path of the bannertest.txt file with/some/path, save the file, and restart the ssh service. When the client crashes, it will see the prompt information in the bannertest.txt file. 9. Port ing: if the company's intranet has a web server, but only internal and external, the Internet will not be accessible, you can use ssh to perform Port ING to access the intranet web server over the Internet. Assume that the web server is named webserver. webserver can access remoteserver on the remote host through ssh, log on to webserver, and run the following command to map the command format: ssh-R 3000: localhost: after the 80 remoteserver is executed, run netstat-an | grep 3000 on the remoteserver to check whether Port 3000 is enabled. Run the following command to check whether the web page on webserver can be opened: $ w3m http://127.0.0.1:3000 If the interface can be opened, the ING is successful. However, this is only limited to accessing the web server on the local machine, that is, only the remoteserver machine can access the webserver. Port 3000 is bound to Port 127.0.0.1 of the remoteserver. You can edit the/etc/ssh/sshd_config file on the remoteserver and add the following content: add GatewayPorts yes and bind the listening port 3000 to the 0.0.0.0 address, in this way, all external machines can access the listening port and save and exit. And restart the ssh service. After that, other machines can enter http://remoteserver:3000 To access webserver. 10. scp command: the scp command is the most convenient and useful command in SSH, which can be used to transmit files between two servers. In addition, ssh encryption is still used during transmission. Command format: scp-p root@192.168.1.120:/tmp/test/bak copy the remote host's/tmp/test file to the local/bak folder scp-p/bak/1234 root@192.168.1.120: /tmp copies local/bak/1234 files to the/tmp path of the remote host. There are many other usage of ssh, such as sftp, which are not described here, if you are interested, you can query some materials from the Internet ====================================== = ssh service FAQ (1) connection port failure prompt during ssh login (1): # ssh 172.16.81.221 ssh: connect to host 172.16.81.221 port 22: No route to host this is because the server is not started or the network is disconnected (this is a lot of reason, the simplest is that the network cable is not plugged in. There may be Nic down and so on) prompt (2): # ssh work@172.16.81.221 ssh: connect to host 172.16.81.221 port 22: Connection refused this is because the other server's ssh service is not open. This server enables the service. Problem 2 ssh to server when the password is correct but reported the following information: # ssh 172.16.81.221 root@172.16.81.221's password: Permission denied, please try again. this is because the root user is used by default when the user name is not entered, but the ssh service does not enable the root user's ssh permission by default during the security period. Solution: modify the root ssh permission, that is, change PermitRootLogin no in the/etc/ssh/sshd_config file to PermitRootLogin yes. Problem 3 the following prompt appears when you log on to the server: ssh root@172.16.81.221 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION Has changed! @ It is possible that someone is doing something nasty! Someone cocould be eavesdropping on you right now (man-in-the-middle attack )! It is also possible that the RSA host key has just been changed. the fingerprint for the RSA key sent by the remote host is 76: fb: b3: 70: 14: 48: 19: d6: 29: f9: ba: 42: 46: be: fb: 77. please contact your system administrator. add correct host key in/home/fante /. ssh/known_hosts to get rid of this message. offending key in/home/fante /. ssh/known_hosts: 68 RSA host key for 172.16.81.221 has changed and you have Requested strict checking. Host key verification failed. server end password or the server corresponding to the ip address. Generally, the solution needs to be deleted ~ /. Ssh/known_hosts, and then log on to it. Question 4: How to start a remote image to a local device through ssh. Run xhost + on the local machine to modify the remote/etc/ssh/sshd_config file. the X11Forwarding yes line is yes. Restart the ssh service. Execute ssh-X [remote IP address] during logon and then execute the graphical configuration tool to display it on the local machine. ================================================ Unable to connect to the ssh client. A large number of new servers have been created, therefore, I have summarized the solutions when the ssh connection fails for your reference. If you have any new ideas, you can discuss them together ~ There are no special instructions for the following tests: use a common account to log on to www.2cto.com. I. ssh IP_A or ssh root @ IP_A both show Permission denied (publickey, gssapi-with-mic ). idea: Check whether the SSH version above IP_A is correct. if the sshd path on the online server is/use/local/bin/sshd, you must upgrade the sshd version, the correct version is/usr/sbin/sshd. condition 2: ssh IP_A displays Permission denied (publickey, gssapi-with-mic ). but ssh root @ IP_A: check/etc/ssh/sshd_config, which contains a section of AllowUsers that writes User_name @ IP_ B [IP_ B _HOSTNAME, next, try again. 3. ssh IP_A always requires password. But ssh root @ IP_A is successful (or not, you also need a password). you can check the permissions of folders and. ssh/authorized_keys. if the permissions are too large, problems may occur. Grant authorized_keys to 740. A folder is not just a folder. for ssh, you also need to pay attention to the/home/user. when the user folder has too many permissions, the problem may also occur. here you need to pay attention to ssh-v root @ IP_A (display debug information, convenience for subsequent debugging) In addition, you need to pay attention to messlog and check whether there is any error message in it.