OpenSSH tutorial: Useful OpenSSH tips and tutorials

Since its introduction, OpenSSH has become the most popular free SSH program for secure login to a system, executing commands on a remote host, and transferring files from one machine to another. It can do a good deal more than that, as the following tips show. This article goes through various tips, techniques, and ways of using SSH in everyday work.

How to restrict root access?

In most distributions, root access via SSH is disabled for security (PermitRootLogin no), and anyone who tries to log in as root gets an error message. To perform tasks requiring administrative privileges, you have to log in as a normal user and use su or sudo. The Match directive offers a neat way out of this situation. It takes a selection criterion (User, Group, Host, Address), its value, and the settings you want to apply.

As an example, it can allow root connections only from localhost and from a trusted subnet you specify.

    PermitRootLogin no
    #PermitRootLogin yes
    # (Comment out this line, or keep the directive active with the value no.
    # Both will deny direct SSH login for the root user.)
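
A Match block implementing the rule just described, as an added example that is not from the original article; the subnet 192.168.5.0/24 and the test address 192.168.5.10 are placeholders for your trusted network:

```conf
# /etc/ssh/sshd_config (added example; addresses are placeholders)

# Global default: no direct root login. Set explicitly so the result
# does not depend on the default compiled into your sshd.
PermitRootLogin no

# Keep Match blocks at the end of the file: a block applies to every
# line that follows it, up to the next Match line or end of file.
# Settings inside the block override the global ones for matching clients.
Match Address 127.0.0.1,::1,192.168.5.0/24
    PermitRootLogin yes

# Check the syntax before reloading the daemon:
#   sshd -t
# Show the setting sshd would apply to root connecting from the trusted subnet:
#   sshd -T -C user=root,host=client.example,addr=192.168.5.10 | grep -i permitrootlogin
```

Using prohibit-password instead of yes inside the Match block keeps root login from the trusted addresses limited to key-based authentication.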

You can also restrict SSH access to specific IPs using TCP Wrappers (this requires an sshd built with libwrap support).

    # vi /etc/hosts.allow
    # Open /etc/hosts.allow and add the required IP as follows.
    sshd : 19.168.1.1 : allow
    sshd : ALL : deny
    # Make sure you add the ALL deny entry, because by default all hosts/IPs are allowed.

How to monitor user connections?

The files /etc/ssh/sshrc and ~/.ssh/rc let you run actions when a user logs in; any shell command can be used there. As an example, the following sends the admin a mail notification whenever a user logs in to the system via SSH:

    # vi /etc/ssh/sshrc
    echo "$(date) $SSH_CONNECTION $USER $SSH_TTY" | mail -s "ssh login" [email protected]

How to back up your work on a dedicated server?

Generate a key pair (private and public):

    $ ssh-keygen -t rsa -C 'remote backup'
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa_backup

Add the public key to the list of authorized keys on the remote system:

    $ ssh remotehost "umask 077; cat >> .ssh/authorized_keys" < .ssh/id_rsa_backup.pub

Then edit authorized_keys (the -t option should be used when running programs that need a pseudo-terminal):

    $ ssh -t remotehost vi .ssh/authorized_keys
    from="192.168.0.*,212.34.XX.YY",command="cd /work; tar cvf - ./* | bzip2 -9",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding ssh-rsa AAAA[…]

Now, run the backup procedure:

    $ ssh -i .ssh/id_rsa_backup remotehost > ~/backup/work-`date +%d%m%Y`.tar.bz2 2> /dev/null

The /work directory on the server remotehost will be stored in the archive ~/backup/work-11052008.tar.bz2.

How to transfer files and directories?

To send a file over SSH, you can use one of the following ways:

    $ cat myfile | ssh remotehost 'cat > myfile'
    $ tar zcf - ~/coding | ssh remotehost 'cat > coding.tgz'

To recursively send the entire directory, type:

    $ scp -r mydir [email protected]

Alternatively, copy a directory from a local to a remote host using ssh and tar:

    $ tar cf - source | ssh remotehost "(cd target && tar xpf -)"

and from the remote host to localhost:

    $ ssh remotehost "tar cf - source" | (cd target && tar xpf -)

How to receive email safely?

To receive mail safely with fetchmail, you can use SSH. Open the configuration file ~/.fetchmailrc and specify the following:

    poll localhost with protocol pop3 and port 8110:
        preconnect "ssh -f -q -C [email protected] \
            -L 8110:213.167.XX.YY:110 sleep 10" password noIdea;

Fetch mail:

    $ fetchmail
    A message for user at localhost (8062 octets).
    reading message [email protected]:1 of 1 (8062 octets) ....... flushed

How to execute the specified command after connecting?

The ProxyCommand option lets you execute arbitrary commands. As an example, here is how to connect through a gateway to a file server that is behind NAT:

    $ vi .ssh/config
    Host gateway
        HostName ns.domain.com
    Host filesrv
        HostName 192.168.5.201
        ProxyCommand ssh gateway nc -w 180 %h %p

Connect:

    $ ssh filesrv

I hope it helps.

Translated from: https://www.eukhost.com/blog/webhosting/useful-openssh-tips-and-tutorials/
