# SSH Essentials

Secure Shell (SSH) for remote access and secure file transfers.
## Basic Connection

### Connecting

```bash
# Connect with username
ssh user@hostname

# Connect to specific port
ssh user@hostname -p 2222

# Connect with verbose output
ssh -v user@hostname

# Connect with specific key
ssh -i ~/.ssh/id_rsa user@hostname

# Connect and run command
ssh user@hostname 'ls -la'
ssh user@hostname 'uptime && df -h'
```

### Interactive use

```bash
# Connect with agent forwarding
ssh -A user@hostname

# Connect with X11 forwarding (GUI apps)
ssh -X user@hostname
ssh -Y user@hostname  # Trusted X11

# Escape sequences (typed at the start of a line during a session)
# ~.  - Disconnect
# ~^Z - Suspend SSH
# ~#  - List forwarded connections
# ~?  - Help
```
## SSH Keys

### Generating keys

```bash
# Generate RSA key
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Generate ED25519 key (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Generate with custom filename
ssh-keygen -t ed25519 -f ~/.ssh/id_myserver

# Generate without passphrase (automation only; the file alone then grants access)
ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_deploy
```

### Managing keys

```bash
# Copy public key to server
ssh-copy-id user@hostname

# Copy specific key
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

# Manual key copy
cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> ~/.ssh/authorized_keys'

# Check key fingerprint
ssh-keygen -lf ~/.ssh/id_rsa.pub

# Change key passphrase
ssh-keygen -p -f ~/.ssh/id_rsa
```

### SSH agent

```bash
# Start ssh-agent
eval $(ssh-agent)

# Add key to agent
ssh-add ~/.ssh/id_rsa

# List keys in agent
ssh-add -l

# Remove key from agent
ssh-add -d ~/.ssh/id_rsa

# Remove all keys
ssh-add -D

# Set key lifetime (seconds)
ssh-add -t 3600 ~/.ssh/id_rsa
```
## Port Forwarding & Tunneling

### Local port forwarding

```bash
# Forward local port to remote
ssh -L 8080:localhost:80 user@hostname
# Access via: http://localhost:8080

# Forward to different remote host
ssh -L 8080:database.example.com:5432 user@jumphost
# Access database through jumphost

# Multiple forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname
```

### Remote port forwarding

```bash
# Forward remote port to local
ssh -R 8080:localhost:3000 user@hostname
# Remote server can access localhost:3000 via its port 8080

# Make service accessible from remote
ssh -R 9000:localhost:9000 user@publicserver
```

### Dynamic port forwarding (SOCKS proxy)

```bash
# Create SOCKS proxy
ssh -D 1080 user@hostname

# Use with browser or apps
# Configure SOCKS5 proxy: localhost:1080

# With Firefox
firefox --profile $(mktemp -d) \
  --preferences "network.proxy.type=1;network.proxy.socks=localhost;network.proxy.socks_port=1080"
```

### Background tunnels

```bash
# Run in background
ssh -f -N -L 8080:localhost:80 user@hostname
# -f: Background
# -N: No command execution
# -L: Local forward

# Keep alive
ssh -o ServerAliveInterval=60 -L 8080:localhost:80 user@hostname
```
## Configuration

### SSH config file (~/.ssh/config)

```
# Simple host alias
Host myserver
    HostName 192.168.1.100
    User admin
    Port 2222

# With key and options
Host production
    HostName prod.example.com
    User deploy
    IdentityFile ~/.ssh/id_prod
    ForwardAgent yes

# Jump host (bastion)
Host internal
    HostName 10.0.0.5
    User admin
    ProxyJump bastion

Host bastion
    HostName bastion.example.com
    User admin

# Wildcard configuration
Host *.example.com
    User admin
    ForwardAgent yes

# Keep connections alive
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
```

### Using config

```bash
# Connect using alias
ssh myserver

# Jump through bastion automatically
ssh internal

# Override config options
ssh -o "StrictHostKeyChecking=no" myserver
```
## File Transfers

### SCP (Secure Copy)

```bash
# Copy file to remote
scp file.txt user@hostname:/path/to/destination/

# Copy file from remote
scp user@hostname:/path/to/file.txt ./local/

# Copy directory recursively
scp -r /local/dir user@hostname:/remote/dir/

# Copy with specific port (scp uses capital -P, unlike ssh)
scp -P 2222 file.txt user@hostname:/path/

# Copy with compression
scp -C large-file.zip user@hostname:/path/

# Preserve attributes (timestamps, permissions)
scp -p file.txt user@hostname:/path/
```

### SFTP (Secure FTP)

```bash
# Connect to SFTP server
sftp user@hostname

# Common SFTP commands:
# pwd         - Remote working directory
# lpwd        - Local working directory
# ls          - List remote files
# lls         - List local files
# cd          - Change remote directory
# lcd         - Change local directory
# get file    - Download file
# put file    - Upload file
# mget *.txt  - Download multiple files
# mput *.jpg  - Upload multiple files
# mkdir dir   - Create remote directory
# rmdir dir   - Remove remote directory
# rm file     - Delete remote file
# exit/bye    - Quit

# Batch mode
sftp -b commands.txt user@hostname
```

### Rsync over SSH

```bash
# Sync directory
rsync -avz /local/dir/ user@hostname:/remote/dir/

# Sync with progress
rsync -avz --progress /local/dir/ user@hostname:/remote/dir/

# Sync with delete (mirror: removes remote files that no longer exist locally)
rsync -avz --delete /local/dir/ user@hostname:/remote/dir/

# Exclude patterns
rsync -avz --exclude '*.log' --exclude 'node_modules/' \
  /local/dir/ user@hostname:/remote/dir/

# Custom SSH port
rsync -avz -e "ssh -p 2222" /local/dir/ user@hostname:/remote/dir/

# Dry run
rsync -avz --dry-run /local/dir/ user@hostname:/remote/dir/
```
## Security Best Practices

### Hardening SSH

Edit /etc/ssh/sshd_config on the server:

```
# Disable password authentication
PasswordAuthentication no
PubkeyAuthentication yes

# Disable root login
PermitRootLogin no

# Change default port
Port 2222

# Use protocol 2 only (legacy setting: OpenSSH 7.4 and later speak only
# protocol 2 and accept this directive without effect)
Protocol 2

# Limit users
AllowUsers user1 user2
```

Then restart the SSH service:

```bash
sudo systemctl restart sshd   # the unit is named ssh on Debian/Ubuntu
```
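An added example, not part of the original cheat sheet: a small audit script that reads an sshd_config file and reports which of the hardening directives above are missing or weak. It honours two sshd parsing rules (directive names are case-insensitive, and for a duplicated directive the first occurrence wins) but does not evaluate `Match` blocks; the sample config it writes is constructed.

```bash
# Added example (not from the cheat sheet): audit sshd_config hardening.
# sshd matches directive names case-insensitively and uses the FIRST
# occurrence of a duplicated directive; Match blocks are not handled here.

# Print the effective value of a directive, or "(default)" when it is unset.
sshd_effective() {  # usage: sshd_effective FILE DIRECTIVE
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*(#|$)/ { next }                     # skip comments and blanks
    tolower($1) == key  { print $2; found = 1; exit } # first occurrence wins
    END { if (!found) print "(default)" }' "$1"
}

# Print one line per weak setting; return the number of findings (0 = clean).
audit_sshd_config() {  # usage: audit_sshd_config FILE
  local f="$1" n=0 v
  v=$(sshd_effective "$f" PasswordAuthentication)
  # upstream default is "yes", so an unset directive is reported as weak too
  [ "$v" = "no" ]  || { echo "WEAK: PasswordAuthentication=$v"; n=$((n + 1)); }
  v=$(sshd_effective "$f" PermitRootLogin)
  [ "$v" = "no" ]  || { echo "WEAK: PermitRootLogin=$v"; n=$((n + 1)); }
  v=$(sshd_effective "$f" PubkeyAuthentication)
  [ "$v" != "no" ] || { echo "WEAK: PubkeyAuthentication=no"; n=$((n + 1)); }
  v=$(sshd_effective "$f" AllowUsers)
  [ "$v" != "(default)" ] || echo "INFO: AllowUsers not set, any account may log in"
  return "$n"
}

# Constructed sample config for the example (not a real server's file).
write_sample_sshd_config() {  # usage: write_sample_sshd_config FILE
  cat > "$1" <<'EOF'
# constructed sample
Port 2222
permitrootlogin yes
PasswordAuthentication no
PasswordAuthentication yes   # duplicate: ignored, first occurrence wins
PubkeyAuthentication yes
EOF
}
```

Before restarting, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the effective configuration, including the `Match` results this script does not evaluate.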
### Connection security

```bash
# Check host key (look up a host in known_hosts)
ssh-keygen -F hostname

# Remove old host key
ssh-keygen -R hostname

# Strict host key checking
ssh -o StrictHostKeyChecking=yes user@hostname

# Use specific cipher
ssh -c aes256-ctr user@hostname
```
## Troubleshooting

### Debugging

```bash
# Verbose output
ssh -v user@hostname
ssh -vv user@hostname   # More verbose
ssh -vvv user@hostname  # Maximum verbosity

# Test connection (no pseudo-terminal is allocated)
ssh -T user@hostname

# Check permissions
ls -la ~/.ssh/
# Should be: 700 for ~/.ssh, 600 for keys, 644 for .pub files
```
### Common issues

```bash
# Fix permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys

# Clear known_hosts entry
ssh-keygen -R hostname

# Disable host key checking (not recommended)
ssh -o StrictHostKeyChecking=no user@hostname
```
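An added example, not part of the original cheat sheet, that turns the permission check and the chmod fix above into reusable functions: it walks an .ssh directory, reports every entry whose mode differs from the expected value, and can apply the fix. It assumes GNU `stat -c` (Linux) and, by assumption, treats known_hosts like the other 644 files since ssh creates it world-readable.

```bash
# Added example (not from the cheat sheet): check and fix .ssh permissions.
# Expected modes: 700 for the directory, 644 for *.pub, authorized_keys and
# known_hosts (assumption), 600 for everything else (private keys, config).

# Expected octal mode for one path inside the .ssh directory.
expected_mode() {  # usage: expected_mode PATH
  if [ -d "$1" ]; then
    echo 700
  else
    case "$(basename -- "$1")" in
      *.pub|authorized_keys|known_hosts) echo 644 ;;
      *) echo 600 ;;   # private keys, config: owner read/write only
    esac
  fi
}

# Print one line per mismatch; return the number of mismatches (0 = clean).
check_ssh_perms() {  # usage: check_ssh_perms DIR
  local dir="$1" bad=0 p actual want
  for p in "$dir" "$dir"/*; do
    [ -e "$p" ] || continue          # an empty directory leaves the glob unexpanded
    actual=$(stat -c '%a' -- "$p")
    want=$(expected_mode "$p")
    if [ "$actual" != "$want" ]; then
      echo "WRONG: $p is $actual, expected $want"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Apply the expected mode to the directory and every entry in it
# (the chmod lines above, generalised to whatever files are present).
fix_ssh_perms() {  # usage: fix_ssh_perms DIR
  local p
  for p in "$1" "$1"/*; do
    if [ -e "$p" ]; then chmod "$(expected_mode "$p")" -- "$p"; fi
  done
}
```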
## Advanced Operations

### Jump hosts (ProxyJump)

```bash
# Connect through bastion
ssh -J bastion.example.com user@internal.local

# Multiple jumps
ssh -J bastion1,bastion2 user@final-destination

# Using config (see Configuration section above)
ssh internal  # Automatically uses ProxyJump
```

### Multiplexing

```bash
# Master connection
ssh -M -S ~/.ssh/control-%r@%h:%p user@hostname

# Reuse connection
ssh -S ~/.ssh/control-user@hostname:22 user@hostname
```

In config:

```
ControlMaster auto
ControlPath ~/.ssh/control-%r@%h:%p
ControlPersist 10m
```

### Execute commands

```bash
# Single command
ssh user@hostname 'uptime'

# Multiple commands
ssh user@hostname 'cd /var/log && tail -n 20 syslog'

# Pipe commands
cat local-script.sh | ssh user@hostname 'bash -s'

# With sudo (-t allocates a terminal so sudo can prompt for a password)
ssh -t user@hostname 'sudo command'
```
## Tips

- Use SSH keys instead of passwords
- Use ~/.ssh/config for frequently accessed hosts
- Enable SSH agent forwarding carefully (security risk)
- Use ProxyJump for accessing internal networks
- Keep SSH client and server updated
- Use fail2ban or similar to prevent brute force
- Monitor /var/log/auth.log for suspicious activity
- Use port knocking or VPN for additional security
- Backup your SSH keys securely
- Use different keys for different purposes
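An added example, not part of the original cheat sheet, for the "monitor /var/log/auth.log" and fail2ban tips: a small detection pass that counts failed password attempts per source address in OpenSSH auth.log lines and reports sources at or above a threshold, which is the same signal fail2ban acts on. The log lines in `SAMPLE_AUTH_LOG` are constructed for the example.

```bash
# Added example (not from the cheat sheet): count failed SSH logins per IP.
# Constructed sample of OpenSSH auth.log lines (not from a real host).
SAMPLE_AUTH_LOG='Mar 10 09:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:12:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 09:12:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 09:12:06 host sshd[1207]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar 10 09:12:09 host sshd[1209]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2: ED25519 SHA256:constructed
Mar 10 09:12:11 host sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2'

# Read log text on stdin; print "COUNT IP" for every source address with at
# least THRESHOLD failed password attempts (default 3), highest count first.
failed_logins_by_ip() {  # usage: failed_logins_by_ip [THRESHOLD] < logfile
  awk -v min="${1:-3}" '
    / sshd\[[0-9]+\]: Failed password for / {
      # the source address is the field that follows "from"
      for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }' |
  sort -rn
}

# Run the report over the constructed sample; threshold as optional argument.
sample_report() {  # usage: sample_report [THRESHOLD]
  printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip "${1:-3}"
}
```

On a live host, feed the real log to the function instead of the sample, e.g. `sudo failed_logins_by_ip 5 < /var/log/auth.log`.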
## Documentation

- Official docs: https://www.openssh.com/manual.html
- Man pages: `man ssh`, `man ssh_config`, `man sshd_config`