ssh

概览

ssh — OpenSSH SSH client (remote login program)
man ssh

ssh 默认使用 22 端口通信
netstat -lntup | grep ssh

systemctl status sshd

rpm -qa | grep ssh

[dc2-user@10-255-20-218 ~]$ rpm -ql  openssh-clients
/etc/ssh/ssh_config
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id
/usr/bin/ssh-keyscan
......


[dc2-user@10-255-20-218 ~]$ rpm -ql  openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/lib/systemd/system/sshd.service
......


ssh 192.168.1.10
ssh root@192.168.1.10
ssh username@192.168.1.10
ssh -p 22 username@192.168.1.10

ssh node1 echo
ssh node1 hostname -I

ssh -vvv root@192.168.1.10

sshd 配置文件

cat /etc/ssh/sshd_config && echo

配置文件全览

[root@node2 ~]# cat   /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
[root@node2 ~]# 

常用配置项

Port 监听的端口
PermitEmptyPasswords   是否允许密码为空的用户远程登陆,默认no,表示不允许
PermitRootLogin        是否允许root用户直接ssh登陆,yes允许,no禁止
UseDNS                 一般都设置为no,加快登陆上机器的速度,不需要反向解析IP
PermitRootLogin yes    允许root登陆
更多配置项 man sshd_config

修改配置后需要重启服务  systemctl restart sshd

调整配置使机器可以root直接登陆

# echo "xys829475K" | passwd --stdin root
# egrep -v "^$|^#" /etc/ssh/sshd_config.bak  > /etc/ssh/sshd_config

# 允许root登陆 保证下面这行配置有就可以了
PermitRootLogin yes

ssh 命令使用

man ssh

ssh [-i identity_file] [-o option] [-p port] [user@]hostname [command]

ssh 192.168.1.9
ssh node1
ssh root@node1
ssh -p 22 root@node1
ssh -p 22 root@baidu.com
ssh -p 22 user1@192.168.1.9


ssh node1 echo hello
ssh node1 hostname -I

第1次连接时,会提示输入yes确认,之后会在本地的 ~/.ssh/known_hosts 生产一条密钥文件,如果发生密钥登陆冲突(比如同一台机器重装系统了,则把这条密钥删掉重新连接即可),如下所示

[root@node1 ~]# ssh root@192.168.1.112
The authenticity of host '192.168.1.112 (192.168.1.112)' can't be established.
ECDSA key fingerprint is SHA256:G2IJANu1Lrtz2RRPMXPyWdSwozenlwf8jfQOaDSJnNA.
ECDSA key fingerprint is MD5:8f:2d:dc:49:e7:17:ca:a5:80:40:e2:7d:6b:77:d6:fd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.112' (ECDSA) to the list of known hosts.
Last login: Wed Apr  1 09:46:01 2020 from 192.168.1.8
[root@node1 ~]# cat /root/.ssh/known_hosts 
192.168.1.112 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCVKx7janxHsfiJdaHwEwGOFD56ZbSnZDFVsw3Lnr3/CIvWMm5WVIidA7syfkAp0vyKjbzBUN37R6hmEl09PPPE=
[root@node1 ~]# ssh 192.168.1.112 hostname -I
192.168.1.112 172.17.0.1 2408:8207:7897:f130:a00:27ff:fee7:284 

scp 命令使用

这个命令依托于sshd服务,是最方便的,跨机器传输文件的工具了,可以把本机的文件传输到远端机器,也可以把远端的机器传输到本地

man scp
[root@node1 ~]# scp
usage: scp [-12346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
           [-l limit] [-o ssh_option] [-P port] [-S program]
           [[user@]host1:]file1 ... [[user@]host2:]file2

scp hello.txt root@192.168.1.112:/tmp
scp root@192.168.1.112:/tmp/hello.txt .

如果是拷贝目录,可以加上 -rp 参数

使用scp每次做的都是全量拷贝,无法实现增量拷贝

使用scp拷贝文件,需要知道远程服务器对应用户的登陆密码,或者是两台机器之间已经做了免密

免密登陆

https://blog.csdn.net/xys2015/article/details/110442383

SSH连接复用

场景:SSH连接复用是SSH客户端的配置,开启之后只要我们连接一次机器,即便是我们用6位动态密码连接的机器,第1次成功连接后,后面均无需再输入密码

ControlPersist 特性需要高版本的 SSH 才支持,CentOS 6 默认是不支持的,如果需要使用,需要自行升级 openssh。ControlPersist 即持久化 socket,一次验证,多次通信。

# cat  ~/.ssh/config
Host *
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p.sock
ControlPersist 10h
  • 没有~/.ssh/config这个文件,新创建即可
  • ControlPersist 表示持续时间10消失
  • ControlPath sock文件生成路径

效果演示

csdn 109657408

xshell ssh 帮助

xshell 5

xshell 6

给docker容器增加ssh服务

docker run --detach --rm --name dpc -p 2200:22  -v /root:/opt -w /opt daocloud.io/library/centos:7.6.1810 tail -F /tmp/tmp.txt
docker exec -it dpc bash
yum install passwd openssl openssh-server openssh-clients net-tools

mkdir -p /var/run/ssh
ssh-keygen -q -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
ssh-keygen -t dsa -f /etc/ssh/ssh_host_ed25519_key -N ''

sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config
sed -i "s/UsePAM.*/UsePAM no/g" /etc/ssh/sshd_config
echo 123456 | passwd --stdin root

/usr/sbin/sshd -D &

参考资料 https://www.cnblogs.com/ruanqj/p/7374544.html

延长终端保持时间 避免自动掉线

[root@xingyongsheng ~]# egrep -v "^$|^#" /etc/ssh/sshd_config 
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile	.ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes

#  增加下面两行参数
ClientAliveInterval 7200
ClientAliveCountMax 3
#############

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem	sftp	/usr/libexec/openssh/sftp-server
UseDNS no
AddressFamily inet
SyslogFacility AUTHPRIV
PermitRootLogin yes
PasswordAuthentication no

https://blog.51cto.com/leoheng/1964135

ClientAliveInterval指定了服务器端向客户端请求消息 的时间间隔, 默认是0, 不发送. ClientAliveInterval 7200表示每2个小时发送一次, 然后客户端响应, 这样就保持长连接了.
ClientAliveCountMax,使用默认值3即可.   ClientAliveCountMax表示服务器发出请求后客户端没有响应的次数达到一定值, 就自动断开.

远程执行命令

[root@shihaohan cluster]# cat  create_swarm.sh 
#!/bin/bash

#filename: dp_create_swarm.sh
workdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd $workdir
source ../manifest.sh

SSH_PORT=22
SSH_CMD="ssh -p $SSH_PORT -oStrictHostKeyChecking=no"
LABEL="manager"

for ip in ${MANAGERS[*]} ${WORKERS[*]}; do
$SSH_CMD $ip docker login registry.as4k.com -uas4k -pas4k
$SSH_CMD $ip docker swarm leave --force
$SSH_CMD $ip mkdir -vp \
$DP_MYSQL_DATA_HOME \
$DP_LOG_HOME \
$DP_LOG_HOME/dpthrall \
$DP_LOG_HOME/sourcedp \
$DP_LOG_HOME/sinkdp \
$DP_LOG_HOME/manager \
$DP_LOG_HOME/thirdparty \
$ZK_DATA_DIR \
$ZK_LOG_DIR \
$ES_DIR \
$KAFKA_DIR \
$REDIS1_DIR \
$REDIS2_DIR \
$REDIS3_DIR \
$WB_LIST \
$DP_CODE \
$DP_CODE_LIB \
/root/as4k
rsync -av -e ssh --exclude='cluster' ../* $ip:/root/as4k/
done

sleep 3
docker swarm init
join_manager_str=$(docker swarm join-token manager | grep 2377)
join_worker_str=$(docker swarm join-token worker | grep 2377)
for ip in ${MANAGERS[*]}; do $SSH_CMD $ip $join_manager_str; done
for ip in ${WORKERS[*]};  do $SSH_CMD $ip $join_worker_str; done

i=0
for ip in ${MANAGERS[*]} ${WORKERS[*]}; do
let i++
h=$($SSH_CMD $ip hostname)
docker node update --label-add host_id=${LABEL}-${i} $h
done

echo "docker swarm statsu are below:"
echo "########################################################################################"
docker node ls
for ip in ${MANAGERS[*]} ${WORKERS[*]}; do
h="$($SSH_CMD $ip hostname)"
docker node inspect --pretty $h | sed -n '/Labels/,/Hostname/p'
done

docker swarm update --dispatcher-heartbeat 2m



##################################################################
https://www.cnblogs.com/youngerger/p/9104144.html
执行需要交互的命令
ssh -t nick@xxx.xxx.xxx.xxx "top"

远程执行脚本
ssh nick@xxx.xxx.xxx.xxx < test.sh

ssh node2 "cd /root/dp-on-docker-compose/as4k/node2; ./start.sh zk2"
ssh node1 "cd /root/dp-on-docker-compose/as4k/node2; ./stop.sh zk1"

web界面终端

http://web-console.org/

参考资料

https://weread.qq.com/web/reader/36732010719ecf6b3676799k9f6326602389f61408e3715

虚拟机使用ssh命令出现:packet_write_wait: Connection to **** port 22: Broken pipe 解决!
https://blog.csdn.net/qq_31841025/article/details/88992618

Linux ssh命令详解
https://www.cnblogs.com/ftl1012/p/ssh.html