
Using ssh port forwarding to build an encrypted channel; Chinese manual for the ssh command

Date: 2019-05-22


If sshd is running on the remote server, there is a good chance that a service can be "tunnelled" through ssh. This is useful, for example, to encrypt a POP or SMTP connection even when the mail software itself does not support encrypted communication. The tunnel uses port forwarding to create the connection between client and server; the client software must be able to connect to a non-standard port for this to work.

The body of this article is a translation of the ssh man page. About ninety percent of the content is translated; the remainder is material that did not need translating.

-L option, which allows the user to forward connections from local to remote
-R option, which allows the user to forward connections from remote to local
-D option, which enables dynamic port forwarding
-f option, which instructs ssh to put itself in the background after authentication
-g option, which allows other hosts to use port forwards

If anything in this article is unclear, another of my posts may answer it: http://www.cnblogs.com/f-ck-need-u/p/7129122.html

─────────────────────────────────
Usage syntax and basic examples:
─────────────────────────────────
Syntax: [ -D  |  -L  |  -R ]  [ bind_address: ]  port  [ : host : hostport ]

Collection of my translations: http://www.cnblogs.com/f-ck-need-u/p/7048359.html

 -D [bind_address:]port                 dynamic forwarding (SOCKS proxy)
 -L [bind_address:]port:host:hostport   local (forward) port forwarding
 -R [bind_address:]port:host:hostport   remote (reverse) port forwarding


Note: use a listening port above 1024; on a Linux system only root may bind ports below 1024.
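As an added example (not part of the original page or of OpenSSH), the following Python parses the `[bind_address:]port[:host:hostport]` syntax shown above for -L, -R and -D and reports where each forward listens, whether it covers all interfaces, and whether the port is privileged. The bind-address rules it applies (omitted or "*" means all interfaces, "localhost" means loopback only, ports below 1024 need root) are the ones stated in this section and in the option descriptions further down. The UNIX-socket forms of -L/-R are deliberately not handled, and the handling of bracketed IPv6 literals in the bind address is an assumption of this example.

```python
"""Parse ssh -L / -R / -D forwarding specifications (added example)."""
from dataclasses import dataclass
from typing import List, Optional

PRIVILEGED_PORT_LIMIT = 1024  # ports below this can only be bound by root


@dataclass(frozen=True)
class Forward:
    kind: str                  # "L" (local), "R" (remote) or "D" (dynamic)
    bind_address: Optional[str]
    port: int                  # the listening port
    host: Optional[str]        # None for -D: the SOCKS request names the target
    hostport: Optional[int]

    @property
    def listen_side(self) -> str:
        # -L and -D listen on the client; -R listens on the server
        return "server" if self.kind == "R" else "client"

    @property
    def listens_on_all_interfaces(self) -> bool:
        # omitted bind_address or "*" => all interfaces; "localhost" => loopback
        return self.bind_address in (None, "*")

    @property
    def needs_root(self) -> bool:
        return self.port < PRIVILEGED_PORT_LIMIT


def _split_spec(spec: str) -> List[str]:
    """Split on ':' but keep a bracketed IPv6 literal such as [::1] intact."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def parse_forward(kind: str, spec: str) -> Forward:
    """Parse one -L/-R/-D argument (TCP forms only)."""
    if kind not in ("L", "R", "D"):
        raise ValueError("kind must be L, R or D")
    parts = _split_spec(spec)
    if kind == "D":
        # -D [bind_address:]port
        if len(parts) == 1:
            bind, port = None, parts[0]
        elif len(parts) == 2:
            bind, port = parts[0], parts[1]
        else:
            raise ValueError("bad -D spec: " + spec)
        host, hostport = None, None
    else:
        # -L/-R [bind_address:]port:host:hostport
        if len(parts) == 3:
            bind, port, host, hostport = None, parts[0], parts[1], int(parts[2])
        elif len(parts) == 4:
            bind, port, host, hostport = parts[0], parts[1], parts[2], int(parts[3])
        else:
            raise ValueError("bad -%s spec: %s" % (kind, spec))
    bind = None if bind in (None, "") else bind   # empty bind_address == omitted
    return Forward(kind, bind, int(port), host, hostport)


def describe(fwd: Forward) -> str:
    """Human-readable summary of what the forward does."""
    where = fwd.bind_address or "*"
    if fwd.kind == "D":
        target = "a destination chosen by the SOCKS request"
    else:
        target = "%s:%d" % (fwd.host, fwd.hostport)
    return "%s listens on %s:%d and forwards to %s%s" % (
        fwd.listen_side, where, fwd.port, target,
        " (needs root)" if fwd.needs_root else "")


if __name__ == "__main__":
    for kind, spec in (("L", "1234:localhost:6667"),
                       ("R", "*:8080:localhost:80"),
                       ("D", "localhost:8888")):
        print("-%s %s => %s" % (kind, spec, describe(parse_forward(kind, spec))))
```

Running the block prints one summary line per specification; `parse_forward` raises `ValueError` on a malformed argument rather than guessing.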

 

SSH(1)                    BSD General Commands Manual                   SSH(1)

 

NAME

     ssh -- OpenSSH SSH client (remote login program)

 

SYNOPSIS

     ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
         [-D [bind_address:]port] [-E log_file] [-e escape_char]
         [-F configfile] [-I pkcs11] [-i identity_file] [-L address]
         [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
         [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
         [-w local_tun[:remote_tun]] [user@]hostname [command]

 

DESCRIPTION

     ssh (SSH client) is a program for logging into a remote machine and for
     executing commands on a remote machine.  It is intended to provide secure
     encrypted communications between two untrusted hosts over an insecure
     network.  X11 connections, arbitrary TCP ports and UNIX-domain sockets
     can also be forwarded over the secure channel.

     ssh connects and logs into the specified host (with an optional user
     name).  The client must prove its identity to the remote machine using
     one of several methods, described below.

     If a command is specified on the ssh command line, it is executed on the
     remote host instead of logging into the remote host.

   

     The options are as follows:

     -1      Forces ssh to use protocol version 1 only.

     -2      Forces ssh to use protocol version 2 only.

     -4      Forces ssh to use IPv4 addresses only.

     -6      Forces ssh to use IPv6 addresses only.

     -A      Enables forwarding of the authentication agent connection.  This
             can also be specified in the global configuration file
             (/etc/ssh/ssh_config).  Agent forwarding should be enabled with
             caution.

     -a      Disables forwarding of the authentication agent connection.

     -b bind_address
             Use bind_address on the local machine as the source address of
             the connection.  Only useful on systems with more than one IP
             address.

     -C      Requests compression of all data in the session.  Compression is
             desirable on slow network links, but on fast networks it will
             only slow things down.

     -c cipher_spec
             Selects the cipher specification for encrypting the session.

     -D [bind_address:]port
             Specifies a local "dynamic" application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side; whenever a connection is made to this port, the connection
             is forwarded over the secure channel to the server, and the
             server then connects to the destination (host and port), which
             is determined by the application protocol.  Currently the SOCKS4
             and SOCKS5 protocols are supported, and ssh will act as a SOCKS
             server.

             Only root can forward privileged ports.  Dynamic port forwardings
             can also be specified in the configuration file.

             By default, the forwarded port is bound in accordance with the
             GatewayPorts setting, but an explicit bind_address may be given.
             If bind_address is "localhost" the listening port is bound to the
             loopback address only; if bind_address is not set or is "*", the
             port is bound on all network interfaces.

     -E log_file
             Append debug logs to log_file instead of the default, standard
             error (stderr).

     -e escape_char
             Sets the escape character (default: "~").  Setting it to "none"
             disables the escape character and makes the session fully
             transparent.  See the escape characters section below for the
             details.

     -F configfile
             Specifies an alternative per-user configuration file (default:
             ~/.ssh/config).  If a configuration file is given on the command
             line, the system-wide configuration file (/etc/ssh_config) is
             ignored.

     -f      Requests ssh to go to the background.  This implies the "-n"
             option, so standard input becomes /dev/null.

     -G      Causes ssh to print the configuration options that apply after
             matching the Host blocks, and then exit.

     -g      Allows remote hosts to connect to local forwarded ports.

     -I pkcs11
             Specify the PKCS#11 shared library ssh should use to communicate
             with a PKCS#11 token providing the user's private RSA key.

     -i identity_file
             Selects the private key file to read for public key
             authentication.  The default is ~/.ssh/id_rsa.

     -K      Enables GSSAPI-based authentication and forwarding (delegation)
             of GSSAPI credentials to the server.

     -k      Disables forwarding (delegation) of GSSAPI credentials to the
             server.

     -L [bind_address:]port:host:hostport
     -L [bind_address:]port:remote_socket
     -L local_socket:host:hostport
     -L local_socket:remote_socket
             Specifies that connections to the given TCP port on the local
             (client) host are to be forwarded to the given remote host and
             port (host:hostport).  This works by allocating a socket to
             listen to the TCP port on the local side.  Whenever a connection
             is made to this local port, the connection is forwarded over the
             secure channel to the remote machine (the server), and a
             connection is then made from the remote machine (the server side)
             to host:hostport, completing the forwarding.

             Translator's note: the tunnel is built between the local machine
             and the remote machine (the server, i.e. the intermediate host),
             not between the local machine and host, nor between the remote
             machine and host.

             Port forwardings can also be specified in the configuration file.
             Only root can forward privileged ports (below 1024).

             By default, the local port is bound in accordance with the
             GatewayPorts setting.  However, an explicit bind_address may be
             used to bind the connection to a specific address.  A
             bind_address of "localhost" indicates that the listening port is
             available for local connections only (it listens on the loopback
             address), while leaving bind_address unset or setting it to "*"
             indicates that the port is available for connections from all
             network interfaces (it listens on all addresses).

     -l login_name
             Specifies the user to log in as on the remote machine.  This can
             also be specified in the global configuration file.

     -M      Places the ssh client into "master" mode for connection sharing
             (connection multiplexing), i.e. the behaviour controlled by
             ControlMaster and ControlPersist.

     -m mac_spec
             A comma-separated list of MAC (message authentication code)
             algorithms, specified in order of preference.  See the MACs
             keyword for more information.

     -N      Do not execute a remote command.  This is useful for just
             forwarding ports.

     -n      Redirects stdin from /dev/null, which prevents reading from
             standard input.  This must be used when ssh is run in the
             background.  It does not work if ssh needs to ask for a password.

     -O ctl_cmd
             Control an active connection multiplexing master process.  When
             the -O option is specified, the ctl_cmd argument is interpreted
             and passed to the master process.  Valid commands are: “check”
             (check that the master process is running), “forward” (request
             forwardings without command execution), “cancel” (cancel
             forwardings), “exit” (request the master to exit), and “stop”
             (request the master to stop accepting further multiplexing
             requests).

     -o option
             Can be used to give options in the format used in the
             configuration file.  This is useful for specifying options for
             which there is no separate command-line flag.  For full details
             of the options listed below, and their possible values, see
             ssh_config(5).

                   AddKeysToAgent
                   AddressFamily
                   BatchMode
                   BindAddress
                   CanonicalDomains
                   CanonicalizeFallbackLocal
                   CanonicalizeHostname
                   CanonicalizeMaxDots
                   CanonicalizePermittedCNAMEs
                   CertificateFile
                   ChallengeResponseAuthentication
                   CheckHostIP
                   Cipher
                   Ciphers
                   ClearAllForwardings
                   Compression
                   CompressionLevel
                   ConnectionAttempts
                   ConnectTimeout
                   ControlMaster
                   ControlPath
                   ControlPersist
                   DynamicForward
                   EscapeChar
                   ExitOnForwardFailure
                   FingerprintHash
                   ForwardAgent
                   ForwardX11
                   ForwardX11Timeout
                   ForwardX11Trusted
                   GatewayPorts
                   GlobalKnownHostsFile
                   GSSAPIAuthentication
                   GSSAPIDelegateCredentials
                   HashKnownHosts
                   Host
                   HostbasedAuthentication
                   HostbasedKeyTypes
                   HostKeyAlgorithms
                   HostKeyAlias
                   HostName
                   IdentityFile
                   IdentitiesOnly
                   IPQoS
                   KbdInteractiveAuthentication
                   KbdInteractiveDevices
                   KexAlgorithms
                   LocalCommand
                   LocalForward
                   LogLevel
                   MACs
                   Match
                   NoHostAuthenticationForLocalhost
                   NumberOfPasswordPrompts
                   PasswordAuthentication
                   PermitLocalCommand
                   PKCS11Provider
                   Port
                   PreferredAuthentications
                   Protocol
                   ProxyCommand
                   ProxyUseFdpass
                   PubkeyAcceptedKeyTypes
                   PubkeyAuthentication
                   RekeyLimit
                   RemoteForward
                   RequestTTY
                   RhostsRSAAuthentication
                   RSAAuthentication
                   SendEnv
                   ServerAliveInterval
                   ServerAliveCountMax
                   StreamLocalBindMask
                   StreamLocalBindUnlink
                   StrictHostKeyChecking
                   TCPKeepAlive
                   Tunnel
                   TunnelDevice
                   UpdateHostKeys
                   UsePrivilegedPort
                   User
                   UserKnownHostsFile
                   VerifyHostKeyDNS
                   VisualHostKey
                   XAuthLocation

     -p port
             Port to connect to on the remote host.  This can also be
             specified in the global configuration file.

     -Q query_option
             Queries ssh for the algorithms supported for the specified
             version 2.  The available features are: cipher (supported
             symmetric ciphers), cipher-auth (supported symmetric ciphers that
             support authenticated encryption), mac (supported message
             integrity codes), kex (key exchange algorithms), key (key types),
             key-cert (certificate key types), key-plain (non-certificate key
             types), and protocol-version (supported SSH protocol versions).

     -q      Quiet mode.  Causes most warning messages to be suppressed.

     -R [bind_address:]port:host:hostport
     -R [bind_address:]port:local_socket
     -R remote_socket:host:hostport
     -R remote_socket:local_socket
             Specifies that connections to the given TCP port on the remote
             (server) host are to be forwarded to the given host and port on
             the local side.  This works by allocating a socket to listen to
             the TCP port on the remote (server) side.  Whenever a connection
             is made to this port, the connection is forwarded over the secure
             channel to the local machine, and a connection is then made from
             the local machine to host:hostport.

             Port forwardings can also be specified in the configuration file.
             Only root can forward privileged ports (below 1024).

             By default, the remote (server) socket is bound to the loopback
             address.  However, an explicit bind_address may be used to bind
             the socket to a specific address.  Leaving bind_address unset or
             setting it to "*" indicates that the socket listens on all
             network interfaces.  Specifying a bind_address only takes effect
             if the GatewayPorts option on the remote (server) host is enabled
             (see sshd_config(5)).

             If the port value is 0, the listening port on the remote host
             (server) is dynamically allocated and reported to the client at
             run time.

     -S ctl_path
             Specifies the location of a control socket for connection
             sharing, or the string “none” to disable connection sharing.
             Refer to the description of ControlPath and ControlMaster in
             ssh_config(5) for details.

     -s      Requests invocation of a subsystem on the remote host.
             Subsystems facilitate the use of ssh as a secure transport for
             other applications (e.g. sftp).  The subsystem is specified as
             the remote command.

     -T      Disables pseudo-terminal allocation for ssh.

     -t      Forces pseudo-terminal allocation; repeating the option ("-tt")
             forces allocation even more strongly.

     -V      Displays the version number and exits.

     -v      Verbose mode.  Prints debug messages, which is useful for
             debugging; "-vvv" is more verbose still.

     -W host:port
             Requests that standard input and output on the client be
             forwarded to host:port over the secure channel.  This option
             implies "-N", "-T", ExitOnForwardFailure and ClearAllForwardings.

     -w local_tun[:remote_tun]
             Requests tunnel device forwarding with the specified tun(4)
             devices between the client (local_tun) and the server
             (remote_tun).

             The devices may be specified by numerical ID or the keyword
             “any”, which uses the next available tunnel device.  If
             remote_tun is not specified, it defaults to “any”.  See also
             the Tunnel and TunnelDevice directives in ssh_config(5).  If the
             Tunnel directive is unset, it is set to the default tunnel mode,
             which is “point-to-point”.

     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY
             extension restrictions by default.  Please refer to the ssh -Y
             option and the ForwardX11Trusted directive in ssh_config(5) for
             more information.

     -x      Disables X11 forwarding.

     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not
             subjected to the X11 SECURITY extension controls.

     -y      Send log information using syslog.  By default this information
             is sent to standard error.

 

     ssh may additionally obtain configuration data from a per-user
     configuration file and a system-wide configuration file.  See
     ssh_config(5) for details.

 

AUTHENTICATION

     The methods available for authentication are, in order: GSSAPI-based
     authentication, host-based authentication, public key authentication,
     challenge-response authentication, and password authentication.  The
     PreferredAuthentications option can change the default order.

     Host-based authentication works as follows: If the machine the user logs
     in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
     machine, and the user names are the same on both sides, or if the files
     ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
     machine and contain a line containing the name of the client machine and
     the name of the user on that machine, the user is considered for login.
     Additionally, the server must be able to verify the client's host key
     (see the description of /etc/ssh_known_hosts and ~/.ssh/known_hosts,
     below) for login to be permitted.  This authentication method closes
     security holes due to IP spoofing, DNS spoofing, and routing spoofing.
     [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
     rlogin/rsh protocol in general, are inherently insecure and should be
     disabled if security is desired.]

 

     Public key authentication works as follows: the user creates a
     public/private key pair and sends the public key to the server, so the
     server knows the public key while only the user knows the private key.

     The file ~/.ssh/authorized_keys lists the public keys that are permitted
     for logging in.  When a connection is initiated, the ssh client program
     tells the server which key pair it would like to use for authentication
     and proves that it has access to the private key part (translator's
     note: the private key itself cannot be handed to the server for
     comparison, since it must never be disclosed); the server then checks the
     corresponding public key part to decide whether to accept the client's
     connection.

     The user creates a key pair with ssh-keygen (taking the rsa algorithm as
     an example); the keys are stored in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
     The user then copies the public key file into ~/.ssh/authorized_keys in
     the home directory of some user (say A) on the remote host, after which
     the user can log in to the remote host as user A.

     A variation on public key authentication is certificate authentication:
     only trusted certificates are allowed to connect.  See the CERTIFICATES
     section of ssh-keygen(1) for more information.

     The most convenient way to use public key or certificate authentication
     is the "authentication agent"; see ssh-agent(1) and the AddKeysToAgent
     directive in ssh_config(5) for details.

 

     Challenge-response authentication works as follows: The server sends an

     arbitrary "challenge" text, and prompts for a response.  Examples of

     challenge-response authentication include BSD Authentication (see

     login.conf(5)) and PAM (some non-OpenBSD systems).

 

     Finally, if all other authentication methods fail, ssh prompts for a
     password.  The password entered is transmitted encrypted and then
     checked by the server.

     The SSH client automatically maintains and checks a database of host
     identification information, in which the public keys of all known hosts
     are recorded.  Host key entries are stored in ~/.ssh/known_hosts; in
     addition, /etc/ssh_known_hosts is automatically checked when host keys
     are verified.  When a host key has changed, ssh warns about it and
     disables password authentication to prevent server spoofing or
     man-in-the-middle attacks.  The StrictHostKeyChecking option controls
     how unknown host keys are handled at login.

     When the client has been accepted by the server, the server either
     executes the given command in a non-interactive session or, if no
     command was given, logs the user in, enters an interactive session and
     allocates a shell to the logged-in user.  All interactive traffic from
     then on is transmitted encrypted.

     ssh requests an interactive session by default, which requests a
     pseudo-terminal (pty).  The "-T" and "-t" options change this
     behaviour: "-T" disables pseudo-terminal allocation, "-t" forces it,
     and "-tt" forces it even more strongly.

     If a pseudo-terminal has been allocated to ssh, the user may use the
     escape characters in it for special control.

     If no pseudo-terminal has been allocated to ssh, the session is
     transparent and can be used to transfer binary data reliably.  Setting
     the escape character to "none" also makes the session transparent even
     if a tty is used.  The session ends when the command finishes or the
     shell exits, and all X11 and TCP connections are closed as well.

 

ESCAPE CHARACTERS

     When a pseudo-terminal has been allocated, ssh supports a number of
     escape sequences that perform special functions.

     The default escape character is "~", which may be followed by one of the
     characters listed below; the escape character must directly follow a
     newline to be interpreted as special.  The escape character can be
     changed with the EscapeChar directive in the configuration file or the
     "-e" option on the command line.

     ~.      Disconnect.

     ~^Z     Background ssh.

     ~#      List forwarded connections.

     ~&      Background ssh at logout when waiting for forwarded connection /
             X11 sessions to terminate.

     ~?      Display a list of escape characters.

     ~B      Send a BREAK to the remote system.

     ~C      Open command line.  Currently this allows the addition of port
             forwardings using the -L, -R and -D options (see above).  It also
             allows the cancellation of existing port-forwardings with
             -KL[bind_address:]port for local, -KR[bind_address:]port for
             remote and -KD[bind_address:]port for dynamic port-forwardings.
             !command allows the user to execute a local command if the
             PermitLocalCommand option is enabled in ssh_config(5).  Basic
             help is available, using the -h option.

     ~R      Request rekeying of the session.

     ~V      Decrease the verbosity (LogLevel) when errors are being written
             to stderr.

     ~v      Increase the verbosity (LogLevel) when errors are being written
             to stderr.

 

TCP FORWARDING

     Forwarding of arbitrary TCP connections over the secure channel can be
     enabled either in the configuration file or with command-line options.
     One possible use of TCP forwarding is a secure connection to a mail
     server; other uses mainly involve getting through firewalls.

     In the example below, an encrypted connection is established between an
     IRC client and server, even though the IRC server does not directly
     support encrypted connections.  The user specifies a local port to be
     forwarded to the remote server, which opens an encrypted service on the
     local host; whenever a connection is made to the local forwarded port,
     ssh encrypts and forwards the connection.

     The following example tunnels the connection from the client host
     "127.0.0.1" to "server.example.com":

         $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
         $ irc -c '#users' -p 1234 pinky 127.0.0.1

     This tunnel is built between the local host and "server.example.com";
     it carries the IRC session to "#users" as user "pinky", using port 1234.
     It does not matter which port is used, as long as it is greater than
     1023 (only root can open sockets on privileged ports) and does not
     conflict with any port already in use.  The connection is forwarded to
     port 6667 on the remote host, because that is the default port for IRC
     services.

     The "-f" option backgrounds ssh, and the remote command "sleep 10" means
     that connections made within that period (10 seconds) are sent through
     the tunnel.  If no connection is made within 10 seconds, ssh exits.
     (In other words, the tunnel is only kept open in the background for ten
     seconds.)
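To show the mechanism the -L description and the IRC example above describe, here is an added Python example, not code from OpenSSH or from this page: a listener on the client side accepts connections and relays each one to host:hostport in both directions until one side closes. The encrypted channel is left out (the relay is a plain local process), and the IRC server on port 6667 is replaced by a constructed echo server, so the whole thing runs on loopback with OS-assigned ports. `demo()` sends a constructed IRC-style line through the forwarded port and returns what came back.

```python
"""A local port forward (ssh -L) in miniature: listen, accept, relay (added example)."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass  # peer went away; the other direction will notice its own EOF
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_listener(bind_address: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind a listening socket; port 0 lets the OS choose a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_address, port))
    s.listen(5)
    return s


def serve_forward(listener: socket.socket, host: str, hostport: int) -> None:
    """Accept connections on listener (the -L port) and relay each to host:hostport."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return  # listener closed: the forward is shut down
        try:
            upstream = socket.create_connection((host, hostport), timeout=5)
        except OSError:
            client.close()  # destination unreachable: drop this client only
            continue
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def _echo_server(listener: socket.socket) -> None:
    """Constructed stand-in for the IRC server: echoes each client's bytes back."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)


def demo(payload: bytes = b"NICK pinky\r\n") -> bytes:
    """Run the echo server and the forward on loopback, push payload through
    the forwarded port and return what arrives back through the relay."""
    echo = start_listener()   # plays host:hostport (the "IRC server")
    fwd = start_listener()    # plays the -L listening port on the client
    threading.Thread(target=_echo_server, args=(echo,), daemon=True).start()
    threading.Thread(target=serve_forward,
                     args=(fwd, "127.0.0.1", echo.getsockname()[1]),
                     daemon=True).start()
    try:
        with socket.create_connection(fwd.getsockname(), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)   # we are done sending; wait for the echo
            chunks = []
            while True:
                d = c.recv(4096)
                if not d:
                    break
                chunks.append(d)
            return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

The two `_pump` threads per accepted connection are what make the forward bidirectional; half-closing with `SHUT_WR` after EOF is what lets the far end finish sending before the relay tears the pair down.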

 

X11 FORWARDING

     If the ForwardX11 variable is set to “yes” (or see the description of
     the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
     environment variable is set), the connection to the X11 display is
     automatically forwarded to the remote side in such a way that any X11
     programs started from the shell (or command) will go through the
     encrypted channel, and the connection to the real X server will be made
     from the local machine.  The user should not manually set DISPLAY.
     Forwarding of X11 connections can be configured on the command line or in
     configuration files.

     The DISPLAY value set by ssh will point to the server machine, but with a
     display number greater than zero.  This is normal, and happens because
     ssh creates a “proxy” X server on the server machine for forwarding the
     connections over the encrypted channel.

     ssh will also automatically set up Xauthority data on the server machine.
     For this purpose, it will generate a random authorization cookie, store
     it in Xauthority on the server, and verify that any forwarded connections
     carry this cookie and replace it by the real cookie when the connection
     is opened.  The real authentication cookie is never sent to the server
     machine (and no cookies are sent in the plain).

     If the ForwardAgent variable is set to “yes” (or see the description of
     the -A and -a options above) and the user is using an authentication
     agent, the connection to the agent is automatically forwarded to the
     remote side.

 

VERIFYING HOST KEYS

     When a user connects to a server for the first time, a fingerprint of the
     server's public key is presented to the user (unless the
     StrictHostKeyChecking option has been disabled).  The fingerprint can be
     computed with ssh-keygen:

           $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

     If the fingerprint is already known, the corresponding key can be
     accepted or rejected.  If only the legacy (MD5) fingerprint of the server
     is available, the "-E" option of ssh-keygen may be used to downgrade the
     fingerprint algorithm so that it can be matched.

     Because comparing host keys by looking at fingerprint strings alone is
     difficult, host keys can also be compared visually using random art.  By
     setting the VisualHostKey option to "yes", a small ASCII graphic (a
     pictorial fingerprint) is displayed whenever the client connects to a
     server, whether or not the session is interactive.  By comparing it with
     the pattern produced previously, the user can easily notice that a host
     key has changed.  However, because these pictures are not unambiguous, a
     similar-looking picture does not guarantee that the host key is
     unchanged; the pictorial fingerprint merely offers a convenient way to
     compare.

     To get a listing of the pictorial fingerprints for all known hosts, use
     the following command:

           $ ssh-keygen -lv -f ~/.ssh/known_hosts

     If the fingerprint is unknown, there is another way to verify it: DNS.
     An SSHFP resource record can be added to the DNS zone file, so that the
     client can match the fingerprint it is presented with against the one
     stored there.

     In the example below, a client is connected to the server
     "host.example.com".  Before that, the SSHFP resource records for
     "host.example.com" should be added to the zone file:

           $ ssh-keygen -r host.example.com.

     Add the output of the command above to the zone file.  To check that the
     resource record can be resolved:

           $ dig -t SSHFP host.example.com

     Finally, use the client to connect to the server:

           $ ssh -o "VerifyHostKeyDNS ask" host.example.com
           [...]
           Matching host key fingerprint found in DNS.
           Are you sure you want to continue connecting (yes/no)?

     See the VerifyHostKeyDNS option in ssh_config(5) for more information.
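The checks in this section can be reproduced offline. The following is an added Python example, not OpenSSH's code or the page's own: from a public key in OpenSSH one-line format it computes the SHA256 fingerprint that `ssh-keygen -l` prints, the legacy MD5 fingerprint selected with `-E md5`, and the SSHFP record that `ssh-keygen -r` would emit for the DNS check above; it also matches a hostname against a hashed known_hosts host field (the HashKnownHosts format, an HMAC-SHA1 over the hostname with a per-entry salt). The key is constructed from 32 placeholder bytes and is not a real host key; the SSHFP algorithm and fingerprint-type numbers are the ones assigned by the RFCs for that record type.

```python
"""Host key fingerprints, SSHFP records and hashed known_hosts entries (added example)."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def constructed_ed25519_pubkey_line(comment: str = "demo@example") -> str:
    """Build a syntactically valid ssh-ed25519 public key line from placeholder bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))  # NOT a real key
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (key_type, blob) and check that the blob's embedded type matches."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type field does not match the key blob")
    return key_type, blob


def fingerprint_sha256(line: str) -> str:
    """Same form as `ssh-keygen -l`: SHA256 of the blob, base64 without padding."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(line: str) -> str:
    """Legacy form as `ssh-keygen -E md5 -l`: colon-separated hex of MD5."""
    _, blob = parse_pubkey_line(line)
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sshfp_record(hostname: str, line: str) -> str:
    """Zone-file line like `ssh-keygen -r` (SHA-256 fingerprint type only)."""
    key_type, blob = parse_pubkey_line(line)
    return "%s IN SSHFP %d %d %s" % (hostname, SSHFP_ALGORITHM[key_type],
                                    SSHFP_SHA256, hashlib.sha256(blob).hexdigest())


def hash_known_host(hostname: str, salt: Optional[bytes] = None) -> str:
    """Produce the `|1|salt|hmac` host field written when HashKnownHosts is yes."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_host_matches(host_field: str, hostname: str) -> bool:
    """True if a (plain or hashed) known_hosts host field names hostname."""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")  # plain form, possibly "host,ip"
    _, _, salt_b64, mac_b64 = host_field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, actual)  # constant-time comparison


if __name__ == "__main__":
    line = constructed_ed25519_pubkey_line()
    print(fingerprint_sha256(line))
    print(fingerprint_md5(line))
    print(sshfp_record("host.example.com.", line))
    print(known_host_matches(hash_known_host("host.example.com"), "host.example.com"))
```

Because the fingerprint is taken over the key blob, not over the whole line, the comment field never affects it; that is why two `authorized_keys` lines with different comments but the same key show the same fingerprint.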

 

SSH-BASED VIRTUAL PRIVATE NETWORKS

     The following example would connect client network 10.0.50.0/24 with
     remote network 10.0.99.0/24 using a point-to-point connection from
     10.1.1.1 to 10.1.1.2, provided that the SSH server running on the gateway
     to the remote network, at 192.168.1.15, allows it.

     on client:

           # ssh -f -w 0:1 192.168.1.15 true
           # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
           # route add 10.0.99.0/24 10.1.1.2

     on server:

           # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
           # route add 10.0.50.0/24 10.1.1.1

     Client access may be more finely tuned via the /root/.ssh/authorized_keys
     file (see below) and the PermitRootLogin server option.  The following
     entry would permit connections on tun(4) device 1 from user “jane” and
     on tun device 2 from user “john”, if PermitRootLogin is set to
     “forced-commands-only”:

       tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
       tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john

     Since an SSH-based setup entails a fair amount of overhead, it may be
     more suited to temporary setups, such as for wireless VPNs.  More
     permanent VPNs are better provided by tools such as ipsecctl(8) and
     isakmpd(8).

 

ENVIRONMENT

     ssh will normally set the following environment variables:

     DISPLAY               The DISPLAY variable indicates the location of the
                           X11 server.  It is automatically set by ssh to
                           point to a value of the form “hostname:n”, where
                           “hostname” indicates the host where the shell
                           runs, and ‘n’ is an integer ≥ 1.  ssh uses this
                           special value to forward X11 connections over the
                           secure channel.  The user should normally not set
                           DISPLAY explicitly, as that will render the X11
                           connection insecure (and will require the user to
                           manually copy any required authorization cookies).

     HOME                  Set to the path of the user's home directory.

     LOGNAME               Synonym for USER; set for compatibility with
                           systems that use this variable.

     MAIL                  Set to the path of the user's mailbox.

     PATH                  Set to the default PATH, as specified when
                           compiling ssh.

     SSH_ASKPASS           If ssh needs a passphrase, it will read the
                           passphrase from the current terminal if it was run
                           from a terminal.  If ssh does not have a terminal
                           associated with it but DISPLAY and SSH_ASKPASS are
                           set, it will execute the program specified by
                           SSH_ASKPASS and open an X11 window to read the
                           passphrase.  This is particularly useful when
                           calling ssh from a .xsession or related script.
                           (Note that on some machines it may be necessary to
                           redirect the input from /dev/null to make this
                           work.)

     SSH_AUTH_SOCK         Identifies the path of a UNIX-domain socket used to
                           communicate with the agent.

     SSH_CONNECTION        Identifies the client and server ends of the
                           connection.  The variable contains four
                           space-separated values: client IP address, client
                           port number, server IP address, and server port
                           number.

     SSH_ORIGINAL_COMMAND  This variable contains the original command line if
                           a forced command is executed.  It can be used to
                           extract the original arguments.

     SSH_TTY               This is set to the name of the tty (path to the
                           device) associated with the current shell or
                           command.  If the current session has no tty, this
                           variable is not set.

     TZ                    This variable is set to indicate the present time
                           zone if it was set when the daemon was started
                           (i.e. the daemon passes the value on to new
                           connections).

     USER                  Set to the name of the user logging in.

     Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
     “VARNAME=value” to the environment if the file exists and users are
     allowed to change their environment.  For more information, see the
     PermitUserEnvironment option in sshd_config(5).

 

FILES

     ~/.rhosts
             This file is used for host-based authentication (see above).  It
             lists the host/user pairs that are permitted to log in.  The file
             must be owned by the corresponding user and must not be writable
             by anyone else.  If the user's home directory is on an NFS
             partition, however, the file must be world-readable, because
             sshd(8) reads it as root.  In most cases the recommended
             permission is "600".

     ~/.shosts
             This file is used in exactly the same way as ".rhosts", but
             allows host-based authentication while forbidding login with
             "rlogin/rsh".

     ~/.ssh/
             This directory is the default location for all user-specific
             configuration files and authentication information.  Although
             there is no general requirement to keep the entire contents of
             this directory secret, the recommended permissions are
             read/write/execute for the owner only, with no access for
             anyone else.

     ~/.ssh/authorized_keys
             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
             for logging in as this user.  The format of this file is
             described in the sshd(8) manual page.  This file is not highly
             sensitive, but the recommended permissions are read/write for
             the owner only, with no access for anyone else.

     ~/.ssh/config
             This is the per-user configuration file for ssh.  The file
             format is described in the ssh_config(5) manual page.  Because
             of the potential for abuse, this file has strict permission
             requirements: read/write for the owner only, and not writable
             by anyone else.

     ~/.ssh/environment
             Contains additional definitions for environment variables; see
             ENVIRONMENT, above.

     ~/.ssh/identity
     ~/.ssh/id_dsa
     ~/.ssh/id_ecdsa
     ~/.ssh/id_ed25519
     ~/.ssh/id_rsa
             Contains the private key for authentication.  These files
             contain sensitive data and should be readable by the owner only,
             with all permissions (rwx) denied to anyone else.  If such a file
             is accessible by others, ssh will ignore it.  It is possible to
             specify a passphrase when generating the key file, which will be
             used to encrypt the file with the 3DES algorithm.

     ~/.ssh/identity.pub
     ~/.ssh/id_dsa.pub
     ~/.ssh/id_ecdsa.pub
     ~/.ssh/id_ed25519.pub
     ~/.ssh/id_rsa.pub
             Contains the public key for authentication.  The data in these
             files is not sensitive and may be readable by anyone.

     ~/.ssh/known_hosts
             Contains the list of host keys for all known hosts.  See sshd(8)
             for the detailed format of this file.

     ~/.ssh/rc
             Commands in this file are executed by ssh when the user logs in
             successfully, just before the user's shell (or the specified
             command) is started.  See the sshd(8) manual page for details.
             (Translator's note: in other words, the first thing done after a
             successful login is to run the commands in this file.)

     /etc/ssh/hosts.equiv
             This file is used for host-based authentication (see above).  It
             should only be writable by root.

     /etc/ssh/shosts.equiv
             This file is used in exactly the same way as "hosts.equiv", but
             allows host-based authentication while forbidding login with
             "rlogin/rsh".

     /etc/ssh/ssh_config
             Global configuration file for ssh.  The file format and
             configuration options are described in ssh_config(5).

     /etc/ssh/ssh_host_key
     /etc/ssh/ssh_host_dsa_key
     /etc/ssh/ssh_host_ecdsa_key
     /etc/ssh/ssh_host_ed25519_key
     /etc/ssh/ssh_host_rsa_key
             These files contain the private parts of the host keys and are
             used for host-based authentication.  (Translator's note: these
             are the private keys generated on the server; during host
             verification the corresponding public key is stored in the
             client's known_hosts file.  These files are generated
             automatically when the sshd service is restarted.)

     /etc/ssh/ssh_known_hosts
             Global list of known host keys.  The host keys in this file
             should be prepared by the system administrator.  This file should
             be world-readable.  See sshd(8) for details.

     /etc/ssh/rc
             Equivalent to ~/.ssh/rc: commands in this file are executed by
             ssh when the user logs in successfully, just before the user's
             shell (or the specified command) is started.  See the sshd(8)
             manual page for details.  (Translator's note: again, these are
             the first commands run after a successful login.)

 

EXIT STATUS

     ssh exits with the exit status of the remote command, or with 255 if an
     error occurred.

Other commonly used options:
 -f Requests ssh to go to background just before command execution.
 -g Allows remote hosts to connect to local forwarded ports.
 -N Do not execute a remote command.  Dedicated to port forwarding (protocol version 2 only).

 

Simple usage examples:

Connect to the remote server and forward local port 8080 to port 80 on the remote host's localhost (local forwarding):
# ssh jason@server -N -g -L 8080:localhost:80     # stays in the foreground after connecting
# ssh jason@server -N -g -L 8080:localhost:80 -f  # goes to the background after connecting

Connect to the remote server and forward remote port 8080 to port 80 on the local host (localhost) (reverse forwarding):
# ssh jason@server -N -g -R 8080:localhost:80     # stays in the foreground after connecting
# ssh jason@server -N -g -R 8080:localhost:80 -f  # goes to the background after connecting

The host [host] can in fact be any address, as long as the machine that opens the connection can reach that host and hostport, for example:
# ssh jason@server -N -g -R 8080:www.google.com:80
# ssh jason@server -N -g -R 8080:www.yahoo.com:80

The examples above use port 80 for ease of testing; to test, visit the forwarded listening port on the corresponding host:
test of the local forwarding example;
test of the reverse forwarding example;

Here is an example of dynamic proxy forwarding:
# ssh -g -D 8888 root@server
A browser (e.g. Firefox) can then be configured to use this SOCKS5 proxy: 127.0.0.1:8888
Note: dynamic proxy forwarding is a form of local forwarding; by default it listens on all local bind addresses, but a bind address can also be specified explicitly.
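The -D description above states that the destination of a dynamically forwarded connection is chosen by the application protocol (SOCKS), not by the ssh command line, and the example just given points a browser at the -D listener as a SOCKS5 proxy. As an added example, not code from OpenSSH or from this page, the following Python encodes and decodes the SOCKS5 messages (RFC 1928) that are exchanged on that port: the client greeting, the server's method selection, the CONNECT request carrying the destination, and the server reply. Only the no-authentication method and the CONNECT command are handled, and no network is used; `run_exchange()` plays both sides and returns the destination the server side learned.

```python
"""SOCKS5 CONNECT exchange as seen by an ssh -D listener (added example)."""
import socket
import struct
from typing import Tuple

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS = 0x00


def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """Client -> server: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def select_method(greeting: bytes) -> bytes:
    """Server -> client: choose NO_AUTH if offered, else 0xFF (no acceptable method)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated greeting")
    chosen = NO_AUTH if NO_AUTH in methods else 0xFF
    return bytes([SOCKS_VERSION, chosen])


def build_connect_request(host: str, port: int) -> bytes:
    """Client -> server: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")   # not an IP literal: send as a domain name
            if len(name) > 255:
                raise ValueError("domain name too long for SOCKS5")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(req: bytes) -> Tuple[str, int]:
    """Server side: return the (host, port) the application asked ssh to reach."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled in this example")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = socket.inet_ntop(socket.AF_INET, req[4:end])
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = socket.inet_ntop(socket.AF_INET6, req[4:end])
    elif atyp == ATYP_DOMAIN:
        end = 5 + req[4]
        host = req[5:end].decode("idna")
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(req) != end + 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return host, port


def build_reply(rep: int = REP_SUCCESS, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_pton(socket.AF_INET, bind_addr)
            + struct.pack("!H", bind_port))


def run_exchange(host: str, port: int):
    """Play both sides of the handshake; return what the server learned and
    whether its reply signalled success."""
    if select_method(build_greeting()) != bytes([SOCKS_VERSION, NO_AUTH]):
        raise RuntimeError("method negotiation failed")
    dest = parse_connect_request(build_connect_request(host, port))
    reply = build_reply()
    return dest, reply[1] == REP_SUCCESS


if __name__ == "__main__":
    print(run_exchange("example.com", 443))
```

Note the security consequence of the `-g` flag in the example above this block: with `-g`, anyone who can reach the listening port can submit CONNECT requests of this form, and the remote side will open connections on their behalf, so a -D listener is normally bound to localhost unless that is intended.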
