Records
- user’s configuration file (~/.ssh/config)
- sstem-wide configuration file (/etc/ssh/ssh_config)
参数含义
- %L 本地主机名的第一个组件
- %l 本地主机名(包括域名)
- %h 远程主机名(命令行输入)
- %n 远程原始主机名
- %p 远程主机端口
- %r 远程登录用户名
- %u 本地 ssh 正在使用的用户名
- %i 本地 ssh 正在使用 uid
- %C 值为 %l%h%p%r 的 hash
通配符
*- Matches zero or more characters. For example,Host *matches all hosts, while192.168.0.*matches hosts in the192.168.0.0/24subnet.?- Matches exactly one character. The pattern,Host 10.10.0.?matches all hosts in10.10.0.[0-9]range.!- When used at the start of a pattern, it negates the match. For example,Host 10.10.0.* !10.10.0.5matches any host in the10.10.0.0/24subnet except10.10.0.5.
路径
Override SSH Config File Option
The ssh client reads its configuration in the following precedence order:
- Options specified from the command line.
- Options defined in the
~/.ssh/config. - Options defined in the
/etc/ssh/sshd_config.
Or ocate sshd_config file by typing the following command
$ find / -name "sshd_config" 2>/dev/null
# Sample outputs:
/etc/ssh/sshd_config
在修改该配置文件后,可以重启 sshd
$ sudo systemctl restart ssh
常见参数类型
Host - 昵称/HostName - 主机 domain
HostName
Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications).
配置文件:
# configuration 1
Host cluster1
HostName 192.168.1.1
# 登录时用的主机名
User tom
例如我们想要ssh连接到上例中的 cluster1 主机,则在命令行执行如下命令即可:
$ ssh cluster1
用于我们执行 SSH 命令的时候如何匹配到该配置。
*,匹配所有主机名。*.example.com,匹配以 .example.com 结尾。!*.dialup.example.com,*.example.com,以 ! 开头是排除的意思。192.168.0.?,匹配 192.168.0.[0-9] 的 IP。
User
指定登录用户名。
IdentityFile - 指定密钥认证使用的私钥文件路径
Specifies a file from which the user’s RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication.
The file name may use the tilde syntax to refer to a user’s home directory or one of the following escape characters: ‘%d’ (local user’s home directory), ‘%u’ (local user name), ‘%l’ (local host name), ‘%h’ (remote host name) or ‘%r’ (remote user name).
It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.
文件名称可以使用以下转义符:
'%d' 本地用户目录
'%u' 本地用户名称
'%l' 本地主机名
'%h' 远程主机名
'%r' 远程用户名
可以指定多个密钥文件,在连接的过程中会依次尝试这些密钥文件。
Port
指定远程主机端口号,默认为 22 。
ProxyCommand
指定连接的服务器需要执行的命令。%h(远程主机名(命令行输入)),%p(远程主机端口),%r(远程登录用户名)。
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user’s shell. In the command string, ‘%h’ will be substituted by the host name to connect and ‘%p’ by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user).
如:
Host 192.168.2.1
ProxyCommand ssh 192.168.1.1 -W %h:%p
因为我无法直接连接 192.168.2.1,因而通过192.168.1.1 跳板机进行连接。
LocalForward
指定一个本地主机的端口,并将该端口接收到的 TCP 通过 ssh 转发到指定远程主机。格式:LocalForward [bind_address:]post host:hostport,支持 IPv6。
Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address]port and host/hostport.
Example
通过 LocalForward 将本地端口上的数据流量通过 ssh 转发到远程主机的指定端口。感觉你是使用的本地服务,其实你使用的远程服务。如远程服务器上运行着 Postgres,端口 5432(未暴露端口给外部)。那么,你可以:
Host db
HostName db.example.com
LocalForward 5433 localhost:5432
当你连接远程主机后,它会在本地打开一个 5433 端口,并将该端口的流量通过 ssh 转发到远程服务器上的 5432 端口。
首先,建立连接:
$ ssh db
之后,就可以通过 Postgres 客户端连接本地 5433 端口:
$ psql -h localhost -p 5433 orders
ConnectionAttempts/ConnectTimeout/ControlMaster/ControlPath/ControlPersist
ConnectionAttempts
退出前尝试连接的次数,值必须为整数,1(default)。
ConnectTimeout
连接 SSH 服务器超时时间,单位 s,默认系统 TCP 超时时间。
ControlMaster
是否开启单一网络共享多个 session,值可以为 no(default)/yes/ask/auto。需要和 ControlPath 配合使用,当值为 yes 时,ssh 会监听该路径下的 control socket,多个 session 会去连接该 socket,它们会尽可能的复用该网络连接而不是重新建立新的。
ControlPath
指定 control socket 的路径,值可以直接指定也可以用一下参数代替:
- %L 本地主机名的第一个组件
- %l 本地主机名(包括域名)
- %h 远程主机名(命令行输入)
- %n 远程原始主机名
- %p 远程主机端口
- %r 远程登录用户名
- %u 本地 ssh 正在使用的用户名
- %i 本地 ssh 正在使用 uid
- %C 值为 %l%h%p%r 的 hash
请最大限度的保持 ControlPath 的唯一。至少包含 %h,%p,%r(或者 %C)。
ControlPersist 结合 ControlMaster 使用,指定连接打开后后台保持的时间。值可以为 no/yes/整数,单位 s。如果为 no,最初的客户端关闭就关闭。如果 yes/0,无限期的,直到杀死或通过其它机制,如:ssh -O exit。
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow/deny users directives are processed in the following order: DenyUsers, AllowUsers.
See PATTERNS in ssh_config(5) for more information on patterns.
Example
# allow all users
AllowUsers *
# allow sw user only
AllowUsers sw
Security-related Setting
PermitLogin yes
# allow only Public Key Authentication.
PasswordAuthentication no
# allow only Public Key Authentication.
PubkeyAuthentication yes
Example
$ vim ~/.ssh/config
Host sshtest
HostName ssh.test.com
User user
Port 2200
IdentityFile ~/.ssh/id_rsa_test
Host ssttest2
HostName ssh.test2.com
User user2
Port 2345
IdentityFile ~/.ssh/id_rsa_test2
$ ssh sshtest