SSH on huluhuluu https://my-blog-p39q.vercel.app/tags/ssh/ Recent content in SSH on huluhuluu Hugo -- gohugo.io zh Sat, 28 Mar 2026 00:00:00 +0800 SSH 命令备忘 https://my-blog-p39q.vercel.app/p/ssh-guide/ Sat, 28 Mar 2026 00:00:00 +0800 https://my-blog-p39q.vercel.app/p/ssh-guide/ <h1 id="ssh-命令备忘">SSH 命令备忘 </h1><p>SSH (Secure Shell) 是远程登录和服务器的标准协议,本文记录密钥管理、配置文件、端口转发等常用功能。</p> <h2 id="1-ssh-配置">1. SSH 配置 </h2><h3 id="11-安装并启动">1.1 安装并启动 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt install openssh-server -y </span></span><span class="line"><span class="cl">sudo systemctl <span class="nb">enable</span> ssh </span></span><span class="line"><span class="cl">sudo systemctl start ssh </span></span></code></pre></td></tr></table> </div> </div><h3 id="12-生成密钥对">1.2 生成密钥对 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 生成密钥</span> </span></span><span class="line"><span class="cl">ssh-keygen </span></span></code></pre></td></tr></table> </div> </div><p>密钥出现在<code>~/.ssh</code>目录下,以<code>.pub</code>结尾的是公钥,需要拷贝到对应的服务器的<code>~/.ssh/authorized_keys</code>文件中,私钥需要保密。</p> <ul> <li> <p><code>~/.ssh</code>目录结构</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">~/.ssh/ </span></span><span class="line"><span class="cl">├── id_ed25519 # 私钥(绝对保密) </span></span><span class="line"><span class="cl">├── id_ed25519.pub # 公钥(可公开,放到服务器) </span></span><span class="line"><span class="cl">├── id_rsa # RSA 私钥 </span></span><span class="line"><span class="cl">├── id_rsa.pub # RSA 公钥 </span></span><span class="line"><span class="cl">├── authorized_keys # 授权的公钥列表(服务器端) </span></span><span class="line"><span class="cl">├── known_hosts # 已知主机 </span></span><span class="line"><span class="cl">├── config # SSH 客户端配置文件 </span></span><span class="line"><span class="cl">├── known_hosts.old # known_hosts 的备份 </span></span><span class="line"><span class="cl">└── *.pem # 其他密钥文件(如 AWS) </span></span></code></pre></td></tr></table> </div> </div></li> </ul> <h2 id="13-ssh-配置文件">1.3 SSH 配置文件 </h2><p><code>~/.ssh/config</code> 文件可以简化 SSH 连接:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 基本格式</span> </span></span><span class="line"><span class="cl">Host alias-name <span class="c1"># 别名</span> </span></span><span class="line"><span class="cl"> HostName server.example.com <span class="c1"># ip地址或域名</span> </span></span><span class="line"><span class="cl"> User username <span class="c1"># 登录用户名</span> </span></span><span class="line"><span class="cl"> Port <span class="m">22</span> <span class="c1"># 端口号,默认22</span> </span></span><span class="line"><span class="cl"> IdentityFile ~/.ssh/mykey <span class="c1"># 私钥路径, 默认是~/.ssh/id_rsa或id_ed25519</span> </span></span></code></pre></td></tr></table> </div> </div><p>配置别名后可以直接使用别名连接:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 配置后可直接用别名连接</span> </span></span><span class="line"><span class="cl">ssh alias-name </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 等价于</span> </span></span><span class="line"><span class="cl">ssh -p <span class="m">22</span> username@server.example.com -i ~/.ssh/mykey </span></span></code></pre></td></tr></table> </div> </div><ul> <li>跳板机配置,ssh可以通过跳板机连接内网服务器,使用情况:跳板机可以外网访问,内网服务器只能被跳板机访问。此时可以在ssh配置文件中配置跳板机为<code>ProxyJump</code>,如:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> Host jump-host </span></span><span class="line"><span class="cl"> HostName jump.example.com </span></span><span class="line"><span class="cl"> User jumpuser </span></span><span class="line"><span class="cl"> IdentityFile ~/.ssh/jump_key </span></span><span class="line"><span class="cl"> Host internal-server </span></span><span class="line"><span class="cl"> HostName internal.example.com </span></span><span class="line"><span class="cl"> User internaluser </span></span><span class="line"><span class="cl"> IdentityFile ~/.ssh/internal_key </span></span><span class="line"><span class="cl"> ProxyJump jump-host <span class="c1"># 通过jump-host跳转连接internal-server</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="14-密钥权限设置">1.4 密钥权限设置 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 私钥权限必须是 600</span> </span></span><span class="line"><span class="cl">chmod <span class="m">600</span> ~/.ssh/id_ed25519 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 公钥权限</span> </span></span><span class="line"><span class="cl">chmod <span class="m">644</span> ~/.ssh/id_ed25519.pub </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># .ssh 目录权限</span> </span></span><span class="line"><span class="cl">chmod <span class="m">700</span> ~/.ssh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># authorized_keys 权限</span> </span></span><span class="line"><span class="cl">chmod <span class="m">600</span> ~/.ssh/authorized_keys </span></span></code></pre></td></tr></table> </div> </div><h2 id="2-ssh-端口转发">2. SSH 端口转发 </h2><h3 id="21-本地端口转发-local-forward">2.1 本地端口转发 (Local Forward) </h3><p>将远程服务的端口映射到本地端口:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 基本格式</span> </span></span><span class="line"><span class="cl">ssh -L 本地端口:目标主机:目标端口 user@server </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 配置别名后</span> </span></span><span class="line"><span class="cl">ssh -L 本地端口:目标主机:目标端口 alias-name </span></span></code></pre></td></tr></table> </div> </div><h3 id="22-远程端口转发-remote-forward">2.2 远程端口转发 (Remote Forward) </h3><p>将本地服务的端口暴露到远程服务器端口:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 基本格式</span> </span></span><span class="line"><span class="cl">ssh -R 远程端口:本地主机:本地端口 user@server </span></span><span class="line"><span class="cl"><span class="c1"># 配置别名后</span> </span></span><span class="line"><span class="cl">ssh -R 远程端口:本地主机:本地端口 alias-name </span></span></code></pre></td></tr></table> </div> </div><h3 id="23-动态端口转发-socks-代理">2.3 动态端口转发 (SOCKS 代理) </h3><p>创建本地 SOCKS 代理,所有流量通过服务器转发:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 创建 SOCKS5 代理</span> </span></span><span class="line"><span class="cl">ssh -D <span class="m">1080</span> user@server </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 设置代理,让流量通过服务器转发</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">all_proxy</span><span class="o">=</span><span class="s2">&#34;socks5://127.0.0.1:1080&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="24-端口转发汇总">2.4 端口转发汇总 </h3><table> <thead> <tr> <th>类型</th> <th>参数</th> <th>场景</th> </tr> </thead> <tbody> <tr> <td>本地转发</td> <td><code>-L</code></td> <td>访问远程服务端口</td> </tr> <tr> <td>远程转发</td> <td><code>-R</code></td> <td>将本地服务端口暴露给远程</td> </tr> <tr> <td>动态转发</td> <td><code>-D</code></td> <td>创建代理,流量全部走服务器</td> </tr> </tbody> </table> <hr> <h2 id="3-参考链接">3. 参考链接 </h2><ul> <li><a class="link" href="https://www.openbsd.org/openssh/manuals.html" target="_blank" rel="noopener" >SSH 官方文档</a></li> <li><a class="link" href="https://linux.die.net/man/5/ssh_config" target="_blank" rel="noopener" >SSH 配置文件详解</a></li> <li><a class="link" href="https://www.ssh.com/academy/ssh/tunneling/example" target="_blank" rel="noopener" >SSH 端口转发详解</a></li> </ul>