ssh config & X11 & jump-machine

ssh config常见设置

Host node5
  HostName node5.xydustc.me   #或者ip
  IdentityFile ~/.ssh/id_rsa  #windows： "C:\Users\Administrator\.ssh\id_rsa"
  IdentitiesOnly yes          #IdentitiesOnly指定ssh只能使用配置文件指定的identity和certificate文件或通过ssh命令行通过身份验证，即使ssh-agent或PKCS11Provider提供了多个identities。
  User shaojiemike
  Port 22
  ProxyCommand E:\\commonSoftware\\Git\\mingw64\\bin\\connect.exe -S 127.0.0.1:7890 -a none %h %p
  # 注意ProxyCommand不能写全局，会代理其他ssh。出现ctrl-c会中断ssh连接之类的错误

Host *
   ForwardAgent yes     #是否将本地SSH代理转发到远程主机。如果设置为“yes”，则可以在远程主机上使用本地SSH代理，而无需在远程主机上设置新的SSH连接。
   AddKeysToAgent yes   #是否将私钥添加到ssh-agent中。如果设置为“yes”，则在使用ssh连接时，ssh客户端会自动将私钥添加到ssh-agent中。
   ForwardX11 yes
   ForwardX11Trusted yes
   Compression yes
   TCPKeepAlive=yes
   ServerAliveInterval 60 # Client每隔 60 秒发送一次请求给 Server，然后 Server响应，从而保持连接
   ServerAliveCountMax 3 # Client发出请求后，服务器端没有响应得次数达到3，就自动断开连接，正常情况下，Server 不会不响应 

更安全但是更简单的加密 ed25519

Use new way

The error message “userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]” indicates that the SSH server is configured to accept specific public key algorithms, and the client attempted to use the “ssh-rsa” algorithm, which is not included in the accepted algorithms list.

To resolve this issue, you have a few options:

1. Update SSH Key Algorithm:
   If you are generating a new key pair, consider using a more secure algorithm such as Ed25519 instead of the older RSA algorithm.

   ssh-keygen -t ed25519 -f /path/to/output/keyfile -C "Your Comment Here"

2. Update Server Configuration:
   If you don’t have control over the client’s key type, you may need to update the server’s SSH configuration to include support for the “ssh-rsa” algorithm. Open the SSH server configuration file (usually located at /etc/ssh/sshd_config), and add or modify the following line:

   PubkeyAcceptedAlgorithms +ssh-rsa

   After making the change, restart the SSH server.

   sudo service ssh restart

   Note: Adding “ssh-rsa” might reduce the security of your SSH server, as RSA is considered less secure than some newer algorithms.

3. Check Key Types:
   Ensure that you are using the correct key type when attempting to authenticate. If you are using an existing key, make sure it’s the right type (e.g., Ed25519) and not RSA.

Choose the option that best fits your security requirements and constraints. If possible, it’s generally recommended to use more modern and secure key algorithms like Ed25519 over older ones like RSA.

查看 ssh 日志

sudo journalctl -u ssh --since "yesterday" |less

X11 forward GUI

windows use mobaxterm, mac use xquartz + iterms

ssh -Y [email protected]

跳板机

目的

在管理外网服务器时，出于安全等因素的考虑，我们一般不会把所有服务器都设置成可ssh直连，而是会从中挑选出一台机器作为跳板机，当我们想要连接外网服务器时，我们要先通过ssh登录到跳板机，再从跳板机登录到目标服务器。

密钥认证

1. 开启ssh-agent，然后将我们的private key添加到ssh-agent中。

$ eval $(ssh-agent)
Agent pid 8350
$ ssh-add
Identity added: /home/yt/.ssh/id_rsa (yt@arch)
Identity added: /home/yt/.ssh/id_ed25519 (yt@arch)

2. ssh登录到跳板机（不过此次加上了-A参数，表示开启agent forwarding）。

ssh -A [email protected]

或者直接

ssh -J [email protected] [email protected]

这条命令将会首先连接到 [email protected] 的跳板机，然后再通过跳板机连接到 [email protected] 的目标服务器。

scp传递数据

scp -J [email protected] [email protected]:/path/to/source/file /path/to/destination/file

这个命令将会通过 [email protected] 的跳板机从源文件 /path/to/source/file 复制数据到 [email protected] 的目标文件 /path/to/destination/file。

config配置

Host <name>
    HostName 127.0.0.1 #是不是写错了??不是目标ip吗？
    User <user>
    Port <port>
    ProxyCommand ssh <cloud-user>@<cloud-host> -W %h:%p

//example
Host xunfei-V100
   HostName 172.31.97.164
   User root
   ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe node1 netcat -w 120 %h %p

如何判断当前ssh没用跳板机

check is ssh use direct connect not use jump host

基于跳板机的x11转发

google check ssh gui x11 use jump host

https://www.ibm.com/support/pages/how-forward-x11-client-through-jump-host-back-pc-x-emulator

1. server side
   1. /etc/ssh/sshd_config
      1. X11Forwarding yes
      2. X11UseForwarding yes
   2. install xauth
      1. environment variables on the server. DISPLAY and XAUTHORITY will automatically be set to their proper values.
      2. if DISPLAY is not set, it means ssh is not forwarding the X11 connection.
2. client side
   1. ForwardX11 yes in ~/.ssh/config
      1. X11UseLocalhost yes
   2. ssh -v -X name@ip # -v for debug

使用跳板机转发 vscode

vlab 能正常登录的情况下ssh -i D:\\PowerShell\\vlab-vm7096.pem [email protected]

有两种设置ssh config设置方法

Host jumpSnode6Ipv4W
  Hostname 202.38.72.23
  User shaojiemike
  Port 22
  ProxyCommand C:\\Windows\\System32\\OpenSSH\\ssh.exe -W %h:%p -i D:\\PowerShell\\vlab-vm7096.pem ubuntu@vlab.ustc.edu.cn

Host jumpSnode6Ipv4
  Hostname 202.38.72.23
  User shaojiemike
  Port 22
  ProxyCommand C:\\Windows\\System32\\OpenSSH\\ssh.exe -i D:\\PowerShell\\vlab-vm7096.pem ubuntu@vlab.ustc.edu.cn netcat -w 120 %h %p

参考文献

https://cloud.tencent.com/developer/article/1501977