ssh - Secure Shell Remote Access
Comprehensive SSH commands for secure remote access, tunneling, and system administration on all platforms.
Basic Connection
Command | Description |
---|---|
`ssh user@hostname` | Connect to remote host |
`ssh user@192.168.1.100` | Connect using IP address |
`ssh -p 2222 user@hostname` | Connect to custom port |
`ssh hostname` | Connect with current username |
Connection Options
Command | Description |
---|---|
`ssh -v user@hostname` | Verbose output for debugging |
`ssh -vv user@hostname` | More verbose output |
`ssh -vvv user@hostname` | Maximum verbosity |
`ssh -q user@hostname` | Quiet mode (suppress warnings) |
Authentication Methods
Password Authentication
```bash
# Standard password login
ssh user@hostname

# Force password authentication
ssh -o PreferredAuthentications=password user@hostname

# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname
```
Key-Based Authentication
```bash
# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com"  # Modern, secure

# Copy public key to remote server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

# Manual key installation
cat ~/.ssh/id_rsa.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```
Key Management
Command | Description |
---|---|
`ssh-keygen -t ed25519` | Generate Ed25519 key (recommended) |
`ssh-keygen -t rsa -b 4096` | Generate 4096-bit RSA key |
`ssh-keygen -f ~/.ssh/custom_key` | Generate key with custom name |
`ssh-add ~/.ssh/private_key` | Add key to SSH agent |
`ssh-add -l` | List loaded keys |
`ssh-add -D` | Remove all keys from agent |
Configuration
SSH Client Config (~/.ssh/config)
```bash
# Global defaults
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes

# Specific host configuration
Host myserver
    HostName server.example.com
    User myusername
    Port 2222
    IdentityFile ~/.ssh/myserver_key
    ForwardAgent yes

# Jump host configuration
Host target
    HostName 192.168.1.100
    User admin
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User jumpuser
```
Common Configuration Options
Option | Description | Example |
---|---|---|
`HostName` | Real hostname or IP | `HostName server.example.com` |
`User` | Username for connection | `User admin` |
`Port` | SSH port number | `Port 2222` |
`IdentityFile` | Private key file | `IdentityFile ~/.ssh/id_rsa` |
`ForwardAgent` | Enable agent forwarding | `ForwardAgent yes` |
`Compression` | Enable compression | `Compression yes` |
Port Forwarding and Tunneling
Local Port Forwarding
```bash
# Forward local port to remote service
ssh -L 8080:localhost:80 user@hostname

# Forward to different remote host
ssh -L 3306:database.internal:3306 user@gateway

# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname
```
Remote Port Forwarding
```bash
# Forward remote port to local service
ssh -R 8080:localhost:3000 user@hostname

# Allow remote connections to forwarded port
# (needs GatewayPorts enabled in the server's sshd_config)
ssh -R 0.0.0.0:8080:localhost:3000 user@hostname
```
Dynamic Port Forwarding (SOCKS Proxy)
```bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@hostname

# Use with applications
# Configure browser to use SOCKS proxy: localhost:1080
```
X11 Forwarding
```bash
# Enable X11 forwarding for GUI applications
ssh -X user@hostname

# Trusted X11 forwarding
ssh -Y user@hostname

# Run GUI application
ssh -X user@hostname firefox
```
File Transfer Integration
SCP Integration
```bash
# Copy file to remote host
scp file.txt user@hostname:/path/to/destination/

# Copy from remote host
scp user@hostname:/path/to/file.txt ./

# Recursive copy
scp -r directory/ user@hostname:/path/to/destination/
```
SFTP Integration
```bash
# Start SFTP session
sftp user@hostname

# SFTP with custom port
sftp -P 2222 user@hostname
```
Advanced Features
Jump Hosts and Bastion Servers
```bash
# Connect through jump host
ssh -J jumphost user@target

# Multiple jump hosts
ssh -J jump1,jump2 user@target

# Using ProxyCommand
ssh -o ProxyCommand="ssh -W %h:%p jumphost" user@target
```
SSH Agent and Key Management
```bash
# Start SSH agent
eval "$(ssh-agent)"

# Add key to agent
ssh-add ~/.ssh/id_rsa

# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa

# List agent keys
ssh-add -l

# Remove specific key
ssh-add -d ~/.ssh/id_rsa

# Remove all keys
ssh-add -D
```
Connection Multiplexing
```bash
# Enable connection sharing in ~/.ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

# Create socket directory
mkdir -p ~/.ssh/sockets
```
Security and Hardening
Secure Connection Options
```bash
# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname

# Use specific key only
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@hostname

# Disable host key checking (development only)
ssh -o StrictHostKeyChecking=no user@hostname

# Use specific cipher
ssh -c aes256-ctr user@hostname
```
Host Key Verification
```bash
# Check host key fingerprint
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

# Remove host key from known_hosts
ssh-keygen -R hostname

# Add host key manually
# (compare the fingerprint with one obtained out of band before trusting it)
ssh-keyscan hostname >> ~/.ssh/known_hosts
```
Certificate-Based Authentication
```bash
# Generate user certificate
ssh-keygen -s ca_key -I user_id -n username user_key.pub

# Use certificate for authentication
ssh -o CertificateFile=user_key-cert.pub user@hostname
```
Troubleshooting
Connection Problems
```bash
# Debug connection problems
ssh -vvv user@hostname

# Test specific authentication method
ssh -o PreferredAuthentications=publickey user@hostname

# Check SSH service status
systemctl status ssh   # Linux
service ssh status     # Linux (older)
```
Common Problems and Solutions
Problem | Symptoms | Solution |
---|---|---|
Permission denied | Authentication fails | Check key permissions (600 for private key) |
Connection timeout | No response | Check firewall, network connectivity |
Host key verification failed | Key mismatch warning | Update known_hosts or verify host identity |
Agent forwarding not working | Keys not available on remote | Enable ForwardAgent in config |
Key Permission Issues
```bash
# Fix SSH key permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config
```
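
A check for the modes listed above, as an added example that is not part of the original cheat sheet. The function names `go_bits` and `audit_ssh_dir` are hypothetical; the script assumes private keys can be recognised by their `PRIVATE KEY` header line and treats every other file as public material that only must not be writable by group or others.

```bash
# go_bits PATH: print the six group/other permission characters, e.g. "r--r--".
go_bits() { ls -ld "$1" | cut -c5-10; }

# audit_ssh_dir DIR: report entries looser than the modes listed above.
# Prints one "LOOSE <path> (<reason>)" line per finding; returns 1 if any.
audit_ssh_dir() {
    dir=$1
    found=0
    # The directory itself must be closed to group and others (700).
    [ "$(go_bits "$dir")" = "------" ] || { echo "LOOSE $dir (expected 700)"; found=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        bits=$(go_bits "$f")
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----' || [ "${f##*/}" = config ]; then
            # Private keys and the client config: no group/other access (600).
            [ "$bits" = "------" ] || { echo "LOOSE $f (expected 600)"; found=1; }
        else
            # Public keys, authorized_keys, known_hosts: readable is fine,
            # writable by group or others is not (644).
            case $bits in
                ?w????|????w?) echo "LOOSE $f (group/world writable)"; found=1 ;;
            esac
        fi
    done
    return "$found"
}

# Usage: audit_ssh_dir "$HOME/.ssh"
```

A non-zero exit status makes the function usable as a gate in a login script or a configuration-management check.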
Automation and Scripting
Non-Interactive SSH
```bash
# Run single command
ssh user@hostname "ls -la /var/log"

# Run multiple commands
ssh user@hostname "cd /var/log && tail -f syslog"

# Execute local script on remote host
ssh user@hostname 'bash -s' < local_script.sh

# Execute with sudo
ssh user@hostname "sudo systemctl restart nginx"
```
Batch Operations
```bash
#!/bin/bash
# Deploy to multiple servers
servers=("web1.example.com" "web2.example.com" "web3.example.com")

for server in "${servers[@]}"; do
    echo "Deploying to $server"
    ssh "user@$server" "cd /var/www && git pull origin main"
    ssh "user@$server" "sudo systemctl restart nginx"
done
```
SSH with Expect (Password Automation)
```bash
#!/usr/bin/expect
# The password sits in plaintext in this script; key-based authentication avoids that
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interact
```
Performance Optimization
Compression and Speed
```bash
# Enable compression
ssh -C user@hostname

# Disable compression for fast networks
ssh -o Compression=no user@hostname

# Use faster cipher for trusted networks
# (arcfour/RC4 was removed in OpenSSH 7.6; list supported ciphers with: ssh -Q cipher)
ssh -c aes128-gcm@openssh.com user@hostname
```
Connection Persistence
```bash
# Keep connection alive
ssh -o ServerAliveInterval=60 user@hostname

# Persistent connection in background
ssh -f -N -L 8080:localhost:80 user@hostname
```
Platform-Specific Considerations
Windows (OpenSSH)
```powershell
# Windows OpenSSH client
ssh user@hostname

# Windows SSH config location
# %USERPROFILE%\.ssh\config

# Start SSH agent on Windows
Start-Service ssh-agent
ssh-add ~/.ssh/id_rsa
```
macOS Keychain Integration
```bash
# Add key to macOS keychain
ssh-add --apple-use-keychain ~/.ssh/id_rsa

# Configure automatic keychain loading (in ~/.ssh/config)
Host *
    AddKeysToAgent yes
    UseKeychain yes
```
Best Practices
Security
- **Use Key Authentication**: Disable password authentication
- **Strong Keys**: Use Ed25519 or 4096-bit RSA keys
- **Key Rotation**: Rotate SSH keys regularly
- **Principle of Least Privilege**: Restrict user access
- **Monitor Access**: Log and monitor SSH connections
Configuration Management
- **Centralized Config**: Use ~/.ssh/config for common settings
- **Host Aliases**: Create aliases for important hosts
- **Connection Multiplexing**: Reuse connections for efficiency
- **Agent Forwarding**: Use cautiously, only when necessary
- **Documentation**: Document custom configurations
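
One way to review a client config for the two settings this page flags as needing care (`ForwardAgent yes` and `StrictHostKeyChecking no`), as an added example that is not part of the original cheat sheet. The function name `lint_ssh_config` and the `(global)` label for options placed before the first `Host` line are assumptions of this sketch.

```bash
# lint_ssh_config FILE: print "<host pattern>: <option>" for each Host block
# that enables agent forwarding or disables host key checking.
# Returns 1 if anything was reported, 0 otherwise.
lint_ssh_config() {
    awk '
        BEGIN { host = "(global)"; found = 0 }
        # ssh_config accepts "Key value" and "Key=value"; normalise both.
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        # Keywords are case-insensitive.
        { key = tolower($1); val = tolower($2) }
        key == "host" {
            host = $0
            sub(/^[^ \t]+[ \t]+/, "", host)   # keep only the pattern list
            next
        }
        key == "forwardagent" && val == "yes" {
            print host ": ForwardAgent yes"; found = 1
        }
        key == "stricthostkeychecking" && (val == "no" || val == "off") {
            print host ": StrictHostKeyChecking " val; found = 1
        }
        END { exit found }
    ' "$1"
}

# Usage: lint_ssh_config ~/.ssh/config
```

A finding under `*` or `(global)` applies to every host the client connects to, which is the case to look at first.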
Operations
- **Backup Keys**: Back up private keys securely
- **Test Connections**: Test SSH access regularly
- **Update Software**: Keep SSH client/server updated
- **Monitor Logs**: Watch for suspicious activity
- **Emergency Access**: Maintain an alternative access method