ssh - Secure Shell Remote Access
Comprehensive SSH commands for secure remote access, tunneling, and system administration across all platforms.
Basic Connection
| Command | Description |
| --- | --- |
| `ssh user@hostname` | Connect to remote host |
| `ssh user@192.168.1.100` | Connect using IP address |
| `ssh -p 2222 user@hostname` | Connect to custom port |
| `ssh hostname` | Connect with current username |
Connection Options
| Command | Description |
| --- | --- |
| `ssh -v user@hostname` | Verbose output for debugging |
| `ssh -vv user@hostname` | More verbose output |
| `ssh -vvv user@hostname` | Maximum verbosity |
| `ssh -q user@hostname` | Quiet mode (suppress warnings) |
Authentication Methods
Password Authentication
```bash
# Standard password login
ssh user@hostname

# Force password authentication
ssh -o PreferredAuthentications=password user@hostname

# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname
```
Key-Based Authentication
```bash
# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com"  # Modern, secure

# Copy public key to remote server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

# Manual key installation
cat ~/.ssh/id_rsa.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```
Key Management
| Command | Description |
| --- | --- |
| `ssh-keygen -t ed25519` | Generate Ed25519 key (recommended) |
| `ssh-keygen -t rsa -b 4096` | Generate 4096-bit RSA key |
| `ssh-keygen -f ~/.ssh/custom_key` | Generate key with custom name |
| `ssh-add ~/.ssh/private_key` | Add key to SSH agent |
| `ssh-add -l` | List loaded keys |
| `ssh-add -D` | Remove all keys from agent |
Configuration
SSH Client Config (~/.ssh/config)
```bash
# Global defaults
# (ssh keeps the first value it finds for each option, so host-specific
# blocks that must override these belong above "Host *")
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes

# Specific host configuration
Host myserver
    HostName server.example.com
    User myusername
    Port 2222
    IdentityFile ~/.ssh/myserver_key
    ForwardAgent yes

# Jump host configuration
Host target
    HostName 192.168.1.100
    User admin
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User jumpuser
```
Common Configuration Options
| Option | Description | Example |
| --- | --- | --- |
| `HostName` | Real hostname or IP | `HostName server.example.com` |
| `User` | Username for connection | `User admin` |
| `Port` | SSH port number | `Port 2222` |
| `IdentityFile` | Private key file | `IdentityFile ~/.ssh/id_rsa` |
| `ForwardAgent` | Enable agent forwarding | `ForwardAgent yes` |
| `Compression` | Enable compression | `Compression yes` |
Port Forwarding and Tunneling
Local Port Forwarding
```bash
# Forward local port to remote service
ssh -L 8080:localhost:80 user@hostname

# Forward to different remote host
ssh -L 3306:database.internal:3306 user@gateway

# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname
```
Remote Port Forwarding
```bash
# Forward remote port to local service
ssh -R 8080:localhost:3000 user@hostname

# Allow remote connections to forwarded port
# (only takes effect if the server's sshd_config sets GatewayPorts to yes or clientspecified)
ssh -R 0.0.0.0:8080:localhost:3000 user@hostname
```
Dynamic Port Forwarding (SOCKS Proxy)
```bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@hostname

# Use with applications
# Configure browser to use SOCKS proxy: localhost:1080
```
X11 Forwarding
```bash
# Enable X11 forwarding for GUI applications
ssh -X user@hostname

# Trusted X11 forwarding
ssh -Y user@hostname

# Run GUI application
ssh -X user@hostname firefox
```
File Transfer Integration
SCP Integration
```bash
# Copy file to remote host
scp file.txt user@hostname:/path/to/destination/

# Copy from remote host
scp user@hostname:/path/to/file.txt ./

# Recursive copy
scp -r directory/ user@hostname:/path/to/destination/
```
SFTP Integration
```bash
# Start SFTP session
sftp user@hostname

# SFTP with custom port
sftp -P 2222 user@hostname
```
Advanced Features
Jump Hosts and Bastion Servers
```bash
# Connect through jump host
ssh -J jumphost user@target

# Multiple jump hosts
ssh -J jump1,jump2 user@target

# Using ProxyCommand
ssh -o ProxyCommand="ssh -W %h:%p jumphost" user@target
```
SSH Agent and Key Management
```bash
# Start SSH agent
eval "$(ssh-agent)"

# Add key to agent
ssh-add ~/.ssh/id_rsa

# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa

# List agent keys
ssh-add -l

# Remove specific key
ssh-add -d ~/.ssh/id_rsa

# Remove all keys
ssh-add -D
```
Connection Multiplexing
```bash
# Enable connection sharing in ~/.ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

# Create socket directory (run in the shell)
mkdir -p ~/.ssh/sockets
```
Security and Hardening
Secure Connection Options
```bash
# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname

# Use specific key only
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@hostname

# Disable host key checking (development only: the server's identity is no longer verified)
ssh -o StrictHostKeyChecking=no user@hostname

# Use specific cipher
ssh -c aes256-ctr user@hostname
```
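Host Key Verification
```bash
# Check host key fingerprint (run on the server)
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

# Remove host key from known_hosts
ssh-keygen -R hostname

# Add host key manually
# (ssh-keyscan does not authenticate the host; compare the fingerprint with the server's before trusting it)
ssh-keyscan hostname >> ~/.ssh/known_hosts
```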
Certificate-Based Authentication
```bash
# Generate user certificate (writes user_key-cert.pub)
ssh-keygen -s ca_key -I user_id -n username user_key.pub

# Use certificate for authentication (the matching private key must be supplied as well)
ssh -o CertificateFile=user_key-cert.pub -i user_key user@hostname
```
Troubleshooting
Connection Issues
```bash
# Debug connection problems
ssh -vvv user@hostname

# Test specific authentication method
ssh -o PreferredAuthentications=publickey user@hostname

# Check SSH service status
systemctl status ssh   # Linux
service ssh status     # Linux (older)
```
Common Problems and Solutions
| Problem | Symptoms | Solution |
| --- | --- | --- |
| Permission denied | Authentication fails | Check key permissions (600 for private key) |
| Connection timeout | No response | Check firewall, network connectivity |
| Host key verification failed | Key mismatch warning | Update known_hosts or verify host identity |
| Agent forwarding not working | Keys not available on remote | Enable ForwardAgent in config |
Key Permission Issues
```bash
# Fix SSH key permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config
```
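To find out which files actually deviate from the modes above before changing anything, the following added example (not part of the original cheat sheet) reports every path in an SSH directory whose mode grants more than the listed value. The function names are this example's own, and it assumes GNU `stat` as found on Linux.

```bash
#!/bin/sh
# Added example (not from the original page): report ~/.ssh permission problems
# instead of changing modes blindly. Function names are this example's own.
# Assumes GNU stat (Linux); on macOS/BSD use `stat -f %Lp` in place of `stat -c %a`.

# check_mode PATH ALLOWED: print a finding if PATH has mode bits beyond ALLOWED.
check_mode() {
    cm_mode=$(stat -c %a "$1") || return 0
    if [ $(( 0$cm_mode & ~0$2 & 07777 )) -ne 0 ]; then
        echo "$1: mode $cm_mode exceeds $2"
        return 1
    fi
    return 0
}

# audit_ssh_dir [DIR]: check DIR and each regular file in it; returns 1 on any finding.
audit_ssh_dir() {
    asd_dir=${1:-$HOME/.ssh}
    asd_rc=0
    check_mode "$asd_dir" 700 || asd_rc=1
    for asd_f in "$asd_dir"/*; do
        [ -f "$asd_f" ] || continue
        if head -n 1 "$asd_f" | grep -q 'PRIVATE KEY'; then
            check_mode "$asd_f" 600 || asd_rc=1    # private key, whatever its file name
        elif [ "${asd_f##*/}" = config ]; then
            check_mode "$asd_f" 600 || asd_rc=1
        else
            check_mode "$asd_f" 644 || asd_rc=1    # public keys, authorized_keys, known_hosts
        fi
    done
    return $asd_rc
}
```

Run `audit_ssh_dir` with no argument to check `~/.ssh`; private keys are recognised by their first line, so keys with custom names are covered too.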
Automation and Scripting
Non-Interactive SSH
```bash
# Run single command
ssh user@hostname "ls -la /var/log"

# Run multiple commands
ssh user@hostname "cd /var/log && tail -f syslog"

# Execute local script on remote host
ssh user@hostname 'bash -s' < local_script.sh

# Execute with sudo
ssh user@hostname "sudo systemctl restart nginx"
```
Batch Operations
```bash
#!/bin/bash
# Deploy to multiple servers
servers=("web1.example.com" "web2.example.com" "web3.example.com")

for server in "${servers[@]}"; do
    echo "Deploying to $server"
    ssh "user@$server" "cd /var/www && git pull origin main"
    ssh "user@$server" "sudo systemctl restart nginx"
done
```
SSH with Expect (Password Automation)
```bash
#!/usr/bin/expect
# The password is stored in plain text in this script; restrict the file's permissions
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interact
```
Performance Optimization
Compression and Speed
```bash
# Enable compression
ssh -C user@hostname

# Disable compression for fast networks
ssh -o Compression=no user@hostname

# Use faster cipher for trusted networks
# (arcfour/RC4 was removed in OpenSSH 7.6; `ssh -Q cipher` lists what your client supports)
ssh -c aes128-gcm@openssh.com user@hostname
```
Connection Persistence
```bash
# Keep connection alive
ssh -o ServerAliveInterval=60 user@hostname

# Persistent connection in background
ssh -f -N -L 8080:localhost:80 user@hostname
```
Platform-Specific Considerations
Windows (OpenSSH)
```powershell
# Windows OpenSSH client
ssh user@hostname

# Windows SSH config location
# %USERPROFILE%\.ssh\config

# Start SSH agent on Windows
Start-Service ssh-agent
ssh-add $env:USERPROFILE\.ssh\id_rsa
```
macOS Keychain Integration
```bash
# Add key to macOS keychain
ssh-add --apple-use-keychain ~/.ssh/id_rsa

# Configure automatic keychain loading (add to ~/.ssh/config)
Host *
    AddKeysToAgent yes
    UseKeychain yes
```
Best Practices
Security
- **Use Key Authentication**: Disable password authentication
- **Strong Keys**: Use Ed25519 or 4096-bit RSA keys
- **Key Rotation**: Regularly rotate SSH keys
- **Principle of Least Privilege**: Limit user access
- **Monitor Access**: Log and monitor SSH connections
Configuration Management
- **Centralized Config**: Use ~/.ssh/config for common settings
- **Host Aliases**: Create meaningful host aliases
- **Connection Multiplexing**: Reuse connections for efficiency
- **Agent Forwarding**: Use cautiously, only when needed
- **Documentation**: Document custom configurations
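The following added example (not part of the original cheat sheet) audits a client config for two settings this page asks you to treat with care: `ForwardAgent yes` applied to every host through `Host *`, and `StrictHostKeyChecking no`. The function names and the sample config are constructed for illustration, and the check reads `Host` blocks only; it does not follow `Include` or `Match`.

```bash
#!/bin/sh
# Added example (not from the original page). Function names are this example's own.

# audit_ssh_config [FILE|-]: print "line: Host pattern: finding"; returns 1 on any finding.
audit_ssh_config() {
    awk '
    BEGIN { host = "*" }                    # options before the first Host line apply to all hosts
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")           # accept "Key=Value" as well as "Key Value"
        key = tolower($1); val = tolower($2)
    }
    key == "host" {
        host = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", host); next
    }
    key == "forwardagent" && val == "yes" && (" " host " ") ~ / \* / {
        printf "%d: Host %s: ForwardAgent yes exposes the agent to every host\n", NR, host
        bad = 1
    }
    key == "stricthostkeychecking" && val == "no" {
        printf "%d: Host %s: StrictHostKeyChecking no skips host key verification\n", NR, host
        bad = 1
    }
    END { exit bad + 0 }
    ' "${1:-$HOME/.ssh/config}"
}

# Constructed sample config: only the Host * and devbox blocks should be reported.
sample_config() {
    cat <<'EOF'
Host *
    ForwardAgent yes
    ServerAliveInterval 60

Host myserver
    HostName server.example.com
    ForwardAgent yes

Host devbox
    StrictHostKeyChecking=no
EOF
}

# Usage: sample_config | audit_ssh_config -      (or: audit_ssh_config ~/.ssh/config)
```

Agent forwarding scoped to a single named host, as in the `myserver` block, is not reported; the finding is the wildcard scope.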
Operations
- **Backup Keys**: Securely back up private keys
- **Test Connections**: Regularly test SSH access
- **Update Software**: Keep SSH client/server updated
- **Monitor Logs**: Watch for suspicious activity
- **Emergency Access**: Maintain alternative access methods