
ssh - Secure Shell Remote Access

Comprehensive SSH commands for secure remote access, tunneling, and system administration across all platforms.

Basic Connection

Simple Connection

Command                      Description
ssh user@hostname            Connect to remote host
ssh user@192.168.1.100       Connect using IP address
ssh -p 2222 user@hostname    Connect to custom port
ssh hostname                 Connect with current username

Connection Options

Command                 Description
ssh -v user@hostname    Verbose output for debugging
ssh -vv user@hostname   More verbose output
ssh -vvv user@hostname  Maximum verbosity
ssh -q user@hostname    Quiet mode (suppress warnings)

Authentication Methods

Password Authentication

# Standard password login
ssh user@hostname

# Force password authentication
ssh -o PreferredAuthentications=password user@hostname

# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname

Key-Based Authentication

# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com"  # Modern, secure

# Copy public key to remote server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

# Manual key installation
cat ~/.ssh/id_rsa.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Key Management

Command                          Description
ssh-keygen -t ed25519            Generate Ed25519 key (recommended)
ssh-keygen -t rsa -b 4096        Generate 4096-bit RSA key
ssh-keygen -f ~/.ssh/custom_key  Generate key with custom name
ssh-add ~/.ssh/private_key       Add key to SSH agent
ssh-add -l                       List loaded keys
ssh-add -D                       Remove all keys from agent

Configuration

SSH Client Config (~/.ssh/config)

# Global defaults
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes

# Specific host configuration
Host myserver
    HostName server.example.com
    User myusername
    Port 2222
    IdentityFile ~/.ssh/myserver_key
    ForwardAgent yes

# Jump host configuration
Host target
    HostName 192.168.1.100
    User admin
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User jumpuser

Common Configuration Options

Option        Description              Example
HostName      Real hostname or IP      HostName server.example.com
User          Username for connection  User admin
Port          SSH port number          Port 2222
IdentityFile  Private key file         IdentityFile ~/.ssh/id_rsa
ForwardAgent  Enable agent forwarding  ForwardAgent yes
Compression   Enable compression       Compression yes

Port Forwarding and Tunneling

Local Port Forwarding

# Forward local port to remote service
ssh -L 8080:localhost:80 user@hostname

# Forward to different remote host
ssh -L 3306:database.internal:3306 user@gateway

# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname

Remote Port Forwarding

# Forward remote port to local service
ssh -R 8080:localhost:3000 user@hostname

# Allow remote connections to forwarded port
# (binding to 0.0.0.0 needs GatewayPorts yes or clientspecified in the server's sshd_config)
ssh -R 0.0.0.0:8080:localhost:3000 user@hostname

Dynamic Port Forwarding (SOCKS Proxy)

# Create SOCKS proxy on local port 1080
ssh -D 1080 user@hostname

# Use with applications
# Configure browser to use SOCKS proxy: localhost:1080

X11 Forwarding

# Enable X11 forwarding for GUI applications
ssh -X user@hostname

# Trusted X11 forwarding
ssh -Y user@hostname

# Run GUI application
ssh -X user@hostname firefox

File Transfer Integration

SCP Integration

# Copy file to remote host
scp file.txt user@hostname:/path/to/destination/

# Copy from remote host
scp user@hostname:/path/to/file.txt ./

# Recursive copy
scp -r directory/ user@hostname:/path/to/destination/

SFTP Integration

# Start SFTP session
sftp user@hostname

# SFTP with custom port
sftp -P 2222 user@hostname

Advanced Features

Jump Hosts and Bastion Servers

# Connect through jump host
ssh -J jumphost user@target

# Multiple jump hosts
ssh -J jump1,jump2 user@target

# Using ProxyCommand
ssh -o ProxyCommand="ssh -W %h:%p jumphost" user@target

SSH Agent and Key Management

# Start SSH agent
eval "$(ssh-agent -s)"

# Add key to agent
ssh-add ~/.ssh/id_rsa

# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa

# List agent keys
ssh-add -l

# Remove specific key
ssh-add -d ~/.ssh/id_rsa

# Remove all keys
ssh-add -D

Connection Multiplexing

# Enable connection sharing in ~/.ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

# Create socket directory
mkdir -p ~/.ssh/sockets

Security and Hardening

Secure Connection Options

# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname

# Use specific key only
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@hostname

# Disable host key checking (development only)
ssh -o StrictHostKeyChecking=no user@hostname

# Use specific cipher
ssh -c aes256-ctr user@hostname
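
The options above, and ForwardAgent from the client config section, are easy to leave behind in ~/.ssh/config. The following is an added example, not part of the original cheat sheet: a small audit that flags those settings per Host block. The function name `audit_ssh_config`, the rule set and the severity labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit an ssh client config for options this page warns about.
# Rules and messages are illustrative assumptions, not an OpenSSH feature.
# Prints one finding per line and returns 1 if anything was flagged.
audit_ssh_config() {
    awk '
    function flag(sev, msg) {
        printf "%s:%d: %s [Host %s] %s\n", FILENAME, FNR, sev, host, msg
        found++
    }
    BEGIN { host = "(global)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")          # accept "Key=value" as well as "Key value"
        key = tolower($1); val = tolower($2)
    }
    # Remember which Host block the following options belong to
    key == "host" { host = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", host); next }
    key == "forwardagent" && val == "yes" {
        if (index(host, "*") || host == "(global)")
            flag("HIGH", "agent is forwarded to every matching host")
        else
            flag("WARN", "agent is usable by root on this host; prefer ProxyJump")
    }
    key == "stricthostkeychecking" && (val == "no" || val == "off") {
        flag("HIGH", "new or changed host keys do not block the connection")
    }
    key == "forwardx11trusted" && val == "yes" {
        flag("WARN", "remote X11 clients get full access to the local display")
    }
    key == "ciphers" && val ~ /arcfour|3des|-cbc/ {
        flag("HIGH", "legacy cipher requested: " $2)
    }
    END { exit (found > 0) }
    ' "$1"
}
```

Run it as `audit_ssh_config ~/.ssh/config`; a non-zero exit status makes it usable as a pre-commit or login-time check.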

Key Verification

# Check host key fingerprint
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

# Remove host key from known_hosts
ssh-keygen -R hostname

# Add host key manually
ssh-keyscan hostname >> ~/.ssh/known_hosts
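
Appending ssh-keyscan output directly trusts whatever key the network returned. The following is an added example, not part of the original cheat sheet: it appends a scanned key to known_hosts only when its fingerprint equals one obtained out of band (for instance from `ssh-keygen -l -f` run on the server console). The function name `add_verified_host_key` and the file names are assumptions.

```shell
#!/bin/sh
# Added example: pin a host key only if its fingerprint matches a trusted value.
# add_verified_host_key SCAN_FILE EXPECTED_FP KNOWN_HOSTS
#   SCAN_FILE    saved output of: ssh-keyscan -t ed25519 hostname > scan.txt
#   EXPECTED_FP  "SHA256:..." string obtained out of band
#   KNOWN_HOSTS  file to append to, normally ~/.ssh/known_hosts
add_verified_host_key() {
    scan=$1 expected=$2 known=$3
    added=0
    while IFS= read -r line; do
        # Ignore blank lines and comments in the scan output
        case $line in ''|'#'*) continue ;; esac
        # ssh-keygen -lf - prints "<bits> <fingerprint> <host> (<type>)"
        fp=$(printf '%s\n' "$line" | ssh-keygen -lf - 2>/dev/null | awk '{print $2}')
        if [ -n "$fp" ] && [ "$fp" = "$expected" ]; then
            printf '%s\n' "$line" >> "$known"
            added=$((added + 1))
        fi
    done < "$scan"
    if [ "$added" -eq 0 ]; then
        echo "no scanned key matches $expected; nothing added" >&2
        return 1
    fi
}
```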

Certificate-Based Authentication

# Generate user certificate
ssh-keygen -s ca_key -I user_id -n username user_key.pub

# Use certificate for authentication (the matching private key is still required)
ssh -i user_key -o CertificateFile=user_key-cert.pub user@hostname

Troubleshooting

Connection Issues

# Debug connection problems
ssh -vvv user@hostname

# Test specific authentication method
ssh -o PreferredAuthentications=publickey user@hostname

# Check SSH service status
systemctl status ssh  # Linux
service ssh status    # Linux (older)

Common Problems and Solutions

Problem                       Symptoms                      Solution
Permission denied             Authentication fails          Check key permissions (600 for private key)
Connection timeout            No response                   Check firewall, network connectivity
Host key verification failed  Key mismatch warning          Update known_hosts or verify host identity
Agent forwarding not working  Keys not available on remote  Enable ForwardAgent in config

Key Permission Issues

# Fix SSH key permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config

Automation and Scripting

Non-Interactive SSH

# Run single command
ssh user@hostname "ls -la /var/log"

# Run multiple commands
ssh user@hostname "cd /var/log && tail -f syslog"

# Execute local script on remote host
ssh user@hostname 'bash -s' < local_script.sh

# Execute with sudo
ssh user@hostname "sudo systemctl restart nginx"

Batch Operations

#!/bin/bash
# Deploy to multiple servers

servers=("web1.example.com" "web2.example.com" "web3.example.com")

for server in "${servers[@]}"; do
    echo "Deploying to $server"
    ssh "user@$server" "cd /var/www && git pull origin main"
    ssh "user@$server" "sudo systemctl restart nginx"
done

SSH with Expect (Password Automation)

#!/usr/bin/expect
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interact

Performance Optimization

Compression and Speed

# Enable compression
ssh -C user@hostname

# Disable compression for fast networks
ssh -o Compression=no user@hostname

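# Use faster cipher for trusted networks
# (arcfour/RC4 was removed in OpenSSH 7.6; list supported ciphers with: ssh -Q cipher)
ssh -c aes128-gcm@openssh.com user@hostname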

Connection Persistence

# Keep connection alive
ssh -o ServerAliveInterval=60 user@hostname

# Persistent connection in background
ssh -f -N -L 8080:localhost:80 user@hostname

Platform-Specific Considerations

Windows (OpenSSH)

# Windows OpenSSH client
ssh user@hostname

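# Windows SSH config location: %USERPROFILE%\.ssh\config

# Start SSH agent on Windows (elevated PowerShell; the service is disabled by default)
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent
ssh-add $env:USERPROFILE\.ssh\id_rsa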

macOS Keychain Integration

# Add key to macOS keychain
ssh-add --apple-use-keychain ~/.ssh/id_rsa

# Configure automatic keychain loading
Host *
    AddKeysToAgent yes
    UseKeychain yes

Best Practices

Security

  1. Use Key Authentication: Disable password authentication
  2. Strong Keys: Use Ed25519 or 4096-bit RSA keys
  3. Key Rotation: Rotate keys regularly
  4. Principle of Least Privilege: Limit user access
  5. Monitor Access: Log and monitor SSH connections

Configuration Management

  1. Centralized Config: Use ~/.ssh/config for common settings
  2. Host Aliases: Create meaningful host aliases
  3. Connection Multiplexing: Reuse connections for efficiency
  4. Agent Forwarding: Use carefully, only when necessary
  5. Documentation: Document custom configurations

Operations

  1. Backup Keys: Back up private keys
  2. Test Connections: Regularly test SSH access
  3. Update Software: Keep the SSH client/server up to date
  4. Monitor Logs: Watch for suspicious activity
  5. Emergency Access: Maintain alternative access methods