# SSH - Secure Shell Remote Access
Comprehensive SSH commands for secure remote access, tunneling, and system administration across all platforms.
## Basic Connection
### Simple Connection
|Command|Description|
|---------|-------------|
|`ssh user@hostname`|Connect to remote host|
|`ssh user@192.168.1.100`|Connect using IP address|
|`ssh -p 2222 user@hostname`|Connect to custom port|
|`ssh hostname`|Connect with current username|
### Connection Options
|Command|Description|
|---------|-------------|
|`ssh -v user@hostname`|Verbose output for debugging|
|`ssh -vv user@hostname`|More verbose output|
|`ssh -vvv user@hostname`|Maximum verbosity|
|`ssh -q user@hostname`|Quiet mode (suppress warnings)|
## Authentication Methods
### Password Authentication
```bash
# Standard password login
ssh user@hostname
# Force password authentication
ssh -o PreferredAuthentications=password user@hostname
# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname
```
### Key-based Authentication
```bash
# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com" # Modern, secure
# Copy public key to remote server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
# Manual key installation
cat ~/.ssh/id_rsa.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```
### Key Management
|Command|Description|
|---------|-------------|
|`ssh-keygen -t ed25519`|Generate Ed25519 key (recommended)|
|`ssh-keygen -t rsa -b 4096`|Generate 4096-bit RSA key|
|`ssh-keygen -f ~/.ssh/custom_key`|Generate key with custom name|
|`ssh-add ~/.ssh/private_key`|Add key to SSH agent|
|`ssh-add -l`|List loaded keys|
|`ssh-add -D`|Remove all keys from agent|
## Configuration
### SSH Client Config (~/.ssh/config)
```bash
# Global defaults
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes
# Specific host configuration
Host myserver
    HostName server.example.com
    User myusername
    Port 2222
    IdentityFile ~/.ssh/myserver_key
    # Forward the agent only to hosts you trust: root on that host can use your loaded keys
    ForwardAgent yes
# Jump host configuration
Host target
    HostName 192.168.1.100
    User admin
    ProxyJump jumphost
Host jumphost
    HostName jump.example.com
    User jumpuser
```
### Common Config Options
|Option|Description|Example|
|--------|-------------|---------|
|`HostName`|Real hostname or IP|`HostName server.example.com`|
|`User`|Username for connection|`User admin`|
|`Port`|SSH port number|`Port 2222`|
|`IdentityFile`|Private key file|`IdentityFile ~/.ssh/id_rsa`|
|`ForwardAgent`|Enable agent forwarding|`ForwardAgent yes`|
|`Compression`|Enable compression|`Compression yes`|
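An added example (not from the original cheat sheet): a small linter for a client config like the one above that reports options from this page which weaken security, such as `ForwardAgent yes` and `StrictHostKeyChecking no`. The name `lint_ssh_config` is hypothetical, the sample config is constructed, and `Match` blocks are not handled.

```bash
#!/usr/bin/env bash
# Added example: flag client-config settings that weaken SSH security.
# Prints one "host-pattern: finding" line per issue, nothing if clean.
lint_ssh_config() {
  awk '
    BEGIN { host = "*" }            # options before the first Host apply to all hosts
    /^[ \t]*#/ { next }             # comment
    /^[ \t]*$/ { next }             # blank line
    {
      # ssh_config accepts "Key value" and "Key=value"; keywords are case-insensitive
      line = $0
      sub(/^[ \t]+/, "", line)
      if (!match(line, /[ \t=]+/)) next
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", val)
      lval = tolower(val)
    }
    key == "host" { host = val; next }
    key == "forwardagent" && lval == "yes" {
      print host ": ForwardAgent yes lets root on that host use your loaded keys"
    }
    key == "stricthostkeychecking" && (lval == "no" || lval == "off") {
      print host ": StrictHostKeyChecking " val " trusts unverified host keys"
    }
    key == "userknownhostsfile" && val == "/dev/null" {
      print host ": UserKnownHostsFile /dev/null discards host key pinning"
    }
    key == "forwardx11trusted" && lval == "yes" {
      print host ": ForwardX11Trusted yes gives remote clients full X11 access"
    }
  ' "$1"
}

# Constructed sample config (hypothetical host names), written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host *
    ServerAliveInterval 60
Host myserver
    HostName server.example.com
    ForwardAgent yes
Host lab
    StrictHostKeyChecking=no
EOF
lint_ssh_config "$sample"
rm -f "$sample"
```

Run it against a real file with `lint_ssh_config ~/.ssh/config`; an empty result means none of the four settings were found.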
## Port Forwarding and Tunneling
### Local Port Forwarding
```bash
# Forward local port to remote service
ssh -L 8080:localhost:80 user@hostname
# Forward to different remote host
ssh -L 3306:database.internal:3306 user@gateway
# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname
```
### Remote Port Forwarding
```bash
# Forward remote port to local service
ssh -R 8080:localhost:3000 user@hostname
# Allow remote connections to forwarded port (requires GatewayPorts on the server)
ssh -R 0.0.0.0:8080:localhost:3000 user@hostname
```
### Dynamic Port Forwarding (SOCKS Proxy)
```bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@hostname
# Use with applications
# Configure browser to use SOCKS proxy: localhost:1080
```
### X11 Forwarding
```bash
# Enable X11 forwarding for GUI applications
ssh -X user@hostname
# Trusted X11 forwarding
ssh -Y user@hostname
# Run GUI application
ssh -X user@hostname firefox
```
## File Transfer Integration
### SCP Integration
```bash
# Copy file to remote host
scp file.txt user@hostname:/path/to/destination/
# Copy from remote host
scp user@hostname:/path/to/file.txt ./
# Recursive copy
scp -r directory/ user@hostname:/path/to/destination/
```
### SFTP Integration
```bash
# Start SFTP session
sftp user@hostname
# SFTP with custom port
sftp -P 2222 user@hostname
```
## Advanced Features
### Jump Hosts and Bastion Servers
```bash
# Connect through jump host
ssh -J jumphost user@target
# Multiple jump hosts
ssh -J jump1,jump2 user@target
# Using ProxyCommand
ssh -o ProxyCommand="ssh -W %h:%p jumphost" user@target
```
### SSH Agent and Key Management
```bash
# Start SSH agent
eval $(ssh-agent)
# Add key to agent
ssh-add ~/.ssh/id_rsa
# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa
# List agent keys
ssh-add -l
# Remove specific key
ssh-add -d ~/.ssh/id_rsa
# Remove all keys
ssh-add -D
```
### Connection Multiplexing
```bash
# Enable connection sharing in ~/.ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600
# Create socket directory
mkdir -p ~/.ssh/sockets
```
## Security and Hardening
### Secure Connection Options
```bash
# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname
# Use specific key only
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@hostname
# Disable host key checking (development only; the server's identity is not verified)
ssh -o StrictHostKeyChecking=no user@hostname
# Use specific cipher
ssh -c aes256-ctr user@hostname
```
### Host Key Verification
```bash
# Check host key fingerprint
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
# Remove host key from known_hosts
ssh-keygen -R hostname
# Add host key manually (ssh-keyscan output is unauthenticated; verify the fingerprint out-of-band)
ssh-keyscan hostname >> ~/.ssh/known_hosts
```
### Certificate-based Authentication
```bash
# Generate user certificate
ssh-keygen -s ca_key -I user_id -n username user_key.pub
# Use certificate for authentication
ssh -o CertificateFile=user_key-cert.pub user@hostname
```
## Troubleshooting
### Connection Issues
```bash
# Debug connection problems
ssh -vvv user@hostname
# Test specific authentication method
ssh -o PreferredAuthentications=publickey user@hostname
# Check SSH service status
systemctl status ssh # Linux
service ssh status # Linux (older)
```
### Common Problems and Solutions
|Problem|Symptoms|Solution|
|---------|-------------|---------|
|Permission denied|Authentication fails|Check key permissions (600 for private key)|
|Connection timeout|No response|Check firewall, network connectivity|
|Host key verification failed|Key mismatch warning|Update known_hosts or verify host identity|
|Agent forwarding not working|Keys not available on remote|Enable ForwardAgent in config|
### Key Permission Issues
```bash
# Fix SSH key permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config
```
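An added example (not part of the original cheat sheet): a read-only check for the permissions listed above. It flags a `~/.ssh` directory, private key or config file that grants any group or other access, and any other file that is group- or world-writable. `audit_ssh_perms` is a hypothetical helper name, and the demo directory is constructed.

```bash
#!/usr/bin/env bash
# Added example: report ~/.ssh entries that are more exposed than the modes above.
# Assumes GNU/Linux `stat -c %a` (octal mode); BSD/macOS stat uses `-f %Lp`.
audit_ssh_perms() {
  local dir=$1 f mode
  mode=$(stat -c %a "$dir")
  # The directory must grant nothing to group/other (700).
  [ $(( 0$mode & 077 )) -eq 0 ] || echo "$dir: mode $mode, expected 700"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue        # skip subdirectories such as sockets/
    mode=$(stat -c %a "$f")
    if [ "${f##*/}" = config ] || head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
      # Private keys (detected by PEM header, not by file name) and config: 600.
      [ $(( 0$mode & 077 )) -eq 0 ] || echo "$f: mode $mode, expected 600"
    else
      # Public keys, authorized_keys, known_hosts: readable is fine, writable is not.
      [ $(( 0$mode & 022 )) -eq 0 ] || echo "$f: mode $mode is group/world-writable"
    fi
  done
}

# Constructed demo: a throwaway directory holding one over-exposed "private key".
demo=$(mktemp -d) && chmod 700 "$demo"
echo '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo/id_demo" && chmod 644 "$demo/id_demo"
audit_ssh_perms "$demo"
rm -rf "$demo"
```

Run `audit_ssh_perms ~/.ssh` on a real account; no output means nothing is more permissive than the modes above.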
## Automation and Scripting
### Non-interactive SSH
```bash
# Run single command
ssh user@hostname "ls -la /var/log"
# Run multiple commands
ssh user@hostname "cd /var/log && tail -f syslog"
# Execute local script on remote host
ssh user@hostname 'bash -s' < local_script.sh
# Execute with sudo (add -t if sudo must prompt for a password)
ssh user@hostname "sudo systemctl restart nginx"
```
### Batch Operations
```bash
#!/bin/bash
# Deploy to multiple servers
servers=("web1.example.com" "web2.example.com" "web3.example.com")
for server in "${servers[@]}"; do
    echo "Deploying to $server"
    ssh "user@$server" "cd /var/www && git pull origin main"
    ssh "user@$server" "sudo systemctl restart nginx"
done
```
### SSH with expect (Password Automation)
```bash
#!/usr/bin/expect
# A password stored in a script is readable by anyone who can read the file; prefer key-based authentication
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interact
```
## Compression and Speed
```bash
# Enable compression
ssh -C user@hostname
# Disable compression for fast networks
ssh -o Compression=no user@hostname
# Use a fast modern cipher (the broken arcfour cipher was removed in OpenSSH 7.6)
ssh -c aes128-gcm@openssh.com user@hostname
```
## Connection Persistence
```bash
# Keep connection alive
ssh -o ServerAliveInterval=60 user@hostname
# Persistent connection in background
ssh -f -N -L 8080:localhost:80 user@hostname
```
## Windows (OpenSSH)
```powershell
# Windows OpenSSH client
ssh user@hostname
# Windows SSH config location: %USERPROFILE%\.ssh\config
# Start SSH agent on Windows
Start-Service ssh-agent
ssh-add ~/.ssh/id_rsa
```
## macOS Keychain Integration
```bash
# Add key to macOS keychain
ssh-add --apple-use-keychain ~/.ssh/id_rsa
# Configure automatic keychain loading (in ~/.ssh/config)
Host *
    AddKeysToAgent yes
    UseKeychain yes
```
## Best Practices
### Security
- **Use Key Authentication**: Disable password authentication
- **Strong Keys**: Use Ed25519 or 4096-bit RSA keys
- **Key Rotation**: Rotate SSH keys regularly
- **Principle of Least Privilege**: Limit user access
- **Monitor Access**: Log and monitor SSH connections
### Configuration Management
- **Centralized Config**: Use ~/.ssh/config for common settings
- **Host Aliases**: Create meaningful host aliases
- **Connection Multiplexing**: Reuse connections for efficiency
- **Agent Forwarding**: Use with caution, only when necessary
- **Documentation**: Document custom configurations
### Operations
- **Backup Keys**: Back up private keys securely
- **Test Connections**: Test SSH access regularly
- **Update Software**: Keep the SSH client/server up to date
- **Monitor Logs**: Watch for suspicious activity
- **Emergency Access**: Maintain alternative access methods