
# ssh - Secure Shell Remote Access


Complete SSH commands for secure remote access, tunneling and system administration across all platforms.

## Basic Connection

### Simple Connection
|Command|Description|
|---------|-------------|
|`ssh user@hostname`|Connect to remote host|
|`ssh user@192.168.1.100`|Connect using IP address|
|`ssh -p 2222 user@hostname`|Connect to custom port|
|`ssh hostname`|Connect with current username|

### Connection Options
|Command|Description|
|---------|-------------|
|`ssh -v user@hostname`|Verbose output for debugging|
|`ssh -vv user@hostname`|More verbose output|
|`ssh -vvv user@hostname`|Maximum verbosity|
|`ssh -q user@hostname`|Quiet mode (suppress warnings)|

## Authentication Methods

### Password Authentication
```bash
# Standard password login
ssh user@hostname

# Force password authentication
ssh -o PreferredAuthentications=password user@hostname

# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname
```

### Key-based Authentication
```bash
# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com"  # Modern, secure

# Copy public key to remote server
ssh-copy-id user@hostname
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

# Manual key installation (what ssh-copy-id does: create the directory,
# lock it down, then append the public key)
cat ~/.ssh/id_rsa.pub | ssh user@hostname "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
```

### Key Management
|Command|Description|
|---------|-------------|
|`ssh-keygen -t ed25519`|Generate Ed25519 key (recommended)|
|`ssh-keygen -t rsa -b 4096`|Generate 4096-bit RSA key|
|`ssh-keygen -f ~/.ssh/custom_key`|Generate key with custom name|
|`ssh-add ~/.ssh/private_key`|Add key to SSH agent|
|`ssh-add -l`|List loaded keys|
|`ssh-add -D`|Remove all keys from agent|

## Configuration

### SSH Client Config (~/.ssh/config)
```bash
# Global defaults
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes

# Specific host configuration
Host myserver
    HostName server.example.com
    User myusername
    Port 2222
    IdentityFile ~/.ssh/myserver_key
    ForwardAgent yes

# Jump host configuration
Host target
    HostName 192.168.1.100
    User admin
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User jumpuser
```

### Common Configuration Options
|Option|Description|Example|
|--------|-------------|---------|
|`HostName`|Real hostname or IP|`HostName server.example.com`|
|`User`|Username for connection|`User admin`|
|`Port`|SSH port number|`Port 2222`|
|`IdentityFile`|Private key file|`IdentityFile ~/.ssh/id_rsa`|
|`ForwardAgent`|Enable agent forwarding|`ForwardAgent yes`|
|`Compression`|Enable compression|`Compression yes`|

## Port Forwarding and Tunneling

### Local Port Forwarding
```bash
# Forward local port to remote service
ssh -L 8080:localhost:80 user@hostname

# Forward to different remote host
ssh -L 3306:database.internal:3306 user@gateway

# Multiple port forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname
```

### Remote Port Forwarding
```bash
# Forward remote port to local service
ssh -R 8080:localhost:3000 user@hostname

# Allow remote connections to forwarded port
# (the server must also set GatewayPorts yes in sshd_config)
ssh -R 0.0.0.0:8080:localhost:3000 user@hostname
```

### Dynamic Port Forwarding (SOCKS Proxy)
```bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@hostname

# Use with applications
# Configure browser to use SOCKS proxy: localhost:1080
```

### X11 Forwarding
```bash
# Enable X11 forwarding for GUI applications
ssh -X user@hostname

# Trusted X11 forwarding (remote clients get full access to the local display)
ssh -Y user@hostname

# Run GUI application
ssh -X user@hostname firefox
```
## File Transfer Integration

### SCP Integration
```bash
# Copy file to remote host
scp file.txt user@hostname:/path/to/destination/

# Copy from remote host
scp user@hostname:/path/to/file.txt ./

# Recursive copy
scp -r directory/ user@hostname:/path/to/destination/
```

### SFTP Integration
```bash
# Start SFTP session
sftp user@hostname

# SFTP with custom port (sftp and scp take -P; ssh takes -p)
sftp -P 2222 user@hostname
```

## Advanced Features

### Jump Hosts and Bastion Servers
```bash
# Connect through jump host
ssh -J jumphost user@target

# Multiple jump hosts
ssh -J jump1,jump2 user@target

# Using ProxyCommand (the older equivalent of -J)
ssh -o ProxyCommand="ssh -W %h:%p jumphost" user@target
```

### SSH Agent and Key Management
```bash
# Start SSH agent
eval $(ssh-agent)

# Add key to agent
ssh-add ~/.ssh/id_rsa

# Add key with timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_rsa

# List agent keys
ssh-add -l

# Remove specific key
ssh-add -d ~/.ssh/id_rsa

# Remove all keys
ssh-add -D
```

### Connection Multiplexing
```bash
# Enable connection sharing in ~/.ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

# Create socket directory (keep it private: anyone who can reach a control
# socket can open sessions on the already-authenticated connection)
mkdir -p -m 700 ~/.ssh/sockets
```

## Security and Hardening

### Secure Connection Options
```bash
# Disable password authentication
ssh -o PasswordAuthentication=no user@hostname

# Use specific key only (stops the agent offering every loaded key)
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@hostname

# Disable host key checking (development only: this turns off the check
# that detects a changed or impersonated server)
ssh -o StrictHostKeyChecking=no user@hostname

# Use specific cipher
ssh -c aes256-ctr user@hostname
```

### Host Key Verification
```bash
# Check host key fingerprint (run on the server; compare it with the
# fingerprint ssh shows on first connection)
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

# Remove host key from known_hosts
ssh-keygen -R hostname

# Add host key manually (verify the fingerprint out of band first:
# ssh-keyscan records whatever answers on the network)
ssh-keyscan hostname >> ~/.ssh/known_hosts
```

### Certificate-based Authentication
```bash
# Generate user certificate (signs user_key.pub with the CA key and
# writes user_key-cert.pub)
ssh-keygen -s ca_key -I user_id -n username user_key.pub

# Use certificate for authentication
# (the server trusts the CA via TrustedUserCAKeys in sshd_config)
ssh -o CertificateFile=user_key-cert.pub user@hostname
```

## Troubleshooting

### Connection Issues
```bash
# Debug connection problems
ssh -vvv user@hostname

# Test specific authentication method
ssh -o PreferredAuthentications=publickey user@hostname

# Check SSH service status
systemctl status ssh  # Linux (Debian/Ubuntu; the unit is named sshd on RHEL-family systems)
service ssh status    # Linux (older)
```

### Common Problems and Solutions
|Problem|Symptoms|Solution|
|---------|----------|----------|
|Permission denied|Authentication fails|Check key permissions (600 for private key)|
|Connection timeout|No response|Check firewall, network connectivity|
|Host key verification failed|Key mismatch warning|Update known_hosts or verify host identity|
|Agent forwarding not working|Keys not available on remote|Enable ForwardAgent in config|

### Key Permission Issues
```bash
# Fix SSH key permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config
```
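As an added example (not from the original cheat sheet), the script below audits the modes listed above instead of applying chmod blindly: it reports each entry whose mode is wrong and only changes it when asked. It assumes the directory it is given is laid out like ~/.ssh, with key pairs named `id_*`.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) the ~/.ssh permissions behind the
# "Permission denied" row above. Usage: sh ssh_perms.sh DIR [1]
#   DIR  the .ssh directory to check, e.g. ~/.ssh
#   1    a second argument of 1 corrects wrong modes instead of only reporting them

# mode_of FILE: print octal permission bits (GNU stat first, BSD/macOS fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_one PATH WANT FIX: report or fix one entry; returns 1 if its mode was wrong
check_one() {
    [ -e "$1" ] || return 0            # a missing file is not a permission problem
    have=$(mode_of "$1")
    [ "$have" = "$2" ] && return 0
    if [ "$3" = 1 ]; then
        chmod "$2" "$1" && echo "fixed $1: $have -> $2"
    else
        echo "wrong mode on $1: $have (expected $2)"
    fi
    return 1
}

# check_ssh_perms DIR [FIX]: returns the number of entries whose mode was wrong
check_ssh_perms() {
    dir=$1; fix=${2:-0}; bad=0
    check_one "$dir" 700 "$fix" || bad=$((bad + 1))
    check_one "$dir/config" 600 "$fix" || bad=$((bad + 1))
    check_one "$dir/authorized_keys" 644 "$fix" || bad=$((bad + 1))
    check_one "$dir/known_hosts" 644 "$fix" || bad=$((bad + 1))
    # every key pair: private half 600, public half 644 (ssh refuses a private
    # key whose permissions are "too open", the usual cause of the error above)
    for f in "$dir"/id_*; do
        [ -e "$f" ] || continue            # the glob matched nothing
        case $f in
            *.pub) check_one "$f" 644 "$fix" || bad=$((bad + 1)) ;;
            *)     check_one "$f" 600 "$fix" || bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# only run when a directory is given on the command line
[ "$#" -eq 0 ] || check_ssh_perms "$@"
```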

## Automation and Scripting

### Non-interactive SSH
```bash
# Run single command
ssh user@hostname "ls -la /var/log"

# Run multiple commands
ssh user@hostname "cd /var/log && tail -f syslog"

# Execute local script on remote host
ssh user@hostname 'bash -s' < local_script.sh

# Execute with sudo
ssh user@hostname "sudo systemctl restart nginx"
```

### Batch Operations
```bash
#!/bin/bash
# Deploy to multiple servers

servers=("web1.example.com" "web2.example.com" "web3.example.com")

for server in "${servers[@]}"; do
    echo "Deploying to $server"
    ssh "user@$server" "cd /var/www && git pull origin main"
    ssh "user@$server" "sudo systemctl restart nginx"
done
```
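A hardened version of the loop above, added here as an example rather than taken from the cheat sheet: it runs one command per host with the non-interactive options listed elsewhere on this page (BatchMode, ConnectTimeout, strict host key checking) and reports which hosts failed instead of carrying on silently. The user name, hosts and command are placeholders.

```shell
#!/bin/sh
# Added example: run one command on a list of hosts without ever stopping at a
# prompt, and report which hosts failed. Logs go to LOG_DIR (a fresh temporary
# directory unless set in the environment).
LOG_DIR=${LOG_DIR:-$(mktemp -d)}

# run_on_hosts USER CMD HOST...: returns the number of hosts on which CMD failed
run_on_hosts() {
    user=$1; cmd=$2; shift 2
    failed=0; failed_hosts=""
    for host in "$@"; do
        # -n: do not read local stdin (a remote command that did could swallow
        #     the rest of a script piped into this one)
        # BatchMode=yes: never prompt for a password or passphrase; an
        #     unattended job must fail fast instead of hanging
        # ConnectTimeout: bound the wait on hosts that are down or firewalled
        # StrictHostKeyChecking=yes: refuse unknown or changed host keys rather
        #     than offering to accept them (pre-populate known_hosts instead)
        if ssh -n -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=yes \
               "$user@$host" "$cmd" >"$LOG_DIR/$host.log" 2>&1; then
            echo "ok: $host"
        else
            rc=$?
            echo "FAILED: $host (exit $rc, see $LOG_DIR/$host.log)" >&2
            failed=$((failed + 1))
            failed_hosts="$failed_hosts $host"
        fi
    done
    [ "$failed" -eq 0 ] || echo "failed hosts:$failed_hosts" >&2
    return "$failed"
}

# usage: sh deploy.sh USER "COMMAND" host1 host2 ...
[ "$#" -lt 3 ] || run_on_hosts "$@"
```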

### SSH with expect (Password Automation)
```bash
#!/usr/bin/expect
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interact
```

## Performance Optimization

### Compression and Speed
```bash
# Enable compression (helps on slow links, costs CPU on fast ones)
ssh -C user@hostname

# Disable compression for fast networks
ssh -o Compression=no user@hostname

# Use faster cipher for trusted networks
# (arcfour was removed in OpenSSH 7.6; current releases only accept the
# ciphers listed by "ssh -Q cipher", and the default AES-GCM and ChaCha20
# ciphers are already fast on modern CPUs)
ssh -c arcfour user@hostname
```

### Connection Persistence
```bash
# Keep connection alive
ssh -o ServerAliveInterval=60 user@hostname

# Persistent connection in background (-f: go to background after
# authentication, -N: run no remote command, just the forward)
ssh -f -N -L 8080:localhost:80 user@hostname
```

## Platform-specific Considerations

### Windows (OpenSSH)
```powershell
# Windows OpenSSH client
ssh user@hostname

# Windows SSH config location
# %USERPROFILE%\.ssh\config

# Start SSH agent on Windows (the ssh-agent service ships disabled; enable
# it once from an elevated PowerShell before starting it)
Set-Service ssh-agent -StartupType Manual
Start-Service ssh-agent
ssh-add ~/.ssh/id_rsa
```

### macOS Keychain Integration
```bash
# Add key to macOS keychain
ssh-add --apple-use-keychain ~/.ssh/id_rsa

# Configure automatic keychain loading in ~/.ssh/config
Host *
    AddKeysToAgent yes
    UseKeychain yes
```

## Best Practices

### Security

1. **Use Key Authentication**: Disable password authentication
2. **Strong Keys**: Use Ed25519 or 4096-bit RSA keys
3. **Key Rotation**: Rotate SSH keys regularly
4. **Principle of Least Privilege**: Limit user access
5. **Monitor Access**: Log and monitor SSH connections

### Configuration Management

1. **Centralized Config**: Use ~/.ssh/config for common settings
2. **Host Aliases**: Create meaningful host aliases
3. **Connection Multiplexing**: Reuse connections for efficiency
4. **Agent Forwarding**: Use with caution, only when necessary
5. **Documentation**: Document custom configurations

### Operations

1. **Backup Keys**: Back up private keys securely
2. **Test Connections**: Test SSH access regularly
3. **Software Updates**: Keep the SSH client/server up to date
4. **Monitor Logs**: Watch for suspicious activity
5. **Emergency Access**: Maintain alternative access methods