Key Idea
In one line: SSH is the Swiss-army knife of remote access — login, remote exec and port forwarding. Use keys instead of passwords, centralize hosts in ~/.ssh/config and reuse connections with ControlMaster, and day-to-day ops gets twice as fast.
What it is
Three most common usages:
# Login
ssh user@host
# Run a remote command
ssh host 'docker ps'
# Copy files
scp file user@host:/path/
rsync -aP local/ user@host:remote/
# Port forwarding
ssh -L 5432:db.internal:5432 user@bastion # local → remote
ssh -R 8080:localhost:3000 user@public # remote → local (reverse)
Analogy
SSH is an encrypted phone switchboard. Beyond connecting you (login), it can patch through to other extensions (port forwarding) or dial into the other party's internal phones (jump host) — all encrypted and mutually authenticated.
Key concepts
Pubkey auth
Client holds the private key (id_ed25519); the server has the public key in authorized_keys; the handshake verifies a signature.
ssh-agent (key agent)
Local long-running process holding private keys, so you don't type the passphrase every time.
ProxyJump (jump host)
`ssh -J bastion target` — supports multi-hop.
ssh config (~/.ssh/config)
Encode Host / HostName / User / IdentityFile per alias; type only the alias.
known_hosts (host fingerprint)
First connection records the server's pubkey fingerprint; alerts on changes (MITM defense).
Tunnel
-L local forward / -R reverse forward / -D SOCKS proxy.
Recommended config
~/.ssh/config:
Host bastion
HostName 1.2.3.4
User ops
IdentityFile ~/.ssh/id_ed25519
Host db
HostName 10.0.0.20
User ops
ProxyJump bastion
ForwardAgent no
Host *
ServerAliveInterval 30
ServerAliveCountMax 3
HashKnownHosts yes
After this, ssh db automatically jumps via the bastion.
/etc/ssh/sshd_config (server hardening):
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
MaxAuthTries 3
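As an added example (not from the original page), a small POSIX sh audit that checks an sshd_config file against the hardening baseline above. The config contents are constructed, and the `effective_value` / `audit_sshd_config` function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config file against the
# hardening baseline above. sshd keeps the FIRST value it reads for a keyword, so a
# hardened line placed below an earlier one (e.g. from an Include) is silently
# ignored; this check emulates that rule. Keys missing from the file fall back to
# sshd's compiled-in defaults (PasswordAuthentication defaults to yes), so "unset"
# is reported too. Limitations: Include and Match blocks are not followed; confirm
# the effective configuration on the real host with `sshd -T`.

# Constructed sample config for offline demonstration (not a real server's file).
SAMPLE_CONFIG=$(cat <<'EOF'
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 6
EOF
)

# effective_value FILE KEY -> first non-comment value for KEY (case-insensitive), or "" if unset
effective_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) && v == "" { v = tolower($2) } END { print v }' "$1"
}

# audit_sshd_config FILE -> prints one line per deviation; exit 0 if compliant, 1 otherwise
audit_sshd_config() {
  file=$1
  rc=0
  while read -r key want; do
    have=$(effective_value "$file" "$key")
    if [ "$have" != "$want" ]; then
      printf '%s: have %s, want %s\n' "$key" "${have:-<unset>}" "$want"
      rc=1
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
  return "$rc"
}

# Demo: write the constructed sample to a temp file and audit it.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_file"
audit_sshd_config "$demo_file" || echo "sshd_config deviates from the baseline"
rm -f "$demo_file"
```

On the sample above the audit reports four deviations, including PasswordAuthentication, because the first "yes" wins over the later "no".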
How it works
Once key exchange and authentication complete, all operations (shell / scp / forwards) are multiplexed over the one encrypted channel.
Practical notes
- Generate keys: `ssh-keygen -t ed25519` — smaller and stronger than RSA.
- Copy pubkey: `ssh-copy-id user@host`.
- Disable password login: `PasswordAuthentication no`.
- ControlMaster: `ControlMaster auto` + `ControlPath` reuses one TCP connection for multiple ssh sessions — much faster.
- SOCKS proxy: `ssh -D 1080 host`, point your browser at SOCKS5 → "one ssh = lightweight VPN".
- Audit: `/var/log/auth.log` or `journalctl -u sshd`. Brute-force attempts? Install fail2ban.
- fish/zsh users: sshd uses `$SHELL` and won't auto-read `.profile` — put env vars in `.bashrc`/`.zshrc`.
Easy confusions
| Method | Security | When to use |
|---|---|---|
| Password login | Brute-forceable. | OK for a new device / one-off. |
| Key login | Cryptographic strength. | Production default. |
Further reading
- Users & groups
- WireGuard / Tailscale — private overlay above SSH
- TLS handshake — similar handshake idea