commit 35fb9216585561d03680325d9d24d3d51ed44a72 Author: zlei9 Date: Sun Mar 29 08:23:29 2026 +0800 Initial commit with translated description diff --git a/SKILL.md b/SKILL.md new file mode 100644 index 0000000..c050dce --- /dev/null +++ b/SKILL.md @@ -0,0 +1,407 @@ +--- +name: ssh-essentials +description: "用于安全远程访问、密钥管理、隧道和文件传输的SSH基础命令。" +homepage: https://www.openssh.com/ +metadata: {"clawdbot":{"emoji":"🔐","requires":{"bins":["ssh"]}}} +--- + +# SSH Essentials + +Secure Shell (SSH) for remote access and secure file transfers. + +## Basic Connection + +### Connecting +```bash +# Connect with username +ssh user@hostname + +# Connect to specific port +ssh user@hostname -p 2222 + +# Connect with verbose output +ssh -v user@hostname + +# Connect with specific key +ssh -i ~/.ssh/id_rsa user@hostname + +# Connect and run command +ssh user@hostname 'ls -la' +ssh user@hostname 'uptime && df -h' +``` + +### Interactive use +```bash +# Connect with forwarding agent +ssh -A user@hostname + +# Connect with X11 forwarding (GUI apps) +ssh -X user@hostname +ssh -Y user@hostname # Trusted X11 + +# Escape sequences (during session) +# ~. - Disconnect +# ~^Z - Suspend SSH +# ~# - List forwarded connections +# ~? - Help +``` + +## SSH Keys + +### Generating keys +```bash +# Generate RSA key +ssh-keygen -t rsa -b 4096 -C "your_email@example.com" + +# Generate ED25519 key (recommended) +ssh-keygen -t ed25519 -C "your_email@example.com" + +# Generate with custom filename +ssh-keygen -t ed25519 -f ~/.ssh/id_myserver + +# Generate without passphrase (automation) +ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_deploy +``` + +### Managing keys +```bash +# Copy public key to server +ssh-copy-id user@hostname + +# Copy specific key +ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname + +# Manual key copy +cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> ~/.ssh/authorized_keys' + +# Check key fingerprint +ssh-keygen -lf ~/.ssh/id_rsa.pub + +# Change key passphrase +ssh-keygen -p -f ~/.ssh/id_rsa +``` + +### SSH agent +```bash +# Start ssh-agent +eval $(ssh-agent) + +# Add key to agent +ssh-add ~/.ssh/id_rsa + +# List keys in agent +ssh-add -l + +# Remove key from agent +ssh-add -d ~/.ssh/id_rsa + +# Remove all keys +ssh-add -D + +# Set key lifetime (seconds) +ssh-add -t 3600 ~/.ssh/id_rsa +``` + +## Port Forwarding & Tunneling + +### Local port forwarding +```bash +# Forward local port to remote +ssh -L 8080:localhost:80 user@hostname +# Access via: http://localhost:8080 + +# Forward to different remote host +ssh -L 8080:database.example.com:5432 user@jumphost +# Access database through jumphost + +# Multiple forwards +ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname +``` + +### Remote port forwarding +```bash +# Forward remote port to local +ssh -R 8080:localhost:3000 user@hostname +# Remote server can access localhost:3000 via its port 8080 + +# Make service accessible from remote +ssh -R 9000:localhost:9000 user@publicserver +``` + +### Dynamic port forwarding (SOCKS proxy) +```bash +# Create SOCKS proxy +ssh -D 1080 user@hostname + +# Use with browser or apps +# Configure SOCKS5 proxy: localhost:1080 + +# With Firefox +firefox --profile $(mktemp -d) \ + --preferences "network.proxy.type=1;network.proxy.socks=localhost;network.proxy.socks_port=1080" +``` + +### Background tunnels +```bash +# Run in background +ssh -f -N -L 8080:localhost:80 user@hostname + +# -f: Background +# -N: No command execution +# -L: Local forward + +# Keep alive +ssh -o ServerAliveInterval=60 -L 8080:localhost:80 user@hostname +``` + +## Configuration + +### SSH config file (`~/.ssh/config`) +``` +# Simple host alias +Host myserver + HostName 192.168.1.100 + User admin + Port 2222 + +# With key and options +Host production + HostName prod.example.com + User deploy + IdentityFile ~/.ssh/id_prod + ForwardAgent yes + +# Jump host (bastion) +Host internal + HostName 10.0.0.5 + User admin + ProxyJump bastion + +Host bastion + HostName bastion.example.com + User admin + +# Wildcard configuration +Host *.example.com + User admin + ForwardAgent yes + +# Keep connections alive +Host * + ServerAliveInterval 60 + ServerAliveCountMax 3 +``` + +### Using config +```bash +# Connect using alias +ssh myserver + +# Jump through bastion automatically +ssh internal + +# Override config options +ssh -o "StrictHostKeyChecking=no" myserver +``` + +## File Transfers + +### SCP (Secure Copy) +```bash +# Copy file to remote +scp file.txt user@hostname:/path/to/destination/ + +# Copy file from remote +scp user@hostname:/path/to/file.txt ./local/ + +# Copy directory recursively +scp -r /local/dir user@hostname:/remote/dir/ + +# Copy with specific port +scp -P 2222 file.txt user@hostname:/path/ + +# Copy with compression +scp -C large-file.zip user@hostname:/path/ + +# Preserve attributes (timestamps, permissions) +scp -p file.txt user@hostname:/path/ +``` + +### SFTP (Secure FTP) +```bash +# Connect to SFTP server +sftp user@hostname + +# Common SFTP commands: +# pwd - Remote working directory +# lpwd - Local working directory +# ls - List remote files +# lls - List local files +# cd - Change remote directory +# lcd - Change local directory +# get file - Download file +# put file - Upload file +# mget *.txt - Download multiple files +# mput *.jpg - Upload multiple files +# mkdir dir - Create remote directory +# rmdir dir - Remove remote directory +# rm file - Delete remote file +# exit/bye - Quit + +# Batch mode +sftp -b commands.txt user@hostname +``` + +### Rsync over SSH +```bash +# Sync directory +rsync -avz /local/dir/ user@hostname:/remote/dir/ + +# Sync with progress +rsync -avz --progress /local/dir/ user@hostname:/remote/dir/ + +# Sync with delete (mirror) +rsync -avz --delete /local/dir/ user@hostname:/remote/dir/ + +# Exclude patterns +rsync -avz --exclude '*.log' --exclude 'node_modules/' \ + /local/dir/ user@hostname:/remote/dir/ + +# Custom SSH port +rsync -avz -e "ssh -p 2222" /local/dir/ user@hostname:/remote/dir/ + +# Dry run +rsync -avz --dry-run /local/dir/ user@hostname:/remote/dir/ +``` + +## Security Best Practices + +### Hardening SSH +```bash +# Disable password authentication (edit /etc/ssh/sshd_config) +PasswordAuthentication no +PubkeyAuthentication yes + +# Disable root login +PermitRootLogin no + +# Change default port +Port 2222 + +# Use protocol 2 only +Protocol 2 + +# Limit users +AllowUsers user1 user2 + +# Restart SSH service +sudo systemctl restart sshd +``` + +### Connection security +```bash +# Check host key +ssh-keygen -F hostname + +# Remove old host key +ssh-keygen -R hostname + +# Strict host key checking +ssh -o StrictHostKeyChecking=yes user@hostname + +# Use specific cipher +ssh -c aes256-ctr user@hostname +``` + +## Troubleshooting + +### Debugging +```bash +# Verbose output +ssh -v user@hostname +ssh -vv user@hostname # More verbose +ssh -vvv user@hostname # Maximum verbosity + +# Test connection +ssh -T user@hostname + +# Check permissions +ls -la ~/.ssh/ +# Should be: 700 for ~/.ssh, 600 for keys, 644 for .pub files +``` + +### Common issues +```bash +# Fix permissions +chmod 700 ~/.ssh +chmod 600 ~/.ssh/id_rsa +chmod 644 ~/.ssh/id_rsa.pub +chmod 644 ~/.ssh/authorized_keys + +# Clear known_hosts entry +ssh-keygen -R hostname + +# Disable host key checking (not recommended) +ssh -o StrictHostKeyChecking=no user@hostname +``` + +## Advanced Operations + +### Jump hosts (ProxyJump) +```bash +# Connect through bastion +ssh -J bastion.example.com user@internal.local + +# Multiple jumps +ssh -J bastion1,bastion2 user@final-destination + +# Using config (see Configuration section above) +ssh internal # Automatically uses ProxyJump +``` + +### Multiplexing +```bash +# Master connection +ssh -M -S ~/.ssh/control-%r@%h:%p user@hostname + +# Reuse connection +ssh -S ~/.ssh/control-user@hostname:22 user@hostname + +# In config: +# ControlMaster auto +# ControlPath ~/.ssh/control-%r@%h:%p +# ControlPersist 10m +``` + +### Execute commands +```bash +# Single command +ssh user@hostname 'uptime' + +# Multiple commands +ssh user@hostname 'cd /var/log && tail -n 20 syslog' + +# Pipe commands +cat local-script.sh | ssh user@hostname 'bash -s' + +# With sudo +ssh -t user@hostname 'sudo command' +``` + +## Tips + +- Use SSH keys instead of passwords +- Use `~/.ssh/config` for frequently accessed hosts +- Enable SSH agent forwarding carefully (security risk) +- Use ProxyJump for accessing internal networks +- Keep SSH client and server updated +- Use fail2ban or similar to prevent brute force +- Monitor `/var/log/auth.log` for suspicious activity +- Use port knocking or VPN for additional security +- Backup your SSH keys securely +- Use different keys for different purposes + +## Documentation + +Official docs: https://www.openssh.com/manual.html +Man pages: `man ssh`, `man ssh_config`, `man sshd_config` diff --git a/_meta.json b/_meta.json new file mode 100644 index 0000000..0e35849 --- /dev/null +++ b/_meta.json @@ -0,0 +1,6 @@ +{ + "ownerId": "kn7anq2d7gcch060anc2j9cg89800dyv", + "slug": "ssh-essentials", + "version": "1.0.0", + "publishedAt": 1769692063680 +} \ No newline at end of file