In the Linux environment, SSH has become the most mainstream protocol for remote login and control of servers. Through SSH, users can safely execute remote commands, transfer files, and even perform encrypted tunnel communication in the local terminal. Compared with traditional Telnet or FTP, SSH not only supports encrypted transmission, but also has the advantages of flexible authentication, high security, and flexible configuration. This article will systematically explain how to use SSH commands in Linux to connect to remote servers.
1. The basic principles of SSH protocol
SSH is an encrypted remote communication protocol based on the TCP protocol, using port 22 by default. Its original design intention was to replace Telnet for plain text transmission and achieve secure and encrypted remote login, command execution, and file operations.
SSH communication uses a combination of public key encryption and symmetric encryption: public key exchange is used to verify identity during the initial connection, symmetric encryption is used in the session to speed up transmission efficiency, and authentication methods based on passwords or keys are supported. This makes it impossible for attackers to steal login credentials or listen to command content even in a public network environment.
2. Basic syntax of SSH commands
In Linux systems, SSH clients are built into most distributions. The basic connection command format is:
For example:
ssh root@192.168.1.100This means connecting to the target server 192.168.1.100 as the root user, using port 22 by default.
If the target server port is non-default, you can specify it using the -p parameter:
ssh user@example.com -p 2222After connecting, the system will prompt you to enter the login password of the target host account. If the verification is successful, you will enter the remote command line interaction state.
3. Use key authentication instead of password login
Although SSH supports password authentication, it is recommended to use asymmetric key authentication to improve security.
1. Generate a key pair locally
Execute the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"The process will prompt you to enter the save path (default ~/.ssh/id_rsa) and an optional passphrase.
After completion, two files will be generated:
id_rsa: private key file, strictly prohibited from disclosure;
id_rsa.pub: public key file, which can be safely transmitted.
2. Upload the public key to the remote server
You can use the ssh-copy-id command:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@192.168.1.100The system will automatically append the public key to the remote host's ~/.ssh/authorized_keys file.
You can also upload it manually and set permissions:
scp ~/.ssh/id_rsa.pub user@remote:/tmp
ssh user@remote
mkdir -p ~/.ssh
cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
rm /tmp/id_rsa.pub
3. Use the key to connect to the remote host
Then you can directly execute:
ssh user@192.168.1.100No password is required. If a phrase is set for the private key, you will be prompted to enter the phrase.
If the key file is not in the default location, you can specify the private key path:
ssh -i /path/to/id_rsa user@host4. Configure SSH client files to simplify connections
When frequently connecting to multiple servers, you can configure the ~/.ssh/config file to improve efficiency. For example:
Host devserver
HostName 192.168.1.100
User ubuntu
Port 2222
IdentityFile ~/.ssh/dev_rsa
Afterwards just execute:
ssh devserverIt can automatically import parameters such as username, port, key path, etc.
Multiple configuration blocks can coexist, for example:
Host ali-prod
HostName 47.91.x.x
User root
Port 22
IdentityFile ~/.ssh/ali_rsa
Host tencent-test
HostName 119.29.x.x
User ubuntu
Port 2022
IdentityFile ~/.ssh/tencent_id_rsa
5. How to upload and download files?
SSH supports file transfer based on SCP and SFTP.
1. Use scp to upload files
scp localfile.txt user@remote:/home/user/Upload localfile.txt to the specified path of the remote server.
Recursively upload directories:
scp -r myfolder/ user@remote:/home/user/
2. Download files from a remote server
scp user@remote:/home/user/data.zip .Download data.zip to the current directory.
3. Use sftp for interactive operations
sftp user@remoteAfter logging in, you can use:
ls: list remote directories;
cd: switch remote directories;
put localfile: upload;
get remotefile: download.
VI. Practical suggestions for enhancing SSH security
In order to protect the remote server from malicious attacks, you can configure it according to the following strategies:
1. Disable password login
Edit the remote host /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin noThen restart the service:
sudo systemctl restart sshdMake sure you only log in via the key.
2. Change the default port number
Change Port 22 to other uncommon ports (such as 2222, 2828) to reduce scanning brute force cracking.
Port 2222After modification, don't forget to use -p to specify the new port in the local connection command.
3. Use Fail2Ban to prevent brute force cracking
Installation:
sudo apt install fail2banConfigure /etc/fail2ban/jail.local to enable SSH protection policy.
Mastering SSH commands is not only a basic skill for Linux operation and maintenance personnel, but also an essential tool for the daily work of developers, database engineers, and security engineers. From the initial command line connection to key authentication, configuration optimization, security policy deployment, and then to tunnel forwarding and file synchronization, SSH covers a series of the most important links in remote management.
Correct use of SSH can greatly improve the efficiency and security of server access. Especially in the scenarios of multi-node deployment, automated scripts, and CI/CD integration, SSH's automatic login and seamless control capabilities have become basic components in the system architecture.
