SSH on Rickyhttps://linzeyan.github.io/zh-tw/categories/ssh/Recent content in SSH on RickyHugo -- gohugo.iozh-twTue, 11 Feb 2025 15:06:00 +0800設定多個 GitHub 帳號的 SSH 金鑰https://linzeyan.github.io/zh-tw/posts/2025/20250211-configure-ssh-keys-for-multiple-github-accounts/Tue, 11 Feb 2025 15:06:00 +0800https://linzeyan.github.io/zh-tw/posts/2025/20250211-configure-ssh-keys-for-multiple-github-accounts/<ul> <li><a href="https://stevenharman.net/configure-ssh-keys-for-multiple-github-accounts" target="_blank" rel="noopener">設定多個 GitHub 帳號的 SSH 金鑰</a></li> </ul> <h3 id="使用不同的-host-值">使用不同的 Host 值</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Host github.com </span></span><span style="display:flex;"><span> HostName github.com </span></span><span style="display:flex;"><span> User git </span></span><span style="display:flex;"><span> IdentityFile ~/.ssh/id_fry_ed25519 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Host github-plnx </span></span><span style="display:flex;"><span> HostName github.com </span></span><span style="display:flex;"><span> User git </span></span><span style="display:flex;"><span> IdentityFile ~/.ssh/id_fry_plnx_ed25519 </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Instead of the actual URL</span> </span></span><span style="display:flex;"><span>$ git clone git@github.com:planet-express/delivery_service.git </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Substitue in our custom Host value for the `github.com` part</span> </span></span><span style="display:flex;"><span>$ git clone git@github-plnx:planet-express/delivery_service.git </span></span></code></pre></div><h3 id="自動替換-host">自動替換 Host</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#f92672">[</span>include<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> path <span style="color:#f92672">=</span> ~/.gitconfig_custom </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># See custom `Host github-plnx` in ~/.ssh/config</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">[</span>url <span style="color:#e6db74">&#34;github-plnx:planet-express&#34;</span><span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> insteadOf <span style="color:#f92672">=</span> git@github.com:planet-express </span></span></code></pre></div>Add SFTP user and share directoryhttps://linzeyan.github.io/zh-tw/posts/2023/20231130-sftp/Thu, 30 Nov 2023 17:22:00 +0800https://linzeyan.github.io/zh-tw/posts/2023/20231130-sftp/<h1 id="add-sftp-user-and-share-directory">Add SFTP user and share directory</h1> <p>dev_test_user, qa_test_user 同權限 dev_user, qa_user 同權限</p> <h2 id="1-建立共享資料夾sftp-使用的資料夾">1. 建立共享資料夾(SFTP 使用的資料夾)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo mkdir -p /home/<span style="color:#f92672">{</span>test,prod<span style="color:#f92672">}</span>/<span style="color:#f92672">{</span>exchange,upload<span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span>sudo mkdir -p /home/<span style="color:#f92672">{</span>test,prod<span style="color:#f92672">}</span>/exchange/success </span></span><span style="display:flex;"><span>sudo mkdir -p /home/<span style="color:#f92672">{</span>test,prod<span style="color:#f92672">}</span>/upload/backup </span></span></code></pre></div><h2 id="2-建立使用者群組">2. 建立使用者群組</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo groupadd share01-test </span></span><span style="display:flex;"><span>sudo groupadd share01-prod </span></span></code></pre></div><h2 id="3-創建-qa_test_user-使用者並設定-qa_test_user-使用者的群組為-share01-test">3. 創建 qa_test_user 使用者並設定 qa_test_user 使用者的群組為 share01-test</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo useradd -m -G share01-test qa_test_user </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 設定 dev_test_user 使用者的群組為 share01-test</span> </span></span><span style="display:flex;"><span>sudo usermod -G share01-test dev_test_user </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 設定密碼</span> </span></span><span style="display:flex;"><span>sudo passwd qa_test_user </span></span></code></pre></div><h2 id="4-創建-qa_user-使用者並設定-qa_user-使用者的群組為-share01-prod">4. 創建 qa_user 使用者並設定 qa_user 使用者的群組為 share01-prod</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo useradd -m -G share01-prod qa_user </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 設定 dev_user 使用者的群組為 share01-prod</span> </span></span><span style="display:flex;"><span>sudo usermod -G share01-prod dev_user </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 設定密碼</span> </span></span><span style="display:flex;"><span>sudo passwd qa_user </span></span></code></pre></div><h2 id="5-設定權限">5. 設定權限</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 設定 /home/test 資料夾(含下級資料夾)的使用者為 qa_test_user,群組為 share01-test</span> </span></span><span style="display:flex;"><span>sudo chown -R qa_test_user:share01-test test/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 設定 /home/prod 資料夾(含下級資料夾)的使用者為 qa_user,群組為 share01-prod</span> </span></span><span style="display:flex;"><span>sudo chown -R qa_user:share01-prod prod/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SFTP 登入資料夾權限要給 root</span> </span></span><span style="display:flex;"><span>sudo chown root:root /home/test </span></span><span style="display:flex;"><span>sudo chown root:root /home/prod </span></span></code></pre></div><h2 id="6-設定-etcsshsshd_config">6. 設定 /etc/ssh/sshd_config</h2> <p><code>/etc/ssh/sshd_config</code></p>使用終端機與 SSH 連線到遠端主機https://linzeyan.github.io/zh-tw/posts/2023/20231124-ssh/Fri, 24 Nov 2023 22:22:00 +0800https://linzeyan.github.io/zh-tw/posts/2023/20231124-ssh/<h1 id="使用終端機與-ssh-連線到遠端主機">使用終端機與 SSH 連線到遠端主機</h1> <h2 id="1-現代終端機">1. 現代終端機</h2> <ul> <li><a href="https://github.com/vercel/hyper" target="_blank" rel="noopener">Hyper</a></li> <li><a href="https://iterm2.com/" target="_blank" rel="noopener">iTerm2</a></li> <li><a href="https://github.com/Eugeny/tabby" target="_blank" rel="noopener">Tabby</a></li> <li><a href="https://www.warp.dev/" target="_blank" rel="noopener">Warp</a></li> <li><a href="https://github.com/wez/wezterm" target="_blank" rel="noopener">Wez&rsquo;s Terminal</a></li> <li><a href="https://github.com/kingToolbox/WindTerm" target="_blank" rel="noopener">WindTerm</a></li> </ul> <h2 id="2-在-macos-開啟終端機">2. 在 macOS 開啟終端機</h2> <ol> <li>按 <code>⌘ + space</code> 開啟 Spotlight <img src="https://linzeyan.github.io/posts/2023/20231124-ssh/pics/auto_20231124_222253.png" alt=""></li> <li>搜尋 terminal.app <img src="https://linzeyan.github.io/posts/2023/20231124-ssh/pics/auto_20231124_222316.png" alt=""></li> <li>按下 <code>↩</code> <img src="https://linzeyan.github.io/posts/2023/20231124-ssh/pics/auto_20231124_222410.png" alt=""></li> </ol> <h2 id="3-使用-ssh-連線到遠端主機">3. 使用 SSH 連線到遠端主機</h2> <ol> <li>確認私鑰檔案路徑。</li> <li>在終端機輸入指令:<code>ssh -i /path/to/private_key.pem ubuntu@ubuntu.host.com</code></li> </ol>Windows SSH setuphttps://linzeyan.github.io/zh-tw/posts/2023/20230103-windows-ssh-setup/Tue, 03 Jan 2023 12:36:00 +0800https://linzeyan.github.io/zh-tw/posts/2023/20230103-windows-ssh-setup/<ul> <li><a href="https://ansible.cloudns.pro/post/windows-ssh-setup/" target="_blank" rel="noopener">Windows SSH setup</a></li> <li><a href="https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse" target="_blank" rel="noopener">Install OpenSSH for Windows</a></li> </ul> <ol> <li>預設的 shell 是使用 cmd,照文件說,若需要修改,是要改 ansible_shell_type 變數,這應該是要在 inventory 主機裡加入主機變數:ansible_shell_type,變數內容可以是 cmd 或 powershell。</li> <li>inventory 主機裡要加入 ansible_connection 主機變數,告知要使用 ssh 連線。(<code>192.168.192.11 ansible_user=Administrator ansible_connection=ssh ansible_shell_type=cmd </code>)</li> <li>可能會需要在 ansible.cfg 裡加上 remote_tmp 設定,指定為 C:\TEMP</li> <li>Playbook 裡可以使用 <code>win_</code> 開頭的模組,或是使用 raw 模組</li> </ol>SSH 失敗錯誤:fatal: daemon() failed: No such devicehttps://linzeyan.github.io/zh-tw/posts/2021/20210304-ssh-failing-with-error-fatal-daemon-failed-no-such-device/Thu, 04 Mar 2021 18:48:39 +0800https://linzeyan.github.io/zh-tw/posts/2021/20210304-ssh-failing-with-error-fatal-daemon-failed-no-such-device/<ul> <li><a href="https://admin-ahead.com/forum/general-linux/ssh-failing-with-error-fatal-daemon%28%29-failed-no-such-device/" target="_blank" rel="noopener">SSH 失敗錯誤:fatal: daemon() failed: No such device</a></li> </ul> <p>/var/log/secure</p> <p><code>Oct 10 10:58:05 vps sshd[23799]: fatal: daemon() failed: No such device</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># rm -vf /dev/null</span> </span></span><span style="display:flex;"><span>removed <span style="color:#e6db74">`</span>/dev/null<span style="color:#e6db74">`</span> </span></span><span style="display:flex;"><span>-bash-3.2# mknod /dev/null c <span style="color:#ae81ff">1</span> <span style="color:#ae81ff">3</span> </span></span><span style="display:flex;"><span>Started SSH and the SSH started responding: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># service sshd restart</span> </span></span><span style="display:flex;"><span>Stopping sshd: <span style="color:#f92672">[</span> OK <span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span>Starting sshd: <span style="color:#f92672">[</span> OK <span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span>-bash-3.2# service sshd status </span></span><span style="display:flex;"><span>openssh-daemon <span style="color:#f92672">(</span>pid 30608<span style="color:#f92672">)</span> is running… </span></span></code></pre></div>Ansible Network 的新 LibSSH 連線外掛取代 Paramiko,並支援 FIPS 模式https://linzeyan.github.io/zh-tw/posts/2020/20201125-new-libssh-connection-plugin-for-ansible-network/Wed, 25 Nov 2020 21:09:50 +0800https://linzeyan.github.io/zh-tw/posts/2020/20201125-new-libssh-connection-plugin-for-ansible-network/<ul> <li><a href="https://www.ansible.com/blog/new-libssh-connection-plugin-for-ansible-network" target="_blank" rel="noopener">Ansible Network 的新 LibSSH 連線外掛取代 Paramiko,並支援 FIPS 模式</a></li> </ul> <h5 id="切換-ansible-playbook-使用-libssh">切換 Ansible Playbook 使用 LibSSH</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 安裝 LibSSH</span> </span></span><span style="display:flex;"><span>pip install ansible-pylibssh </span></span></code></pre></div><p>在 Ansible Playbook 中使用 LibSSH</p> <p>方法 1. 在專案的 <code>ansible.cfg</code> 檔案中設定 <code>ssh_type</code> 參數使用 libssh</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span>[<span style="color:#a6e22e">persistent_connection</span>] </span></span><span style="display:flex;"><span><span style="color:#a6e22e">ssh_type</span> = <span style="color:#a6e22e">libssh</span> </span></span></code></pre></div><p>方法 2: 設定 <code>ANSIBLE_NETWORK_CLI_SSH_TYPE</code> 環境變數</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ export ANSIBLE_NETWORK_CLI_SSH_TYPE<span style="color:#f92672">=</span>libssh </span></span></code></pre></div><p>方法 3: 在 play 等級的 playbook 中設定 <code>ansible_network_cli_ssh_type</code> 為 libssh</p> <h5 id="用來測試-libssh-設定的-playbook">用來測試 libssh 設定的 Playbook</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#f92672">hosts</span>: <span style="color:#e6db74">&#34;changeme&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">gather_facts</span>: <span style="color:#66d9ef">no</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">connection</span>: <span style="color:#ae81ff">ansible.netcommon.network_cli</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">vars</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">ansible_network_os</span>: <span style="color:#ae81ff">cisco.ios.ios</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ansible_user</span>: <span style="color:#e6db74">&#34;changeme&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ansible_password</span>: <span style="color:#e6db74">&#34;changeme&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ansible_network_cli_ssh_type</span>: <span style="color:#ae81ff">libssh</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tasks</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">run show version command</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ansible.netcommon.cli_command</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">command</span>: <span style="color:#ae81ff">show version</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">run show version command</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ansible.netcommon.cli_command</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">command</span>: <span style="color:#ae81ff">show interfaces</span> </span></span></code></pre></div>SSH 证书登录教程https://linzeyan.github.io/zh-tw/posts/2020/20200708-ssh-certificate/Wed, 08 Jul 2020 13:39:48 +0800https://linzeyan.github.io/zh-tw/posts/2020/20200708-ssh-certificate/<ul> <li><a href="https://www.ruanyifeng.com/blog/2020/07/ssh-certificate.html" target="_blank" rel="noopener">SSH 证书登录教程</a></li> </ul> <h3 id="证书登录的流程">证书登录的流程</h3> <p>SSH 证书登录之前,如果还没有证书,需要生成证书。具体方法是:</p> <ol> <li>用户和服务器都将自己的公钥,发给 CA</li> <li>CA 使用服务器公钥,生成服务器证书,发给服务器</li> <li>CA 使用用户的公钥,生成用户证书,发给用户。</li> </ol> <p>有了证书以后,用户就可以登录服务器了。整个过程都是 SSH 自动处理,用户无感知。</p> <ol> <li>用户登录服务器时,SSH 自动将用户证书发给服务器。</li> <li>服务器检查用户证书是否有效,以及是否由可信的 CA 颁发。</li> <li>SSH 自动将服务器证书发给用户。</li> <li>用户检查服务器证书是否有效,以及是否由信任的 CA 颁发。</li> <li>双方建立连接,服务器允许用户登录。</li> </ol> <h3 id="生成-ca-的密钥">生成 CA 的密钥</h3> <p>虽然 CA 可以用同一对密码签发用户证书和服务器证书,但是出于安全性和灵活性,最好用不同的密钥分别签发。所以,CA 至少需要两对密钥,一对是签发用户证书的密钥,假设叫做 <code>user_ca</code>,另一对是签发服务器证书的密钥,假设叫做 <code>host_ca</code>。</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e"># 生成 CA 签发用户证书的密钥</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 会在~/.ssh目录生成一对密钥:user_ca(私钥)和user_ca.pub(公钥)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 各个参数含义如下</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -t rsa:指定密钥算法 RSA。</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -b 4096:指定密钥的位数是4096位。安全性要求不高的场合,这个值可以小一点,但是不应小于1024。</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -f ~/.ssh/user_ca:指定生成密钥的位置和文件名。</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -C user_ca:指定密钥的识别字符串,相当于注释,可以随意设置。</span> </span></span><span style="display:flex;"><span>$ ssh-keygen -t rsa -b <span style="color:#ae81ff">4096</span> -f ~/.ssh/user_ca -C user_ca </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 生成 CA 签发服务器证书的密钥</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 会在~/.ssh目录生成一对密钥:host_ca(私钥)和host_ca.pub(公钥)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 现在,~/.ssh目录应该至少有四把密钥。</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - ~/.ssh/user_ca</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - ~/.ssh/user_ca.pub</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - ~/.ssh/host_ca</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - ~/.ssh/host_ca.pub</span> </span></span><span style="display:flex;"><span>$ ssh-keygen -t rsa -b <span style="color:#ae81ff">4096</span> -f host_ca -C host_ca </span></span></code></pre></div><h4 id="服务器安装-ca-公钥">服务器安装 CA 公钥</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e"># 为了让服务器信任用户证书,必须将 CA 签发用户证书的公钥`user_ca.pub`,拷贝到服务器</span> </span></span><span style="display:flex;"><span>$ scp ~/.ssh/user_ca.pub root@host.example.com:/etc/ssh/ </span></span></code></pre></div><h5 id="然后将下面一行添加到服务器配置文件-etcsshsshd_config">然后,将下面一行添加到服务器配置文件 <code>/etc/ssh/sshd_config</code></h5> <pre tabindex="0"><code>TrustedUserCAKeys /etc/ssh/user_ca.pub </code></pre><p>上面的做法是将<code>user_ca.pub</code>加到<code>/etc/ssh/sshd_config</code>,这会产生全局效果,即服务器的所有账户都会信任<code>user_ca</code>签发的所有用户证书。</p>