Ssh | @sskaje - Page 2

SSH KeepAlive

By @sskaje
Link: https://sskaje.me/2015/10/ssh-keepalive/

网络不稳定的情况下，可能SSH的连接会中断。一般GUI的客户端，如SecureCRT、XShell、vSSH等，都可以有选项直接定时（例如每5秒）发送心跳包，来保持连接。命令后的OpenSSH客户端也有类似功能，需要开启参数 ServerAliveInterval。
Mac 下需要用root编辑 /etc/ssh_config，linux下在 /etc/ssh/ssh_config.
也可以使用 ~/.ssh/config 配置用户级参数。

编辑后的内容形如：

Host * 
  SendEnv LANG LC_*
  ServerAliveCountMax 5
  ServerAliveInterval 10

Host *

SendEnv LANG LC_*

ServerAliveCountMax 5

ServerAliveInterval 10

ssh_config 里还有个参数 TCPKeepAlive，默认false，可以改为yes。
参考 http://unix.stackexchange.com/questions/34004/how-does-tcp-keepalive-work-in-ssh/34201#34201 的说明：
TCPKeepAlive是靠发送空的ACK包来保持连接，由可能在特定情况下无效（被防火墙过滤）；
ServerAliveInterval 是SSH层的，数据加密状态传输，不会被简单规则过滤。
更多参数说明可以参考 man ssh_config.

上边的配置里我还开启了 ServerAliveCountMax 5，解释是：
10秒钟发送一次心跳，如果连续5次都没有响应，客户端就断开连接。
这个值默认是3。

SSH KeepAlive by @sskaje: https://sskaje.me/2015/10/ssh-keepalive/

Incoming search terms:

使用HAProxy搭建SSH代理

By @sskaje
Link: https://sskaje.me/2015/10/%e4%bd%bf%e7%94%a8haproxy%e6%90%ad%e5%bb%bassh%e4%bb%a3%e7%90%86/

VPS SSH经常被封杀，只能国内找个某云，配个HAProxy，实现效果参考 windows 的netsh portproxy。

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

defaults
        log     global
        mode    tcp
        timeout connect 5000
        timeout client  50000
        timeout server  50000

listen proxy
        option tcplog
        option logasap
        option tcpka
        maxconn 9999
        bind 0.0.0.0:监听端口
        server server-1 VPS主机:22 maxconn 5000

global

log /dev/log local0

log /dev/log local1 notice

chroot /var/lib/haproxy

stats socket /run/haproxy/admin.sock mode 660 level admin

stats timeout 30s

user haproxy

group haproxy

daemon

defaults

log global

mode tcp

timeout connect 5000

timeout client 50000

timeout server 50000

listen proxy

option tcplog

option logasap

option tcpka

maxconn 9999

bind 0.0.0.0:监听端口

server server-1 VPS主机:22 maxconn 5000

更多方案参考：https://www.digi77.com/the-art-of-port-forwarding-on-linux/

使用HAProxy搭建SSH代理 by @sskaje: https://sskaje.me/2015/10/%e4%bd%bf%e7%94%a8haproxy%e6%90%ad%e5%bb%bassh%e4%bb%a3%e7%90%86/

Incoming search terms:

SSH 代理被封杀

SSH Chroot jails

By @sskaje
Link: https://sskaje.me/2015/05/ssh-chroot-jails/

为了不给各种仅使用ssh tunnel的人访问vps的信息，把SSH的chroot jail配好了。

准备工作

假定Chroot根目录为 /var/jail, 定义为

# JAILROOT=/var/jail

1	# JAILROOT=/var/jail

添加用户组

# groupadd sshusers

1	# groupadd sshusers

配置sshd_config

修改 /etc/ssh/sshd_config 添加下列配置

Match group sshusers
          ChrootDirectory /var/jail/
          X11Forwarding yes
          AllowTcpForwarding yes
          GatewayPorts yes
          PermitOpen any
          PermitTunnel yes

Match group sshusers

ChrootDirectory /var/jail/

X11Forwarding yes

AllowTcpForwarding yes

GatewayPorts yes

PermitOpen any

PermitTunnel yes

创建Jail

其实不创建也行，客户端ssh时开-N就好

/var/jail
/var/jail/etc
/var/jail/etc/nsswitch.conf
/var/jail/etc/hosts
/var/jail/etc/ld.so.cache
/var/jail/etc/resolv.conf
/var/jail/etc/ld.so.conf
/var/jail/lib
/var/jail/lib/x86_64-linux-gnu
/var/jail/lib/x86_64-linux-gnu/libnss_dns.so.2
/var/jail/lib/x86_64-linux-gnu/libnss_hesiod.so.2
/var/jail/lib/x86_64-linux-gnu/libselinux.so.1
/var/jail/lib/x86_64-linux-gnu/libpthread.so.0
/var/jail/lib/x86_64-linux-gnu/libdl.so.2
/var/jail/lib/x86_64-linux-gnu/libattr.so.1
/var/jail/lib/x86_64-linux-gnu/libnss_files-2.19.so
/var/jail/lib/x86_64-linux-gnu/liblzma.so.5
/var/jail/lib/x86_64-linux-gnu/libnss_compat-2.19.so
/var/jail/lib/x86_64-linux-gnu/libc.so.6
/var/jail/lib/x86_64-linux-gnu/libpcre.so.3
/var/jail/lib/x86_64-linux-gnu/libnss_nisplus-2.19.so
/var/jail/lib/x86_64-linux-gnu/libnss_compat.so.2
/var/jail/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
/var/jail/lib/x86_64-linux-gnu/libgcc_s.so.1
/var/jail/lib/x86_64-linux-gnu/libz.so.1
/var/jail/lib/x86_64-linux-gnu/libtinfo.so.5
/var/jail/lib/x86_64-linux-gnu/libresolv.so.2
/var/jail/lib/x86_64-linux-gnu/libnss_dns-2.19.so
/var/jail/lib/x86_64-linux-gnu/libnss_nis.so.2
/var/jail/lib/x86_64-linux-gnu/libcom_err.so.2
/var/jail/lib/x86_64-linux-gnu/libkeyutils.so.1
/var/jail/lib/x86_64-linux-gnu/libnss_nis-2.19.so
/var/jail/lib/x86_64-linux-gnu/libacl.so.1
/var/jail/lib/x86_64-linux-gnu/libnss_nisplus.so.2
/var/jail/lib/x86_64-linux-gnu/libm.so.6
/var/jail/lib/x86_64-linux-gnu/libnss_hesiod-2.19.so
/var/jail/lib/x86_64-linux-gnu/libnss_files.so.2
/var/jail/usr
/var/jail/usr/lib
/var/jail/usr/lib/libbind9.so.90
/var/jail/usr/lib/x86_64-linux-gnu
/var/jail/usr/lib/x86_64-linux-gnu/libkrb5support.so.0
/var/jail/usr/lib/x86_64-linux-gnu/libk5crypto.so.3
/var/jail/usr/lib/x86_64-linux-gnu/libGeoIP.so.1
/var/jail/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
/var/jail/usr/lib/x86_64-linux-gnu/libkrb5.so.3
/var/jail/usr/lib/x86_64-linux-gnu/libstdc++.so.6
/var/jail/usr/lib/x86_64-linux-gnu/libxml2.so.2
/var/jail/usr/lib/liblwres.so.90
/var/jail/usr/lib/libisccfg.so.90
/var/jail/usr/lib/libdns.so.100
/var/jail/usr/lib/libisc.so.95
/var/jail/usr/bin
/var/jail/usr/bin/dig
/var/jail/usr/bin/telnet
/var/jail/dev
/var/jail/dev/null
/var/jail/home
/var/jail/home/sskaje
/var/jail/lib64
/var/jail/lib64/ld-linux-x86-64.so.2
/var/jail/bin
/var/jail/bin/bash
/var/jail/bin/ls
/var/jail/bin/cat

/var/jail

/var/jail/etc

/var/jail/etc/nsswitch.conf

/var/jail/etc/hosts

/var/jail/etc/ld.so.cache

/var/jail/etc/resolv.conf

/var/jail/etc/ld.so.conf

/var/jail/lib

/var/jail/lib/x86_64-linux-gnu

/var/jail/lib/x86_64-linux-gnu/libnss_dns.so.2

/var/jail/lib/x86_64-linux-gnu/libnss_hesiod.so.2

/var/jail/lib/x86_64-linux-gnu/libselinux.so.1

/var/jail/lib/x86_64-linux-gnu/libpthread.so.0

/var/jail/lib/x86_64-linux-gnu/libdl.so.2

/var/jail/lib/x86_64-linux-gnu/libattr.so.1

/var/jail/lib/x86_64-linux-gnu/libnss_files-2.19.so

/var/jail/lib/x86_64-linux-gnu/liblzma.so.5

/var/jail/lib/x86_64-linux-gnu/libnss_compat-2.19.so

/var/jail/lib/x86_64-linux-gnu/libc.so.6

/var/jail/lib/x86_64-linux-gnu/libpcre.so.3

/var/jail/lib/x86_64-linux-gnu/libnss_nisplus-2.19.so

/var/jail/lib/x86_64-linux-gnu/libnss_compat.so.2

/var/jail/lib/x86_64-linux-gnu/libcrypto.so.1.0.0

/var/jail/lib/x86_64-linux-gnu/libgcc_s.so.1

/var/jail/lib/x86_64-linux-gnu/libz.so.1

/var/jail/lib/x86_64-linux-gnu/libtinfo.so.5

/var/jail/lib/x86_64-linux-gnu/libresolv.so.2

/var/jail/lib/x86_64-linux-gnu/libnss_dns-2.19.so

/var/jail/lib/x86_64-linux-gnu/libnss_nis.so.2

/var/jail/lib/x86_64-linux-gnu/libcom_err.so.2

/var/jail/lib/x86_64-linux-gnu/libkeyutils.so.1

/var/jail/lib/x86_64-linux-gnu/libnss_nis-2.19.so

/var/jail/lib/x86_64-linux-gnu/libacl.so.1

/var/jail/lib/x86_64-linux-gnu/libnss_nisplus.so.2

/var/jail/lib/x86_64-linux-gnu/libm.so.6

/var/jail/lib/x86_64-linux-gnu/libnss_hesiod-2.19.so

/var/jail/lib/x86_64-linux-gnu/libnss_files.so.2

/var/jail/usr

/var/jail/usr/lib

/var/jail/usr/lib/libbind9.so.90

/var/jail/usr/lib/x86_64-linux-gnu

/var/jail/usr/lib/x86_64-linux-gnu/libkrb5support.so.0

/var/jail/usr/lib/x86_64-linux-gnu/libk5crypto.so.3

/var/jail/usr/lib/x86_64-linux-gnu/libGeoIP.so.1

/var/jail/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2

/var/jail/usr/lib/x86_64-linux-gnu/libkrb5.so.3

/var/jail/usr/lib/x86_64-linux-gnu/libstdc++.so.6

/var/jail/usr/lib/x86_64-linux-gnu/libxml2.so.2

/var/jail/usr/lib/liblwres.so.90

/var/jail/usr/lib/libisccfg.so.90

/var/jail/usr/lib/libdns.so.100

/var/jail/usr/lib/libisc.so.95

/var/jail/usr/bin

/var/jail/usr/bin/dig

/var/jail/usr/bin/telnet

/var/jail/dev

/var/jail/dev/null

/var/jail/home

/var/jail/home/sskaje

/var/jail/lib64

/var/jail/lib64/ld-linux-x86-64.so.2

/var/jail/bin

/var/jail/bin/bash

/var/jail/bin/ls

/var/jail/bin/cat

添加用户

# USERNAME=sskaje
# usermod -G sshusers -a $USERNAME
# mkdir $JAILROOT/home/$USERNAME
# chown $USERNAME: $JAILROOT/home/$USERNAME

# USERNAME=sskaje

# usermod -G sshusers -a $USERNAME

# mkdir $JAILROOT/home/$USERNAME

# chown $USERNAME: $JAILROOT/home/$USERNAME

SSH Chroot jails by @sskaje: https://sskaje.me/2015/05/ssh-chroot-jails/

Incoming search terms:

silverv98

英文OSX Terminal SSH无法输入中文

By @sskaje
Link: https://sskaje.me/2015/04/%e8%8b%b1%e6%96%87osx-terminal-ssh%e6%97%a0%e6%b3%95%e8%be%93%e5%85%a5%e4%b8%ad%e6%96%87/

新电脑系统用了英文。
安装了两台debian 7的开发机，SSH上去之后发现Bash下中文输入不了，输入完成后Terminal会闪一下，输入不成功，但是vim里可以。
对比其他的VPS、服务器，CentOS，Ubuntu都一切正常。

为了排除字体，locale的可能，把中文字体装了，中文的locale也全加上了，依旧输入不了。

直到我想到这篇文章，然后退出SSH，本地看了眼这个session下的locale

LANG=
LC_COLLATE="C"
LC_CTYPE="UTF-8"
LC_MESSAGES="C"
LC_MONETARY="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_ALL=

LANG=

LC_COLLATE="C"

LC_CTYPE="UTF-8"

LC_MESSAGES="C"

LC_MONETARY="C"

LC_NUMERIC="C"

LC_TIME="C"

LC_ALL=

执行

export LC_ALL=en_US.UTF-8

1	export LC_ALL=en_US.UTF-8

就好了

英文OSX Terminal SSH无法输入中文 by @sskaje: https://sskaje.me/2015/04/%e8%8b%b1%e6%96%87osx-terminal-ssh%e6%97%a0%e6%b3%95%e8%be%93%e5%85%a5%e4%b8%ad%e6%96%87/

ssh_exchange_identification: Connection closed by remote host

By @sskaje
Link: https://sskaje.me/2014/05/ssh_exchange_identification-connection-closed-remote-host/

ssh_exchange_identification: Connection closed by remote host

1	ssh_exchange_identification: Connection closed by remote host

Google tells me that I am blocked because of something like /etc/hosts.deny or some other reason, I did everything but problem remains there.

Until I checked the audit.log and found there many attempts of ssh login.

So I add ListenAddress line in /etc/ssh/sshd_config, everything works well now.
This is because I have an local IP address like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, but if I only have a public IP, I may choose to change ssh running at another port.

ssh_exchange_identification: Connection closed by remote host by @sskaje: https://sskaje.me/2014/05/ssh_exchange_identification-connection-closed-remote-host/

Incoming search terms:

second8gw