AgentSkillsCN

ssh

SSH 远程访问模式与实用工具。支持连接服务器、管理密钥、建立隧道并实现文件传输功能。

SKILL.md
--- frontmatter
name: ssh
description: "SSH remote access patterns and utilities. Connect to servers, manage keys, tunnels, and transfers."

SSH Skill

Use SSH for secure remote access, file transfers, and tunneling.

Basic Connection

Connect to server:

bash
ssh user@hostname

Connect on specific port:

bash
ssh -p 2222 user@hostname

Connect with specific identity:

bash
ssh -i ~/.ssh/my_key user@hostname

SSH Config

Config file location:

code
~/.ssh/config

Example config entry:

code
Host myserver
    HostName 192.168.1.100
    User deploy
    Port 22
    IdentityFile ~/.ssh/myserver_key
    ForwardAgent yes

Then connect with just:

bash
ssh myserver

Running Remote Commands

Execute single command:

bash
ssh user@host "ls -la /var/log"

Execute multiple commands:

bash
ssh user@host "cd /app && git pull && pm2 restart all"

Run with pseudo-terminal (for interactive):

bash
ssh -t user@host "htop"

File Transfer with SCP

Copy file to remote:

bash
scp local.txt user@host:/remote/path/

Copy file from remote:

bash
scp user@host:/remote/file.txt ./local/

Copy directory recursively:

bash
scp -r ./local_dir user@host:/remote/path/

File Transfer with rsync (preferred)

Sync directory to remote:

bash
rsync -avz ./local/ user@host:/remote/path/

Sync from remote:

bash
rsync -avz user@host:/remote/path/ ./local/

With progress and compression:

bash
rsync -avzP ./local/ user@host:/remote/path/

Dry run first:

bash
rsync -avzn ./local/ user@host:/remote/path/

Port Forwarding (Tunnels)

Local forward (access remote service locally):

bash
ssh -L 8080:localhost:80 user@host
# Now localhost:8080 connects to host's port 80

Local forward to another host:

bash
ssh -L 5432:db-server:5432 user@jumphost
# Access db-server:5432 via localhost:5432

Remote forward (expose local service to remote):

bash
ssh -R 9000:localhost:3000 user@host
# Remote's port 9000 connects to your local 3000

Dynamic SOCKS proxy:

bash
ssh -D 1080 user@host
# Use localhost:1080 as SOCKS5 proxy

Jump Hosts / Bastion

Connect through jump host:

bash
ssh -J jumphost user@internal-server

Multiple jumps:

bash
ssh -J jump1,jump2 user@internal-server

In config file:

code
Host internal
    HostName 10.0.0.50
    User deploy
    ProxyJump bastion

Key Management

Generate new key (Ed25519, recommended):

bash
ssh-keygen -t ed25519 -C "your_email@example.com"

Generate RSA key (legacy compatibility):

bash
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Copy public key to server:

bash
ssh-copy-id user@host

Copy specific key:

bash
ssh-copy-id -i ~/.ssh/mykey.pub user@host

SSH Agent

Start agent:

bash
eval "$(ssh-agent -s)"

Add key to agent:

bash
ssh-add ~/.ssh/id_ed25519

Add with macOS keychain:

bash
ssh-add --apple-use-keychain ~/.ssh/id_ed25519

List loaded keys:

bash
ssh-add -l

Multiplexing (Connection Sharing)

In ~/.ssh/config:

code
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

Create socket directory:

bash
mkdir -p ~/.ssh/sockets

Known Hosts

Remove old host key:

bash
ssh-keygen -R hostname

Scan and add host key:

bash
ssh-keyscan hostname >> ~/.ssh/known_hosts

Debugging

Verbose output:

bash
ssh -v user@host

Very verbose:

bash
ssh -vv user@host

Maximum verbosity:

bash
ssh -vvv user@host

Security Tips

  • Use Ed25519 keys (faster, more secure than RSA)
  • Set PasswordAuthentication no on servers
  • Use fail2ban on servers to block brute force
  • Keep keys encrypted with passphrases
  • Use ssh-agent to avoid typing passphrase repeatedly
  • Restrict key usage with command= in authorized_keys