Method of remotely connecting to the server using Terminal on Mac
Time : 2025-03-27 14:54:41
Edit : Jtti

Mastering efficient remote connection methods improves productivity. For developers and system administrators in particular, using the Mac's Terminal to connect to remote servers is a basic skill in daily work, whether for deploying code, managing cloud resources, or debugging. This article describes the core mechanism of the SSH protocol and how to build a stable and secure remote working environment in the Mac Terminal.

First, SSH basics: Password authentication connection

Secure Shell (SSH) is an encrypted network protocol designed for remote login and file transfer. The OpenSSH client is built into macOS and can be used without additional installation.

Basic connection command

Open Terminal (located in the Applications/Utilities directory) and enter the following command:

ssh username@server_ip

username: The user name on the remote server (such as root, ubuntu, etc.).

server_ip: The IP address or domain name of the server (such as 203.0.113.10 or example.com).

Example:

ssh admin@203.0.113.10

The system will prompt you to enter the password. No character is displayed when you enter the password. Press Enter to log in.

Specifying the port. If the server's SSH port is not the default 22, specify the port with the -p parameter:

ssh -p 2222 user@example.com

The connection process. On the first connection, the host fingerprint verification prompt is displayed:

The authenticity of host '203.0.113.10 (203.0.113.10)' can't be established.
ECDSA key fingerprint is SHA256:Abc123... xyz.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

After you enter yes, the server public key is saved to ~/.ssh/known_hosts. The prompt no longer appears on subsequent connections, because the saved key is checked automatically.

Second, key authentication: say goodbye to password entry

Password authentication is exposed to brute-force cracking. SSH key authentication uses asymmetric cryptography to provide a more secure login.

Generate a key pair. Execute in Terminal:

ssh-keygen -t ed25519 -C "your_email@example.com"

-t ed25519: Specifies the more secure and efficient Ed25519 algorithm (use -t rsa -b 4096 if compatibility requirements are high)

-C: Adds a comment (usually an email address)

When prompted, select the path for saving the key (default ~/.ssh/id_ed25519) and the passphrase (optional). Two files are generated:

Private key: id_ed25519 (must be strictly confidential)

Public key: id_ed25519.pub (needs to be uploaded to the server)

Upload the public key to the server. Deploy it automatically with the ssh-copy-id tool:

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@example.com

After entering the password, the public key is appended to the ~/.ssh/authorized_keys file on the server.

Verify the key connection. When you log in again, if the configuration is correct, you will enter the server directly, or you will be prompted for the key passphrase (if one was set when the key was generated).

Third, configuration file optimization: say goodbye to duplicate parameters

The ~/.ssh/config file presets connection parameters to simplify command input.

Create the configuration file

nano ~/.ssh/config

Add server configuration

# Custom alias
Host myserver
    # Server address
    HostName example.com
    # User name
    User ubuntu
    # Port
    Port 2222
    # Private key path
    IdentityFile ~/.ssh/id_ed25519
    # Sends a keepalive signal every 60 seconds
    ServerAliveInterval 60

Once the configuration is complete, simply type:

ssh myserver

Fourth, advanced skills: improve efficiency and safety

File transfer. Use the scp command to upload a file:

scp -P 2222 local_file.txt user@example.com:/remote/directory

Download a file:

scp -P 2222 user@example.com:/remote/file.txt ~/Downloads

Rsync synchronization (incremental transfer):

rsync -avz -e "ssh -p 2222" ~/project/ user@example.com:/var/www/

Port forwarding. Local port forwarding (accessing remote intranet services):

ssh -L 8080:localhost:80 user@example.com

Local port 8080 is now mapped to port 80 on the server; go to http://localhost:8080 to reach it.

Dynamic SOCKS proxy:

ssh -D 1080 user@example.com

Configure the browser to use localhost:1080 as the SOCKS proxy.

Session persistence. Use tmux or screen so that a network outage does not terminate running jobs:

tmux new -s mysession

After starting the task, press Ctrl+B and then D to detach from the session. To reattach later:

tmux attach -t mysession

Multi-factor authentication (MFA) enhances security and needs to be configured on the server. To install Google Authenticator:

sudo apt install libpam-google-authenticator

Perform initialization:

google-authenticator

Modify the SSH configuration:

# /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Fifth, troubleshooting: common problems and solutions

Connection timeout. Check the network:

ping example.com
traceroute example.com

Verify that the port is open:

nc -zv example.com 22

Permission errors. Key file permissions:

chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

Server-side authorized_keys permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Host key change warning. "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" indicates that the server key has changed (a man-in-the-middle attack may be taking place). Delete the old record only after confirming that the change is safe:

ssh-keygen -R example.com

Security Best practices

Disable password login. Modify /etc/ssh/sshd_config on the server:

PasswordAuthentication no

Limit user login:

AllowUsers ubuntu admin
DenyUsers root
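
An added example (not part of the original article): a small shell audit of the sshd_config directives recommended here and in the MFA step. The function names sshd_value and audit_sshd and both sample configurations are constructed for illustration; the check relies on sshd keeping the first value it reads for a keyword.

```shell
# Effective global value of an sshd_config keyword, read from stdin.
# sshd matches keywords case-insensitively and keeps the FIRST value it reads,
# so a "PasswordAuthentication no" appended after an earlier "yes" has no effect.
sshd_value() {
  awk -v k="$(printf %s "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }   # Match blocks apply conditionally
    tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Check the settings this article recommends; print findings, return 1 if any.
audit_sshd() {
  cfg=$(cat); rc=0
  pw=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
  am=$(printf '%s\n' "$cfg" | sshd_value AuthenticationMethods)
  au=$(printf '%s\n' "$cfg" | sshd_value AllowUsers)
  [ "$pw" = no ] || { echo "FAIL PasswordAuthentication=${pw:-yes (default)}"; rc=1; }
  case "$am" in
    publickey,keyboard-interactive*) ;;
    *) echo "FAIL AuthenticationMethods=${am:-any (default)}"; rc=1 ;;
  esac
  [ -n "$au" ] || { echo "FAIL AllowUsers is not set"; rc=1; }
  return "$rc"
}

# Constructed sample: hardening appended below a conflicting earlier line.
weak_config() {
  cat <<'EOF'
# constructed example
passwordauthentication yes
Port 2222
PasswordAuthentication no
EOF
}

# Constructed sample using the directives shown in this article.
hardened_config() {
  cat <<'EOF'
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers ubuntu admin
DenyUsers root
EOF
}

weak_config | audit_sshd || echo "weak sample: findings listed above"
hardened_config | audit_sshd && echo "hardened sample: no findings"
```

On a real server, sshd -T prints the effective configuration, including defaults and included files, and is the authoritative input for a check like this.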

Rotate keys regularly: generate new key pairs every 36 months and update the server authorization list.

For log monitoring, use journalctl -u ssh or grep 'sshd' /var/log/auth.log to check for login attempts.
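
An added example (not part of the original article) that goes one step beyond the grep above: it summarizes failed password attempts per source address and lists successful logins. The function names and the sample log lines are constructed; the lines follow the usual OpenSSH auth.log message format and use documentation addresses.

```shell
# Constructed sample in auth.log format (not taken from a real host).
sample_log() {
  cat <<'EOF'
Mar 27 10:01:02 web1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Mar 27 10:01:05 web1 sshd[1234]: Failed password for root from 198.51.100.7 port 51130 ssh2
Mar 27 10:01:09 web1 sshd[1236]: Failed password for root from 198.51.100.7 port 51144 ssh2
Mar 27 10:02:00 web1 sshd[1300]: Accepted publickey for ubuntu from 203.0.113.50 port 40022 ssh2: ED25519 SHA256:constructedFingerprint
Mar 27 10:03:10 web1 sshd[1400]: Failed password for invalid user from from 192.0.2.9 port 40100 ssh2
Mar 27 10:04:00 web1 CRON[1500]: pam_unix(cron:session): session opened for user root
EOF
}

# Print "<count> <ip>" for failed password attempts, busiest source first.
# The address is located from the END of the line ("from IP port N ssh2"),
# because the user name is chosen by the client and could itself be "from".
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" { n[$(NF-3)]++ }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print "<user> <ip> <method>" for every successful login.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i < NF; i++)
           if ($i == "Accepted") { print $(i+3), $(i+5), $(i+1); break }
       }'
}

# Exit status 0 when at least one source reaches $1 failures (default 3).
has_bruteforce() {
  failed_by_ip | awk -v t="${1:-3}" '$1 >= t { hit = 1 } END { exit (hit ? 0 : 1) }'
}

sample_log | failed_by_ip
sample_log | accepted_logins
```

Against a live system, feed it the real log instead of the sample, for example grep 'sshd' /var/log/auth.log | failed_by_ip.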

The above covers how to use the Mac Terminal with the SSH protocol for everything from routine maintenance to complex intranet tunneling. With these techniques, Terminal users and enterprises can more easily begin working with remote servers.
