linux-ssh-operator/references/ssh-playbook.md
2026-03-23 17:27:15 +08:00


SSH playbook (Linux server ops)

Defaults and conventions

  • Prefer SSH keys (ed25519) and ~/.ssh/config aliases for repeatable runs.
  • Avoid putting passwords in files, on command lines (they end up in shell history and process listings), or in chat logs. If password auth is required, type it into an interactive terminal/TTY.
  • Start with read-only inspection, then apply changes, then verify.

Recommended env vars for wrappers:

  • REMOTE_USER: default SSH user
  • REMOTE_PORT: default SSH port (usually 22)
  • REMOTE_KEY: path to identity file (private key)
  • REMOTE_CONNECT_TIMEOUT: connect timeout seconds
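A wrapper that honors these variables, as an added example (not the playbook's own code). The REMOTE_* names are the ones listed above; the function names (remote_run, remote_ssh_argv), the default timeout of 10 seconds, and the BatchMode/IdentitiesOnly choices are this example's own. The argument list is built in the positional parameters because POSIX sh has no arrays, and the list is exposed through remote_ssh_argv so you can review exactly what ssh will be handed before running anything.

```shell
#!/bin/sh
# Added example wrapper around the playbook's REMOTE_* variables.
# Not part of the playbook; function names are this example's own.
set -eu

_print_lines() { printf '%s\n' "$@"; }

# Build the ssh argument list from the REMOTE_* environment in the positional
# parameters (POSIX sh has no arrays; this keeps a key path with spaces intact),
# then hand the whole list to RUNNER (ssh, or _print_lines for inspection).
# Usage: _remote_ssh_with RUNNER HOST CMD...
_remote_ssh_with() {
    runner="$1"; host="$2"; shift 2
    set -- -- "$host" "$@"              # "--" guards against a host starting with "-"
    if [ -n "${REMOTE_USER:-}" ]; then
        set -- -l "$REMOTE_USER" "$@"
    fi
    if [ -n "${REMOTE_KEY:-}" ]; then
        # IdentitiesOnly=yes: offer only this key, not every key in the agent
        # (fewer key fingerprints disclosed, no MaxAuthTries lockouts on the server).
        set -- -i "$REMOTE_KEY" -o IdentitiesOnly=yes "$@"
    fi
    # BatchMode=yes: a script must never fall into an interactive password
    # prompt; if password auth is needed, use a TTY by hand (see conventions).
    set -- -o BatchMode=yes \
           -o "ConnectTimeout=${REMOTE_CONNECT_TIMEOUT:-10}" \
           -p "${REMOTE_PORT:-22}" "$@"
    "$runner" "$@"
}

# Print the argument list ssh would receive, one per line (for review/tests).
remote_ssh_argv() { _remote_ssh_with _print_lines "$@"; }

# remote_run HOST CMD... : run CMD on HOST with the derived options.
remote_run() {
    if [ -n "${REMOTE_KEY:-}" ] && [ ! -r "$REMOTE_KEY" ]; then
        printf 'remote_run: REMOTE_KEY %s is not readable\n' "$REMOTE_KEY" >&2
        return 1
    fi
    _remote_ssh_with ssh "$@"
}

# Stand-alone use: ./remote.sh my-server "df -h"
if [ "$#" -ge 2 ]; then
    remote_run "$@"
fi
```

With REMOTE_USER=ops REMOTE_PORT=2222 REMOTE_KEY=~/.ssh/id_ed25519 set, `remote_ssh_argv my-server uptime` prints the -o BatchMode=yes / ConnectTimeout / -p / -i / IdentitiesOnly / -l arguments followed by `-- my-server uptime`; with REMOTE_USER and REMOTE_KEY unset the -l and -i pairs are simply omitted and ssh falls back to ~/.ssh/config.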

Generate a new key:

ssh-keygen -t ed25519 -C "codex" -f ~/.ssh/id_ed25519

Copy the public key to the server:

ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 22 USER@SERVER_IP

Add a host alias:

Host my-server
  HostName SERVER_IP
  Port 22
  User USER
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes

Common tasks

Connectivity and OS info

ssh my-server "whoami && hostname && uname -a"
ssh my-server "cat /etc/os-release"

Disk and memory

ssh my-server "df -h"
ssh my-server "free -h"
ssh my-server "du -sh /var/log/* | sort -h | tail"

Processes and ports

ssh my-server "ps aux --sort=-%mem | head"
ssh my-server "ss -lntp"
(the process column from -p is only filled in for sockets owned by your own user; run it as root, e.g. with sudo -n, to see every listener's process)

Logs (systemd)

ssh my-server "journalctl -u SERVICE -n 200 --no-pager"
ssh my-server "journalctl -u SERVICE -f --no-pager"

Services (systemd)

Status:

ssh my-server "systemctl status SERVICE --no-pager"

Restart (often needs sudo; -tt forces a TTY so sudo can prompt for a password):

ssh -tt my-server "sudo systemctl restart SERVICE"

Non-interactive sudo (fails immediately if a password would be required, instead of hanging on a prompt; right for scripts):

ssh my-server "sudo -n systemctl restart SERVICE"
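The restart pattern above carried through the playbook's own inspect-then-change-then-verify convention, as an added example (not the playbook's code): probe with sudo -n first, fall back to -tt only if a password is needed, then prove the restart happened by checking that the unit is active and that its ActiveEnterTimestampMonotonic moved forward. Because the unit name is spliced into a command string that the remote shell parses, the example validates it first; "nginx; id" passed unchecked would run id on the server. Function names, the 20-second wait and the 5-minute log window are this example's own assumptions.

```shell
#!/bin/sh
# Added example: restart a unit over ssh and verify it actually came back.
# Not the playbook's own code; function names are this example's. HOST is an
# ssh config alias such as my-server.
set -eu

# Only accept characters systemd unit names are made of. The unit name is
# spliced into a command string that the REMOTE shell parses, so anything
# else ("nginx; id", "$(id)") would be command injection on the server.
# A leading "-" is refused too, since systemctl would read it as an option.
valid_unit_name() {
    case "$1" in
        "" | -*)                 return 1 ;;
        *[!A-Za-z0-9:@._-]*)     return 1 ;;
        *)                       return 0 ;;
    esac
}

# Monotonic timestamp (microseconds) of the unit's last entry into "active";
# it must move forward after a restart, which proves the restart took effect.
active_since() {
    ssh "$1" "systemctl show -p ActiveEnterTimestampMonotonic --value $2"
}

# remote_restart_verified HOST UNIT [WAIT_SECONDS]
remote_restart_verified() {
    host="$1"; unit="$2"; wait="${3:-20}"
    if ! valid_unit_name "$unit"; then
        printf 'refusing unit name: %s\n' "$unit" >&2
        return 2
    fi
    # Read-only probe first: does password-less sudo work? If not, force a
    # TTY so sudo can prompt instead of failing without one.
    if ssh -o BatchMode=yes "$host" 'sudo -n true' 2>/dev/null; then
        tty=""; sudo="sudo -n"
    else
        tty="-tt"; sudo="sudo"
    fi
    before="$(active_since "$host" "$unit")"
    # $tty is deliberately unquoted: it is either empty or "-tt".
    ssh $tty "$host" "$sudo systemctl restart $unit"
    # Verify: poll until the unit reports active, then check the timestamp moved.
    i=0
    while [ "$i" -lt "$wait" ]; do
        if [ "$(ssh "$host" "systemctl is-active $unit" || true)" = "active" ]; then
            break
        fi
        i=$((i + 1)); sleep 1
    done
    after="$(active_since "$host" "$unit")"
    if [ "$i" -ge "$wait" ] || [ "${after:-0}" -le "${before:-0}" ]; then
        printf '%s on %s did not come back within %ss; recent warnings:\n' "$unit" "$host" "$wait" >&2
        ssh "$host" "journalctl -u $unit -p warning --since '-5min' --no-pager" >&2 || true
        return 1
    fi
    printf '%s restarted on %s (active since %s -> %s)\n' "$unit" "$host" "$before" "$after"
}

# Stand-alone use: ./restart.sh my-server nginx.service
if [ "$#" -ge 2 ]; then
    remote_restart_verified "$@"
fi
```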

Safer host key handling

  • Prefer verifying the host key fingerprint out-of-band on first connect: on the server console (or through the provider's serial console/boot log) run ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub and compare the SHA256 fingerprint with the one shown in the first-connect prompt.
  • If you must automate first-connect for ephemeral hosts, use StrictHostKeyChecking=accept-new (OpenSSH 7.6+): it records unknown keys but still refuses a key that differs from the one already in known_hosts, unlike StrictHostKeyChecking=no.
  • If you see a "host key changed" warning (REMOTE HOST IDENTIFICATION HAS CHANGED), treat it as a potential security incident until you confirm the change is expected (rebuild, reinstall, IP reuse). Only then remove the stale entry with ssh-keygen -R SERVER_IP (or ssh-keygen -R "[SERVER_IP]:PORT" for a non-default port).
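The out-of-band check from the first bullet as a script, added here as an example (not the playbook's own code): fetch the key with ssh-keyscan, compute its fingerprint with ssh-keygen -l, compare it to the fingerprint you were given (from the server console, a ticket, or provider metadata), and only on a match append it to ~/.ssh/known_hosts. It also shows the "[host]:port" form OpenSSH uses for non-default ports, which is an easy thing to get wrong when writing known_hosts by hand. Function names are this example's own; the network steps assume the OpenSSH client tools are installed.

```shell
#!/bin/sh
# Added example: pin a host key only after its fingerprint has been checked
# against one obtained out-of-band. Not the playbook's own code; function
# names are this example's. Needs ssh-keyscan and ssh-keygen for the network
# steps; the two helpers are plain sh.
set -eu

# known_hosts line for HOST:PORT. OpenSSH records non-default ports as
# "[host]:port"; a plain "host" entry does not match a connection on 2222.
known_hosts_entry() {
    host="$1"; port="$2"; keyline="$3"    # keyline: "ssh-ed25519 AAAA..."
    if [ "$port" = "22" ]; then
        printf '%s %s\n' "$host" "$keyline"
    else
        printf '[%s]:%s %s\n' "$host" "$port" "$keyline"
    fi
}

# Compare fingerprints as ssh-keygen -l prints them (SHA256:<base64>, no
# padding). A bare <base64> is accepted too, since console screenshots and
# tickets often omit the prefix. An empty expected value never matches.
fingerprint_matches() {
    expected="${1#SHA256:}"; actual="${2#SHA256:}"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# pin_host_key HOST PORT EXPECTED_FPR [KEYTYPE]
# Fetches the key, checks it, appends it to ~/.ssh/known_hosts on success.
pin_host_key() {
    host="$1"; port="$2"; expected="$3"; keytype="${4:-ed25519}"
    tmp="$(mktemp)"
    # ssh-keyscan prints "host-spec keytype base64" per key; banners go to stderr.
    if ! ssh-keyscan -p "$port" -t "$keytype" "$host" > "$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        printf 'no %s host key received from %s:%s\n' "$keytype" "$host" "$port" >&2
        return 1
    fi
    actual="$(ssh-keygen -lf "$tmp" | awk '{print $2}')"   # field 2 is SHA256:...
    keyline="$(awk '{print $2, $3}' "$tmp")"
    rm -f "$tmp"
    if ! fingerprint_matches "$expected" "$actual"; then
        printf 'HOST KEY MISMATCH for %s:%s\n  expected: %s\n  received: %s\n' \
            "$host" "$port" "$expected" "$actual" >&2
        printf 'Not pinning. If this host was pinned before, do not run ssh-keygen -R until the change is explained.\n' >&2
        return 1
    fi
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    known_hosts_entry "$host" "$port" "$keyline" >> "$HOME/.ssh/known_hosts"
    printf 'pinned %s:%s %s\n' "$host" "$port" "$actual"
}

# Stand-alone use: ./pin.sh SERVER_IP 22 SHA256:<fingerprint from the console>
if [ "$#" -ge 3 ]; then
    pin_host_key "$@"
fi
```

The fingerprint to pass in comes from the server side, for example `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the console, never from the same network path you are about to trust.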

Troubleshooting quick hits

  • Permission denied (publickey): wrong user, wrong key, server missing your public key, or sshd settings. Run ssh -vv my-server to see which keys were offered and which the server rejected; on the server, sshd with StrictModes (the default) ignores authorized_keys when the home directory, ~/.ssh or the file itself is group- or world-writable, so check for chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.
  • Connection timed out: routing/firewall/security group, wrong port, server down. ssh -o ConnectTimeout=5 -p PORT USER@SERVER_IP fails fast, and nc -vz SERVER_IP PORT tells you whether the port answers at all.
  • No route to host: network path missing (VPN not up, wrong subnet, ACL), usually on your side rather than the server's.